Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2025-14815 Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric ... | N/A | NONE | β | 0 |
| CVE-2025-14816 Cleartext Storage of Sensitive Information in GUI vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi El... | N/A | NONE | β | 0 |
| CVE-2025-57847 A container privilege escalation flaw was found in certain Ansible Automation Platform images. This issue arises from the /etc/passwd file being created with group-writable permissions during the buil... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-57851 A container privilege escalation flaw was found in certain Multicluster Engine for Kubernetes images. This issue stems from the /etc/passwd file being created with group-writable permissions during bu... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-57853 A container privilege escalation flaw was found in certain Web Terminal images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain c... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-57854 A container privilege escalation flaw was found in certain OpenShift Update Service (OSUS) images. This issue stems from the /etc/passwd file being created with group-writable permissions during build... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-31411 In the Linux kernel, the following vulnerability has been resolved: net: atm: fix crash due to unvalidated vcc pointer in sigd_send() Reproducer available at [1]. The ATM send path (sendmsg -> vcc_... | N/A | NONE | β | 0 |
| CVE-2026-39389 CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, This vulnerability is fixed in 0.31.4.... | 6.7 | MEDIUM | β | 0 |
| CVE-2026-35023 Wimi Teamwork On-Premises versions prior toΒ 8.2.0 contain an insecure direct object reference vulnerability in the preview.php endpoint where the item_id parameter lacks proper authorization checks. A... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-39390 CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting (cMap fi... | 5.5 | MEDIUM | β | 0 |
| CVE-2026-39391 CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist (ban) note parameter in U... | 4.8 | MEDIUM | β | 0 |
| CVE-2026-39406 @hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39865 Axios is a promise based HTTP client for the browser and Node.js. Starting in version 1.13.0 and prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malic... | 5.9 | MEDIUM | β | 0 |
| CVE-2026-39409 Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) ... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-14243 A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during au... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-57175 Siklu EtherHaul 8010 siklu-uimage-nxp-enc-10_6_2-18707-ea552dc00b devices have a static root password. | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2377 A flaw was found in mirror-registry. Authenticated users can exploit the log export feature by providing a specially crafted web address (URL). This allows the application's backend to make arbitrary ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33460 Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrie... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-33461 Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve se... | 7.7 | HIGH | β | 0 |
| CVE-2026-4498 Execution with Unnecessary Privileges (CWE-250) in Kibanaβs Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). ... | 7.7 | HIGH | β | 0 |
| CVE-2026-4837 An eval() injection vulnerability in the Rapid7 Insight Agent beaconing logic for Linux versions could theoretically allow an attacker to achieve remote code execution as root via a crafted beacon res... | 6.6 | MEDIUM | β | 0 |
| CVE-2026-33458 Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restric... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-33459 Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit s... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-45059 D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the fn parameter in the tgfile_htm function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a cra... | 7.5 | HIGH | β | 0 |
| CVE-2026-33756 Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, Saleor supports query batching by submitting multiple GraphQL operations in a single HTTP request as a ... | 7.5 | HIGH | β | 0 |
| CVE-2025-50644 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper validation of user input in the qj.asp endpoint. | 7.5 | HIGH | β | 0 |
| CVE-2025-50645 A vulnerability has been discovered in D-Link DI-8003 16.07.26A1, which can lead to a buffer overflow when the s parameter in the pppoe_list_opt.asp endpoint is manipulated. By sending a crafted reque... | 7.5 | HIGH | β | 0 |
| CVE-2025-50655 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name parameter in the /thd_group.asp endpoint. | 7.5 | HIGH | β | 0 |
| CVE-2025-50657 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the pid parameter in the /trace.asp endpoint. | 7.5 | HIGH | β | 0 |
| CVE-2025-50659 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the custom_error parameter in the /user.asp endpoint. | 7.5 | HIGH | β | 0 |
| CVE-2025-50660 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name parameter in the /url_member.asp endpoint. | 7.5 | HIGH | β | 0 |
| CVE-2026-33350 LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, a SQL injecti... | 7.5 | HIGH | β | 0 |
| CVE-2026-34392 LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, ... | 7.5 | HIGH | β | 0 |
| CVE-2026-34248 Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, customers in shared organizations (means they can see each other's tickets) could see fields which are not intended ... | 5.7 | MEDIUM | β | 0 |
| CVE-2026-34985 LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 16.1.0 to before 27.0.3 and 28.0.1, ... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-35165 LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 21.0.0 to before 27.0.3 and 28.0.1, ... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-34724 Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, a server-side template injection vulnerability which leads to RCE via AI Agent exists. Impact is limited to environ... | 7.2 | HIGH | β | 0 |
| CVE-2026-34718 Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the HTML sanitizer for ticket articles was missing proper sanitization of data: ... URI schemes, resulting... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-34720 Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the SSO mechanism in Zammad was not verifying the header originates from a trusted SSO proxy/gateway befor... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-23869 A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0... | 7.5 | HIGH | β | 0 |
| CVE-2026-35476 InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user accou... | 7.2 | HIGH | β | 0 |
| CVE-2026-35477 InvenTree is an Open Source Inventory Management System. From 1.2.3 to 1.2.6, the fix for CVE-2026-27629 upgraded the PART_NAME_FORMAT validator to use jinja2.sandbox.SandboxedEnvironment. However, th... | 5.5 | MEDIUM | β | 0 |
| CVE-2026-39411 LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, the webapi authentication layer trusts a client-controlled X-lobe-chat-a... | 5.0 | MEDIUM | β | 0 |
| CVE-2026-39859 LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to renderFile() and parseFile(), ... | 7.5 | HIGH | β | 0 |
| CVE-2026-39860 Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically... | 9.0 | CRITICAL | β | 0 |
| CVE-2026-39881 Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands wh... | 5.0 | MEDIUM | β | 0 |
| CVE-2026-39882 OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a siz... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39888 PraisonAI is a multi-agent teams system. Prior to 1.5.115, execute_code() in praisonaiagents.tools.python_tools defaults to sandbox_mode="sandbox", which runs user code in a subprocess wrapped with a ... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-39889 PraisonAI is a multi-agent teams system. Prior to 4.5.115, the A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. The create_a2u_routes() function ... | 7.5 | HIGH | β | 0 |
| CVE-2026-39892 cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Pytho... | 9.8 | CRITICAL | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.