Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-33532 `yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of `yaml` on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-3530 Server-Side Request Forgery (SSRF) vulnerability in Drupal OpenID Connect / OAuth client allows Server Side Request Forgery.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0. | 4.3 | MEDIUM | β | 0 |
| CVE-2026-5630 A flaw has been found in assafelovic gpt-researcher up to 3.4.3. The impacted element is an unknown function of the file backend/server/app.py of the component Report API. This manipulation causes cro... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-27857 Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer ti... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-4971 A weakness has been identified in SourceCodester Note Taking App up to 1.0. This impacts an unknown function. This manipulation causes cross-site request forgery. The attack is possible to be carried ... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-4985 A vulnerability was identified in dloebl CGIF up to 0.5.2. This vulnerability affects the function cgif_addframe of the file src/cgif.c of the component GIF Image Handler. The manipulation of the argu... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-33534 EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows bypassing the intern... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-6796 A vulnerability was determined in Sanluan PublicCMS up to 6.202506.d. Affected is the function log_login of the file core/src/main/java/com/publiccms/controller/admin/LoginAdminController.java of the ... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-5031 A vulnerability was found in BichitroGan ISP Billing Software 2025.3.20. Impacted is an unknown function of the file /?_route=settings/users-view/ of the component Endpoint. The manipulation of the ar... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-4820 IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// ... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-33829 Exposure of sensitive information to an unauthorized actor in Windows Snipping Tool allows an unauthorized attacker to perform spoofing over a network. | 4.3 | MEDIUM | β | 0 |
| CVE-2026-33868 Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the `/web/*`... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-4002 The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8. This is due to missing nonce validation in the ajax_revoke_token() function whi... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-6293 The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in version 1.0. This is due to missing nonce validation on th... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-3139 The User Profile Builder β Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, ... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1541 The Avada (Fusion) Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1. This is due to the plugin's `fusion_get_post_custom_field(... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-5377 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that could have allowed an authenticated user to access titles of confidential or private issues in publ... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-41285 In OpenBSD through 7.8, the slaacd and rad daemons have an infinite loop when they receive a crafted ICMPv6 Neighbor Discovery (ND) option (over a local network) with length zero, because of an "nd_op... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-32620 Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, non-staff users could acc... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1917 Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass.This issue affects Login Disable: from 0.0.0 before 2.1.3. | 4.3 | MEDIUM | β | 0 |
| CVE-2026-33313 Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the co... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-33315 Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2F... | 4.3 | MEDIUM | β | 0 |
| CVE-2019-25682 CMSsite 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious HTML forms. Attackers can trick authenticated... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-5864 Heap buffer overflow in WebAudio in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium se... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-55268 HCL Aftermarket DPC is affected by Spamming Vulnerability which can allow the actor to excessive spamming can consume server bandwidth and processing resources which may lead to Denial of Service. | 4.3 | MEDIUM | β | 0 |
| CVE-2025-55273 HCL Aftermarket DPC is affected by Cross Domain Script Include vulnerability where an attacker using external scripts can tamper with the DOM, altering the content or behavior of the application. Mali... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-28859 The issue was addressed with improved memory handling. This issue is fixed in Safari 26.4, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. A malicious website may b... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-3225 The LearnPress β WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized deletion of quiz question answers due to a missing capability check in the delete_question_answer() function of... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-39469 Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Softaculous PageLayer pagelayer allows Retrieve Embedded Sensitive Data.This issue affects PageLayer: from n... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-39477 Missing Authorization vulnerability in Brainstorm Force CartFlows cartflows allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CartFlows: from n/a through <= 2.... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-4066 The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and includi... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-4141 The Quran Translations plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation in the quran_playlist_options... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-14595 GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that under certain conditions could have allowed an authenticat... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-20719 Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to prevent rendering of external SVGs on link embeds which allows unauthenticated users to crash the ... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-33290 WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user (including a custom role with zero cap... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-5315 A vulnerability was determined in Nothings stb up to 1.26. The affected element is the function stbtt__buf_get8 in the library stb_truetype.h of the component TTF File Handler. Executing a manipulatio... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-4330 The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to authorization bypass through user-controlled key in all versions up to, and including, 8.8.3. This is due to t... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-21783 HCL Traveler is affected by sensitive information disclosure.Β The application generates some error messages that provide detailed information about errors and failures, such as internal paths, file n... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-5542 A vulnerability was determined in code-projects Simple Laundry System 1.0. Impacted is an unknown function of the file /modstaffinfo.php of the component Parameter Handler. Executing a manipulation of... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-5541 A vulnerability was found in code-projects Simple Laundry System 1.0. This issue affects some unknown processing of the file /modmemberinfo.php of the component Parameter Handler. Performing a manipul... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-5539 A flaw has been found in code-projects Simple Laundry System 1.0. This affects an unknown part of the file /modifymember.php of the component Parameter Handler. This manipulation of the argument first... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-3211 Cross-Site Request Forgery (CSRF) vulnerability in Drupal Theme Negotiation by Rules allows Cross Site Request Forgery.This issue affects Theme Negotiation by Rules: from 0.0.0 before 1.2.1. | 4.3 | MEDIUM | β | 0 |
| CVE-2026-5535 A security flaw has been discovered in FedML-AI FedML up to 0.8.9. This impacts an unknown function of the file FileUtils.java of the component MQTT Message Handler. Performing a manipulation of the a... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-5533 A vulnerability was determined in badlogic pi-mono 0.58.4. The impacted element is an unknown function of the file packages/web-ui/src/tools/artifacts/SvgArtifact.ts of the component SVG Artifact Hand... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-5529 A vulnerability was detected in Dromara lamp-cloud up to 5.8.1. This vulnerability affects the function pageUser of the file /defUser/pageUser of the component DefUserController. Performing a manipula... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-2826 The Kadence Blocks β Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.3. This is due to the plugin not pro... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-5897 Incorrect security UI in Downloads in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML pa... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-4057 The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `makeMediaPublic()` and `makeMediaPrivate()` functions in all vers... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-31150 Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated attackers with only the shipping/receiving role to view the truck's dashboard resources. | 4.3 | MEDIUM | β | 0 |
| CVE-2026-35642 OpenClaw before 2026.3.25 contains an authorization bypass vulnerability where group reaction events bypass the requireMention access control mechanism. Attackers can trigger reactions in mention-gate... | 4.3 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.