Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-3657 The My Sticky Bar plugin for WordPress is vulnerable to SQL injection via the `stickymenu_contact_lead_form` AJAX action in all versions up to, and including, 2.8.6. This is due to the handler using a... | 7.5 | HIGH | β | 0 |
| CVE-2026-25537 jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim (such as nbf or ... | 7.5 | HIGH | β | 0 |
| CVE-2026-25499 Terraform / OpenTofu Provider adds support for Proxmox Virtual Environment. Prior to version 0.93.1, in the SSH configuration documentation, the sudoer line suggested is insecure and can result in esc... | 7.5 | HIGH | β | 0 |
| CVE-2026-2890 The Formidable Forms plugin for WordPress is vulnerable to a payment integrity bypass in all versions up to, and including, 6.28. This is due to the Stripe Link return handler (`handle_one_time_stripe... | 7.5 | HIGH | β | 0 |
| CVE-2026-20119 A vulnerability in the text rendering subsystem of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an unauthenticated, remote attacker to cause a denial o... | 7.5 | HIGH | β | 0 |
| CVE-2026-24735 Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 1.7.1. An unauthenticated API endpoint incorrectly exposes... | 7.5 | HIGH | β | 0 |
| CVE-2025-15268 The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2.14.46. This is due to insufficien... | 7.5 | HIGH | β | 0 |
| CVE-2026-32364 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in redqteam Turbo Manager turbo-manager allows PHP Local File Inclusion.This issue... | 7.5 | HIGH | β | 0 |
| CVE-2026-32369 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Medilink-Core medilink-core allows PHP Local File Inclusion.This is... | 7.5 | HIGH | β | 0 |
| CVE-2026-25223 Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Ty... | 7.5 | HIGH | β | 0 |
| CVE-2020-37093 Netis E1+ 1.2.32533 contains an information disclosure vulnerability that allows unauthenticated attackers to retrieve WiFi passwords through the netcore_get.cgi endpoint. Attackers can send a GET req... | 7.5 | HIGH | β | 0 |
| CVE-2020-37092 Netis E1+ version 1.2.32533 contains a hardcoded root account vulnerability that allows unauthenticated attackers to access the device with predefined credentials. Attackers can leverage the embedded ... | 7.5 | HIGH | β | 0 |
| CVE-2026-32384 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magepeopleteam WpBookingly service-booking-manager allows PHP Local File Inclus... | 7.5 | HIGH | β | 0 |
| CVE-2026-32392 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Greenly greenly allows PHP Local File Inclusion.This issue aff... | 7.5 | HIGH | β | 0 |
| CVE-2026-32393 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Greenly Theme Addons greenly-addons allows PHP Local File Incl... | 7.5 | HIGH | β | 0 |
| CVE-2026-25614 Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5680. | 7.5 | HIGH | β | 0 |
| CVE-2026-32400 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemetechMount Boldman boldman allows PHP Local File Inclusion.This issue affec... | 7.5 | HIGH | β | 0 |
| CVE-2026-24773 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows unauthenticated ... | 7.5 | HIGH | β | 0 |
| CVE-2026-32426 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themelexus Medilazar Core medilazar-core allows PHP Local File Inclusion.This i... | 7.5 | HIGH | β | 0 |
| CVE-2026-1285 An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_h... | 7.5 | HIGH | β | 0 |
| CVE-2025-14550 An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple... | 7.5 | HIGH | β | 0 |
| CVE-2026-3045 The Appointment Booking Calendar β Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1.6.9.29. This is due to... | 7.5 | HIGH | β | 0 |
| CVE-2026-1947 The NEX-Forms β Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 9.1.9 via the submit_nex_form() functio... | 7.5 | HIGH | β | 0 |
| CVE-2026-2579 The WowStore β Store Builder & Product Blocks for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the βsearchβ parameter in all versions up to, and including, 4.4.3 due to insuffic... | 7.5 | HIGH | β | 0 |
| CVE-2026-20401 In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no ... | 7.5 | HIGH | β | 0 |
| CVE-2024-54263 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Talemy Spirit Framework allows PHP Local File Inclusion.This issue affects Spir... | 7.5 | HIGH | β | 0 |
| CVE-2026-1800 The Fonts Manager | Custom Fonts plugin for WordPress is vulnerable to time-based SQL Injection via the βfmcfIdSelectedFntβ parameter in all versions up to, and including, 1.2 due to insufficient esca... | 7.5 | HIGH | β | 0 |
| CVE-2026-2468 The Quentn WP plugin for WordPress is vulnerable to SQL Injection via the 'qntn_wp_access' cookie in all versions up to, and including, 1.2.12. This is due to insufficient escaping on the user supplie... | 7.5 | HIGH | β | 0 |
| CVE-2020-37041 OpenCTI 3.3.1 is vulnerable to a directory traversal attack via the static/css endpoint. An unauthenticated attacker can read arbitrary files from the filesystem by sending crafted GET requests with p... | 7.5 | HIGH | β | 0 |
| CVE-2020-37039 Frigate 2.02 contains a denial of service vulnerability that allows attackers to crash the application by sending oversized input to the command line interface. Attackers can generate a payload of 800... | 7.5 | HIGH | β | 0 |
| CVE-2020-37038 Code Blocks 20.03 contains a denial of service vulnerability that allows attackers to crash the application by manipulating input in the FSymbols search field. Attackers can paste a large payload of 5... | 7.5 | HIGH | β | 0 |
| CVE-2026-40870 Decidim is a participatory democracy framework. Starting in version 0.0.1 and prior to versions 0.30.5 and 0.31.1, the root level `commentable` field in the API allows access to all commentable resour... | 7.5 | HIGH | β | 0 |
| CVE-2020-37034 HelloWeb 2.0 contains an arbitrary file download vulnerability that allows remote attackers to download system files by manipulating filepath and filename parameters. Attackers can send crafted GET re... | 7.5 | HIGH | β | 0 |
| CVE-2026-40890 The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Processing a malformed input containing a < character that is not followed by a > characte... | 7.5 | HIGH | β | 0 |
| CVE-2026-22016 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u... | 7.5 | HIGH | β | 0 |
| CVE-2026-34282 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java ... | 7.5 | HIGH | β | 0 |
| CVE-2026-34320 Vulnerability in the Oracle Financial Services Customer Screening product of Oracle Financial Services Applications (component: User Interface). The supported version that is affected is 8.1.2.8.0. ... | 7.5 | HIGH | β | 0 |
| CVE-2026-35229 Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.30 and 21.3-21.21. Easily exploitable vulnerability allows unauthenticated attacker... | 7.5 | HIGH | β | 0 |
| CVE-2026-35231 Vulnerability in the Oracle Financial Services Transaction Filtering product of Oracle Financial Services Applications (component: User Interface). The supported version that is affected is 8.1.2.8.... | 7.5 | HIGH | β | 0 |
| CVE-2026-40938 Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 1.0.0 to before 1.11.0, the git resolver's revision parameter is passed directly as a positional argumen... | 7.5 | HIGH | β | 0 |
| CVE-2026-6857 A flaw was found in camel-infinispan. This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository. A remote attacker with low privileges could exploit this by s... | 7.5 | HIGH | β | 0 |
| CVE-2020-37015 Ruijie Networks Switch eWeb S29_RGOS 11.4 contains a directory traversal vulnerability that allows unauthenticated attackers to access sensitive configuration files by manipulating file path parameter... | 7.5 | HIGH | β | 0 |
| CVE-2020-36995 Mocha Telnet Lite for iOS 4.2 contains a denial of service vulnerability that allows attackers to crash the application by manipulating the user configuration input. Attackers can overwrite the 'User'... | 7.5 | HIGH | β | 0 |
| CVE-2026-23743 Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, permalinks pointing to access-restricted resources (private topics, categories, posts, ... | 7.5 | HIGH | β | 0 |
| CVE-2026-40164 jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table ope... | 7.5 | HIGH | β | 0 |
| CVE-2025-71000 An issue in the flow.cuda.BoolTensor component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 7.5 | HIGH | β | 0 |
| CVE-2025-70999 A GPU device-ID validation flaw in the flow.cuda.get_device_capability() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted device ID. | 7.5 | HIGH | β | 0 |
| CVE-2025-65891 A GPU device-ID validation flaw in OneFlow v0.9.0 allows attackers to trigger a Denial of Dervice (DoS) by invoking flow.cuda.get_device_properties() with an invalid or negative device index. | 7.5 | HIGH | β | 0 |
| CVE-2026-30994 Incorrect access control in the config.php component of Slah v1.5.0 and below allows unauthenticated attackers to access sensitive information, including active session credentials. | 7.5 | HIGH | β | 0 |
| CVE-2026-30996 An issue in the file handling logic of the component download.php of SAC-NFe v2.0.02 allows attackers to execute a directory traversal and read arbitrary files from the system via a crafted GET reques... | 7.5 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.