Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-4252 A vulnerability was identified in Tenda AC8 16.03.50.11. Affected by this issue is the function check_is_ipv6 of the component IPv6 Handler. The manipulation leads to reliance on ip address for authen... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-31843 The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment ... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-30314 Ridvay Code's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on fragile reg... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-31283 In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address. which can be used for an Email Bombing attack. NOTE: the Supplier's position is... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-22563 A series of Improper Input Validation vulnerabilities could allow a Command Injection by a malicious actor with access to the UniFi Play network. Affected Products: UniFi Play PowerAmp (Version 1.0.... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-22564 An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to enable SSH to make unauthorized changes to the system.β¨ Affected Products: UniFi Play ... | 9.8 | CRITICAL | β | 0 |
| CVE-2024-33434 An issue in tiagorlampert CHAOS v5.0.1 before 1b451cf62582295b7225caf5a7b506f0bad56f6b and 24c9e109b5be34df7b2bce8368eae669c481ed5e allows a remote attacker to execute arbitrary code via the unsafe co... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-27852 Deserialization of Untrusted Data vulnerability in CheckboxWeb.dll of Checkbox Survey allows an unauthenticated remote attacker to execute arbitrary code. This issue affects: Checkbox Survey versions ... | 9.8 | CRITICAL | KEV | 0 |
| CVE-2025-61260 A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP (Model Context Protocol) configuration files. The attack is triggered when a use... | 9.8 | CRITICAL | β | 0 |
| CVE-2012-0391 The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows... | 9.8 | CRITICAL | KEV | 0 |
| CVE-2001-1125 Symantec LiveUpdate before 1.6 does not use cryptography to ensure the integrity of download files, which allows remote attackers to execute arbitrary code via DNS spoofing of the update.symantec.com ... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-31657 In the Linux kernel, the following vulnerability has been resolved: batman-adv: hold claim backbone gateways by reference batadv_bla_add_claim() can replace claim->backbone_gw and drop the old gatew... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-7202 A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setWiFiWpsStart of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-7152 A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulati... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-7203 A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setUrlFilterRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipula... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-7204 A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setPptpServerCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulatio... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-7121 A flaw has been found in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument w... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-7153 A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setMiniuiHomeInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. P... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-31478 In the Linux kernel, the following vulnerability has been resolved: ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len() After this commit (e2b76ab8b5c9 "ksmbd: add suppo... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-7122 A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This impacts the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the arg... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-33942 Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token st... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-7123 A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the a... | 9.8 | CRITICAL | β | 0 |
| CVE-2020-1938 When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HT... | 9.8 | CRITICAL | KEV | 0 |
| CVE-2021-37415 Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication. | 9.8 | CRITICAL | KEV | 0 |
| CVE-2026-7124 A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. Affected by this vulnerability is the function setIpv6LanCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Exec... | 9.8 | CRITICAL | β | 0 |
| CVE-2019-0708 A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially... | 9.8 | CRITICAL | KEV | 0 |
| CVE-2026-41264 Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the CSV_Agents class. The issue results from ... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-41462 ProjeQtor versions 7.0 through 12.4.3 contain an unauthenticated SQL injection vulnerability in the login functionality where the login variable is directly concatenated into a SQL query without param... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-31501 In the Linux kernel, the following vulnerability has been resolved: net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path cppi5_hdesc_get_psdata() returns a pointer into the CPPI d... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-23428 In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free of share_conf in compound request smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without v... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-7136 A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. Affected by this issue is the function setDmzCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a mani... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-26830 pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to i... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-7137 A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setStorageCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulat... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-31436 In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc() At the end of this function, d is the traversal cu... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-7139 A flaw has been found in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setWiFiAclRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the a... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-7140 A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function CsteSystem of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argu... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-22681 Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key to verify Logix controllers are communicating with Rockwell Automation CompactLo... | 9.8 | CRITICAL | KEV | 0 |
| CVE-2024-47552 Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): from 2.0.0 before 2.2.0. Severity Justification: The Apache Seata... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-7138 A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setNtpCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation ... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-39087 An issue in Ntfy ntfy.sh before v.2.21 allows a remote attacker to execute arbitrary code via the parseActions function | 9.8 | CRITICAL | β | 0 |
| CVE-2025-50229 Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-41460 SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized befor... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-41176 Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate g... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-41676 rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.27 to before 0.10.78, Deriver::derive (and PkeyCtxRef::derive) sets len = buf.len() and passes it as the in/out leng... | 9.8 | CRITICAL | β | 0 |
| CVE-2018-25270 ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can cr... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-6156 A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setIpQosRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipula... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-6155 A weakness has been identified in Totolink A7100RU 7.4cu.2313. The impacted element is the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-6139 A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function UploadOpenVpnCert of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-6138 A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setAccessDeviceCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-7037 A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulati... | 9.8 | CRITICAL | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.