CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2025-30508 Improper authorization in the Intel(R) Quick Assist Technology for some Intel(R) Platforms within Ring 0: Kernel may allow a denial of service. Unprivileged software adversary with an authenticated us... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-1602 SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-28217 hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the `userCollection` GraphQL query accepts an arbitrary collection ID and returns the full collection data — includin... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-28226 Phishing Club is a phishing simulation and man-in-the-middle framework. Prior to version 1.30.2, an authenticated SQL injection vulnerability exists in the GetOrphaned recipient listing endpoint in ve... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-20733 Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-20791 Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25846 In JetBrains YouTrack before 2025.3.119033 access tokens could be exposed in Mailbox logs | 6.5 | MEDIUM | — | 0 |
| CVE-2021-4456 Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact. The functions `addr2cidr` and `cidrlookup` may return leading zeros in a CIDR ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-22922 Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without having task log ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-24418 OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the bulk op... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-24417 OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the gl... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-24416 OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the ar... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-69216 OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an authenticated SQL injection vulnerability in OpenSTAManager's Scadenzario (Payment... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-1627 An attacker may exploit the use of outdated and weak MAC algorithms in the device's SSH service to potentially compromise the integrity of the SSH session, allowing manipulation of transmitted data if... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-34897 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David Lingren Media Library Assistant allows Stored XSS. This issue affects Media Library Assistant... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-0665 An off-by-one error was found in QEMU's KVM Xen guest support. A malicious guest could use this flaw to trigger out-of-bounds heap accesses in the QEMU process via the emulated Xen physdev hypercall i... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-70063 The 'Medical History' module in PHPGurukul Hospital Management System v4.0 contains an Insecure Direct Object Reference (IDOR) vulnerability. The application fails to verify that the requested 'viewid... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-70062 PHPGurukul Hospital Management System v4.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the 'Add Doctor' module. The application fails to enforce CSRF token validation on the add-doct... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-41763 A low-privileged remote attacker can directly interact with the wwwdnload.cgi endpoint to download any resource available to administrators, including system backups and certificate request files. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-35175 Ajenti is a Linux and BSD modular server admin panel. Prior to 2.2.15, an authenticated user (using the auth_users plugin authentication method) could install a custom package even if this user is not... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-23596 A vulnerability in the management API of the affected product could allow an unauthenticated remote attacker to trigger service restarts. Successful exploitation could allow an attacker to disrupt ser... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-30233 OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumera... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-11725 The Aruba HiSpeed Cache plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 3.0.2... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27777 Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27027 Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-39354 Scoold is a Q&A and a knowledge sharing platform for teams. Prior to 1.66.2, an authenticated authorization flaw in Scoold allows any logged-in, low-privilege user to overwrite another user's existing... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-27901 IBM DB2 Recovery Expert for LUW 5.5 Interim Fix 002 IBM Db2 Recovery Expert for Linux, UNIX and Windows is vulnerable to HTTP header injection, caused by improper validation of input by the HOST heade... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-0722 The Shield Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 21.0.8. This is due to the plugin allowing nonce verification to be bypassed ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25368 Missing Authorization vulnerability in codepeople Calculated Fields Form calculated-fields-form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Calculated Fi... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25372 Missing Authorization vulnerability in Kodezen LLC Academy LMS academy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Academy LMS: from n/a through <= 3.5.3... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25962 MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.4, MarkUs currently extracts zip files without any size or entry-count limits. For example, inst... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27770 Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-2452 Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-26361 Dell Unisphere for PowerMax, version(s) 10.2, contain(s) an External Control of File Name or Path vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerabili... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25689 An improper neutralization of argument delimiters in a command ('argument injection') vulnerability in Fortinet FortiDeceptor 6.2.0, FortiDeceptor 6.0 all versions, FortiDeceptor 5.3 all versions, For... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27058 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Podcast penci-podcast allows DOM-Based XSS. This issue affects Penci Podcast: fro... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-34832 Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.66.1, Scoold contains an authenticated authorization flaw in feedback deletion that allows any logged-in, low-privilege u... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-4309 Missing Authorization vulnerability in NEC Platforms, Ltd. Aterm Series allows an attacker to get specific device information and change the settings via network. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-29905 Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service (DoS) via a malformed image upload. The application fails to properly validate th... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-34737 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the StripeYPT plugin includes a test.php debug endpoint that is accessible to any logged-in user, not just administrators. Thi... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-2669 A vulnerability was determined in Rongzhitong Visual Integrated Command and Dispatch Platform up to 20260206. This impacts an unknown function of the file /dm/dispatch/user/delete of the component Use... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33983 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, progressive_decompress_tile_upgrade() detects a mismatch via progressive_rfx_quant_cmp_equal() but only emits ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-35631 OpenClaw before 2026.3.22 fails to enforce operator.admin scope on mutating internal ACP chat commands, allowing unauthorized modifications. Attackers without admin privileges can execute mutating con... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33676 Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all relate... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-34733 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33581 OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass loc... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-3756 A vulnerability exists in the command handling of the IEC 61850 communication stack included in the product revisions listed as affected in this CVE. An attacker with access to IEC 61850 networks coul... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-32964 SD-330AC and AMC Manager provided by silex technology, Inc. contain an improper neutralization of CRLF sequences ('CRLF Injection') vulnerability. Processing some crafted configuration data may lead t... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-5888 Uninitialized Use in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium secu... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-21004 Improper authentication in Smart Switch prior to version 3.7.69.15 allows adjacent attackers to trigger a denial of service. | 6.5 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.