Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2021-4456 Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact. The functions `addr2cidr` and `cidrlookup` may return leading zeros in a CIDR ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-28769 A path traversal vulnerability exists in the /IDC_Logging/checkifdone.cgi script in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management portal version 10... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-1602 SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-2606 IBM webMethods API Gateway (on-prem) 10.11 through 10.11_Fix3210.15 to 10.15_Fix2711.1 to 11.1_Fix7 IBM webMethods API Management (on-prem) fails to properly validate user-supplied input passed to the... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-13616 IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 returns sensitive information in an HTTP response that could be used in further attacks against the system. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-21527 User interface (ui) misrepresentation of critical information in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-2303 The mongo-go-driver repositoryΒ contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incor... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-1626 An attacker may exploit the use of weak CBC-based cipher suites in the deviceβs SSH service to potentially observe or manipulate parts of the encrypted SSH communication, if they are able to intercept... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-36018 IBM Concert 1.0.0 through 2.1.0 for Z hub componentΒ is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that... | 6.5 | MEDIUM | β | 0 |
| CVE-2024-10938 The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. The files contain directives to prevent the execution of certain scripts while allowing execution of known ma... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-1495 The vulnerability, if exploited, could allow an attacker with Event Log Reader (S-1-5-32-573) privileges to obtain proxy details, including URL and proxy credentials, from the PI to CONNECT event log ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-26006 AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. The autogpt before 0.6.32 is vulnerable to Regular Expr... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-24488 OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, an arbitrary file exfiltration vulnerability in the fax ... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-47209 A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (Do... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-8303 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in EKA Software Computer Information Advertising Services Ltd. Real Estate Script V5 (With Dop... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27753 SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentication bypass vulnerability that allows remote attackers to perform unlimited login attempts against the management interf... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27754 SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 use the cryptographically broken MD5 hash function for session cookie generation, weakening session security. Attackers can exploit predictab... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-33089 IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information or perform unauthorized actions due to the use of hard coded user credentials. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27734 Beszel is a server monitoring platform. Prior to version 0.18.2, the hub's authenticated API endpoints GET /api/beszel/containers/logs and GET /api/beszel/containers/info pass the user-supplied "conta... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27793 Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the `GET /api/v1/user/:id` endpoint returns the full settings object for any user, inc... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-28354 ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, collection item operations are vulnerable to authorization flaws, allowing a normal authenticated user to modify ano... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-3255 HTTP::Session2 versions before 1.12 for Perl for Perl may generate weak session ids using the rand() function. The HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in ra... | 6.5 | MEDIUM | β | 0 |
| CVE-2018-25160 HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend. For example, if an appli... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-54148 A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (Do... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-2256 A command injection vulnerability in ModelScope's ms-agent versions v1.6.0rc1 and earlier exists, allowing an attacker to execute arbitrary operating system commands through crafted prompt-derived inp... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-1401 The Tune Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via CSV import in all versions up to, and including, 1.6.3. This is due to insufficient input sanitization and output... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-13463 The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Grid component in all versions up to, and including, 5.5.3 due to insufficient input sanitization a... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4279 The Bread & Butter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'breadbutter-customevent-button' shortcode in all versions up to, and including, 8.2.0.25. This is due to i... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1807 The InteractiveCalculator for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'interactivecalculator' shortcode in all versions up to, and including, 1.0.3... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-14149 The Xpro Addons β 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Scroller widget box link attribute in all versions up to, and incl... | 6.4 | MEDIUM | β | 0 |
| CVE-2022-50941 BootCommerce 3.2.1 contains persistent input validation vulnerabilities that allow remote attackers to inject malicious script code through guest order checkout input fields. Attackers can exploit unv... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-5820 The Zypento Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table of Contents block in all versions up to, and including, 1.0.6. This is due to the front-end TOC rende... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2362 The WP Accessibility plugin for WordPress is vulnerable to Stored DOM-Based Cross-Site Scripting via the 'alt' attribute of images processed by the "Long Description UI" feature in all versions up to,... | 6.4 | MEDIUM | β | 0 |
| CVE-2022-50951 WiFi File Transfer 1.0.8 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through file and folder names. Attackers can exploit the... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4353 The CI HUB Connector plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the `cihub_metadata` shortcode in all versions up to, and including, 1.2.106 due to ins... | 6.4 | MEDIUM | β | 0 |
| CVE-2022-50952 Banco Guayaquil 8.0.0 mobile iOS application contains a persistent cross-site scripting vulnerability in the TextBox Name Profile input. Attackers can inject malicious script code through a POST reque... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-12122 The Popup Box β Easily Create WordPress Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and including, 3.2.12 due... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-11737 The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vkExUnit_sns_title' parameter in all versions up to, and including, 9.112.3 due to insuffici... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-15267 The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_accordion_item shortcode in all versions up to, and including, 5.5.7 due to insufficient ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1822 The WP NG Weather plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ng-weather' shortcode in all versions up to, and including, 1.0.9 due to insufficient input saniti... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4076 The Slider Bootstrap Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'category' and 'template' shortcode attributes in all versions up to and including 1.0.7. This i... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-0742 The Smart Appointment & Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the saab_save_form_data AJAX action in all versions up to, and including, 1.0.7 due to insufficien... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1808 The Orange Confort+ accessibility toolbar for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' parameter of the ocplus_button shortcode in all versions up to... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-12803 The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bt_bb_tabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sani... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-13732 The s2Member β Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 's2... | 6.4 | MEDIUM | β | 0 |
| CVE-2019-25369 OPNsense 19.1 contains a stored cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject persistent malicious scripts via the tunable parameter. At... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1575 The Schema Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `itemscope` shortcode in all versions up to, and including, 1.0 due to insufficient input saniti... | 6.4 | MEDIUM | β | 0 |
| CVE-2019-25399 IPFire 2.21 Core Update 127 contains multiple stored cross-site scripting vulnerabilities in the extrahd.cgi script that allow attackers to inject malicious scripts through the FS, PATH, and UUID para... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2029 The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[labb_pricing_item]` shortcode's `title` and `value` attributes in all versions up to,... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1904 The Simple Wp colorfull Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in the 'accordion' shortcode in all versions up to, and including, 1.0 due... | 6.4 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.