Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2019-25403 Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the comment parameter. At... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-13738 The Easy Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ez-toc` shortcode in all versions up to, and including, 2.0.78 due to insufficient input ... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-13732 The s2Member β Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 's2... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-13617 The Apollo13 Framework Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the βa13_alt_linkβ parameter in all versions up to, and including, 1.9.8 due to insufficient inp... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-13612 The Album and Image Gallery plus Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `aigpl-gallery-album` shortcode in all versions up to, and including, 2.1.7... | 6.4 | MEDIUM | β | 0 |
| CVE-2019-25404 Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input through admin management par... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-28800 Natro Macro is an open-source Bee Swarm Simulator macro written in AutoHotkey. Prior to version 1.1.0, anyone with Discord Remote Control set up in a non-private channel gives access to any user with ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1614 The Rise Blocks β A Complete Gutenberg Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the βlogoTagβ Site Identity block attribute in all versions up to, and includi... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-13048 The StatCounter β Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user's Nickname in all versions up to, and including, 2.1.0 due to insufficient... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1236 The Envira Gallery for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'justified_gallery_theme' parameter in all versions up to, and including, 1.12.3 due to insuf... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-28682 Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload stat... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2367 The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ays_block' shortcode in all versions up to, and including, 5.... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2486 The Master Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ma_el_bh_table_btn_text' parameter in versions up to, and including, 2.1.1 due to insufficien... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-28343 CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Starting in version 29.0.0 and prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has been discovered in t... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-28558 wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows authenticated subscribers to upload SVG files as profile avatars through the avatar upload functionality. Attackers... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-14149 The Xpro Addons β 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Scroller widget box link attribute in all versions up to, and incl... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-14040 The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Call to Action' custom fields in all versions up to, and including, 13.4. Thi... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2029 The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[labb_pricing_item]` shortcode's `title` and `value` attributes in all versions up to,... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2384 The Quiz Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `vc_quizmaker` shortcode in all versions up to, and including, 6.7.1.7 due to insufficient input sanit... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1373 The Easy Author Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author_profile_picture_url' parameter in all versions up to, and including, 1.7 due to insufficient inp... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2362 The WP Accessibility plugin for WordPress is vulnerable to Stored DOM-Based Cross-Site Scripting via the 'alt' attribute of images processed by the "Long Description UI" feature in all versions up to,... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-27473 SPIP before 4.4.9 allows Stored Cross-Site Scripting (XSS) via syndicated sites in the private area. The #URL_SYNDIC output is not properly sanitized on the private syndicated site page, allowing an a... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-69674 Buffer Overflow vulnerability in CDATA FD614GS3-R850 V3.2.7_P161006 (Build.0333.250211) allows an attacker to execute arbitrary code via the node_mac, node_opt, opt_param, and domainblk parameters of ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-20438 In MAE, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interacti... | 6.4 | MEDIUM | β | 0 |
| CVE-2019-25448 OrientDB 3.0.17 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating users with script payloads in the name parameter. Attac... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-14983 The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output ... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-12448 The Smartsupp β live chat, AI shopping assistant and chatbots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in all versions up to, and including, 3.9.1 due... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-12375 The Printful Integration for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.11 via the advanced size chart REST API endpoint. T... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-14142 The Electric Enquiries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button' parameter of the electric-enquiry shortcode in all versions up to, and including, 1.1 due to i... | 6.4 | MEDIUM | β | 0 |
| CVE-2019-25399 IPFire 2.21 Core Update 127 contains multiple stored cross-site scripting vulnerabilities in the extrahd.cgi script that allow attackers to inject malicious scripts through the FS, PATH, and UUID para... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-14851 The YaMaps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `yamap` shortcode parameters in all versions up to, and including, 0.6.40 due to insufficient input s... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-12117 The Renden theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. T... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-12116 The Drift theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. Th... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-27810 calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, an HTTP Response Header Injection vulnerability in the calibre Content Serv... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-14445 The Image Hotspot by DevVN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hotspot_content' custom field meta in all versions up to, and including, 1.2.9 due to insufficient... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-27605 Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the application allows uploading files (project l... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-29786 node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target suc... | 6.3 | MEDIUM | β | 0 |
| CVE-2025-13687 IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 could allow an authenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user sup... | 6.3 | MEDIUM | β | 0 |
| CVE-2025-13688 IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 could allow an authenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user sup... | 6.3 | MEDIUM | β | 0 |
| CVE-2025-11950 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in KNOWHY Advanced Technology Trading Ltd. Co. EduAsist allows Reflected XSS.This issue affect... | 6.3 | MEDIUM | β | 0 |
| CVE-2025-13327 A flaw was found in uv. This vulnerability allows an attacker to execute malicious code during package resolution or installation via specially crafted ZIP (Zipped Information Package) archives that e... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-1200 A flaw was found in the rgaufman/live555 fork of live555. A remote attacker could exploit a segmentation fault, in the `increaseBufferTo` function. This vulnerability can lead to memory corruption pro... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-2435 Tanium addressed a SQL injection vulnerability in Asset. | 6.3 | MEDIUM | β | 0 |
| CVE-2026-22268 Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Incorrect Privilege Assignment vulnerability. A low privileged attacker with remote access could potentially exploit this vulne... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-3263 A vulnerability was found in go2ismail Asp.Net-Core-Inventory-Order-Management-System up to 9.20250118. Affected by this vulnerability is an unknown functionality of the file /api/Security/ of the com... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-3484 A vulnerability was detected in PhialsBasement nmap-mcp-server up to bee6d23547d57ae02460022f7c78ac0893092e38. Affected by this issue is the function child_process.exec of the file src/index.ts of the... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-28509 LangBot is a global IM bot platform designed for LLMs. Prior to version 4.8.7, LangBotβs web UI renders user-supplied raw HTML using rehypeRaw, which can lead to a cross-site scripting (XSS) vulnerabi... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-28361 NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-27127 Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMSβs GraphQL Asset mutation performs DNS resolution separa... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-27113 Liquid Prompt is an adaptive prompt for Bash and Zsh. Starting in commit cf3441250bb5d8b45f6f8b389fcdf427a99ac28a and prior to commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c on the master branch, arb... | 6.3 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.