Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-32893 Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting (XSS) vulnerability in the exercise question list admin panel allows an attacker to execute arbitrary... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32607 Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, when the hidden prioritiz... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-4324 A flaw was found in the Katello plugin for Red Hat Satellite. This vulnerability, caused by improper sanitization of user-provided input, allows a remote attacker to inject arbitrary SQL commands into... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-34749 Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the authentication flow. Under certain condit... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-2595 The Quads Ads Manager for Google AdSense plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.98.1 due to insufficient input sanitization and output ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-34848 hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability in the team member overflow tooltip via display name. This issue has been patched... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-41318 AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, AnythingLLM's in-chat markdown renderer has an unsa... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32273 Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, updating a category descr... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-5026 The '/api/v1/files/images/{flow_id}/{file_name}' endpoint serves SVG files with the 'image/svg+xml' content type without sanitizing their content. Since SVG files can contain embedded JavaScript, an ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-41233 Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling rese... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-35602 Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the Vikunja file import endpoint uses the attacker-controlled Size field from the JSON metadata inside the import zip in... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-2973 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to execute arb... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-35600 Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown spe... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-38948 Cross-Site Scripting (XSS) vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privi... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-4065 The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple wp_ajax_smart-slider3 controller actions in all versi... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-25100 Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its image upload functionality. An authenticated attacker with content upload privileges (such as Author, Editor, or Administrator) can upl... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-24069 Kiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application. Kiuwan Cloud was affected, and Kiuwan SAST on-pre... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-40112 PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The _sanitize_html function relie... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-40098 Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Pri... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-40212 OpenStack Skyline before 5.0.1, 6.0.0, and 7.0.0 has a DOM-based Cross-Site Scripting (XSS) vulnerability in the console because document.write is used unsafely, which is relevant in scenarios where a... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-2957 A weakness has been identified in qinming99 dst-admin up to 1.5.0. This impacts the function deleteBackup of the file src/main/java/com/tugos/dst/admin/controller/BackupController.java of the componen... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-35620 OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the /send and /allowlist chat command handlers. The /send command allows non-owner command-authorized senders to change owne... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-33742 Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stor... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-25720 A vulnerability exists inΒ SenseLive X3050βs web management interface due to improper session lifetime enforcement, allowing authenticated sessions to remain active for extended periods without requir... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-6201 A vulnerability was identified in CodeAstro Online Job Portal 1.0. The impacted element is an unknown function of the file /jobs/job-delete.php of the component Delete Job Posting Handler. Such manipu... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-35565 Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI Versions Affected: before 2.8.6 Description: The Storm UI visualization component interpolates topology metad... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-4274 Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to restrict team-level access when processing membership sync from a remote cluster, which allows a m... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-33411 Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a potential stored XSS in topic titles for the solved posts stream. Versions 2026.3.0-... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-33291 Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, moderators can create Zendesk tickets for topics they do not have access to view. This aff... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-41382 OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord voice ingress that allows attackers to bypass channel and member allowlist restrictions. Attackers can exploit stale... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-2551 A vulnerability was determined in ZenTao up to 21.7.8. Affected by this vulnerability is the function delete of the file editor/control.php of the component Backup Handler. This manipulation of the ar... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32243 Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an attacker with the abil... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-20108 A vulnerability in the web-based management interface of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of th... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-33312 Vikunja is an open-source self-hosted task management platform. Starting in version 0.20.2 and prior to version 2.2.0, the `DELETE /api/v1/projects/:project/background` endpoint checks `CanRead` permi... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-14912 IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system,... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-4332 GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that, in customizable analytics dashboards, could have allowed ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-26352 Smoothwall Express versions prior to 3.1 Update 13 contain a stored cross-site scripting vulnerability in the /cgi-bin/vpnmain.cgi script due to improper sanitation of the VPN_IP parameter. Authentica... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-3212 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.4... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-30527 A Stored Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Category management module within the admin panel. The application fails to properly ... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-15445 The Restaurant Cafeteria WordPress theme through 0.4.6 exposes insecure admin-ajax actions without nonce or capability checks, allowing any logged-in user, like subscriber, to perform privileged opera... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-3215 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Islandora allows Cross-Site Scripting (XSS).This issue affects Islandora: from 0.0.0 before... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-70365 A stored cross-site scripting (XSS) vulnerability exists in Kiamo before 8.4 due to improper output encoding of user-supplied input in administrative interfaces. An authenticated administrative user c... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-31313 An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted pa... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-31354 Multiple authenticated stored cross-site scripting (XSS) vulnerabilities in the Permissions module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-31353 An authenticated stored cross-site scripting (XSS) vulnerability in the Category module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload in... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-31352 An authenticated stored cross-site scripting (XSS) vulnerability in the Role Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted pay... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-34475 Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mishandle URLs with a path of / for HTTP/1.1, potentially leading to cache poisoning or auth... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-66168 WARNING: Users of 6.x should upgrade to 6.2.4 or later as the fix was missed in previous 6.x releases. See theΒ following for more details: https://activemq.apache.org/security-advisories.data/CVE-... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-34247 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Live/uploadPoster.php` endpoint allows any authenticated user to overwrite the poster image for any sche... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-20114 A vulnerability in the Lobby Ambassador web-based management API of Cisco IOS XE Software could allow an authenticated, remote attacker to elevate their privileges and access management APIs that woul... | 5.4 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.