Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-2505 The Categories Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.1, via the 'z_taxonomy_image' shortcode. This is due to the shortcode rend... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32390 Missing Authorization vulnerability in linethemes Nanosoft nanosoft allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Nanosoft: from n/a through < 1.3.2. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32412 Server-Side Request Forgery (SSRF) vulnerability in Gift Up! Gift Up Gift Cards for WordPress and WooCommerce gift-up allows Server Side Request Forgery.This issue affects Gift Up Gift Cards for WordP... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32416 Missing Authorization vulnerability in bPlugins PDF Poster pdf-poster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PDF Poster: from n/a through <= 2.4.0. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-42421 OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket co... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32420 Cross-Site Request Forgery (CSRF) vulnerability in Ruben Garcia GamiPress gamipress allows Cross Site Request Forgery.This issue affects GamiPress: from n/a through <= 7.6.6. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32423 Missing Authorization vulnerability in Bowo Admin and Site Enhancements (ASE) admin-site-enhancements allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Admin a... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-41916 OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-41344 OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway callers to persist admin-only verboseLevel session overrides. Attacke... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-39635 Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Magazine grandmagazine allows Cross Site Request Forgery.This issue affects Grand Magazine: from n/a through <= 3.5.5. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-34307 Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Workflow). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32511 Deserialization of Untrusted Data vulnerability in Mikado-Themes StΓ₯l stal allows Object Injection.This issue affects StΓ₯l: from n/a through < 1.7. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-39504 Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InstaWP Connect: from n/a thro... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27411 Guessable CAPTCHA vulnerability in jp-secure SiteGuard WP Plugin siteguard allows Functionality Bypass.This issue affects SiteGuard WP Plugin: from n/a through <= 1.7.9. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-41381 OpenClaw before 2026.3.31 contains an access control bypass vulnerability in the Discord voice manager that allows attackers to bypass channel-level member access allowlist restrictions. Attackers can... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-41376 OpenClaw before 2026.3.31 contains an allowlist bypass vulnerability in Matrix thread root and reply context handling that fails to properly validate message senders. Attackers can fetch thread-root a... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-3107 Stored Cross-Site Scripting (XSS) in Teampass versions prior to 3.1.5.16, affecting the password manager's password import functionality at the endpoint 'redacted/index.php?page=items'. The applicatio... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32859 ByteDance Deer-Flow versions prior to commit 5dbb362Β contain a stored cross-site scripting vulnerability in the artifacts API that allows attackers to execute arbitrary scripts by uploading malicious ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-2109 A vulnerability was identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file /api/undo/ of the component Delete Category Handler. Such manipulation of the argumen... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-33044 Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious n... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-30520 A Blind SQL Injection vulnerability exists in SourceCodester Loan Management System v1.0. The vulnerability is located in the ajax.php file (specifically the save_loan action). The application fails t... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-21631 Lack of output escaping leads to a XSS vector in the multilingual associations component. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-33628 Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Invoice line item descriptions in Invoice Ninja v5.13.0 bypass the XSS denylist filter, allowing s... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-39426 MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability where the frontend's MdRenderer.vue component parses custom <ifr... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-70033 An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-34848 hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability in the team member overflow tooltip via display name. This issue has been patched... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-2595 The Quads Ads Manager for Google AdSense plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.98.1 due to insufficient input sanitization and output ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-3106 Blind Cross-Site Scripting (XSS) in Teampass, versions prior to 3.1.5.16, within the password manager login functionality in the 'contraseΓ±a' parameter of the login form 'redacted/index.php'. During f... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32923 OpenClaw before 2026.3.11 contains an authorization bypass vulnerability in Discord guild reaction ingestion that fails to enforce member users and roles allowlist checks. Non-allowlisted guild member... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-33738 Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unesca... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-34574 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability g... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-21724 A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the requi... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-34071 Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. In version 2.7.3, the /api/v1/convert/eml/pdf endpoint with parameter downloadHtml=true ret... | 5.4 | MEDIUM | β | 0 |
| CVE-2024-23104 An exposure of sensitive information to an unauthorized actor vulnerability in Fortinet FortiNDR 7.6.0, FortiNDR 7.4.0 through 7.4.8, FortiNDR 7.2 all versions, FortiNDR 7.1 all versions, FortiNDR 7.0... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-33276 Stored cross-site scripting (XSS) in Checkmk 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to create hosts or services to execute arbitrary JavaScript in the browsers of other... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-21632 Lack of output escaping for article titles leads to XSS vectors in various locations. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-39425 MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability that allows authenticated users to inject arbitrary HTML and Jav... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-34624 Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environm... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-70936 Vtiger CRM 8.4.0 contains a reflected cross-site scripting (XSS) vulnerability in the MailManager module. Improper handling of user-controlled input in the _folder parameter allows a specially crafted... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32867 OPEXUS eComplaint before version 10.1.0.0 allows an unauthenticated attacker to obtain or guess an existing case number and upload arbitrary files via 'Portal/EEOC/DocumentUploadPub.aspx'. Users would... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-6583 A vulnerability has been found in TransformerOptimus SuperAGI up to 0.0.14. This affects the function delete_api_key/edit_api_key of the file superagi/controllers/api_key.py of the component API Key M... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27122 svelte performance oriented web framework. Prior to 5.51.5, when using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted in... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-25337 Cross-Site Request Forgery (CSRF) vulnerability in wpcoachify Coachify coachify allows Cross Site Request Forgery.This issue affects Coachify: from n/a through <= 1.1.5. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27147 GetSimple CMS is a content management system. All versions of GetSimple CMS are vulnerable to XSS through SVG file uploads. Authenticated users can upload SVG files via the administrative upload funct... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-59540 Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27248 Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts int... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-33303 OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 are vulnerable to stored cross-site scripting (XSS) via unescaped `po... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-39603 Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Photography grandphotography allows Cross Site Request Forgery.This issue affects Grand Photography: from n/a through <= 5.7.8. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-39607 Missing Authorization vulnerability in Wpbens Filter Plus filter-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Filter Plus: from n/a through <= 1.1.17... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27742 Bludit version 3.16.2 contains a stored cross-site scripting (XSS) vulnerability in the post content functionality. The application performs client-side sanitation of content input but does not enforc... | 5.4 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.