Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-32328 Cross-Site Request Forgery (CSRF) vulnerability in shufflehound Lemmony lemmony allows Cross Site Request Forgery.This issue affects Lemmony: from n/a through < 1.7.1. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-2732 The Enable Media Replace plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'RemoveBackGroundViewController::load' function in all versi... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27411 Guessable CAPTCHA vulnerability in jp-secure SiteGuard WP Plugin siteguard allows Functionality Bypass.This issue affects SiteGuard WP Plugin: from n/a through <= 1.7.9. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-4542 A vulnerability has been found in SSCMS 4.7.0. The affected element is an unknown function of the file LayerImageController.Submit.cs of the component layerImage Endpoint. Such manipulation of the arg... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32511 Deserialization of Untrusted Data vulnerability in Mikado-Themes StΓ₯l stal allows Object Injection.This issue affects StΓ₯l: from n/a through < 1.7. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-39504 Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InstaWP Connect: from n/a thro... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-39614 Missing Authorization vulnerability in ilGhera JW Player for WordPress jw-player-7-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JW Player for WordP... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-20122 A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. To exploit this vulnerability, the atta... | 5.4 | MEDIUM | KEV | 0 |
| CVE-2026-6848 A flaw was found in Red Hat Quay. When Red Hat Quay requests password re-verification for sensitive operations, such as token generation or robot account creation, the re-authentication prompt can be ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-39635 Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Magazine grandmagazine allows Cross Site Request Forgery.This issue affects Grand Magazine: from n/a through <= 3.5.5. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-4790 The Premium Addons for Elementor β Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_svg' parameter in versions up to, and includ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-36766 Multiple authenticated cross-site scripting (XSS) vulnerabilities in the XssHttpServletRequestWrapper class of shopizer v3.2.5 allows attackers to execute arbitrary web scripts or HTML via injecting a... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-36756 A Server-Side Request Forgery (SSRF) in the /plugins/-/install-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-5077 The Total theme for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in versions up to, and including, 2.2.1 due to insufficient output escaping when rendering the_title() inside... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-33978 Notesnook is a note-taking app focused on user privacy & ease of use. Prior to version 3.3.17, a stored XSS vulnerability exists in the mobile share / web clip flow because attacker-controlled clip me... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32417 Missing Authorization vulnerability in wppochipp Pochipp pochipp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Pochipp: from n/a through < 1.18.9. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-6446 The My Social Feeds β Social Feeds Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 1.0.4 via the 'ttp_get_accounts' AJAX action. This ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32391 Missing Authorization vulnerability in linethemes SmartFix smartfix allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SmartFix: from n/a through < 1.2.4. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-2917 The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_duplicate_thing` admin action handler. Th... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-7500 When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully funct... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-41194 FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as `GET /mailbox/oauth-disconnect/{id}/{in_out}/{provider}`. ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32331 Missing Authorization vulnerability in Israpil Textmetrics webtexttool allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Textmetrics: from n/a through <= 3.6.4... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-2879 The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2. This is due to missing validation on the `id` parameter in the `create(... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-2505 The Categories Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.1, via the 'z_taxonomy_image' shortcode. This is due to the shortcode rend... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32373 Missing Authorization vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SMS Alert Order No... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32385 Missing Authorization vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32390 Missing Authorization vulnerability in linethemes Nanosoft nanosoft allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Nanosoft: from n/a through < 1.3.2. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-42421 OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket co... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32412 Server-Side Request Forgery (SSRF) vulnerability in Gift Up! Gift Up Gift Cards for WordPress and WooCommerce gift-up allows Server Side Request Forgery.This issue affects Gift Up Gift Cards for WordP... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-41916 OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32416 Missing Authorization vulnerability in bPlugins PDF Poster pdf-poster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PDF Poster: from n/a through <= 2.4.0. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32420 Cross-Site Request Forgery (CSRF) vulnerability in Ruben Garcia GamiPress gamipress allows Cross Site Request Forgery.This issue affects GamiPress: from n/a through <= 7.6.6. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32423 Missing Authorization vulnerability in Bowo Admin and Site Enhancements (ASE) admin-site-enhancements allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Admin a... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-6774 Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150 and Thunderbird 150. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-24906 October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-24907 October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the Event Log mail preview feature. When... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-40929 WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It d... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-41298 OpenClaw before 2026.4.2 fails to enforce write scopes on the POST /sessions/:sessionKey/kill endpoint in identity-bearing HTTP modes. Read-scoped callers can terminate running subagent sessions by se... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-33740 EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/importEml endpoint contains an Insecure Direct Object Reference (IDOR) vulne... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-40927 Docmost is open-source collaborative wiki and documentation software. Prior to 0.80.0, when leaving a comment on a page, it is possible to include a JavaScript URI as the link. When a user clicks on t... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-40923 Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Prior to 1.11.1, a validation bypass in the VolumeMount path restriction allows mounting volumes under restri... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-22019 Vulnerability in the PeopleSoft Enterprise HCM Shared Components product of Oracle PeopleSoft (component: Person Search). The supported version that is affected is 9.2. Easily exploitable vulnerabil... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-41356 OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-41344 OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway callers to persist admin-only verboseLevel session overrides. Attacke... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-34307 Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Workflow). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-1509 The Avada (Fusion) Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's `output_action_hook()` f... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-35232 Vulnerability in Oracle Fusion Middleware (component: Dynamic Monitoring Service). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low pri... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-34213 Docmost is open-source collaborative wiki and documentation software. Starting in version 0.3.0 and prior to version 0.71.0, improper authorization in Docmost allows a low-privileged authenticated use... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-34212 Docmost is open-source collaborative wiki and documentation software. In versions prior to 0.71.0, improper neutralization of attachment URLs in Docmost allows a low-privileged authenticated user to s... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-39367 WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly int... | 5.4 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.