Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-20112 A vulnerability in the web-based Cisco IOx application hosting environment management interface of Cisco IOS XE Software could allow an authenticated, remote attacker to conduct a stored cross-site sc... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-34831 Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Files#fail sets the Content-Length response header using String#size instead of String#bytesize. When th... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-31351 An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted pa... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-24147 NVIDIA Triton Inference Server contains a vulnerability in triton server where an attacker may cause an information disclosure by uploading a model configuration. A successful exploit of this vulnerab... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-35623 OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in webhook authentication that allows attackers to brute-force weak webhook passwords without throttling. Remote attackers can ... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-35635 OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that allows attackers to collapse multi-account configurations onto shared webhook path... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-1564 Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role. | 4.8 | MEDIUM | — | 0 |
| CVE-2026-35646 OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation that allows attackers to brute-force weak webhook secrets. The vulnerability exists ... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-32896 OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routi... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-1711 Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role. | 4.8 | MEDIUM | — | 0 |
| CVE-2025-52470 Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists in the session_category_add.php script. The vulnerability is caused by impro... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-31993 OpenClaw versions prior to 2026.2.22 contain an allowlist parsing mismatch vulnerability in the macOS companion app that allows authenticated operators to bypass exec approval checks. Attackers with o... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-26351 GetSimpleCMS Community Edition (CE) version 3.3.16 contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php. User-supplied input provid... | 4.8 | MEDIUM | — | 0 |
| CVE-2025-70973 ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSESSIONID session cookie to unauthenticated users and does not regenerate the session identifier after successful authentic... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-1726 IBM Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2, 4.2.1, 5.0, and 5.1 | 4.8 | MEDIUM | — | 0 |
| CVE-2026-25496 Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The... | 4.8 | MEDIUM | — | 0 |
| CVE-2025-50186 Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists due to insufficient sanitization of CSV filenames. An attacker can upload a ... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-28475 OpenClaw versions prior to 2026.2.13 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network ac... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-21291 Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-p... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-27128 Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validati... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-3242 In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vect... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-3241 In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms (e.g., a rogue ... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-3240 In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the Question field. The Concrete... | 4.8 | MEDIUM | — | 0 |
| CVE-2025-40895 A Stored HTML Injection vulnerability was discovered in the CMC's Sensor Map functionality due to improper validation on connected Guardians' properties. A malicious authenticated user with adminis... | 4.8 | MEDIUM | — | 0 |
| CVE-2025-41257 Suprema’s BioStar 2 in version 2.9.11.6 allows users to set new password without providing the current one. Exploiting this flaw combined with other vulnerabilities can lead to unauthorized account ac... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-3244 In Concrete CMS below version 9.4.8, A stored cross-site scripting (XSS) vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search resul... | 4.8 | MEDIUM | — | 0 |
| CVE-2025-0577 An insufficient entropy vulnerability was found in glibc. The getrandom and arc4random family of functions may return predictable randomness if these functions are called again after the fork, which h... | 4.8 | MEDIUM | — | 0 |
| CVE-2024-51225 A stored cross-site scripting (XSS) vulnerability in the component /admin/add-brand.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML vi... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-39812 A improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 al... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-1430 The WP Lightbox 2 WordPress plugin before 3.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks e... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-42041 Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype ... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-2485 IBM Infosphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI t... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-32065 OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in system.run where rendered command text is used as approval identity while trimming argv token whitespace, but... | 4.8 | MEDIUM | — | 0 |
| CVE-2025-10539 Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime updat... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-33751 n8n is an open source workflow automation platform. Prior to versions 1.123.27, 2.13.3, and 2.14.1, a flaw in the LDAP node's filter escape logic allowed LDAP metacharacters to pass through unescaped ... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-1001 Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators ... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-30568 A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in in the view_purchase.php file via the "limit" parameter. The application fails to saniti... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-2728 LibreNMS versions before 26.3.0 are affected by an authenticated Cross-site Scripting vulnerability on the showconfig page. Successful exploitation requires administrative privileges. Exploitation cou... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-22895 A cross-site scripting (XSS) vulnerability has been reported to affect QuFTP Service. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security me... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-40175 Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any ... | 4.8 | MEDIUM | — | 0 |
| CVE-2024-51224 Multiple cross-site scripting (XSS) vulnerabilities in the component /admin/edit-vehicle.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HT... | 4.8 | MEDIUM | — | 0 |
| CVE-2025-52648 HCL AION is affected by a vulnerability where offering images are not digitally signed. Lack of image signing may allow the use of unverified or tampered images, potentially leading to security risks ... | 4.8 | MEDIUM | — | 0 |
| CVE-2024-51223 A stored cross-site scripting (XSS) vulnerability in the component /admin/profile.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via ... | 4.8 | MEDIUM | — | 0 |
| CVE-2024-51222 A stored cross-site scripting (XSS) vulnerability in the component /admin/profile.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via ... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-3218 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Responsive Favicons allows Cross-Site Scripting (XSS).This issue affects Responsive Favicon... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-33542 Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to imag... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-31867 Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0, An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows use... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-29176 Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper ... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-27447 OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, CUPS daemon (cupsd) contains an authorization bypass vulnerability du... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-33598 A cached crafted response can cause an out-of-bounds read if custom Lua code calls getDomainListByAddress() or getAddressListByDomain() on a packet cache. | 4.8 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.