Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-3098 The Smart Slider 3 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.5.1.33 via the 'actionExportAll' function. This makes it possible for authenticated... | 6.5 | MEDIUM | β | 0 |
| CVE-2024-14028 Use after free vulnerability in Softing smartLink HW-DP or smartLink HW-PN webserver allows HTTP DoS. This issue affects: smartLink HW-DP: through 1.31 smartLink HW-PN: before 1.02. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33907 Ella Core is a 5G core designed for private networks. Versions prior to 1.7.0 panic when processing Authentication Response and Authentication Failure NAS message missing IEs. An attacker able to send... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34389 Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated again... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-20083 A vulnerability in the Secure Copy Protocol (SCP) server feature of Cisco IOS XE Software could allow an authenticated, local attacker with low privileges to cause a denial of service (DoS) condition ... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-14915 IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty is affected by privilege escalation. A privileged user could gain additional access to the... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33931 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference (IDOR) vulnerability in the patie... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-14807 IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to HTTP header injection, caused by improper validation of input by the HOSTΒ headers. This could allow an attacker to conduct ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33730 Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vulner... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33495 ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Ory Oathkeeper is often deployed behind other components... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33469 Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration throug... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-5905 Incorrect security UI in Permissions in Google Chrome on Windows prior to 147.0.7727.55 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Low) | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32491 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jgwhite33 WP Review Slider wp-facebook-reviews allows Stored XSS.This issue affects WP Review Slid... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32490 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jgwhite33 WP TripAdvisor Review Slider wp-tripadvisor-review-slider allows Stored XSS.This issue a... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-31914 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hookandhook WP Courses LMS wp-courses allows DOM-Based XSS.This issue affects WP Courses LMS: from... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33474 Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation lets an attack... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-1101 GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to cause denial o... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25469 Missing Authorization vulnerability in ViaBill for WooCommerce ViaBill – WooCommerce viabill-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affect... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25465 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople CP Multi View Event Calendar cp-multi-view-calendar allows Stored XSS.This issue affec... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32937 free5GC is an open source 5G core network. free5GC CHF prior to version 1.2.2 has an out-of-bounds slice access vulnerability in the CHF `nchf-convergedcharging` service. A valid authenticated request... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25437 Missing Authorization vulnerability in Ψ³ΫΨ― Ω ΨΩ Ψ―Ψ§Ω ΫΩ ΩΨ§Ψ΄Ω Ϋ GZSEO gzseo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GZSEO: from n/a through <= 2.0.14. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25430 Missing Authorization vulnerability in CRM Perks Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms cf7-mailchimp allows Exploiting Incorrectly Configured Access Control Sec... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25344 Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in RadiusTheme Review Schema review-schema allows Retrieve Embedded Sensitive Data.This issue affects Review Sc... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-39943 Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due t... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25327 Missing Authorization vulnerability in Rustaurius Five Star Restaurant Reservations restaurant-reservations allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects F... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25034 Missing Authorization vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KiviCare: fro... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25937 GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-4927 Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request. This i... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-2582 The The Germanized for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution via 'account_holder' parameter in all versions up to, and including, 3.20.5. This is due to the s... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33153 Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the Recipe API endpoint exposes a hidden `?debug=true` query parameter ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-35492 Kedro-Datasets is a Kendo plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dat... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34264 During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low privileges could guess and enumerate the ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32022 OpenClaw versions prior to 2026.2.21 contain a stdin-only policy bypass vulnerability in the grep tool within tools.exec.safeBins that allows attackers to read arbitrary files by supplying a pattern v... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34261 Due to a missing authorization check in SAP Business Analytics and SAP Content Management, an authenticated user could make unauthorized calls to certain remote function modules, potentially accessing... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32021 OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the Feishu allowFrom allowlist implementation that accepts mutable sender display names instead of enforcing ID-on... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33580 OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-39482 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PublishPress Post Expirator post-expirator allows DOM-Based XSS.This issue affects Post Expirator:... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-5025 The '/logs' and '/logs-stream' endpoints in the log router allow any authenticated user to read the full application log buffer. These endpoints only require basic authentication ('get_current_active_... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33576 OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization. Unauthorized senders can force network fetches and disk writes to the media stor... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33355 Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `/private-posts` endpoint did not apply post-type visibility filtering, allowing regul... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27679 Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without prope... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27678 Due to missing authorization checks in the SAP S/4HANA backend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27677 Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Reference Equipment), an attacker could update and delete child entities via OData services without proper authorization. T... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32818 Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the forum module in Admidio does not verify whether the current user has permission to delete forum topics or posts... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-23484 Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the fileName parameter is not filtered, allowing path traversal to write files anywhere on the file system. Moreover... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-14545 The YML for Yandex Market WordPress plugin before 5.0.26 is vulnerable to Remote Code Execution via the feed generation process. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-24987 Missing Authorization vulnerability in activity-log.com WP System Log winterlock allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP System Log: from n/a thro... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-4432 The YITH WooCommerce Wishlist WordPress plugin before 4.13.0 does not properly validate wishlist ownership in the save_title() AJAX handler before allowing wishlist renaming operations. The function o... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33531 InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template engine allows a staff-level user to read arbitrary files from the... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33314 pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external ... | 6.5 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.