Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-40037 OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGuard that allows unsafe request bodies to be resent across cross-origin redirects. Attacke... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27677 Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Reference Equipment), an attacker could update and delete child entities via OData services without proper authorization. T... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27678 Due to missing authorization checks in the SAP S/4HANA backend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27679 Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without prope... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-24364 Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a th... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34897 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David Lingren Media LIbrary Assistant allows Stored XSS.This issue affects Media LIbrary Assistant... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-2375 The App Builder β Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.10. This is due to the `verify_rol... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-28844 A file access issue was addressed with improved input validation. This issue is fixed in macOS Tahoe 26.4. An attacker may gain access to protected parts of the file system. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-20110 A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability exists becaus... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32033 OpenClaw versions prior to 2026.2.24 contain a path traversal vulnerability where @-prefixed absolute paths bypass workspace-only file-system boundary validation due to canonicalization mismatch. Atta... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33033 An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Tr... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-24370 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Theme-one The Grid the-grid allows Stored XSS.This issue affects The Grid: from n/a through < 2.8.... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25390 Missing Authorization vulnerability in Saad Iqbal New User Approve new-user-approve allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects New User Approve: from n/... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25417 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities allows Stored XSS.This iss... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-2377 A flaw was found in mirror-registry. Authenticated users can exploit the log export feature by providing a specially crafted web address (URL). This allows the application's backend to make arbitrary ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-35173 Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, an IDOR / Mass Assignment issue exists in the Post model that allows authenticated users with post editing permissions (Edit Post,... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-14790 IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 could allow an attacker to obtain sensitive information due to insufficiently protected credentials. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-1865 The User Registration & Membership β Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to SQL Injec... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33541 TSPortal is the WikiTide Foundationβs in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal all... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33743 Incus is a system container and virtual machine manager. Prior to version 6.23.0, a specially crafted storage bucket backup can be used by an user with access to Incus' storage bucket feature to crash... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33528 GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at `/api/v1/file/content` is vulnerable to path traversal. The `filename` ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34733 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-1900 The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-4079 The SQL Chart Builder WordPress plugin before 2.3.8 does not properly escape user input as it is concatened to SQL queries, making it possible for attackers to conduct SQL Injection attacks against th... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-28282 Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creati... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-26136 Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to disclose information over a network. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-29108 SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed in... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32889 tinytag is a Python library for reading audio file metadata. Version 2.2.0 allows an attacker who can supply MP3 files for parsing to trigger a non-terminating loop while the library parses an ID3v2 S... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33304 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the dated reminders log allows any authenticated n... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-3021 Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/centro/equipo/empleado'. This vulnerability could allow an authenticate... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-55043 MuraCMS through 10.1.10 contains a CSRF vulnerability in the bundle creation functionality (csettings.cfc createBundle method) that allows unauthenticated attackers to force administrators to create a... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-39666 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in telepathy Hello Bar Popup Builder hellobar allows DOM-Based XSS.This issue affects Hello Bar Popup... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33428 Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a non-staff user with elevated group membership could access deleted posts belonging to an... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-39368 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-sid... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-39374 Plane is an an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member (ADMIN or MEMBER) to modify the start_date and target_date of ANY issue acro... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-39482 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PublishPress Post Expirator post-expirator allows DOM-Based XSS.This issue affects Post Expirator:... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-39636 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in livemesh Livemesh Addons for Elementor addons-for-elementor allows Stored XSS.This issue affects L... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32053 OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-39633 Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Car Rental grandcarrental allows Cross Site Request Forgery.This issue affects Grand Car Rental: from n/a through <= 3.6.9. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-39639 Missing Authorization vulnerability in redpixelstudios RPS Include Content rps-include-content allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RPS Include Co... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-39641 Cross-Site Request Forgery (CSRF) vulnerability in Skywarrior Blackfyre blackfyre allows Cross Site Request Forgery.This issue affects Blackfyre: from n/a through <= 2.5.4. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-2351 The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.0.2 via the callback_get_text_from_url() function. This makes it possible for authent... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32027 OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly eligible for group allowlist authorization checks. Attackers can ex... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-2503 The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection via the 'meta_query[compare]' parameter in the 'tcg_select2_search_post' AJAX action in all versions up to, and including... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-2720 The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee data due to a missing capability check on the `hrp-fetch-employees` AJAX action in all versions up to,... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25937 GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-26004 Sentry is a developer-first error tracking and performance monitoring tool. Versions prior to 26.1.0 have a cross-organization Insecure Direct Object Reference (IDOR) vulnerability in Sentry's GroupEv... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32758 File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.2 and below are vulnerable to Path Traversal thro... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32761 File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.0 and below contain a permission enforcement bypa... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32818 Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the forum module in Admidio does not verify whether the current user has permission to delete forum topics or posts... | 6.5 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.