Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-3571 The Pie Register β User Registration, Profiles & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pie_main() functio... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-1900 The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-4079 The SQL Chart Builder WordPress plugin before 2.3.8 does not properly escape user input as it is concatened to SQL queries, making it possible for attackers to conduct SQL Injection attacks against th... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-21886 OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.9.1, the GraphQL mutations "IndividualDeletionDeleteMutation" is intended to all... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-2503 The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection via the 'meta_query[compare]' parameter in the 'tcg_select2_search_post' AJAX action in all versions up to, and including... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-26136 Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to disclose information over a network. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-1865 The User Registration & Membership β Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to SQL Injec... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-1672 The BEAR β Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. T... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27877 When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encoura... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-23484 Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the fileName parameter is not filtered, allowing path traversal to write files anywhere on the file system. Moreover... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-3138 The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check in all versions up to, and including, 3.1.2. This is due to the... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32818 Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the forum module in Admidio does not verify whether the current user has permission to delete forum topics or posts... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-5330 A vulnerability was found in SourceCodester/mayuri_k Best Courier Management System 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=delete_user of the component ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32733 Halloy is an IRC application written in Rust. Prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, the DCC receive flow did not sanitize filenames from incoming `DCC SEND` requests. A remote IRC ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32483 Missing Authorization vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form Email... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32489 Missing Authorization vulnerability in bPlugins B Blocks b-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects B Blocks: from n/a through < 2.0.30. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-3079 The LearnDash LMS plugin for WordPress is vulnerable to blind time-based SQL Injection via the 'filters[orderby_order]' parameter in the 'learndash_propanel_template' AJAX action in all versions up to... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33541 TSPortal is the WikiTide Foundationβs in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal all... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32697 SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by modul... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-30662 ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creat... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33029 Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, an input validation vulnerability in the logrotate configuration allows an authenticated user to cause a complete Den... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33952 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, an unvalidated auth_length field read from the network triggers a WINPR_ASSERT() failure in rts_read_auth_veri... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25627 NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQβs MQTT-over-WebSocket transport can be crashed by sending an MQTT packet with a deliberately large... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33281 Ella Core is a 5G core designed for private networks. Versions prior to 1.6.0 panic when processing NGAP messages with invalid PDU Session IDs outside of 1-15. An attacker able to send crafted NGAP me... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33283 Ella Core is a 5G core designed for private networks. Versions prior to 1.6.0 panic when processing malformed UL NAS Transport NAS messages without a Request Type. An attacker able to send crafted NAS... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33314 pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-2412 The Quiz and Survey Master (QSM) plugin for WordPress is vulnerable to SQL Injection via the 'merged_question' parameter in all versions up to, and including, 10.3.5. This is due to insufficient sanit... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-67115 A path traversal vulnerability in /ftl/web/setup.cgi in Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote authenticated users to read arbitrary files ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32761 File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.0 and below contain a permission enforcement bypa... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-20097 A vulnerability in the web-based management interface of Cisco IMC could allow an authenticated, remote attacker with admin-level privileges to execute arbitrary code as the root user. This vulne... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-20096 A vulnerability in the web-based management interface of Cisco IMC could allow an authenticated, remote attacker with admin-level privileges to perform command injection attacks on an affected system ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-20095 A vulnerability in the web-based management interface of Cisco IMC could allow an authenticated, remote attacker with admin-level privileges to perform command injection attacks on an affected system ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-4749 NVD-CWE-noinfo vulnerability in albfan miraclecast.This issue affects miraclecast: before v1.0. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33677 Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `GET /api/v1/projects/:project/webhooks` endpoint returns webhook BasicAuth credentials (`basic_auth_user` a... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25398 Missing Authorization vulnerability in Webilia Inc. Vertex Addons for Elementor addons-for-elementor-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25454 Missing Authorization vulnerability in MVPThemes The League the-league allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The League: from n/a through <= 4.4.1. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25455 Missing Authorization vulnerability in PickPlugins Product Slider for WooCommerce woocommerce-products-slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-4147 An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-35383 Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34832 Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.66.1, Scoold contains an authenticated authorization flaw in feedback deletion that allows any logged-in, low-privilege u... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34825 NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables di... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34531 Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without pass... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-23481 Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an authenticated arbitrary file write vulnerability in saveAdditionalDevFile. This issue has been patched in version ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34613 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoin... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34611 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the p... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34395 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balanc... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-39569 Missing Authorization vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 12 Step Meeti... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-6068 NASM contains a heap use after free vulnerability in response file (-@) processing where a dangling pointer to freed memory is stored in the global depend_file and later dereferenced, as the response-... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33580 OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33531 InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template engine allows a staff-level user to read arbitrary files from the... | 6.5 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.