Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-35468 nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, two peer-facing consensus request handlers ass... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-10734 The ReviewX β WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5650 A vulnerability was found in code-projects Online Application System for Admission 1.0. Impacted is an unknown function of the file /enrollment/database/oas.sql. Performing a manipulation results in i... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-22560 An open redirect vulnerability in Rocket.Chat versions prior to 8.4.0 allows users to be redirected to arbitrary URLs by manipulating parameters within a SAML endpoint. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-34979 OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, there is a heap-based buffer overflow in the CUPS scheduler when buil... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-29142 SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to forge a GINA-encrypted email. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5022 The '/api/v1/files/images/{flow_id}/{file_name}' endpoint does not enforce any authentication or authorization checks, allowing any unauthenticated user to download images belonging to any flow by kno... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-33763 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given passw... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5502 The Tutor LMS β eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing auth... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-35626 OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling that buffers request bodies before provider signature checks. Attackers can send ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-33705 Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These temp... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-40100 FastGPT is an AI Agent building platform. Prior to 4.14.10.3, the /api/core/app/mcpTools/runTool endpoint accepts arbitrary URLs without authentication. The internal IP check in isInternalAddress() on... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-21726 The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/r... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5234 The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39687 Missing Authorization vulnerability in Rapid Car Check Rapid Car Check Vehicle Data free-vehicle-data-uk allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rapi... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39685 Missing Authorization vulnerability in lvaudore The Moneytizer the-moneytizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Moneytizer: from n/a throug... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39675 Missing Authorization vulnerability in webmuehle Court Reservation court-reservation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Court Reservation: from ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39673 Missing Authorization vulnerability in shrikantkale iZooto izooto-web-push allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iZooto: from n/a through <= 3.7.20... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39669 Missing Authorization vulnerability in NitroPack NitroPack nitropack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NitroPack: from n/a through <= 1.19.3. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39663 Missing Authorization vulnerability in themetechmount TrueBooker truebooker-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TrueBooker: f... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39608 Missing Authorization vulnerability in iPOSPays iPOSpays Gateways WC ipospays-gateways-wc allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iPOSpays Gateways W... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39606 Missing Authorization vulnerability in Foysal Imran BizReview bizreview allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BizReview: from n/a through <= 1.5.13... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-40347 Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39407 Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by usi... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39406 @hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-4751 NULL Pointer Dereference vulnerability in tmate-io tmate.This issue affects tmate: before 2.4.0. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-3595 The Riaxe Product Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.2. This is due to the plugin registering a REST API route at POST /wp-... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-6494 A flaw was found in the AAP MCP server. An unauthenticated remote attacker can exploit a log injection vulnerability by sending specially crafted input to the `toolsetroute` parameter. This parameter ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-29055 Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the image processing pipeline in Tandoor Recipes explicitly skips EXIF ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39716 Missing Authorization vulnerability in CKThemes Flipmart flipmart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flipmart: from n/a through <= 2.8. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39714 Missing Authorization vulnerability in G5Theme G5Plus April g5plus-april allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects G5Plus April: from n/a through <= 6.... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-2100 A flaw was found in p11-kit. A remote attacker could exploit this vulnerability by calling the C_DeriveKey function on a remote token with specific IBM kyber or IBM btc derive mechanism parameters set... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-59028 When sending invalid base64 SASL data, login process is disconnected from the auth server, causing all active authentication sessions to fail. Invalid BASE64 data can be used to DoS a vulnerable serve... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39676 Missing Authorization vulnerability in Shahjada Download Manager download-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Manager: from n/a ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-0394 When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added to allowed characters, path traversal can happen if the doma... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39672 Missing Authorization vulnerability in shiptime ShipTime: Discounted Shipping Rates shiptime-discount-shipping allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affect... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-27859 A mail message containing excessive amount of RFC 2231 MIME parameters causes LMTP to use too much CPU. A suitably formatted mail message causes mail delivery process to consume large amounts of CPU t... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39668 Missing Authorization vulnerability in g5theme Book Previewer for Woocommerce book-previewer-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-34364 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `categories.json.php` endpoint, which serves the category listing API, fails to enforce user group-based access ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39616 Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39622 Missing Authorization vulnerability in acmethemes Education Base education-base allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Education Base: from n/a thro... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5603 A vulnerability was identified in elgentos magento2-dev-mcp up to 1.0.2. The affected element is the function executeMagerun2Command of the file src/index.ts. Such manipulation leads to os command inj... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39612 Missing Authorization vulnerability in kutethemes KuteShop kuteshop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KuteShop: from n/a through <= 4.2.9. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39610 Missing Authorization vulnerability in Pankaj Kumar WpXmas-Snow wpxmas-snow allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpXmas-Snow: from n/a through <= ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39609 Missing Authorization vulnerability in Wava.co Wava Payment wava-payment allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wava Payment: from n/a through <= 0.... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39564 Insertion of Sensitive Information Into Sent Data vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Retrieve Embedded Sensitive Data.This issue affects Sunshine Photo C... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5484 A weakness has been identified in BookStackApp BookStack up to 26.03. Affected is the function chapterToMarkdown of the file app/Exports/ExportFormatter.php of the component Chapter Export Handler. Ex... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39542 Insertion of Sensitive Information Into Sent Data vulnerability in Doofinder Doofinder for WooCommerce doofinder-for-woocommerce allows Retrieve Embedded Sensitive Data.This issue affects Doofinder fo... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39570 Insertion of Sensitive Information Into Sent Data vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Retrieve Embedded Sensitive Data.This issue affects 12 Step Meeting L... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5602 A vulnerability was determined in Nor2-io heim-mcp up to 0.1.3. Impacted is the function registerTools of the file src/tools.ts of the component new_heim_application/deploy_heim_application/deploy_hei... | 5.3 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.