CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | Description | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|---|
| CVE-2026-4612 | A vulnerability has been found in itsourcecode Free Hotel Reservation System 1.0. This affects an unknown part of the file /hotel/admin/mod_users/index.php?view=edit&id=8 of the component Parameter Ha... | 7.3 | HIGH | — | 0 |
| CVE-2026-4611 | A flaw has been found in TOTOLINK X6000R 9.4.0cu.1360_B20241207/9.4.0cu.1498_B20250826. Affected by this issue is the function setLanCfg of the file /usr/sbin/shttpd. Executing a manipulation of the a... | 7.2 | HIGH | — | 0 |
| CVE-2026-33634 | Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action... | 8.8 | HIGH | KEV | 0 |
| CVE-2026-32913 | OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authorization headers across cross-origin redirects. Attackers can trigger redi... | 9.3 | CRITICAL | — | 0 |
| CVE-2026-32912 | Rejected reason: This CVE ID has been rejected. | N/A | NONE | — | 0 |
| CVE-2026-32911 | Rejected reason: This CVE ID has been rejected. | N/A | NONE | — | 0 |
| CVE-2026-32910 | Rejected reason: This CVE ID has been rejected. | N/A | NONE | — | 0 |
| CVE-2026-32909 | Rejected reason: This CVE ID has been rejected. | N/A | NONE | — | 0 |
| CVE-2026-32908 | Rejected reason: This CVE ID has been rejected. | N/A | NONE | — | 0 |
| CVE-2026-32907 | Rejected reason: This CVE ID has been rejected. | N/A | NONE | — | 0 |
| CVE-2026-32904 | Rejected reason: This CVE ID has been rejected. | N/A | NONE | — | 0 |
| CVE-2026-32903 | Rejected reason: This CVE ID has been rejected. | N/A | NONE | — | 0 |
| CVE-2026-32902 | Rejected reason: This CVE ID has been rejected. | N/A | NONE | — | 0 |
| CVE-2026-32901 | Rejected reason: This CVE ID has been rejected. | N/A | NONE | — | 0 |
| CVE-2026-32900 | Rejected reason: This CVE ID has been rejected. | N/A | NONE | — | 0 |
| CVE-2026-32300 | Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the M... | 8.1 | HIGH | — | 0 |
| CVE-2026-32299 | Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the p... | 7.5 | HIGH | — | 0 |
| CVE-2026-32279 | Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Server-Side Request Forgery (SSRF) iss... | 6.8 | MEDIUM | — | 0 |
| CVE-2026-32278 | Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Stored Cross-site Scripting (XSS) issu... | 8.2 | HIGH | — | 0 |
| CVE-2026-32277 | Connect-CMS is a content management system. In versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0, a DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view. Versions 1... | 8.7 | HIGH | — | 0 |
| CVE-2026-32276 | Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an authenticated user may be able to exe... | 8.8 | HIGH | — | 0 |
| CVE-2026-32066 | Rejected reason: This CVE ID has been rejected. | N/A | NONE | — | 0 |
| CVE-2026-32047 | Rejected reason: This CVE ID has been rejected. | N/A | NONE | — | 0 |
| CVE-2026-32012 | Rejected reason: This CVE ID has been rejected. | N/A | NONE | — | 0 |
| CVE-2026-29111 | systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an asse... | 5.5 | MEDIUM | — | 0 |
| CVE-2026-28483 | Rejected reason: This CVE ID has been rejected. | N/A | NONE | — | 0 |
| CVE-2026-28455 | Rejected reason: This CVE ID has been rejected. | N/A | NONE | — | 0 |
| CVE-2026-27646 | OpenClaw versions prior to 2026.3.7 contain a sandbox escape vulnerability in the /acp spawn command that allows authorized sandboxed sessions to initialize host-side ACP runtime. Attackers can bypass... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-27183 | OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability in system.run dispatch-wrapper handling that allows attackers to skip shell wrapper approval requirements. The ... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-22173 | Rejected reason: This CVE ID has been rejected. | N/A | NONE | — | 0 |
| CVE-2026-1940 | An incomplete fix for CVE-2024-47778 allows an out-of-bounds read in gst_wavparse_adtl_chunk() function. The patch added a size validation check lsize + 8 > size, but it does not account for the GST_R... | 5.1 | MEDIUM | — | 0 |
| CVE-2025-60949 | Census CSWeb 8.0.1 allows "app/config" to be reachable via HTTP in some deployments. A remote, unauthenticated attacker could send requests to configuration files and obtain leaked secrets. Fixed in 8... | 9.1 | CRITICAL | — | 0 |
| CVE-2025-60948 | Census CSWeb 8.0.1 allows stored cross-site scripting in user supplied fields. A remote, authenticated attacker could store malicious javascript that executes in a victim's browser. Fixed in 8.1.0 alp... | 4.6 | MEDIUM | — | 0 |
| CVE-2025-60947 | Census CSWeb 8.0.1 allows arbitrary file upload. A remote, authenticated attacker could upload a malicious file, possibly leading to remote code execution. Fixed in 8.1.0 alpha. | 8.8 | HIGH | — | 0 |
| CVE-2025-60946 | Census CSWeb 8.0.1 allows arbitrary file path input. A remote, authenticated attacker could access unintended file directories. Fixed in 8.1.0 alpha. | 8.8 | HIGH | — | 0 |
| CVE-2026-4597 | A security flaw has been discovered in 648540858 wvp-GB28181-pro up to 2.7.4. Impacted is the function selectAll of the file src/main/java/com/genersoft/iot/vmp/streamProxy/dao/provider/StreamProxyPro... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-4368 | Race Condition in NetScaler ADC and NetScaler Gateway when appliance is configured as Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server leading to User Session Mixup | N/A | NONE | — | 0 |
| CVE-2026-3055 | Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread | 9.8 | CRITICAL | KEV | 0 |
| CVE-2026-23882 | Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the MCP (Model Context Protocol) server creation function allows specifying arbitrary commands and arguments, which are execut... | 7.2 | HIGH | — | 0 |
| CVE-2026-23488 | Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note ... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-23487 | Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an IDOR vulnerability where user.detail Endpoint Leaks the Superadmin Token. This issue has been patched in version 1... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-23486 | Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, a publicly accessible endpoint exposes all user information, including usernames, roles, and account creation dates. This issu... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-23485 | Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the filePath parameter accepts path traversal sequences, allowing enumeration of file existence on the server via different er... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-23484 | Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the fileName parameter is not filtered, allowing path traversal to write files anywhere on the file system. Moreover... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-23483 | Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the plugin file server endpoint uses join() to concatenate paths but does not verify if the final path is within the... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-23482 | Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the file server endpoint does not perform permission checks on the temp/ path and does not filter path traversal sequences, al... | 7.5 | HIGH | — | 0 |
| CVE-2026-23481 | Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an authenticated arbitrary file write vulnerability in saveAdditionalDevFile. This issue has been patched in version ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-23480 | Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, a... | 8.8 | HIGH | — | 0 |
| CVE-2026-4596 | A vulnerability was identified in projectworlds Lawyer Management System 1.0. This issue affects some unknown processing of the file /lawyers.php. The manipulation of the argument first_Name leads to ... | 3.5 | LOW | — | 0 |
| CVE-2026-33548 | Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline (my_view_page.php) allows an attacker to inject HTML... | 6.1 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.