Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-25443 Missing Authorization vulnerability in Dotstore Fraud Prevention For Woocommerce woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers allows Exploiting Incorrectly Configured Access Cont... | 7.5 | HIGH | β | 0 |
| CVE-2026-25442 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes Kentha kentha allows Reflected XSS.This issue affects Kentha: from n/a through <= 4.7... | 7.1 | HIGH | β | 0 |
| CVE-2026-25438 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Gutenberg Blocks unlimited-blocks allows Reflected XSS.This issue affects Gutenberg Bloc... | 7.1 | HIGH | β | 0 |
| CVE-2026-21788 HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user which leads to executin... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-68836 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Markbeljaars Table of Contents Creator table-of-contents-creator allows Reflected XSS.This issue a... | 7.1 | HIGH | β | 0 |
| CVE-2025-67618 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ArtstudioWorks Brookside brookside allows Reflected XSS.This issue affects Brookside: from n/a thr... | 7.1 | HIGH | β | 0 |
| CVE-2025-62043 Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPSight WPCasa allows DOM-Based XSS.This issue affects WPCasa: from n/a through 1.4.1. | 6.5 | MEDIUM | β | 0 |
| CVE-2025-60237 Deserialization of Untrusted Data vulnerability in Themeton Finag finag allows Object Injection.This issue affects Finag: from n/a through <= 1.5.0. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-60233 Deserialization of Untrusted Data vulnerability in Themeton Zuut zuut allows Object Injection.This issue affects Zuut: from n/a through <= 1.4.2. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-53222 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Opt-In Builder td-subscription allows Reflected XSS.This issue affects tagDiv Opt-In... | 7.1 | HIGH | β | 0 |
| CVE-2025-50001 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows Reflected XSS.This issue affects tagDiv Composer: from n... | N/A | NONE | β | 0 |
| CVE-2025-32223 Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a... | N/A | NONE | β | 0 |
| CVE-2026-3475 The Instant Popup Builder plugin for WordPress is vulnerable to Unauthenticated Arbitrary Shortcode Execution in all versions up to and including 1.1.7. This is due to the handle_email_verification_pa... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-25471 Authentication Bypass Using an Alternate Path or Channel vulnerability in Themepaste Admin Safety Guard admin-safety-guard allows Password Recovery Exploitation.This issue affects Admin Safety Guard: ... | 8.1 | HIGH | β | 0 |
| CVE-2026-25312 Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EventPrime: ... | N/A | NONE | β | 0 |
| CVE-2024-42210 A Stored cross-site scripting (XSS) vulnerability affects HCL Unica Marketing Operations v12.1.8 and lower. Β Stored cross-site scripting (also known as second-order or persistent XSS) arises when an a... | 7.6 | HIGH | β | 0 |
| CVE-2026-4120 The Info Cards β Add Text and Media in Card Layouts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btnUrl' parameter within the Info Cards block in all versions up to, and ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4068 The Add Custom Fields to Media plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.3. This is due to missing nonce validation on the field deleti... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-4006 The Simple Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'display_name' post meta (Custom Field) in all versions up to and including 2.6.2. This is due to insuff... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2571 The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'reviewUserStatus' function in all versions up to, and including, 3.3.49... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-27093 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Tripgo tripgo allows PHP Local File Inclusion.This issue affects Tripg... | 8.1 | HIGH | β | 0 |
| CVE-2026-27091 Missing Authorization vulnerability in UiPress UiPress lite uipress-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UiPress lite: from n/a through <= 3.... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-28073 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tips and Tricks HQ WP eMember wp-eMember allows Reflected XSS.This issue affects WP eMember: from ... | 7.1 | HIGH | β | 0 |
| CVE-2026-28070 Missing Authorization vulnerability in Tips and Tricks HQ WP eMember wp-eMember allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP eMember: from n/a through ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-28044 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Media WP Rocket wp-rocket allows Stored XSS.This issue affects WP Rocket: from n/a through <= 3... | 5.9 | MEDIUM | β | 0 |
| CVE-2026-27542 Incorrect Privilege Assignment vulnerability in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture woocommerce-wholesale-lead-capture allows Privilege Escalation.This issue affects Woocommerce ... | N/A | NONE | β | 0 |
| CVE-2026-27540 Unrestricted Upload of File with Dangerous Type vulnerability in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture woocommerce-wholesale-lead-capture allows Using Malicious Files.This issue af... | N/A | NONE | β | 0 |
| CVE-2026-27413 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozmoslabs Profile Builder Pro profile-builder-pro allows Blind SQL Injection.This issue affects P... | 9.3 | CRITICAL | β | 0 |
| CVE-2026-27397 Authorization Bypass Through User-Controlled Key vulnerability in Really Simple Plugins B.V. Really Simple Security Pro really-simple-ssl-pro allows Exploiting Incorrectly Configured Access Control Se... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27096 Deserialization of Untrusted Data vulnerability in BuddhaThemes ColorFolio - Freelance Designer WordPress Theme colorfolio allows Object Injection.This issue affects ColorFolio - Freelance Designer Wo... | 8.1 | HIGH | β | 0 |
| CVE-2026-1238 The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fh' (fingerprint) parameter in all versions up to, and including, 5.3.5 due to insufficient input sani... | 7.2 | HIGH | β | 0 |
| CVE-2026-1276 IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus alter... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-36051 IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 stores potentially sensitive information in configuration files that could be read by a local user. | 6.2 | MEDIUM | β | 0 |
| CVE-2025-15051 IBM QRadar SIEMΒ 7.5.0 through 7.5.0 Update Package 14 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-13995 IBM QRadar SIEMΒ 7.5.0 through 7.5.0 Update Package 14 could allow an attacker with access to one tenant to access hostname data from another tenant's account. | 5.0 | MEDIUM | β | 0 |
| CVE-2026-32000 OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension tool execution that uses Windows shell fallback with shell: true after spawn failures. Attackers... | 7.1 | HIGH | β | 0 |
| CVE-2026-31999 OpenClaw versions 2026.2.26 prior to 2026.3.1 on Windows contain a current working directory injection vulnerability in wrapper resolution for .cmd/.bat files that allows attackers to influence execut... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-31998 OpenClaw versions 2026.2.22 and 2026.2.23 contain an authorization bypass vulnerability in the synology-chat channel plugin where dmPolicy set to allowlist with empty allowedUserIds fails open. Attack... | 8.6 | HIGH | β | 0 |
| CVE-2026-31997 OpenClaw versions prior to 2026.3.1 fail to pin executable identity for non-path-like argv[0] tokens in system.run approvals, allowing post-approval executable rebind attacks. Attackers can modify PAT... | 6.0 | MEDIUM | β | 0 |
| CVE-2026-31996 OpenClaw versions prior to 2026.2.19 tools.exec.safeBins contains an input validation bypass vulnerability that allows attackers to execute unintended filesystem operations through sort output flags o... | 4.4 | MEDIUM | β | 0 |
| CVE-2026-31995 OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-31994 OpenClaw versions prior to 2026.2.19 contain a local command injection vulnerability in Windows scheduled task script generation due to unsafe handling of cmd metacharacters and expansion-sensitive ch... | 7.1 | HIGH | β | 0 |
| CVE-2026-31993 OpenClaw versions prior to 2026.2.22 contain an allowlist parsing mismatch vulnerability in the macOS companion app that allows authenticated operators to bypass exec approval checks. Attackers with o... | 4.8 | MEDIUM | β | 0 |
| CVE-2026-31992 OpenClaw versions prior to 2026.2.23 contain an allowlist bypass vulnerability in system.run guardrails that allows authenticated operators to execute unintended commands. When /usr/bin/env is allowli... | 7.1 | HIGH | β | 0 |
| CVE-2026-31991 OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where Signal group allowlist policy incorrectly accepts sender identities from DM pairing-store approvals. Attackers ... | 3.7 | LOW | β | 0 |
| CVE-2026-31990 OpenClaw versions prior to 2026.3.2 contain a vulnerability in the stageSandboxMedia function in which it fails to validate destination symlinks during media staging, allowing writes to follow symlink... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-31989 OpenClaw versions prior to 2026.3.1 contain a server-side request forgery vulnerability in web_search citation redirect resolution that uses a private-network-allowing SSRF policy. An attacker who can... | 7.4 | HIGH | β | 0 |
| CVE-2026-29608 OpenClaw 2026.3.1 contains an approval integrity vulnerability in system.run node-host execution where argv rewriting changes command semantics. Attackers can place malicious local scripts in the work... | 6.7 | MEDIUM | β | 0 |
| CVE-2026-29607 OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in allow-always wrapper persistence that allows attackers to bypass approval checks by persisting wrapper-level allow... | 6.8 | MEDIUM | β | 0 |
| CVE-2026-28461 OpenClaw versions prior to 2026.3.1 contain an unbounded memory growth vulnerability in the Zalo webhook endpoint that allows unauthenticated attackers to trigger in-memory key accumulation by varying... | 7.5 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.