Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-30851 Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_auth copy_headers does not strip client-supplied headers, allowing identity injec... | 8.1 | HIGH | β | 0 |
| CVE-2026-30850 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadat... | 5.9 | MEDIUM | β | 0 |
| CVE-2026-30848 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerab... | 3.7 | LOW | β | 0 |
| CVE-2026-29196 Netmaker makes networks with WireGuard. Prior to version 1.5.0, a user assigned the platform-user role can retrieve WireGuard private keys of all wireguard configs in a network by calling GET /api/ext... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-29195 Netmaker makes networks with WireGuard. Prior to version 1.5.0, the user update handler (PUT /api/users/{username}) lacks validation to prevent an admin-role user from assigning the super-admin role d... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-3668 A weakness has been identified in Freedom Factory dGEN1 up to 20260221. This affects the function AndroidEthereum of the component org.ethosmobile.webpwaemul. This manipulation causes improper access ... | 3.1 | LOW | β | 0 |
| CVE-2026-3667 A security flaw has been discovered in Freedom Factory dGEN1 up to 20260221. The impacted element is the function FakeAppService of the component org.ethosmobile.ethoslauncher. The manipulation result... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-3665 A vulnerability was identified in xlnt-community xlnt up to 1.6.1. The affected element is the function xlnt::detail::xlsx_consumer::read_office_document of the file source/detail/serialization/xlsx_c... | 3.3 | LOW | β | 0 |
| CVE-2026-30838 league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowe... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-30834 PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Prior to version 0.7.7, a Server-Side Request Forgery (SSRF) vulnerability in the /download endpoint all... | 7.5 | HIGH | β | 0 |
| CVE-2026-30832 Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the server to make HTTP requests to internal/private IP ... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-29787 mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.21.0, the /api/health/detailed endpoint returns detailed system information including OS version, Pytho... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-29786 node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target suc... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-29784 Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the reque... | 7.5 | HIGH | β | 0 |
| CVE-2026-29781 Sliver is a command and control framework that uses a custom Wireguard netstack. In versions from 1.7.3 and prior, a vulnerability exists in the Sliver C2 server's Protobuf unmarshalling logic due to ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-29780 eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script ex... | 5.5 | MEDIUM | β | 0 |
| CVE-2026-29779 UptimeFlare is a serverless uptime monitoring & status page solution, powered by Cloudflare Workers. Prior to commit 377a596, configuration file uptime.config.ts exports both pageConfig (safe for clie... | 7.5 | HIGH | β | 0 |
| CVE-2026-29778 pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder p... | 7.1 | HIGH | β | 0 |
| CVE-2026-29771 Netmaker makes networks with WireGuard. Prior to version 1.2.0, the /api/server/shutdown endpoint allows termination of the Netmaker server process via syscall.SIGINT. This allows any user to repeated... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-29194 Netmaker makes networks with WireGuard. Prior to version 1.5.0, the Authorize middleware in Netmaker incorrectly validates host JWT tokens. When a route permits host authentication (hostAllowed=true),... | 8.1 | HIGH | β | 0 |
| CVE-2026-29190 Karapace is an open-source implementation of Kafka REST and Schema Registry. Prior to version 6.0.0, there is a Path Traversal vulnerability in the backup reader (backup/backends/v3/backend.py). If a ... | 4.1 | MEDIUM | β | 0 |
| CVE-2026-29076 cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses std::regex (libstdc++) to parse RFC 5987 encoded filename* values in multipa... | 5.9 | MEDIUM | β | 0 |
| CVE-2026-28678 DSA Study Hub is an interactive educational web application. Prior to commit d527fba, the user authentication system in server/routes/auth.js was found to be vulnerable to Insufficiently Protected Cre... | 8.1 | HIGH | β | 0 |
| CVE-2026-3664 A vulnerability was determined in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::compound_document::read_directory of the file source/detail/cryptography/compound_document.cpp... | 3.3 | LOW | β | 0 |
| CVE-2026-3663 A vulnerability was found in xlnt-community xlnt up to 1.6.1. This issue affects the function xlnt::detail::compound_document_istreambuf::xsgetn of the file source/detail/cryptography/compound_documen... | 3.3 | LOW | β | 0 |
| CVE-2026-29193 ZITADEL is an open source identity management platform. From version 4.0.0 to 4.12.0, a vulnerability in Zitadel's login V2 UI allowed users to bypass login behavior and security policies and self-reg... | 8.2 | HIGH | β | 0 |
| CVE-2026-29192 ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via Defaul... | 7.7 | HIGH | β | 0 |
| CVE-2026-29191 ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via XSS in... | 9.3 | CRITICAL | β | 0 |
| CVE-2026-29186 Backstage is an open framework for building developer portals. Prior to version 1.14.3, this is a configuration bypass vulnerability that enables arbitrary code execution. The @backstage/plugin-techdo... | 7.7 | HIGH | β | 0 |
| CVE-2026-29185 Backstage is an open framework for building developer portals. Prior to version 1.20.1, a vulnerability in the SCM URL parsing used by Backstage integrations allowed path traversal sequences in encode... | 2.7 | LOW | β | 0 |
| CVE-2026-29184 Backstage is an open framework for building developer portals. Prior to version 3.1.4, a malicious scaffolder template can bypass the log redaction mechanism to exfiltrate secrets provided run through... | 2.0 | LOW | β | 0 |
| CVE-2026-29067 ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potential vulnerability exists in ZITADEL's password reset mechanism in login V2. ZITADEL utilizes the Forwa... | 8.1 | HIGH | β | 0 |
| CVE-2026-3662 A vulnerability has been found in Wavlink WL-NU516U1 240425. This vulnerability affects the function usb_p910 of the file /cgi-bin/adm.cgi. Such manipulation of the argument Pr_mode leads to command i... | 4.7 | MEDIUM | β | 0 |
| CVE-2026-3661 A flaw has been found in Wavlink WL-NU516U1 240425. This affects the function ota_new_upgrade of the file /cgi-bin/adm.cgi. This manipulation of the argument model causes command injection. It is poss... | 4.7 | MEDIUM | β | 0 |
| CVE-2026-2219 It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, whi... | 7.5 | HIGH | β | 0 |
| CVE-2026-24308 Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the clie... | 7.5 | HIGH | β | 0 |
| CVE-2026-24281 Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper serv... | 7.4 | HIGH | β | 0 |
| CVE-2026-2433 The RSS Aggregator β RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via postMessage in all versions up to, and including, 5... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-2420 The LotekMedia Popup Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.0.6 due to insufficient input sanitization a... | 4.4 | MEDIUM | β | 0 |
| CVE-2026-1825 The Show YouTube video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'syv' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitizati... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1824 The Infomaniak Connect for OpenID plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'endpoint_login' parameter of the infomaniak_connect_generic_auth_url shortcode in all versi... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1823 The Consensus Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's consensus shortcode in all versions up to, and including, 1.6 due to insufficient input sanitizat... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1820 The Media Library Alt Text Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bvmalt_sc_div_update_alt_text' shortcode in all versions up to, and including, 1.0... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1805 The DA Media GigList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's damedia_giglist shortcode in all versions up to, and including, 1.9.0 due to insufficient input ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1574 The MyQtip β easy qTip2 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `myqtip` shortcode in all versions up to, and including, 2.0.5 due to insufficient input sani... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1569 The Wueen plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wueen-blocket` shortcode in all versions up to, and including, 0.2.0 due to insufficient input sanitizatio... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1087 The Guardian News Feed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the settings update functi... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1086 The Font Pairing Preview For Landing Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing nonce validation on the se... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1085 The True Ranker plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.9. This is due to missing nonce validation on the seolocalrank-signout action... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1074 The WP App Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'app-bar-features' parameter in all versions up to, and including, 1.5. This is due to insufficient input sanit... | 7.2 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.