Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-33936 The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signatur... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-4990 A security vulnerability has been detected in chatwoot up to 4.11.1. The affected element is an unknown function of the file /app/login of the component Signup Endpoint. Such manipulation of the argum... | 7.3 | HIGH | β | 0 |
| CVE-2026-4988 A security flaw has been discovered in Open5GS 2.7.6. This issue affects the function smf_gx_cca_cb/smf_gy_cca_cb/smf_s6b of the component CCA Message Handler. The manipulation results in denial of se... | 3.7 | LOW | β | 0 |
| CVE-2026-4985 A vulnerability was identified in dloebl CGIF up to 0.5.2. This vulnerability affects the function cgif_addframe of the file src/cgif.c of the component GIF Image Handler. The manipulation of the argu... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-34226 Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of ... | 7.5 | HIGH | β | 0 |
| CVE-2026-33989 Mobile Next is an MCP server for mobile development and automation. Prior to version 0.0.49, the `@mobilenext/mobile-mcp` server contains a Path Traversal vulnerability in the `mobile_save_screenshot`... | 8.1 | HIGH | β | 0 |
| CVE-2026-33981 changedetection.io is a free open source web page change detection tool. Prior to 0.54.7, the `jq:` and `jqraw:` include filter expressions allow use of the jq `env` builtin, which reads all process e... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33980 Azure Data Explorer MCP Server is a Model Context Protocol (MCP) server that enables AI assistants to execute KQL queries and explore Azure Data Explorer (ADX/Kusto) databases through standardized int... | 8.3 | HIGH | β | 0 |
| CVE-2026-33979 Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack. A vulnerabili... | 8.2 | HIGH | β | 0 |
| CVE-2026-33976 Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the deskto... | 9.6 | CRITICAL | β | 0 |
| CVE-2026-33955 Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a cross-site scripting vulnerability stored in the note history comparison viewer can escalate to remote code execution in a des... | 8.6 | HIGH | β | 0 |
| CVE-2026-33954 LinkAce is a self-hosted archive to collect website links. In versions prior to 2.5.3, a private note attached to a non-private link can be disclosed to a different authenticated user via the web inte... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33953 LinkAce is a self-hosted archive to collect website links. Versions prior to 2.5.3 block direct requests to private IP literals, but still performs server-side requests to internal-only resources when... | 8.5 | HIGH | β | 0 |
| CVE-2026-33946 MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vu... | 5.9 | MEDIUM | β | 0 |
| CVE-2026-33943 Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows ... | 8.8 | HIGH | β | 0 |
| CVE-2026-33941 Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates us... | 8.2 | HIGH | β | 0 |
| CVE-2026-33940 Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in `re... | 8.1 | HIGH | β | 0 |
| CVE-2026-33939 Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorat... | 7.5 | HIGH | β | 0 |
| CVE-2026-27309 Substance3D - Stager versions 3.1.7 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this is... | 7.8 | HIGH | β | 0 |
| CVE-2019-25652 UniFi Network Controller before version 5.10.22 and 5.11.x before 5.11.18 contains an improper certificate verification vulnerability that allows adjacent network attackers to conduct man-in-the-middl... | 7.5 | HIGH | β | 0 |
| CVE-2019-25651 Ubiquiti UniFi Network Controller prior to 5.10.12 (excluding 5.6.42), UAP FW prior to 4.0.6, UAP-AC, UAP-AC v2, and UAP-AC Outdoor FW prior to 3.8.17, USW FW prior to 4.0.6, USG FW prior to 4.4.34 us... | 8.3 | HIGH | β | 0 |
| CVE-2026-4976 A vulnerability was found in Totolink LR350 9.3.5u.6369_B20220309. This vulnerability affects the function setWiFiGuestCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument ssid resul... | 8.8 | HIGH | β | 0 |
| CVE-2026-34046 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.5.1, the `_read_flow` helper in `src/backend/base/langflow/api/v1/flows.py` branched on the `AUTO_LOGI... | N/A | NONE | β | 0 |
| CVE-2026-33938 Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reac... | 8.1 | HIGH | β | 0 |
| CVE-2026-33937 Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string.... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-33916 Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property... | 4.7 | MEDIUM | β | 0 |
| CVE-2026-33907 Ella Core is a 5G core designed for private networks. Versions prior to 1.7.0 panic when processing Authentication Response and Authentication Failure NAS message missing IEs. An attacker able to send... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33906 Ella Core is a 5G core designed for private networks. Prior to version 1.7.0, the NetworkManager role was granted backup and restore permission. The restore endpoint accepted any valid SQLite file wit... | 7.2 | HIGH | β | 0 |
| CVE-2026-33904 Ella Core is a 5G core designed for private networks. Prior to version 1.7.0, a deadlock in the AMF's SCTP notification handler causes the entire AMF control plane to hang until the process is restart... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33903 Ella Core is a 5G core designed for private networks. Versions prior to 1.7.0 panic when processing a specially crafted NGAP LocationReport message. An attacker able to send crafted NGAP messages to E... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33896 Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints... | 7.4 | HIGH | β | 0 |
| CVE-2026-33895 Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures wh... | 7.5 | HIGH | β | 0 |
| CVE-2026-33894 Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for l... | 7.5 | HIGH | β | 0 |
| CVE-2026-33891 Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library ... | 7.5 | HIGH | β | 0 |
| CVE-2026-33887 Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisio... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-33886 Statamic is a Laravel and Git powered content management system (CMS). Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields co... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33885 Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could b... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-33884 Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview tok... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-33883 Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the `user:reset_password_form` tag could render user-input directly into HTML without escapi... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-33882 Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the markdown preview endpoint could be manipulated to return augmented data from arbitrary f... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33881 Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Workspace environment variable values are interpolated into JavaScript string literals withou... | N/A | NONE | β | 0 |
| CVE-2026-33879 Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login pag... | N/A | NONE | β | 0 |
| CVE-2026-33875 Gematik Authenticator securely authenticates users for login to digital health applications. Versions prior to 4.16.0 are vulnerable to authentication flow hijacking, potentially allowing attackers to... | 9.3 | CRITICAL | β | 0 |
| CVE-2026-33874 Gematik Authenticator securely authenticates users for login to digital health applications. Starting in version 4.12.0 and prior to version 4.16.0, the Mac OS version of the Authenticator is vulnerab... | 7.8 | HIGH | β | 0 |
| CVE-2026-33873 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.9.0, the Agentic Assistant feature in Langflow executes LLM-generated Python code during its validatio... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-32187 Microsoft Edge (Chromium-based) Defense in Depth Vulnerability | 4.2 | MEDIUM | β | 0 |
| CVE-2026-4975 A vulnerability has been found in Tenda AC15 15.03.05.19. This affects the function formSetCfm of the file /goform/setcfm of the component POST Request Handler. The manipulation of the argument funcpa... | 8.8 | HIGH | β | 0 |
| CVE-2026-4974 A flaw has been found in Tenda AC7 15.03.06.44. Affected by this issue is the function fromSetSysTime of the file /goform/SetSysTimeCfg of the component POST Request Handler. Executing a manipulation ... | 8.8 | HIGH | β | 0 |
| CVE-2026-4973 A vulnerability was detected in SourceCodester Online Quiz System up to 1.0. Affected by this vulnerability is an unknown functionality of the file endpoint/add-question.php. Performing a manipulation... | 3.5 | LOW | β | 0 |
| CVE-2026-4972 A security vulnerability has been detected in code-projects Online Reviewer System up to 1.0. Affected is an unknown function of the file /system/system/students/assessments/databank/btn_functions.php... | 2.4 | LOW | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.