Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-26993 Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions 1.7.0 and below allow users to upload files without proper content validation or sanitizat... | 4.6 | MEDIUM | β | 0 |
| CVE-2026-26992 LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the port group name is not sanitized, allowing attackers with admin privileges to perform St... | 4.8 | MEDIUM | β | 0 |
| CVE-2026-26991 LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the device group name is not sanitized, allowing attackers with admin privileges to perform ... | 4.8 | MEDIUM | β | 0 |
| CVE-2026-2820 A security flaw has been discovered in Fujian Smart Integrated Management Platform System up to 7.5. This issue affects some unknown processing of the file /Module/CRXT/Controller/XAccessPermissionPlu... | 7.3 | HIGH | β | 0 |
| CVE-2026-2819 A vulnerability was identified in Dromara RuoYi-Vue-Plus up to 5.5.3. This vulnerability affects the function SaServletFilter of the file /workflow/instance/deleteByInstanceIds of the component Workfl... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-27016 LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 24.10.0 through 26.1.1 are vulnerable to Stored XSS via the unit parameter in Custom OID. The Custom OID function... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-26990 LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below have a Time-Based Blind SQL Injection vulnerability in address-search.inc.php via the address p... | 8.8 | HIGH | β | 0 |
| CVE-2026-26989 LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are affected by a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Rules workflow. ... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-26988 LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below contain an SQL Injection vulnerability in the ajax_table.php endpoint. The application fails to... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-26987 LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are vulnerable to Reflected XSS attacks via email field. This issue has been fixed in version ... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-26980 Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1. | 9.4 | CRITICAL | β | 0 |
| CVE-2026-26977 Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.44.0 and below, unauthorized users are able to access the details of unpublished co... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-26960 node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to... | 7.1 | HIGH | β | 0 |
| CVE-2026-26065 calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below are vulnerable to Path Traversal through PDB readers (both 132-byte and 20... | 8.8 | HIGH | β | 0 |
| CVE-2026-26064 calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes a... | 8.8 | HIGH | β | 0 |
| CVE-2026-26975 Music Assistant is an open-source media library manager that integrates streaming services with connected speakers. Versions 2.6.3 and below allow unauthenticated network-adjacent attackers to execute... | 8.8 | HIGH | β | 0 |
| CVE-2026-26974 Slyde is a program that creates animated presentations from XML. In versions 0.0.4 and below, Node.js automatically imports **/*.plugin.{js,mjs} files including those from node_modules, so any malicio... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-26967 PJSIP is a free and open source multimedia communication library written in C. In versions 2.16 and below, there is a critical Heap-based Buffer Overflow vulnerability in PJSIP's H.264 unpacketizer. T... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-30416 Sensitive data disclosure and manipulation due to missing authorization. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Li... | N/A | NONE | β | 0 |
| CVE-2025-30412 Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (... | N/A | NONE | β | 0 |
| CVE-2025-30411 Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (... | N/A | NONE | β | 0 |
| CVE-2025-30410 Sensitive data disclosure and manipulation due to missing authentication. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 39870, Acronis Cyb... | N/A | NONE | β | 0 |
| CVE-2026-2605 Tanium addressed an insertion of sensitive information into log file vulnerability in TanOS. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-2435 Tanium addressed a SQL injection vulnerability in Asset. | 6.3 | MEDIUM | β | 0 |
| CVE-2026-2408 Tanium addressed a use-after-free vulnerability in the Cloud Workloads Enforce client extension. | 4.7 | MEDIUM | β | 0 |
| CVE-2026-2350 Tanium addressed an insertion of sensitive information into log file vulnerability in Interact and TDS. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27009 OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a atored XSS issue in the OpenClaw Control UI when rendering assistant identity (name/avatar) into an inline `<script>` tag without scr... | 5.8 | MEDIUM | β | 0 |
| CVE-2026-27008 OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a bug in `download` skill installation allowed `targetDir` values from skill frontmatter to resolve outside the per-skill tools directo... | 6.7 | MEDIUM | β | 0 |
| CVE-2026-27007 OpenClaw is a personal AI assistant. Prior to version 2026.2.15, `normalizeForHash` in `src/agents/sandbox/config-hash.ts` recursively sorted arrays that contained only primitive values. This made ord... | 3.3 | LOW | β | 0 |
| CVE-2026-27004 OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools (`sessions_list`, `sessions_history`, `sessions_send`) allowed broader session... | 5.5 | MEDIUM | β | 0 |
| CVE-2026-27003 OpenClaw is a personal AI assistant. Telegram bot tokens can appear in error messages and stack traces (for example, when request URLs include `https://api.telegram.org/bot<token>/...`). Prior to vers... | 5.5 | MEDIUM | β | 0 |
| CVE-2026-27002 OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a configuration injection issue in the Docker tool sandbox could allow dangerous Docker options (bind mounts, host networking, unconfin... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-27001 OpenClaw is a personal AI assistant. Prior to version 2026.2.15, OpenClaw embedded the current working directory (workspace path) into the agent system prompt without sanitization. If an attacker can ... | 7.8 | HIGH | β | 0 |
| CVE-2026-26972 OpenClaw is a personal AI assistant. In versions 2026.1.12 through 2026.2.12, OpenClaw browser download helpers accepted an unsanitized output path. When invoked via the browser control gateway routes... | 6.7 | MEDIUM | β | 0 |
| CVE-2026-26964 Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which... | 2.7 | LOW | β | 0 |
| CVE-2026-26963 Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Versions 1.18.0 through 1.18.5 will incorrectly permit traffic from Pods on other nodes when Native Routing, ... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-26959 ADB Explorer is a fluent UI for ADB on Windows. Versions 0.9.26020 and below fail to validate the integrity or authenticity of the ADB binary path specified in the ManualAdbPath setting before executi... | 7.8 | HIGH | β | 0 |
| CVE-2026-26957 Libredesk is a self-hosted customer support desk application. Versions prior to 1.0.2-0.20260215211005-727213631ce6 fail to validate destination URLs for webhooks, allowing an attacker posing as an au... | N/A | NONE | β | 0 |
| CVE-2026-26329 OpenClaw is a personal AI assistant. Prior to version 2026.2.14, authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the b... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-26328 OpenClaw is a personal AI assistant. Prior to version 2026.2.14, under iMessage `groupPolicy=allowlist`, group authorization could be satisfied by sender identities coming from the DM pairing store, b... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-1292 Tanium addressed an insertion of sensitive information into log file vulnerability in Trends. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-26958 filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid re... | N/A | NONE | β | 0 |
| CVE-2026-26953 Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-26952 Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.4 and below are vulnerable to stored HTML injection through th... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-26327 OpenClaw is a personal AI assistant. Discovery beacons (Bonjour/mDNS and DNS-SD) include TXT records such as `lanHost`, `tailnetDns`, `gatewayPort`, and `gatewayTlsSha256`. TXT records are unauthentic... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-26326 OpenClaw is a personal AI assistant. Prior to version 2026.2.14, `skills.status` could disclose secrets to `operator.read` clients by returning raw resolved config values in `configChecks` for skill `... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-26325 OpenClaw is a personal AI assistant. Prior to version 2026.2.14, a mismatch between `rawCommand` and `command[]` in the node host `system.run` handler could cause allowlist/approval evaluation to be p... | 7.2 | HIGH | β | 0 |
| CVE-2026-26324 OpenClaw is a personal AI assistant. Prior to version 2026.2.14, OpenClaw's SSRF protection could be bypassed using full-form IPv4-mapped IPv6 literals such as `0:0:0:0:0:ffff:7f00:1` (which is `127.0... | 7.5 | HIGH | β | 0 |
| CVE-2026-26323 OpenClaw is a personal AI assistant. Versions 2026.1.8 through 2026.2.13 have a command injection in the maintainer/dev script `scripts/update-clawtributors.ts`. The issue affects contributors/maintai... | 8.8 | HIGH | β | 0 |
| CVE-2026-26322 OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Gateway tool accepted a tool-supplied `gatewayUrl` without sufficient restrictions, which could cause the OpenClaw host to... | 7.6 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.