Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-24312 An erroneous authorization check in SAP Business Workflow leads to privilege escalation. An authenticated administrative user can bypass role restrictions by leveraging permissions from a less sensiti... | 5.2 | MEDIUM | β | 0 |
| CVE-2026-23689 Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function... | 7.7 | HIGH | β | 0 |
| CVE-2026-23688 SAP Fiori App Manage Service Entry Sheets does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on integrity, confidenti... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-23687 SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier.... | 8.8 | HIGH | β | 0 |
| CVE-2026-23686 Due to a CRLF Injection vulnerability in SAP NetWeaver Application Server Java, an authenticated attacker with administrative access could submit specially crafted content to the application. If proce... | 3.4 | LOW | β | 0 |
| CVE-2026-23685 Due to a Deserialization vulnerability in SAP NetWeaver (JMS service), an attacker authenticated as an administrator with local access could submit specially crafted content to the server. If processe... | 4.4 | MEDIUM | β | 0 |
| CVE-2026-23684 A race condition vulnerability exists in the SAP Commerce cloud. Because of this when an attacker adds products to a cart, it may result in a cart entry being created with erroneous product value whic... | 5.9 | MEDIUM | β | 0 |
| CVE-2026-23681 Due to missing authorization check in a function module in SAP Support Tools Plug-In, an authenticated attacker could invoke specific function modules to retrieve information about the system and its ... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-0509 SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cas... | 9.6 | CRITICAL | β | 0 |
| CVE-2026-0508 The SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker with high privileges to insert malicious URL within the application. Upon successful exploitation, the victim ma... | 7.3 | HIGH | β | 0 |
| CVE-2026-0505 The BSP applications allow an unauthenticated user to manipulate user-controlled URL parameters that are not sufficiently validated. This could result in unvalidated redirection to attacker-controlled... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-0490 SAP BusinessObjects BI Platform allows an unauthenticated attacker to craft a specific network request to the trusted endpoint that breaks the authentication, which prevents the legitimate users from ... | 7.5 | HIGH | β | 0 |
| CVE-2026-0488 An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the abi... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-0486 In ABAP based SAP systems a remote enabled function module does not perform necessary authorization checks for an authenticated user resulting in disclosure of system information.This has low impact o... | 5.0 | MEDIUM | β | 0 |
| CVE-2026-0485 SAP BusinessObjects BI Platform allows an unauthenticated attacker to send specially crafted requests that could cause the Content Management Server (CMS) to crash and automatically restart. By repeat... | 7.5 | HIGH | β | 0 |
| CVE-2026-0484 Due to missing authorization check in SAP NetWeaver Application Server ABAP and SAP S/4HANA, an authenticated attacker could access a specific transaction code and modify the text data in the system. ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-2258 A flaw has been found in aardappel lobster up to 2025.4. Affected by this vulnerability is the function WaveFunctionCollapse in the library dev/src/lobster/wfc.h. Executing a manipulation can lead to ... | 3.3 | LOW | β | 0 |
| CVE-2026-0845 The WCFM β Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege esca... | 7.2 | HIGH | β | 0 |
| CVE-2025-15314 Tanium addressed an arbitrary file deletion vulnerability in end-user-cx. | 5.5 | MEDIUM | β | 0 |
| CVE-2025-15313 Tanium addressed an arbitrary file deletion vulnerability in Tanium EUSS. | 5.5 | MEDIUM | β | 0 |
| CVE-2025-15310 Tanium addressed a local privilege escalation vulnerability in Patch Endpoint Tools. | 7.8 | HIGH | β | 0 |
| CVE-2025-15147 The WCFM Membership β WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.8 via the 'W... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-25958 Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privi... | 7.7 | HIGH | β | 0 |
| CVE-2026-25957 Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a C... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25951 FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.11, there is a flaw in the path sanitization logic allows an authenticated attacker with administrative privilege... | 7.2 | HIGH | β | 0 |
| CVE-2026-25939 FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through version 1.2.10, an authorization bypass vulnerability in the FUXA allows an unauthenticated, remote attack... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-25938 FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execut... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-25934 go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not p... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-25931 vscode-spell-checker is a basic spell checker that works well with code and documents. Prior to v4.5.4, DocumentSettings._determineIsTrusted treats the configuration value cSpell.trustedWorkspace as t... | 7.8 | HIGH | β | 0 |
| CVE-2026-25895 FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. A path traversal vulnerability in FUXA allows an unauthenticated, remote attacker to write arbitrary files to arbitrary locati... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-25894 FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-25893 FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrat... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-15319 Tanium addressed a local privilege escalation vulnerability in Patch Endpoint Tools. | 7.8 | HIGH | β | 0 |
| CVE-2025-15318 Tanium addressed an arbitrary file deletion vulnerability in End-User Notifications Endpoint Tools. | 5.5 | MEDIUM | β | 0 |
| CVE-2026-25961 SumatraPDF is a multi-format reader for Windows. In 3.5.0 through 3.5.2, SumatraPDF's update mechanism disables TLS hostname verification (INTERNET_FLAG_IGNORE_CERT_CN_INVALID) and executes installers... | 7.5 | HIGH | β | 0 |
| CVE-2026-25925 PowerDocu contains a Windows GUI executable to perform technical documentations. Prior to 2.4.0, PowerDocu contains a critical security vulnerability in how it parses JSON files within Flow or App pac... | 7.8 | HIGH | β | 0 |
| CVE-2026-25923 my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validati... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-25920 SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, a heap out-of-bounds read vulnerability exists in SumatraPDF's MOBI HuffDic decompressor. The bounds check in AddCdicData() only ... | 5.5 | MEDIUM | β | 0 |
| CVE-2026-25918 unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2 , the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose... | 5.5 | MEDIUM | β | 0 |
| CVE-2026-25892 Adminer is open-source database management software. Adminer v5.4.1 and earlier has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser ... | 7.5 | HIGH | β | 0 |
| CVE-2026-25890 File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, an authenticated user can bypass the... | 8.1 | HIGH | β | 0 |
| CVE-2026-25889 File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, a case-sensitivity flaw in the passw... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-25885 PolarLearn is a free and open-source learning program. In 0-PRERELEASE-16 and earlier, the group chat WebSocket at wss://polarlearn.nl/api/v1/ws can be used without logging in. An unauthenticated clie... | 7.5 | HIGH | β | 0 |
| CVE-2026-25881 SandboxJS is a JavaScript sandboxing library. Prior to 0.8.31, a sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laundering the isGlobal protection flag throug... | 9.0 | CRITICAL | β | 0 |
| CVE-2026-25880 SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, the PDF reader allows execution of a malicious binary (explorer.exe) located in the same directory as the opened PDF when the use... | 7.8 | HIGH | β | 0 |
| CVE-2026-25875 PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The admin authorization middleware trusts client-controlled JWT claims (role and scope) without enforc... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-25814 PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, User-controlled query parameters are passed directly into DynamoDB query/filter construction without v... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-25813 PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The application logs highly sensitive data directly to console output without masking or redaction. | 7.5 | HIGH | β | 0 |
| CVE-2026-25812 PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application enables credentialed CORS requests but does not implement any CSRF protection mechanis... | 8.8 | HIGH | β | 0 |
| CVE-2026-25811 PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application derives the tenant identifier directly from the email domain provided by the user, wit... | 9.1 | CRITICAL | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.