CVE Vulnerabilities
CVE vulnerability database enriched with data from CISA KEV and NVD
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-34060 Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpola... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-34054 vcpkg is a free and open-source C/C++ package manager. Prior to version 3.6.1#3, vcpkg's Windows builds of OpenSSL set openssldir to a path on the build machine, making that path be attackable later o... | 7.8 | HIGH | — | 0 |
| CVE-2026-34043 Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When seri... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-34042 act is a project which allows for local running of github actions. Prior to version 0.2.86, act's built in actions/cache server listens to connections on all interfaces and allows anyone who can conne... | 8.2 | HIGH | — | 0 |
| CVE-2026-34041 act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disab... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-34040 Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patch... | 8.8 | HIGH | — | 0 |
| CVE-2026-34036 Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33997 Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Du... | 6.8 | MEDIUM | — | 0 |
| CVE-2026-32727 SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot (..) in the scope c... | 8.1 | HIGH | — | 0 |
| CVE-2026-32716 SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match (startswith). This allows a t... | 8.1 | HIGH | — | 0 |
| CVE-2026-32714 SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the KeyCache class in scitokens was vulnerable to SQL Injection because it used Python's str.format() to co... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-5176 A security flaw has been discovered in Totolink A3300R 17.0.0cu.557_b20221024. Affected is the function setSyslogCfg of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument provide... | 7.3 | HIGH | — | 0 |
| CVE-2026-4020 The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp... | 7.5 | HIGH | — | 0 |
| CVE-2026-3300 The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_fi... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-5115 The PaperCut NG/MF (specifically, the embedded application for Konica Minolta devices) is vulnerable to session hijacking. The PaperCut NG/MF Embedded application is a software interface that runs dir... | 7.5 | HIGH | — | 0 |
| CVE-2026-4794 Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before 25.0.10 allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This c... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-32734 baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has DOM-based cross-site scripting in tag creation. This issue has been patched in version 5.2.3. | 7.1 | HIGH | — | 0 |
| CVE-2026-30940 baserCMS is a website development framework. Prior to version 5.2.3, a path traversal vulnerability exists in the theme file management API (/baser/api/admin/bc-theme-file/theme_files/add.json) that a... | 7.2 | HIGH | — | 0 |
| CVE-2026-30880 baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has an OS command injection vulnerability in the installer. This issue has been patched in version 5.2.3. | 9.8 | CRITICAL | — | 0 |
| CVE-2026-30879 baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a cross-site scripting vulnerability in blog posts. This issue has been patched in version 5.2.3. | 6.1 | MEDIUM | — | 0 |
| CVE-2026-30878 baserCMS is a website development framework. Prior to version 5.2.3, a public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accep... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-30877 baserCMS is a website development framework. Prior to version 5.2.3, there is an OS command injection vulnerability in the update functionality. Due to this issue, an authenticated user with administr... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-27697 baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a SQL injection vulnerability in blog posts. This issue has been patched in version 5.2.3. | 9.8 | CRITICAL | — | 0 |
| CVE-2026-21861 baserCMS is a website development framework. Prior to version 5.2.3, baserCMS contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execut... | 9.1 | CRITICAL | — | 0 |
| CVE-2025-32957 baserCMS is a website development framework. Prior to version 5.2.3, the application's restore function allows users to upload a .zip file, which is then automatically extracted. A PHP file inside the... | 8.7 | HIGH | — | 0 |
| CVE-2026-5157 A vulnerability was identified in code-projects Online Food Ordering System 1.0. Affected is an unknown function of the file /form/order.php of the component Order Module. Such manipulation of the arg... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-5156 A vulnerability was determined in Tenda CH22 1.0.0.1. This impacts the function formQuickIndex of the file /goform/QuickIndex of the component Parameter Handler. This manipulation of the argument mit_... | 8.8 | HIGH | — | 0 |
| CVE-2026-5155 A vulnerability was found in Tenda CH22 1.0.0.1. This affects the function fromAdvSetWan of the file /goform/AdvSetWan of the component Parameter Handler. The manipulation of the argument wanmode resu... | 8.8 | HIGH | — | 0 |
| CVE-2026-5154 A vulnerability has been found in Tenda CH22 1.0.0.1/1.If. The impacted element is the function fromSetCfm of the file /goform/setcfm of the component Parameter Handler. The manipulation of the argume... | 8.8 | HIGH | — | 0 |
| CVE-2026-5130 The Debugger & Troubleshooter plugin for WordPress was vulnerable to Unauthenticated Privilege Escalation in versions up to and including 1.3.2. This was due to the plugin accepting the wp_debug_troub... | 8.8 | HIGH | — | 0 |
| CVE-2026-5153 A flaw has been found in Tenda CH22 1.0.0.1. The affected element is the function FormWriteFacMac of the file /goform/WriteFacMac. Executing a manipulation of the argument mac can lead to command inje... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-4257 The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in all versions up to, and including, 1.7.36. This is d... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-33995 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, a double-free vulnerability in kerberos_AcceptSecurityContext() and kerberos_InitializeSecurityContextA() (Win... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-33987 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in persistent_cache_read_entry_v3() in libfreerdp/cache/persistent.c, persistent->bmpSize is updated before wi... | 7.1 | HIGH | — | 0 |
| CVE-2026-33986 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in yuv_ensure_buffer() in libfreerdp/codec/h264.c, h264->width and h264->height are updated before the realloc... | 7.5 | HIGH | — | 0 |
| CVE-2026-33985 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, pixel data from adjacent heap memory is rendered to screen, potentially leaking sensitive data to the attacker... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-33984 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in resize_vbar_entry() in libfreerdp/codec/clear.c, vBarEntry->size is updated to vBarEntry->count before the ... | 7.5 | HIGH | — | 0 |
| CVE-2026-33983 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, progressive_decompress_tile_upgrade() detects a mismatch via progressive_rfx_quant_cmp_equal() but only emits ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33982 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, there is a heap-buffer-overflow READ vulnerability at 24 bytes before the allocation, in winpr_aligned_offset_... | 7.1 | HIGH | — | 0 |
| CVE-2026-33977 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, a malicious RDP server can crash the FreeRDP client by sending audio data in IMA ADPCM format with an invalid ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33952 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, an unvalidated auth_length field read from the network triggers a WINPR_ASSERT() failure in rts_read_auth_veri... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-32794 Improper Certificate Validation vulnerability in Apache Airflow Provider for Databricks. Provider code did not validate certificates for connections to Databricks back-end which could result in a man-... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-5152 A vulnerability was detected in Tenda CH22 1.0.0.1. Impacted is the function formCreateFileName of the file /goform/createFileName. Performing a manipulation of the argument fileNameMit results in sta... | 8.8 | HIGH | — | 0 |
| CVE-2026-4789 Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions. | 9.8 | CRITICAL | — | 0 |
| CVE-2026-34558 CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to proper... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-34557 CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to proper... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-32884 Botan is a C++ cryptography library. Prior to version 3.11.0, during processing of an X.509 certificate path using name constraints which restrict the set of allowable DNS names, if no subject alterna... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-32883 Botan is a C++ cryptography library. From version 3.0.0 to before version 3.11.0, during X509 path validation, OCSP responses were checked for an appropriate status code, but critically omitted verify... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-32877 Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value... | 8.2 | HIGH | — | 0 |
| CVE-2026-32696 NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In NanoMQ version 0.24.6, after enabling auth.http_auth (HTTP authentication), when a client connects to the broker using MQTT CON... | 3.1 | LOW | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.