Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-3784 curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a s... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-3783 When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-1965 libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent reques... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-3906 WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-3492 The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-3231 The Checkout Field Editor (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted through the Woo... | 7.2 | HIGH | β | 0 |
| CVE-2026-1993 The ExactMetrics β Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function accep... | 8.8 | HIGH | β | 0 |
| CVE-2026-1992 The ExactMetrics β Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the `store_settings()` method in th... | 8.8 | HIGH | β | 0 |
| CVE-2026-1454 The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.1 via form field submissions. T... | 7.2 | HIGH | β | 0 |
| CVE-2026-3903 The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.1. This is due to missing nonce... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-2918 The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is du... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2917 The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_duplicate_thing` admin action handler. Th... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-1708 The Appointment Booking Calendar β Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection in all versions up to, and including, 1.6.9.27. This is due to ... | 7.5 | HIGH | β | 0 |
| CVE-2024-14026 A command injection vulnerability has been reported to affect several QNAP operating system versions. If an attacker gains local network access who have also gained a user account, they can then explo... | 7.8 | HIGH | β | 0 |
| CVE-2024-14025 An SQL injection vulnerability has been reported to affect Video Station. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerabili... | 6.7 | MEDIUM | β | 0 |
| CVE-2024-14024 An improper certificate validation vulnerability has been reported to affect Video Station. If an attacker gains local network access who have also gained an administrator account, they can then explo... | 6.7 | MEDIUM | β | 0 |
| CVE-2026-3826 IFTOP developed by WellChoose has a Local File Inclusion vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-3825 IFTOP developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing authenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attac... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-3824 IFTOP developed by WellChoose has an Open redirect vulnerability, allowing authenticated remote attackers to craft a URL that tricks users into visiting malicious website. | 6.1 | MEDIUM | β | 0 |
| CVE-2026-3534 The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `ast-page-background-meta` and `ast-content-background-meta` post meta fields in all versions up to, and including, 4... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-31844 An authenticated SQL Injection vulnerability (CWE-89) exists in the Koha staff interface in the /cgi-bin/koha/suggestion/suggestion.pl endpoint due to improper validation of the displayby parameter us... | 8.8 | HIGH | β | 0 |
| CVE-2026-3911 A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user cou... | 2.7 | LOW | β | 0 |
| CVE-2026-3884 Versions of the package spin.js before 3.0.0 are vulnerable to Cross-site Scripting (XSS) via the spin() function that allows a creation of more than 1 alert for each 'target' element. An attacker wou... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-3222 The WP Maps plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'location_id' parameter in all versions up to, and including, 4.9.1. This is due to the plugin's database abstr... | 7.5 | HIGH | β | 0 |
| CVE-2026-2707 The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API entry submission endpoint in all versions up to, and including, 1.6.27. This is due to inconsistent input... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2631 The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option `datalogics_token` without verification. Thi... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-2626 The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin ... | 8.1 | HIGH | β | 0 |
| CVE-2026-2466 The DukaPress WordPress plugin through 3.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against hig... | 7.1 | HIGH | β | 0 |
| CVE-2026-2358 The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[wp_ulike_likers_box]` shortcode `template` attribute in all versions up to, and including, 5.0.1. This is due t... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-27842 Authentication bypass issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to bypass authentication and change the device configuration. | N/A | NONE | β | 0 |
| CVE-2026-24448 Use of hard-coded credentials issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to obtain administrative access. | N/A | NONE | β | 0 |
| CVE-2026-20892 Code injection vulnerability exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker with administrative privileges to execute arbitrary commands. | N/A | NONE | β | 0 |
| CVE-2026-1867 The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.6 allows passing a URL parameter to regenerate a .json file based on demo data that it initially creates. If an adminis... | 5.9 | MEDIUM | β | 0 |
| CVE-2026-1753 The Gutena Forms WordPress plugin before 1.6.1 does not validate option to be updated, which could allow contributors and above role to update arbitrary boolean and array options (such as users_can_r... | 6.8 | MEDIUM | β | 0 |
| CVE-2023-27573 netbox-docker before 2.5.0 has a superuser account with default credentials (admin password for the admin account, and 0123456789abcdef0123456789abcdef01234567 value for SUPERUSER_API_TOKEN). In pract... | 9.0 | CRITICAL | β | 0 |
| CVE-2026-2413 The Ally β Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the u... | 7.5 | HIGH | β | 0 |
| CVE-2025-13067 The Royal Addons for Elementor plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.7.1049. This is due to insufficient file type validation detecting fi... | 8.8 | HIGH | β | 0 |
| CVE-2026-29515 MiCode FileExplorer contains an authentication bypass vulnerability in the embedded SwiFTP FTP server component that allows network attackers to log in without valid credentials. Attackers can send ar... | N/A | NONE | β | 0 |
| CVE-2026-23817 A vulnerability in the web-based management interface of AOS-CX Switches could allow an unauthenticated remote attacker to redirect users to an arbitrary URL. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-23816 A vulnerability in the command line interface of AOS-CX Switches could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | 7.2 | HIGH | β | 0 |
| CVE-2026-23815 A vulnerability in a custom binary used in AOS-CX Switches' CLI could allow an authenticated remote attacker with high privileges to perform command injection. Successful exploitation could allow an a... | 7.2 | HIGH | β | 0 |
| CVE-2026-23814 A vulnerability in the command parameters of a certain AOS-CX CLI command could allow a low-privilege authenticated remote attacker to inject malicious commands resulting in unwanted behavior. | 8.8 | HIGH | β | 0 |
| CVE-2026-23813 A vulnerability has been identified in the web-based management interface of AOS-CX switches that could potentially allow an unauthenticated remote actor to circumvent existing authentication controls... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-3453 The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.16.11. This is due to missing ownership validation on the change_plan_su... | 8.1 | HIGH | β | 0 |
| CVE-2026-21361 Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vvulnerability that could be abused by a high-... | 8.1 | HIGH | β | 0 |
| CVE-2026-21360 Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') ... | 6.8 | MEDIUM | β | 0 |
| CVE-2026-21359 Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature b... | 4.7 | MEDIUM | β | 0 |
| CVE-2026-21311 Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-p... | 8.0 | HIGH | β | 0 |
| CVE-2026-21310 Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-21309 Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature b... | 7.5 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.