Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-33705 Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These temp... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-33707 Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no random component, no expiration, and no r... | 9.4 | CRITICAL | β | 0 |
| CVE-2026-33708 Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33710 Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)). The rand(10000, 10000) call always ret... | 7.5 | HIGH | β | 0 |
| CVE-2025-67994 Missing Authorization vulnerability in YayCommerce YayCurrency yaycurrency allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects YayCurrency: from n/a through <= 3... | 7.5 | HIGH | β | 0 |
| CVE-2025-68000 Missing Authorization vulnerability in PickPlugins Testimonial Slider testimonial allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Testimonial Slider: from n/... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-68005 Missing Authorization vulnerability in themewant Easy Hotel Booking easy-hotel allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Hotel Booking: from n/a t... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-68022 Missing Authorization vulnerability in soporteblue Plugin BlueX for WooCommerce bluex-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Plugin ... | 7.3 | HIGH | β | 0 |
| CVE-2025-68023 Missing Authorization vulnerability in Addonify Addonify – Compare Products For WooCommerce addonify-compare-products allows Exploiting Incorrectly Configured Access Control Security Levels.This... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-68025 Missing Authorization vulnerability in Addonify Addonify Floating Cart For WooCommerce addonify-floating-cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-68028 Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress ga-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GA4W... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-68032 Missing Authorization vulnerability in Passionate Brains Advanced WC Analytics advance-wc-analytics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced ... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-68069 Missing Authorization vulnerability in wpWax Directorist directorist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directorist: from n/a through <= 8.6.6. | 7.1 | HIGH | β | 0 |
| CVE-2025-68534 Missing Authorization vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PDF for WPForms: from n/a ... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-68545 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Nika nika allows PHP Local File Inclusion.This issue affects Nika: from... | 8.1 | HIGH | β | 0 |
| CVE-2026-22351 Missing Authorization vulnerability in Marcus (aka @msykes) WP FullCalendar wp-fullcalendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP FullCalendar: ... | 7.5 | HIGH | β | 0 |
| CVE-2026-22383 Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows Exploiting Incorrectly Configured Access Control ... | 7.5 | HIGH | β | 0 |
| CVE-2026-22384 Deserialization of Untrusted Data vulnerability in leafcolor Applay - Shortcodes applay-shortcodes allows Object Injection.This issue affects Applay - Shortcodes: from n/a through <= 3.7. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-61146 saitoha libsixel until v1.8.7 was discovered to contain a memory leak via the component malloc_stub.c. | 4.0 | MEDIUM | β | 0 |
| CVE-2026-28083 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UX-themes Flatsome flatsome allows Stored XSS.This issue affects Flatsome: from n/a through <= 3.2... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-69340 Missing Authorization vulnerability in BuddhaThemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This... | 7.5 | HIGH | β | 0 |
| CVE-2026-22392 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Cortex cortex allows PHP Local File Inclusion.This issue affects ... | 8.1 | HIGH | β | 0 |
| CVE-2026-22403 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Innovio innovio allows PHP Local File Inclusion.This issue affect... | 8.1 | HIGH | β | 0 |
| CVE-2026-22417 Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Wedding grandwedding allows Object Injection.This issue affects Grand Wedding: from n/a through < 3.1.11. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-22459 Missing Authorization vulnerability in Blend Media WordPress CTA easy-sticky-sidebar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress CTA: from n/a ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-22460 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in wpWax FormGent formgent allows Path Traversal.This issue affects FormGent: from n/a through <= 1.7.0. | 8.6 | HIGH | β | 0 |
| CVE-2026-25442 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes Kentha kentha allows Reflected XSS.This issue affects Kentha: from n/a through <= 4.7... | 7.1 | HIGH | β | 0 |
| CVE-2026-25443 Missing Authorization vulnerability in Dotstore Fraud Prevention For Woocommerce woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers allows Exploiting Incorrectly Configured Access Cont... | 7.5 | HIGH | β | 0 |
| CVE-2026-27065 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress BuilderPress builderpress allows PHP Local File Inclusion.This issue ... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-27067 Unrestricted Upload of File with Dangerous Type vulnerability in Syarif Mobile App Editor mobile-app-editor allows Upload a Web Shell to a Web Server.This issue affects Mobile App Editor: from n/a thr... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-27068 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Howard Website LLMs.txt website-llms-txt allows Reflected XSS.This issue affects Website LLMs... | 7.1 | HIGH | β | 0 |
| CVE-2026-23977 Missing Authorization vulnerability in WPFactory Helpdesk Support Ticket System for WooCommerce support-ticket-system-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security L... | 7.5 | HIGH | β | 0 |
| CVE-2026-24376 Missing Authorization vulnerability in Javier Casares WPVulnerability wpvulnerability allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPVulnerability: from n... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25034 Missing Authorization vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KiviCare: fro... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25390 Missing Authorization vulnerability in Saad Iqbal New User Approve new-user-approve allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects New User Approve: from n/... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25406 Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeum Tutor LMS Pro tutor-pro allows Authentication Abuse.This issue affects Tutor LMS Pro: from n/a through <= 3.9.4. | 8.1 | HIGH | β | 0 |
| CVE-2026-40352 FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection. An authenticated attacker can bypass the "old password" verifica... | 8.8 | HIGH | β | 0 |
| CVE-2026-28389 Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled... | 7.5 | HIGH | β | 0 |
| CVE-2026-28390 Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-contro... | 7.5 | HIGH | β | 0 |
| CVE-2026-31789 Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a cra... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-31790 Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitiali... | 7.5 | HIGH | β | 0 |
| CVE-2024-8010 The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external en... | 3.5 | LOW | β | 0 |
| CVE-2025-6024 The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into th... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-40487 Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to th... | 8.9 | HIGH | β | 0 |
| CVE-2026-5450 Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 coul... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-40497 FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's `Helper::stripDangerousTags()` removes `<script>`, `<form>`, `<iframe>`, `<object>` but does NOT str... | 8.1 | HIGH | β | 0 |
| CVE-2026-40353 wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled lice... | N/A | NONE | β | 0 |
| CVE-2026-40474 wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead ... | 7.6 | HIGH | β | 0 |
| CVE-2026-40476 graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(nΒ²) pairwise comparisons of fields sharing the same response na... | N/A | NONE | β | 0 |
| CVE-2026-40323 SP1 is a zeroβknowledge virtual machine that proves the correct execution of programs compiled for the RISC-V architecture. In versions 6.0.0 through 6.0.2, a soundness vulnerability in the SP1 V6 rec... | N/A | NONE | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.