Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2025-61917 n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner allowed untrusted code to all... | 7.7 | HIGH | β | 0 |
| CVE-2025-71193 In the Linux kernel, the following vulnerability has been resolved: phy: qcom-qusb2: Fix NULL pointer dereference on early suspend Enabling runtime PM before attaching the QPHY instance as driver da... | N/A | NONE | β | 0 |
| CVE-2026-25055 n8n is an open source workflow automation platform. Prior to versions 1.123.12 and 2.4.0, when workflows process uploaded files and transfer them to remote servers via the SSH node without validating ... | 8.1 | HIGH | β | 0 |
| CVE-2026-25056 n8n is an open source workflow automation platform. Prior to versions 1.118.0 and 2.4.0, a vulnerability in the Merge node's SQL Query mode allowed authenticated users with permission to create or mod... | 8.8 | HIGH | β | 0 |
| CVE-2026-25115 n8n is an open source workflow automation platform. Prior to version 2.4.8, a vulnerability in the Python Code node allows authenticated users to break out of the Python sandbox environment and execut... | 9.9 | CRITICAL | β | 0 |
| CVE-2025-69213 OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, a SQL Injection vulnerability exists in the ajax_complete.php endpoint when han... | 8.8 | HIGH | β | 0 |
| CVE-2025-69215 OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, there is a SQL Injection vulnerability in the Stampe Module. At time of publica... | 8.8 | HIGH | β | 0 |
| CVE-2026-22044 GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-22247 GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF request through the Webhook feature. This issue has been patched in... | 4.1 | MEDIUM | β | 0 |
| CVE-2019-25276 Studio 5000 Logix Designer 30.01.00 contains an unquoted service path vulnerability in the FactoryTalk Activation Service that allows local users to potentially execute code with elevated privileges. ... | 7.8 | HIGH | β | 0 |
| CVE-2026-1892 A security vulnerability has been detected in WeKan up to 8.20. This affects the function setBoardOrgs of the file models/boards.js of the component REST API. Such manipulation of the argument item.ca... | 5.0 | MEDIUM | β | 0 |
| CVE-2026-25537 jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim (such as nbf or ... | 7.5 | HIGH | β | 0 |
| CVE-2026-25538 Devtron is an open source tool integration platform for Kubernetes. In version 2.0.0 and prior, a vulnerability exists in Devtron's Attributes API interface, allowing any authenticated user (including... | 8.8 | HIGH | β | 0 |
| CVE-2026-25539 SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-1246 The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Arbitrary File Read via path traversal in the 'loadFile' parameter in all versions up to, and including, 6.4.2 due to insufficient ... | 4.9 | MEDIUM | β | 0 |
| CVE-2026-1268 The Dynamic Widget Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget content field in the Gutenberg editor sidebar in all versions up to, and including, 1.3.6 du... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1953 Nukegraphic CMS v3.1.2 contains a stored cross-site scripting (XSS) vulnerability in the user profile edit functionality at /ngc-cms/user-edit-profile.php. The application fails to properly sanitize u... | N/A | NONE | β | 0 |
| CVE-2026-25198 web2py versions 2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior contain an open redirect vulnerability. If this vulnerability is exploited, the user may be redirected to an arbitrary website whe... | N/A | NONE | β | 0 |
| CVE-2025-13416 The ProfileGrid β User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized user suspension due to a missing capability check on the pm_deactivate_user_from_group() func... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1319 The Robin Image Optimizer β Unlimited Image Optimization & WebP Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of a Media Library image in... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-14150 IBM webMethods Integration (on prem) - Integration Server 10.15 through IS_10.15_Core_Fix2411.1 to IS_11.1_Core_Fix8 IBM webMethods Integration could disclose sensitive user information in server resp... | 6.5 | MEDIUM | β | 0 |
| CVE-2020-37142 10-Strike Network Inventory Explorer 8.54 contains a structured exception handler buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting SEH records. Attackers ca... | 8.4 | HIGH | β | 0 |
| CVE-2020-37143 ProficySCADA for iOS 5.0.25920 contains a denial of service vulnerability that allows attackers to crash the application by manipulating the password input field. Attackers can overwrite the password ... | 7.5 | HIGH | β | 0 |
| CVE-2020-37144 Exagate SYSGuard 6001 contains a cross-site request forgery vulnerability that allows attackers to create unauthorized admin accounts through a crafted HTML form. Attackers can trick users into submit... | 5.3 | MEDIUM | β | 0 |
| CVE-2020-37145 HRSALE 1.1.8 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized administrative users through the employee registration form. Attackers can craft a malicious ... | 4.3 | MEDIUM | β | 0 |
| CVE-2020-37148 P5 FNIP-8x16A/FNIP-4xSH versions 1.0.20 and 1.0.11 suffer from a stored cross-site scripting vulnerability. Input passed to several GET/POST parameters is not properly sanitized before being returned ... | 3.5 | LOW | β | 0 |
| CVE-2020-37149 Edimax EW-7438RPn-v3 Mini 1.27 is vulnerable to cross-site request forgery (CSRF) that can lead to command execution. An attacker can trick an authenticated user into submitting a crafted form to the ... | 8.1 | HIGH | β | 0 |
| CVE-2020-37150 Edimax EW-7438RPn-v3 Mini 1.27 allows unauthenticated attackers to access the /wizard_reboot.asp page in unsetup mode, which discloses the Wi-Fi SSID and security key. Attackers can retrieve the wirel... | 7.5 | HIGH | β | 0 |
| CVE-2025-15334 Tanium addressed an information disclosure vulnerability in Threat Response. | 4.3 | MEDIUM | β | 0 |
| CVE-2025-15335 Tanium addressed an information disclosure vulnerability in Threat Response. | 4.3 | MEDIUM | β | 0 |
| CVE-2025-15336 Tanium addressed an incorrect default permissions vulnerability in Performance. | 6.5 | MEDIUM | β | 0 |
| CVE-2025-15337 Tanium addressed an incorrect default permissions vulnerability in Patch. | 6.5 | MEDIUM | β | 0 |
| CVE-2025-15338 Tanium addressed an incorrect default permissions vulnerability in Partner Integration. | 6.5 | MEDIUM | β | 0 |
| CVE-2025-15339 Tanium addressed an incorrect default permissions vulnerability in Discover. | 6.5 | MEDIUM | β | 0 |
| CVE-2025-15340 Tanium addressed an incorrect default permissions vulnerability in Comply. | 6.5 | MEDIUM | β | 0 |
| CVE-2025-15566 A security issue was discovered in ingress-nginxΒ where the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` Ingress annotation can be used to inject configuration into nginx. This can lead to arbi... | 8.8 | HIGH | β | 0 |
| CVE-2026-1279 The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_title' parameter in the `search_employee_directory` shortcode in all versions up to, and includin... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-21626 Access control settings for forum post custom fields are not applied to the JSON output type, leading to an ACL violation vector an information disclosure | 7.5 | HIGH | β | 0 |
| CVE-2026-24915 Out-of-bounds read issue in the media subsystem. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. | 6.2 | MEDIUM | β | 0 |
| CVE-2026-24927 Out-of-bounds access vulnerability in the frequency modulation module. Impact: Successful exploitation of this vulnerability may affect availability. | 5.5 | MEDIUM | β | 0 |
| CVE-2026-24928 Out-of-bounds write vulnerability in the file system module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 5.8 | MEDIUM | β | 0 |
| CVE-2026-1293 The Yoast SEO β Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the `yoast-schema` block attribute in all versions up to,... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-23738 Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET varia... | 3.5 | LOW | β | 0 |
| CVE-2026-23739 Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the ast_xml_open() function in xml.c parses XML documents ... | 2.0 | LOW | β | 0 |
| CVE-2026-23740 Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files t... | 0.0 | NONE | β | 0 |
| CVE-2026-23741 Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, ... | 0.0 | NONE | β | 0 |
| CVE-2026-25586 SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty on a sandbox object, which disables prototype whitelist enforcement in the prope... | 10.0 | CRITICAL | β | 0 |
| CVE-2026-25587 SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, as Map is in SAFE_PROTOYPES, it's prototype can be obtained via Map.prototype. By overwriting Map.prototype.has the sandbox can be escape... | 10.0 | CRITICAL | β | 0 |
| CVE-2026-25641 SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, there is a sandbox escape vulnerability due to a mismatch between the key on which the validation is performed and the key used for acces... | 10.0 | CRITICAL | β | 0 |
| CVE-2026-25643 Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Friga... | 9.1 | CRITICAL | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.