Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-3613 A vulnerability was identified in Wavlink WL-NU516U1 V240425. This vulnerability affects the function sub_401A0C of the file /cgi-bin/login.cgi. Such manipulation of the argument ipaddr leads to stack... | 7.2 | HIGH | β | 0 |
| CVE-2025-59544 Chamilo is a learning management system. Prior to version 1.11.34, the functionality for the user to update the category does not implement authorization checks for the "category_id" parameter which a... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-3616 A vulnerability was detected in DefaultFuction Jeson Customer Relationship Management System 1.0.0. Impacted is an unknown function of the file /modules/customers/edit.php. Performing a manipulation o... | 6.3 | MEDIUM | β | 0 |
| CVE-2025-55289 Chamilo is a learning management system. Prior to version 1.11.34, there is a stored XSS vulnerability in Chamilo LMS (Verison 1.11.32) allows an attacker to inject arbitrary JavaScript into the platf... | 8.8 | HIGH | β | 0 |
| CVE-2025-59540 Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-59541 Chamilo is a learning management system. Prior to version 1.11.34, a Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to delete projects inside a course without the victimβs consent.... | 8.1 | HIGH | β | 0 |
| CVE-2025-59542 Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course learning path Settings ... | 9.0 | CRITICAL | β | 0 |
| CVE-2025-59543 Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course description field, an a... | 9.0 | CRITICAL | β | 0 |
| CVE-2026-25962 MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.4, MarkUs currently extracts zip files without any size or entry-count limits. For example, inst... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27807 MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.4, MarkUs allows course instructors to upload YAML files to create/update various entities (e.g.... | 4.9 | MEDIUM | β | 0 |
| CVE-2026-28497 TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.03, an integer overflow vulnerability in the string-to-integer conversion routine (_Val) allows an unauthenticated... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-28501 WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-28502 WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionali... | 8.8 | HIGH | β | 0 |
| CVE-2026-29041 Chamilo is a learning management system. Prior to version 1.11.34, Chamilo LMS is affected by an authenticated remote code execution vulnerability caused by improper validation of uploaded files. The ... | 8.8 | HIGH | β | 0 |
| CVE-2026-25179 Improper validation of specified type of input in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 7.0 | HIGH | β | 0 |
| CVE-2026-29046 TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser ... | 8.2 | HIGH | β | 0 |
| CVE-2026-29093 WWBN AVideo is an open source video platform. Prior to version 24.0, the official docker-compose.yml publishes the memcached service on host port 11211 (0.0.0.0:11211) with no authentication, while th... | 8.1 | HIGH | β | 0 |
| CVE-2026-25877 Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, the application performs authorization checks bas... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25887 Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability vi... | 7.2 | HIGH | β | 0 |
| CVE-2026-25888 Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability vi... | 8.8 | HIGH | β | 0 |
| CVE-2026-27005 Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3, an unauthenticated attacker can inject arbitrary ... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-27603 Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the chart filter endpoint POST /project/:project_... | 7.5 | HIGH | β | 0 |
| CVE-2026-27605 Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the application allows uploading files (project l... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-28428 Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to perf... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-28429 Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871, a Path Traversal vulnerability was identified in the gameName parameter. While the application's primary entry points implement... | 7.5 | HIGH | β | 0 |
| CVE-2026-28507 Idno is a social publishing platform. Prior to version 1.6.4, there is a remote code execution vulnerability via chained import file write and template path traversal. This issue has been patched in v... | 7.2 | HIGH | β | 0 |
| CVE-2026-28508 Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any... | 8.6 | HIGH | β | 0 |
| CVE-2026-28509 LangBot is a global IM bot platform designed for LLMs. Prior to version 4.8.7, LangBotβs web UI renders user-supplied raw HTML using rehypeRaw, which can lead to a cross-site scripting (XSS) vulnerabi... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-28675 OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, some endpoints returned raw exception strings to clients. Addition... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-28676 OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, multiple storage helpers used path construction patterns that did ... | 8.8 | HIGH | β | 0 |
| CVE-2026-28677 OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, the URL ingest pipeline accepted user-controlled remote URLs with ... | 8.2 | HIGH | β | 0 |
| CVE-2026-28679 Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. Prior to version 1.21.0, when a user requests a download, the application does not verify whether the re... | 8.6 | HIGH | β | 0 |
| CVE-2026-28680 Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sens... | 9.3 | CRITICAL | β | 0 |
| CVE-2026-28681 Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. From version 4.4.0 to before version 4.4.5 and from version 4.5.0 to before version 4.5... | 8.1 | HIGH | β | 0 |
| CVE-2026-28682 Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload stat... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-28683 Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they c... | 8.7 | HIGH | β | 0 |
| CVE-2026-28685 Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/{id}" only checks the role-based view_invoice permission but does not verify the requesting user ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-28785 Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL commands via the getHistorical() method, potent... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-28787 OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the challenge on the server side. Instead, ... | 8.2 | HIGH | β | 0 |
| CVE-2026-28794 oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-29060 Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to ... | 5.0 | MEDIUM | β | 0 |
| CVE-2026-29061 Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demo... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-29084 Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the login flow accepts credential-bearing requests without CSRF protection mechani... | 4.6 | MEDIUM | β | 0 |
| CVE-2026-1128 The WP eCommerce WordPress plugin through 3.15.1 does not have CSRF check in place when deleting coupons, which could allow attackers to make a logged in admin remove them via a CSRF attack | 4.3 | MEDIUM | β | 0 |
| CVE-2026-2446 The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CRSF checks in an AJAX action, allowing unauthenticated users to update arbitrary WordPress options (such as d... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-28438 CocoIndex is a data transformation framework for AI. Prior to version 0.3.34, the Doris target connector didn't verify the configured table name before creating some SQL statements (ALTER TABLE). So, ... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-28795 OpenChatBI is an intelligent chat-based BI tool powered by large language models, designed to help users query, analyze, and visualize data through natural language conversations. Prior to version 0.2... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-28799 PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap use-after-free vulnerability exists in PJSIP's event subscription framework (evsub.c) that ... | 7.5 | HIGH | β | 0 |
| CVE-2026-28800 Natro Macro is an open-source Bee Swarm Simulator macro written in AutoHotkey. Prior to version 1.1.0, anyone with Discord Remote Control set up in a non-private channel gives access to any user with ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-22457 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wanderland wanderland allows PHP Local File Inclusion.This issue ... | 8.1 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.