CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2019-25418 Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the FWADDRESSES parameter. Attackers... | 6.1 | MEDIUM | No | 0 |
| CVE-2019-25419 Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the schedule endpoint. Attackers can su... | 7.2 | HIGH | No | 0 |
| CVE-2019-25420 Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the snat endpoint. Attackers can sen... | 6.1 | MEDIUM | No | 0 |
| CVE-2019-25421 Comodo Dome Firewall 2.7.0 contains multiple cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through the policyfw endpoint. Attackers can submit POST requests wit... | 6.1 | MEDIUM | No | 0 |
| CVE-2019-25422 Comodo Dome Firewall 2.7.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through the vpnfw endpoint. Attackers can submit POST requests with script pay... | 7.2 | HIGH | No | 0 |
| CVE-2025-71244 SPIP before 4.4.5 and 4.3.9 allows an Open Redirect via the login form when used in AJAX mode. An attacker can craft a malicious URL that, when visited by a victim, redirects them to an arbitrary exte... | 6.1 | MEDIUM | No | 0 |
| CVE-2025-71245 Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | N/A | NONE | No | 0 |
| CVE-2025-71246 Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | N/A | NONE | No | 0 |
| CVE-2025-71247 Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | N/A | NONE | No | 0 |
| CVE-2025-71248 Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | N/A | NONE | No | 0 |
| CVE-2025-71249 Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | N/A | NONE | No | 0 |
| CVE-2025-71250 Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | N/A | NONE | No | 0 |
| CVE-2026-25738 Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to server-side request forgery. Indico makes ou... | 4.3 | MEDIUM | No | 0 |
| CVE-2026-25739 Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to cross-site scripting when uploading certain ... | 5.4 | MEDIUM | No | 0 |
| CVE-2026-25766 Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo's `middleware.Static` using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote f... | 5.3 | MEDIUM | No | 0 |
| CVE-2026-23608 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Mail Monitoring rule creation endpoint. An authenticated user can supply HTML/JavaScript in the ... | 5.4 | MEDIUM | No | 0 |
| CVE-2026-23609 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Perimeter SMTP Servers configuration page. An authenticated user can supply HTML/JavaScript in t... | 5.4 | MEDIUM | No | 0 |
| CVE-2026-23610 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the POP2Exchange configuration endpoint. An authenticated user can supply HTML/JavaScript in the POP... | 5.4 | MEDIUM | No | 0 |
| CVE-2026-23611 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the IP Blocklist management page. An authenticated user can supply HTML/JavaScript in the ctl00$Cont... | 5.4 | MEDIUM | No | 0 |
| CVE-2026-23612 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the IP DNS Blocklist configuration page. An authenticated user can supply HTML/JavaScript in the ctl... | 5.4 | MEDIUM | No | 0 |
| CVE-2026-23613 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the URI DNS Blocklist configuration page. An authenticated user can supply HTML/JavaScript in the ct... | 5.4 | MEDIUM | No | 0 |
| CVE-2026-23621 GFI MailEssentials AI versions prior to 22.4 contain an arbitrary directory existence enumeration vulnerability in the ListServer.IsPathExist() web method exposed at /MailEssentials/pages/MailSecurity... | 4.3 | MEDIUM | No | 0 |
| CVE-2026-26057 Skill Scanner is a security scanner for AI Agent Skills that detects prompt injection, data exfiltration, and malicious code patterns. A vulnerability in the API Server of Skill Scanner could allow a ... | 6.5 | MEDIUM | No | 0 |
| CVE-2026-26059 ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated user with permission to edit groups to store a JavaScript payload that would exec... | 5.4 | MEDIUM | No | 0 |
| CVE-2026-27472 SPIP before 4.4.9 allows Blind Server-Side Request Forgery (SSRF) via syndicated sites in the private area. When editing a syndicated site, the application does not verify that the syndication URL is ... | 4.3 | MEDIUM | No | 0 |
| CVE-2026-27473 SPIP before 4.4.9 allows Stored Cross-Site Scripting (XSS) via syndicated sites in the private area. The #URL_SYNDIC output is not properly sanitized on the private syndicated site page, allowing an a... | 6.4 | MEDIUM | No | 0 |
| CVE-2026-27474 SPIP before 4.4.9 allows Cross-Site Scripting (XSS) in the private area, complementing an incomplete fix from SPIP 4.4.8. The echappe_anti_xss() function was not systematically applied to input, form,... | 6.1 | MEDIUM | No | 0 |
| CVE-2026-26278 fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be ... | 7.5 | HIGH | No | 0 |
| CVE-2026-26280 systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbi... | 8.4 | HIGH | No | 0 |
| CVE-2026-26318 systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes... | 8.8 | HIGH | No | 0 |
| CVE-2026-27013 Fabric.js is a Javascript HTML5 canvas library. Prior to version 7.2.0, Fabric.js applies `escapeXml()` to text content during SVG export (`src/shapes/Text/TextSVGExportMixin.ts:186`) but fails to app... | 7.6 | HIGH | No | 0 |
| CVE-2026-26282 NanaZip is an open source file archiver. Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, NanaZip has an out-of-bounds heap read in `.NET Single File` bundle header parser due to missing ... | 6.6 | MEDIUM | No | 0 |
| CVE-2026-24122 Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate with a validity that expires before the leaf certificate will be consider... | 3.7 | LOW | No | 0 |
| CVE-2026-26319 OpenClaw is a personal AI assistant. Versions 2026.2.13 and below allow the optional @openclaw/voice-call plugin Telnyx webhook handler to accept unsigned inbound webhook requests when telnyx.publicKe... | 7.5 | HIGH | No | 0 |
| CVE-2026-26320 OpenClaw is a personal AI assistant. OpenClaw macOS desktop client registers the `openclaw://` URL scheme. For `openclaw://agent` deep links without an unattended `key`, the app shows a confirmation d... | 6.5 | MEDIUM | No | 0 |
| CVE-2026-26321 OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Feishu extension previously allowed `sendMediaFeishu` to treat attacker-controlled `mediaUrl` values as local filesystem p... | 7.5 | HIGH | No | 0 |
| CVE-2026-26322 OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Gateway tool accepted a tool-supplied `gatewayUrl` without sufficient restrictions, which could cause the OpenClaw host to... | 7.6 | HIGH | No | 0 |
| CVE-2026-26329 OpenClaw is a personal AI assistant. Prior to version 2026.2.14, authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the b... | 6.5 | MEDIUM | No | 0 |
| CVE-2026-26957 Libredesk is a self-hosted customer support desk application. Versions prior to 1.0.2-0.20260215211005-727213631ce6 fail to validate destination URLs for webhooks, allowing an attacker posing as an au... | N/A | NONE | No | 0 |
| CVE-2026-26959 ADB Explorer is a fluent UI for ADB on Windows. Versions 0.9.26020 and below fail to validate the integrity or authenticity of the ADB binary path specified in the ManualAdbPath setting before executi... | 7.8 | HIGH | No | 0 |
| CVE-2026-26963 Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Versions 1.18.0 through 1.18.5 will incorrectly permit traffic from Pods on other nodes when Native Routing, ... | 6.1 | MEDIUM | No | 0 |
| CVE-2026-2605 Tanium addressed an insertion of sensitive information into log file vulnerability in TanOS. | 5.3 | MEDIUM | No | 0 |
| CVE-2025-30410 Sensitive data disclosure and manipulation due to missing authentication. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 39870, Acronis Cyb... | N/A | NONE | No | 0 |
| CVE-2025-30411 Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (... | N/A | NONE | No | 0 |
| CVE-2025-30412 Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (... | N/A | NONE | No | 0 |
| CVE-2025-30416 Sensitive data disclosure and manipulation due to missing authorization. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Li... | N/A | NONE | No | 0 |
| CVE-2026-26967 PJSIP is a free and open source multimedia communication library written in C. In versions 2.16 and below, there is a critical Heap-based Buffer Overflow vulnerability in PJSIP's H.264 unpacketizer. T... | 5.3 | MEDIUM | No | 0 |
| CVE-2026-26980 Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1. | 9.4 | CRITICAL | No | 0 |
| CVE-2026-26991 LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the device group name is not sanitized, allowing attackers with admin privileges to perform ... | 4.8 | MEDIUM | No | 0 |
| CVE-2026-26992 LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the port group name is not sanitized, allowing attackers with admin privileges to perform St... | 4.8 | MEDIUM | No | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.