Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-24949 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods PhotoMe photome allows DOM-Based XSS.This issue affects PhotoMe: from n/a through <= 5.... | 7.1 | HIGH | β | 0 |
| CVE-2026-24950 Authorization Bypass Through User-Controlled Key vulnerability in themeplugs Authorsy authorsy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Authorsy: from... | 7.5 | HIGH | β | 0 |
| CVE-2026-27072 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PixelYourSite PixelYourSite β Your smart PIXEL (TAG) Manager pixelyoursite allows Stored XSS.This ... | 7.1 | HIGH | β | 0 |
| CVE-2026-2846 A security vulnerability has been detected in UTT HiPER 520 1.7.7-160105. This impacts the function sub_44D264 of the file /goform/formPdbUpConfig of the component Web Management Interface. The manipu... | 7.2 | HIGH | β | 0 |
| CVE-2026-2847 A vulnerability was detected in UTT HiPER 520 1.7.7-160105. Affected is the function sub_44EFB4 of the file /goform/formReleaseConnect of the component Web Management Interface. The manipulation of th... | 7.2 | HIGH | β | 0 |
| CVE-2025-70833 An Authentication Bypass vulnerability in Smanga 3.2.7 allows an unauthenticated attacker to reset the password of any user (including the administrator) and fully takeover the account by manipulating... | 9.4 | CRITICAL | β | 0 |
| CVE-2026-1842 HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used... | N/A | NONE | β | 0 |
| CVE-2026-25715 The web management interface of the device allows the administrator username and password to be set to blank values. Once applied, the device permits authentication with empty credentials over the w... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-26048 The Wi-Fi router is vulnerable to de-authentication attacks due to the absence of management frame protection, allowing forged deauthentication and disassociation frames to be broadcast without auth... | 7.5 | HIGH | β | 0 |
| CVE-2026-26049 The web management interface of the device renders the passwords in a plaintext input field. The current password is directly visible to anyone with access to the UI, potentially exposing administra... | 5.7 | MEDIUM | β | 0 |
| CVE-2026-26093 Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds 2.2.0.4 allows Command Injection via a crafted network request. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-26095 Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request. | 5.5 | MEDIUM | β | 0 |
| CVE-2026-26096 Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request. | 5.5 | MEDIUM | β | 0 |
| CVE-2026-26097 Uncontrolled Search Path Element in Owl opds 2.2.0.4 allows Leveraging/Manipulating Configuration File Search Paths via a crafted network request. | 5.5 | MEDIUM | β | 0 |
| CVE-2026-26713 code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/routers/cancel-order.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-26723 Cross Site Scripting vulnerability in Key Systems Inc Global Facilities Management Software v. 20230721a allows a remote attacker to execute arbitrary code via the function parameter. | 8.2 | HIGH | β | 0 |
| CVE-2026-26724 Cross Site Scripting vulnerability in Key Systems Inc Global Facilities Management Software v. 20230721a allows a remote attacker to execute arbitrary code via the selectgroup and gn parameters on the... | 7.6 | HIGH | β | 0 |
| CVE-2026-26725 An issue in edu Business Solutions Print Shop Pro WebDesk v.18.34 allows a remote attacker to escalate privileges via the AccessID parameter. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-26745 OpenSourcePOS 3.4.1 has a second order SQL Injection vulnerability in the handling of the currency_symbol configuration field. Although the input is initially stored without immediate execution, it is... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-26746 OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type... | 8.8 | HIGH | β | 0 |
| CVE-2026-26747 A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where ... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-27502 SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in log.php via the search query parameter. The application embeds the unsanitized parameter value directly into a... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-27503 SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in admin/log.php via the search query parameter. When an authenticated administrator views a crafted URL, the app... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-27504 SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in radiomobile_front.php via the stationid query parameter. When an authenticated administrator views a crafted U... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-27505 SVXportal version 2.5 and prior contain a stored cross-site scripting vulnerability in the user registration workflow (index.php submitting to admin/user_action.php). User-supplied fields such as Firs... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-27506 SVXportal version 2.5 and prior contain a stored cross-site scripting vulnerability in the user profile update workflow (user_settings.php submitting to admin/update_user.php). Authenticated users can... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-2333 Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds 2.2.0.4 allows Command Injection via a crafted network request. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-2818 A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be... | 8.2 | HIGH | β | 0 |
| CVE-2026-2853 A vulnerability was detected in D-Link DWR-M960 1.01.07. This affects the function sub_462E14 of the file /boafrm/formSysLog of the component System Log Configuration Endpoint. Performing a manipulati... | 8.8 | HIGH | β | 0 |
| CVE-2026-24891 openITCOCKPIT is an open source monitoring tool built for different monitoring engines like Nagios, Naemon and Prometheus. Versions 5.3.1 and below contain an unsafe deserialization sink in the Gearma... | 7.5 | HIGH | β | 0 |
| CVE-2026-2832 Certain Samsung MultiXpress Multifunction Printers may be vulnerable to information disclosure, potentially exposing address book entries and other device configuration information through specific AP... | N/A | NONE | β | 0 |
| CVE-2026-27533 Rejected reason: Not used | N/A | NONE | β | 0 |
| CVE-2026-27534 Rejected reason: Not used | N/A | NONE | β | 0 |
| CVE-2026-2854 A flaw has been found in D-Link DWR-M960 1.01.07. This impacts the function sub_4611CC of the file /boafrm/formNtp of the component NTP Configuration Endpoint. Executing a manipulation of the argument... | 8.8 | HIGH | β | 0 |
| CVE-2026-2855 A vulnerability has been found in D-Link DWR-M960 1.01.07. Affected is the function sub_4648F0 of the file /boafrm/formDdns of the component DDNS Settings Handler. The manipulation of the argument sub... | 8.8 | HIGH | β | 0 |
| CVE-2026-24892 openITCOCKPIT is an open source monitoring tool built for different monitoring engines like Nagios, Naemon and Prometheus. openITCOCKPIT Community Edition 5.3.1 and earlier contains an unsafe PHP dese... | 7.5 | HIGH | β | 0 |
| CVE-2026-25896 fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entit... | 9.3 | CRITICAL | β | 0 |
| CVE-2026-27020 Photobooth prior to 1.0.1 has a cross-site scripting (XSS) vulnerability in user input fields. Malicious users could inject scripts through unvalidated form inputs. This vulnerability is fixed in 1.0.... | N/A | NONE | β | 0 |
| CVE-2026-27190 Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.6.8, a command injection vulnerability exists in Deno's node:child_process implementation. This vulnerability is fixed in 2.6.8. | 8.1 | HIGH | β | 0 |
| CVE-2025-15595 Privilege escalation via dll hijacking in Inno Setup 6.2.1 and ealier versions. | 7.8 | HIGH | β | 0 |
| CVE-2026-2856 A vulnerability was found in D-Link DWR-M960 1.01.07. Affected by this vulnerability is the function sub_424AFC of the file /boafrm/formFilter of the component Filter Configuration Endpoint. The manip... | 8.8 | HIGH | β | 0 |
| CVE-2026-2857 A vulnerability was determined in D-Link DWR-M960 1.01.07. Affected by this issue is the function sub_423E00 of the file /boafrm/formPortFw of the component Port Forwarding Configuration Endpoint. Thi... | 8.8 | HIGH | β | 0 |
| CVE-2026-0777 Xmind Attachment Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Xmind. User interaction ... | N/A | NONE | β | 0 |
| CVE-2026-0797 GIMP ICO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User inter... | N/A | NONE | β | 0 |
| CVE-2026-27022 @langchain/langgraph-checkpoint-redis is the Redis checkpoint and store implementation for LangGraph. A query injection vulnerability exists in the @langchain/langgraph-checkpoint-redis package's filt... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27024 pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires accessing the children o... | 5.5 | MEDIUM | β | 0 |
| CVE-2026-27118 SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal que... | N/A | NONE | β | 0 |
| CVE-2026-27120 Leafkit is a templating language with Swift-inspired syntax. Prior to 1.4.1, htmlEscaped in leaf-kit will only escape html special characters if the extended grapheme clusters match, which allows bypa... | 6.1 | MEDIUM | β | 0 |
| CVE-2018-25158 Chamilo LMS 1.11.8 contains an arbitrary file upload vulnerability that allows authenticated users to upload and execute PHP files through the elfinder filemanager module. Attackers can upload files w... | 8.8 | HIGH | β | 0 |
| CVE-2019-25431 delpino73 Blue-Smiley-Organizer 1.32 contains an SQL injection vulnerability in the datetime parameter that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL co... | 8.2 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.