Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-27584 Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN an... | 7.5 | HIGH | β | 0 |
| CVE-2026-27732 WWBN AVideo is an open source video platform. Prior to version 22.0, the `aVideoEncoder.json.php` API endpoint accepts a `downloadURL` parameter and fetches the referenced resource server-side without... | 8.1 | HIGH | β | 0 |
| CVE-2026-27520 Binardat 10G08-0800GSM network switch firmware versions prior toΒ V300SP10260209Β store a user password in a client-side cookie as a Base64-encoded value accessible via the web interface. Because Base64... | 7.5 | HIGH | β | 0 |
| CVE-2026-27521 Binardat 10G08-0800GSM network switch firmware versionΒ V300SP10260209Β and priorΒ do not implement rate limiting or account lockout on failed login attempts, enabling brute-force attacks against user cr... | 7.5 | HIGH | β | 0 |
| CVE-2024-48928 Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secret_key configuration parameter is set to MD5(RAND()) in MySQL. However, RAND() ... | 7.5 | HIGH | β | 0 |
| CVE-2025-13776 Multiple Finka programs use hard-coded Firebird database credentials (shared across all instances of this software). A malicious attacker in local network who knows default credentials is able to read... | 7.1 | HIGH | β | 0 |
| CVE-2026-27571 NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compr... | 5.9 | MEDIUM | β | 0 |
| CVE-2026-27585 Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path re... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27586 Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to sil... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-27587 Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains pe... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-27588 Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host l... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-27589 Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint tha... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-26341 Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior ship with default credentials that are not forced to be changed during installation or commissioning. An attacker wh... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-33180 NVIDIA Cumulus Linux and NVOS products contain a vulnerability in the NVUE interface, where a low-privileged user could inject a command. A successful exploit of this vulnerability might lead to escal... | 8.0 | HIGH | β | 0 |
| CVE-2025-33181 NVIDIA Cumulus Linux and NVOS products contain a vulnerability in the NVUE interface, where a low-privileged user could inject a command. A successful exploit of this vulnerability might lead to escal... | 7.3 | HIGH | β | 0 |
| CVE-2026-1768 A permission cache poisoning vulnerability in Devolutions Server allows authenticated users to bypass permissions to access entries.This issue affects Devolutions Server: before 2025.3.15. | 4.3 | MEDIUM | β | 0 |
| CVE-2026-22765 Dell Wyse Management Suite, versions prior to WMS 5.5, contain a Missing Authorization vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading... | 8.8 | HIGH | β | 0 |
| CVE-2026-22766 Dell Wyse Management Suite, versions prior to WMS 5.5, contain an Unrestricted Upload of File with Dangerous Type vulnerability. A high privileged attacker with remote access could potentially exploit... | 7.2 | HIGH | β | 0 |
| CVE-2026-23858 Dell Wyse Management Suite, versions prior to WMS 5.5, contain an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low privileged attacker with rem... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-23859 Dell Wyse Management Suite, versions prior to WMS 5.5, contain a Client-Side Enforcement of Server-Side Security vulnerability. A high privileged attacker with remote access could potentially exploit ... | 2.7 | LOW | β | 0 |
| CVE-2026-26695 code-projects Simple Student Alumni System v1.0 is vulnerable to SQL Injection in /TracerStudy/recordstudent_edit.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-26342 Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior implement an authentication token (X-User-Token) with insufficient expiration. An attacker who obtains a valid token... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-27477 Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, an... | 5.9 | MEDIUM | β | 0 |
| CVE-2026-3105 SummaryThis advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timel... | 7.6 | HIGH | β | 0 |
| CVE-2026-3131 Improper access control in multiple DVLS REST API endpoints in Devolutions Server 2025.3.14.0 and earlier allows an authenticated user with view-only permission to access sensitive connection data. | 6.5 | MEDIUM | β | 0 |
| CVE-2025-46320 A cross-site scripting (XSS) vulnerability in a FileMaker WebDirect custom homepage could lead to unauthorized access and remote code execution. This vulnerability has been fully addressed in FileMake... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-21410 InSAT MasterSCADA BUK-TS is susceptible to SQL Injection through its main web interface. Malicious users that use the vulnerable endpoint are potentially able to cause remote code execution. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-27204 Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of WASI host interfaces are susceptible to guest-controlled resource exha... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27572 Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when to... | 7.5 | HIGH | β | 0 |
| CVE-2026-27593 Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user's ... | 9.3 | CRITICAL | β | 0 |
| CVE-2026-26351 GetSimpleCMS Community Edition (CE) version 3.3.16 contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php. User-supplied input provid... | 4.8 | MEDIUM | β | 0 |
| CVE-2026-26696 code-projects Simple Student Alumni System v1.0 is vulnerable to SQL Injection in /TracerStudy/recordteacher_edit.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-24896 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a Broken Access Control vulnerability exists in OpenEMRβs edih_main.php... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25124 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the OpenEMR application is vulnerable to an access control flaw that al... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25127 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the server does not properly validate user permission. Unauthorized use... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25131 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a Broken Access Control vulnerability exists in the OpenEMR order types... | 8.8 | HIGH | β | 0 |
| CVE-2026-2914 CyberArk Endpoint Privilege Manager Agent versions 25.10.0 and lower allow potential unauthorized privilege elevation leveraging CyberArk elevation dialogs | 7.8 | HIGH | β | 0 |
| CVE-2025-5781 Information Exposure Vulnerability in Hitachi Ops Center API Configuration Manager, Hitachi Configuration Manager, Hitachi Device Manager allows Session Hijacking.This issue affects Hitachi Ops Center... | 5.2 | MEDIUM | β | 0 |
| CVE-2026-26702 sourcecodester Personnel Property Equipment System v1.0 is vulnerable to SQL Injection in /ppes/admin/myitem_reuse.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-27609 Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) lacks CSRF protection.... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27610 Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the `ConfigKeyCache` uses the same cache key for both master key and read-on... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-27611 FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the pa... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27612 Repostat is a React component to fetch and display GitHub repository info. Prior to version 1.0.1, the `RepoCard` component is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability occ... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-27614 Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.13, an unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event. The payloa... | 9.3 | CRITICAL | β | 0 |
| CVE-2026-27632 Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48, the Talishar application lacks Cross-Site Request Forgery (CSRF) protections on critical state... | 2.6 | LOW | β | 0 |
| CVE-2026-27822 RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.83, a Stored Cross-Site Scripting (XSS) vulnerability in the RustFS Console allows an attacker to execute arbi... | 9.0 | CRITICAL | β | 0 |
| CVE-2026-3145 A flaw has been found in libvips up to 8.18.0. The affected element is the function vips_foreign_load_matrix_file_is_a/vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. Executi... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-3146 A vulnerability has been found in libvips up to 8.18.0. The impacted element is the function vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. The manipulation leads to null po... | 3.3 | LOW | β | 0 |
| CVE-2026-27597 Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to version 2.11.1, it is possible to escape the security boundraries set by `@enclave-vm/core`, which can be use... | 10.0 | CRITICAL | β | 0 |
| CVE-2026-27627 Karakeep is a elf-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns `readableContentHtml`, the HTML parsing subprocess uses it directly without running it... | 8.2 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.