Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2020-37117 jizhiCMS 1.6.7 contains a file download vulnerability in the admin plugins update endpoint that allows authenticated administrators to download arbitrary files. Attackers can exploit the vulnerability... | 8.8 | HIGH | β | 0 |
| CVE-2025-69619 A path traversal in My Text Editor v1.6.2 allows attackers to cause a Denial of Service (DoS) via writing files to the internal storage. | 5.5 | MEDIUM | β | 0 |
| CVE-2026-1707 pgAdmin versions 9.11 are affected by a Restore restriction bypass via key disclosure vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. An att... | 7.4 | HIGH | β | 0 |
| CVE-2026-0106 In vpu_mmap of vpu_ioctl, there is a possible arbitrary address mmap due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. Use... | 9.3 | CRITICAL | β | 0 |
| CVE-2026-25318 Missing Authorization vulnerability in Wisernotify team WiserReview Product Reviews for WooCommerce wiser-review allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affe... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1963 A vulnerability was found in WeKan up to 8.20. This affects an unknown function of the file models/attachments.js of the component Attachment Storage. The manipulation results in improper access contr... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-1972 A vulnerability was found in Edimax BR-6208AC 2_1.02. The affected element is the function auth_check_userpass2. Performing a manipulation of the argument Username/Password results in use of default c... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-1978 A vulnerability was detected in kalyan02 NanoCMS up to 0.4. Affected by this issue is some unknown functionality of the file /data/pagesdata.txt of the component User Information Handler. Performing a... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-27090 Cross-Site Request Forgery (CSRF) vulnerability in WP Moose Kenta Companion kenta-companion allows Cross Site Request Forgery.This issue affects Kenta Companion: from n/a through <= 1.3.3. | 4.3 | MEDIUM | β | 0 |
| CVE-2026-24924 Vulnerability of improper permission control in the print module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 6.1 | MEDIUM | β | 0 |
| CVE-2026-1337 Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. Ther... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-13523 Mattermost Confluence plugin version <1.7.0 fails to properly escape user-controlled display names in HTML template rendering which allows authenticated Confluence users with malicious display names t... | 7.7 | HIGH | β | 0 |
| CVE-2019-25294 html5_snmp 1.11 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through the 'Remark' parameter in add_router_operation.php. Attackers can cra... | 6.1 | MEDIUM | β | 0 |
| CVE-2019-25298 html5_snmp 1.11 contains multiple SQL injection vulnerabilities that allow attackers to manipulate database queries through Router_ID and Router_IP parameters. Attackers can exploit error-based, time-... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-25556 MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-own... | 7.5 | HIGH | β | 0 |
| CVE-2026-1769 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Xerox CentreWare on Windows allows Stored XSS.This issue affects CentreWare: through 7.0.6.... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-24776 OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag&drop handler moving an agenda item to a different section was not properly checking if the target meetin... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-24851 OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.5 to v1.11.2 ( openfga-0.2.22<= Helm chart <= openfga-0.2.... | 8.8 | HIGH | β | 0 |
| CVE-2026-24903 OrcaStatLLM Researcher is an LLM Based Research Paper Generator. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Log Message in the Session Page in OrcaStatLLM-Researcher that... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-23989 REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bug in the GRPC authorization middleware of the "Reva" component of OpenCloud allows a malicious user to bypass the scope verificati... | 8.2 | HIGH | β | 0 |
| CVE-2026-25651 client-certificate-auth is middleware for Node.js implementing client SSL certificate authentication/authorization. Versions 0.2.1 and 0.3.0 of client-certificate-auth contain an open redirect vulnera... | 6.1 | MEDIUM | β | 0 |
| CVE-2025-15320 Tanium addressed a denial of service vulnerability in Tanium Client. | 3.3 | LOW | β | 0 |
| CVE-2026-1709 A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security (TLS) authentication. This authentication bypass vulnerability allows un... | 9.4 | CRITICAL | β | 0 |
| CVE-2026-22254 Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upl... | 0.0 | NONE | β | 0 |
| CVE-2026-25640 Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 1.34.0 to before 1.51.0, a path traversal vulnerability in the Pydantic AI web UI allows an at... | 7.1 | HIGH | β | 0 |
| CVE-2026-25642 HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.6, files served below the /uploads/ endpoint did not use a more strict security-policy. This resulted in... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-25727 time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack e... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25580 Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, aServer-Side Request Forgery (SSRF) vulnerability exists in Pydantic A... | 8.6 | HIGH | β | 0 |
| CVE-2026-25581 SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an attacker has the ability control configuration options passed to sceditor.create(), like emoticons, charset, etc. then ... | 5.4 | MEDIUM | β | 0 |
| CVE-2020-37165 AbsoluteTelnet 11.12 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized license name. Attackers can generate a 2500-character pay... | 6.2 | MEDIUM | β | 0 |
| CVE-2026-25592 Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.71.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic K... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-25597 PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vul... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-25628 Qdrant is a vector similarity search engine and vector database. From 1.9.3 to before 1.16.0, it is possible to append to arbitrary files via /logger endpoint using an attacker-controlled on_disk.log_... | 8.5 | HIGH | β | 0 |
| CVE-2026-25631 n8n is an open source workflow automation platform. Prior to 1.121.0, there is a vulnerability in the HTTP Request node's credential domain validation allowed an authenticated attacker to send request... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25632 EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks. Prior to 0.16.1, EPyT-Flowβs REST API parses attacker-contro... | 10.0 | CRITICAL | β | 0 |
| CVE-2026-25634 iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to 2.3.1.4, SrcPixel and DestPixel stack buffers over... | 7.8 | HIGH | β | 0 |
| CVE-2025-68621 Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. Prior to 0.101.0, a critical timing attack vulnerability in... | 7.4 | HIGH | β | 0 |
| CVE-2026-25516 NiceGUI is a Python-based UI framework. The ui.markdown() component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows r... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-25533 Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.10.1, the existing layers of security in enclave-vm are insufficient: The AST sanitization can be bypassed ... | 8.8 | HIGH | β | 0 |
| CVE-2026-25544 Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-25574 Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences intern... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-25732 NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use t... | 7.5 | HIGH | β | 0 |
| CVE-2026-25758 Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest ad... | 7.5 | HIGH | β | 0 |
| CVE-2026-25760 Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to 1.6.11, a path traversal in the website content subsystem lets an authenticated operator read arbitrary files ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25644 DataHub is an open-source metadata platform. Prior to version 1.3.1.8, the LDAP ingestion source is vulnerable to MITM attack through TLS downgrade. This issue has been patched in version 1.3.1.8. | 7.5 | HIGH | β | 0 |
| CVE-2026-25749 Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vu... | 6.6 | MEDIUM | β | 0 |
| CVE-2026-25754 AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing may allow a remote attacker to man... | 7.2 | HIGH | β | 0 |
| CVE-2020-37162 Wedding Slideshow Studio 1.36 contains a buffer overflow vulnerability in the registration key input that allows attackers to execute arbitrary code by overwriting memory. Attackers can craft a malici... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-25757 Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue m... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-25762 AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a denial of service (DoS) vulnerability exists in the multipart file handling logic of @adonisjs/bodyparser. W... | 7.5 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.