Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-28213 EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality. When specifying a target email address, the API response returns... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-28215 hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instanc... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-28216 hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify or delete another user's personal environment by ID. `user-environments.resolver.... | 8.3 | HIGH | β | 0 |
| CVE-2026-28217 hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the `userCollection` GraphQL query accepts an arbitrary collection ID and returns the full collection data β includin... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-28225 Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.1, the `get_model` method in `ModelFilesCont... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-28226 Phishing Club is a phishing simulation and man-in-the-middle framework. Prior to version 1.30.2, an authenticated SQL injection vulnerability exists in the GetOrphaned recipient listing endpoint in ve... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-28230 SteVe is an open-source EV charging station management system. In versions up to and including 3.11.0, when a charger sends a StopTransaction message, SteVe looks up the transaction solely by transact... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-28276 Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible /u... | 7.5 | HIGH | β | 0 |
| CVE-2026-28279 osctrl is an osquery management solution. Prior to version 0.5.0, an OS command injection vulnerability exists in the `osctrl-admin` environment configuration. An authenticated administrator can injec... | 7.3 | HIGH | β | 0 |
| CVE-2026-28280 osctrl is an osquery management solution. Prior to version 0.5.0, a stored cross-site scripting (XSS) vulnerability exists in the `osctrl-admin` on-demand query list. A user with query-level permissio... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-3264 A vulnerability was determined in go2ismail Free-CRM up to b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. Affected by this issue is some unknown functionality of the component Administrative Interface. Exe... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-3265 A vulnerability was identified in go2ismail Free-CRM up to b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. This affects an unknown part of the file /api/Security/ of the component Security API. The manipula... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-3268 A vulnerability was detected in psi-probe PSI Probe up to 5.3.0. The affected element is an unknown function of the file psi-probe-core/src/main/java/psiprobe/controllers/sessions/RemoveSessAttributeC... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-40932 Apache::SessionX versions through 2.01 for Perl create insecure session id. Apache::SessionX generates session ids insecurely. The default session id generator in Apache::SessionX::Generate::MD5 retu... | 8.2 | HIGH | β | 0 |
| CVE-2026-1585 An unquoted Windows service executable path vulnerability in IJ Scan Utility for Windows versions 1.1.2 through 1.5.0 may allow a local attacker to execute a malicious file with the privileges of the ... | 6.7 | MEDIUM | β | 0 |
| CVE-2026-20733 Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-20781 WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can c... | 9.4 | CRITICAL | β | 0 |
| CVE-2026-20791 Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-20792 The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks ... | 7.5 | HIGH | β | 0 |
| CVE-2026-20895 The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in pred... | 7.3 | HIGH | β | 0 |
| CVE-2026-22890 Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-24731 WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can c... | 9.4 | CRITICAL | β | 0 |
| CVE-2026-25113 The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks ... | 7.5 | HIGH | β | 0 |
| CVE-2026-25114 The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks ... | 7.5 | HIGH | β | 0 |
| CVE-2026-25711 The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in pred... | 7.3 | HIGH | β | 0 |
| CVE-2026-27773 Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25778 The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in pred... | 7.3 | HIGH | β | 0 |
| CVE-2026-25851 WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can c... | 9.4 | CRITICAL | β | 0 |
| CVE-2026-25945 The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks ... | 7.5 | HIGH | β | 0 |
| CVE-2026-27652 The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in pred... | 7.3 | HIGH | β | 0 |
| CVE-2026-27767 WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can c... | 9.4 | CRITICAL | β | 0 |
| CVE-2026-27772 WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can c... | 9.4 | CRITICAL | β | 0 |
| CVE-2026-2597 Crypt::SysRandom::XS versions before 0.010 for Perl is vulnerable to a heap buffer overflow in the XS function random_bytes(). The function does not validate that the length parameter is non-negative... | 7.5 | HIGH | β | 0 |
| CVE-2026-3269 A flaw has been found in psi-probe PSI Probe up to 5.3.0. The impacted element is the function handleRequestInternal of the file psi-probe-core/src/main/java/psiprobe/controllers/sessions/ExpireSessio... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-3270 A vulnerability has been found in psi-probe PSI Probe up to 5.3.0. This affects the function lookup of the file psi-probe-core/src/main/java/psiprobe/tools/Whois.java of the component Whois. The manip... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-3271 A vulnerability was found in Tenda F453 1.0.0.3. This impacts the function fromP2pListFilter of the file /goform/P2pListFilterof of the component httpd. The manipulation of the argument page results i... | 8.8 | HIGH | β | 0 |
| CVE-2026-3272 A vulnerability was determined in Tenda F453 1.0.0.3. Affected is the function fromDhcpListClient of the file /goform/DhcpListClient of the component httpd. This manipulation of the argument page caus... | 8.8 | HIGH | β | 0 |
| CVE-2026-25774 Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | 6.5 | MEDIUM | β | 0 |
| CVE-2021-4456 Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact. The functions `addr2cidr` and `cidrlookup` may return leading zeros in a CIDR ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-20742 An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input in... | 8.0 | HIGH | β | 0 |
| CVE-2026-20902 An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input ... | 8.0 | HIGH | β | 0 |
| CVE-2026-20910 An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input int... | 8.0 | HIGH | β | 0 |
| CVE-2026-21389 An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input int... | 8.0 | HIGH | β | 0 |
| CVE-2026-21718 An authentication bypass vulnerability exists in Copeland XWEB Pro version 1.12.1 and prior, enabling any attackers to bypass the authentication requirement and achieve pre-authenticated code execut... | 10.0 | CRITICAL | β | 0 |
| CVE-2026-22878 Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-24445 The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks ... | 7.5 | HIGH | β | 0 |
| CVE-2026-24517 An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input i... | 8.0 | HIGH | β | 0 |
| CVE-2026-24663 An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an unauthenticated attacker to achieve remote code execution on the system by sending a crafted request to... | 9.0 | CRITICAL | β | 0 |
| CVE-2026-24689 An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input in... | 8.0 | HIGH | β | 0 |
| CVE-2026-24695 An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input... | 8.0 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.