Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-26125 Payment Orchestrator Service Elevation of Privilege Vulnerability | 8.6 | HIGH | β | 0 |
| CVE-2026-28477 OpenClaw versions prior to 2026.2.14 contain an oauth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can convince a ... | 7.1 | HIGH | β | 0 |
| CVE-2026-28478 OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can s... | 7.5 | HIGH | β | 0 |
| CVE-2026-28479 OpenClaw versions prior to 2026.2.15 use SHA-1 to hash sandbox identifier cache keys for Docker and browser sandbox configurations, which is deprecated and vulnerable to collision attacks. An attacker... | 7.5 | HIGH | β | 0 |
| CVE-2026-28480 OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can sp... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-28481 OpenClaw versions 2026.1.30 and earlier, contain an information disclosure vulnerability, patched in 2026.2.1, in the MS Teams attachment downloader (optional extension must be enabled) that leaks bea... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-28484 Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | N/A | NONE | β | 0 |
| CVE-2026-28485 OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent/act browser-control HTTP route, allowing unauthorized local callers to invoke privileged operations... | 8.4 | HIGH | β | 0 |
| CVE-2026-28486 OpenClaw versions 2026.1.16-2 prior to 2026.2.14 contain a path traversal vulnerability in archive extraction during installation commands that allows arbitrary file writes outside the intended direct... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-29606 OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-call extension that allows unauthenticated requests when the tunnel.allowNgrokFreeTierLoopbackBypass o... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-29609 OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the fetchWithGuard function that allocates entire response payloads in memory before enforcing maxBytes limits. Remote... | 7.5 | HIGH | β | 0 |
| CVE-2026-29610 OpenClaw versions prior to 2026.2.14 contain a command hijacking vulnerability that allows attackers to execute unintended binaries by manipulating PATH environment variables through node-host executi... | 8.8 | HIGH | β | 0 |
| CVE-2026-27778 The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by... | 7.5 | HIGH | β | 0 |
| CVE-2026-29611 OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in BlueBubbles extension (must be installed and enabled) media path handling that allows attackers to read arbitrary f... | 7.5 | HIGH | β | 0 |
| CVE-2026-29612 OpenClaw versions prior to 2026.2.14 decode base64-backed media inputs into buffers before enforcing decoded-size budget limits, allowing attackers to trigger large memory allocations. Remote attacker... | 5.5 | MEDIUM | β | 0 |
| CVE-2026-29613 OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles (optional plugin) webhook handler in which it authenticates requests based solely on loopback remoteAddress without vali... | 5.9 | MEDIUM | β | 0 |
| CVE-2026-2593 The Greenshift β animation and page builder blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `_gspb_post_css` post meta value and the `dynamicAttributes` block attribut... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-3606 A vulnerability has been found in Ettercap 0.8.4-Garofalo. Affected by this vulnerability is the function add_data_segment of the file src/ettercap/utils/etterfilter/ef_output.c of the component etter... | 3.3 | LOW | β | 0 |
| CVE-2026-21536 Microsoft Devices Pricing Program Remote Code Execution Vulnerability | 9.8 | CRITICAL | β | 0 |
| CVE-2026-23651 Permissive regular expression in Azure Compute Gallery allows an authorized attacker to elevate privileges locally. | 6.7 | MEDIUM | β | 0 |
| CVE-2025-11790 Credentials are not deleted from Acronis Agent after plan revocation. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 41124. | N/A | NONE | β | 0 |
| CVE-2025-11791 Sensitive information disclosure and manipulation due to insufficient authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, macOS, Windows) before build 41186, Ac... | 7.1 | HIGH | β | 0 |
| CVE-2025-11792 Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 41124. | N/A | NONE | β | 0 |
| CVE-2025-30413 Credentials are not deleted from Acronis Agent after plan revocation. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 40497, Acronis Cyber P... | 4.4 | MEDIUM | β | 0 |
| CVE-2026-22552 WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can con... | 9.4 | CRITICAL | β | 0 |
| CVE-2026-24912 The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predic... | 7.3 | HIGH | β | 0 |
| CVE-2026-27770 Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-28709 Unauthorized resource manipulation due to improper authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186. | 4.3 | MEDIUM | β | 0 |
| CVE-2026-28710 Sensitive information disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-28711 Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect 17 (Windows) before build 41186. | N/A | NONE | β | 0 |
| CVE-2026-28712 Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect 17 (Windows) before build 41186. | N/A | NONE | β | 0 |
| CVE-2026-28713 Default credentials set for local privileged user in Virtual Appliance. The following products are affected: Acronis Cyber Protect Cloud Agent (VMware) before build 36943, Acronis Cyber Protect 17 (VM... | N/A | NONE | β | 0 |
| CVE-2026-28714 Unnecessary transmission of sensitive cryptographic material. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186. | N/A | NONE | β | 0 |
| CVE-2026-28715 Sensitive information disclosure due to improper authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-28716 Information disclosure and manipulation due to improper authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186. | N/A | NONE | β | 0 |
| CVE-2026-28256 A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts. | N/A | NONE | β | 0 |
| CVE-2026-28718 Denial of service due to insufficient input validation in authentication logging. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186. | 7.5 | HIGH | β | 0 |
| CVE-2026-28719 Unauthorized resource manipulation due to improper authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186. | N/A | NONE | β | 0 |
| CVE-2026-28720 Unauthorized modification of settings due to insufficient authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186. | N/A | NONE | β | 0 |
| CVE-2026-28721 Local privilege escalation due to improper soft link handling. The following products are affected: Acronis Cyber Protect 17 (Windows) before build 41186. | N/A | NONE | β | 0 |
| CVE-2026-28722 Local privilege escalation due to improper soft link handling. The following products are affected: Acronis Cyber Protect 17 (Windows) before build 41186. | N/A | NONE | β | 0 |
| CVE-2026-28723 Unauthorized report deletion due to insufficient access control. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186. | N/A | NONE | β | 0 |
| CVE-2026-28724 Unauthorized data access due to insufficient access control validation. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186. | N/A | NONE | β | 0 |
| CVE-2026-28725 Sensitive information disclosure due to improper configuration of a headless browser. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186. | N/A | NONE | β | 0 |
| CVE-2026-1653 A potential divide by zero vulnerability was reported in the Lenovo Virtual Bus driver used in Smart Connect that could allow a local authenticated user to cause a Windows blue screen error. | 5.5 | MEDIUM | β | 0 |
| CVE-2026-28726 Sensitive information disclosure due to improper access control. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186. | N/A | NONE | β | 0 |
| CVE-2026-28727 Local privilege escalation due to insecure Unix socket permissions. The following products are affected: Acronis Cyber Protect 17 (macOS) before build 41186, Acronis Cyber Protect Cloud Agent (macOS) ... | N/A | NONE | β | 0 |
| CVE-2026-2589 The Greenshift β animation and page builder blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 12.8.3 via the automated Settings Backup s... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-3610 A vulnerability was found in HSC Cybersecurity Mailinspector up to 5.3.2-3. Affected by this issue is some unknown functionality of the file /mailinspector/mliUserValidation.php of the component URL H... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-22457 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wanderland wanderland allows PHP Local File Inclusion.This issue ... | 8.1 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.