Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2022-4947 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-32111. Reason: This candidate is a reservation duplicate of CVE-2024-32111. Notes: All CVE users should reference C... | N/A | NONE | — | 0 |
| CVE-2026-1799 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate has been determined not to be a valid vulnerability. Notes: All references and descriptions in this candidate hav... | N/A | NONE | — | 0 |
| CVE-2026-26051 WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can con... | 9.4 | CRITICAL | — | 0 |
| CVE-2026-2752 Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticated attacker can send crafted requests to trigger an unhandled exception, causing the server to return... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-2753 An Absolute Path Traversal vulnerability exists in Navtor NavBox. The application exposes an HTTP service that fails to properly sanitize user-supplied path input. Unauthenticated remote attackers can... | 7.5 | HIGH | — | 0 |
| CVE-2026-2754 Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote attacker with network access to the device can execute... | 7.5 | HIGH | — | 0 |
| CVE-2026-20748 The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predic... | 7.3 | HIGH | — | 0 |
| CVE-2026-20882 The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by... | 7.5 | HIGH | — | 0 |
| CVE-2026-24696 The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by... | 7.5 | HIGH | — | 0 |
| CVE-2026-26017 CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Securi... | 7.7 | HIGH | — | 0 |
| CVE-2026-26018 CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a denial of service vulnerability exists in CoreDNS's loop detection plugin that allows an attacker to crash the DNS server by sen... | 7.5 | HIGH | — | 0 |
| CVE-2026-26288 WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can con... | 9.4 | CRITICAL | — | 0 |
| CVE-2026-27027 Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27123 Rejected reason: Reason: This candidate was issued in error. | N/A | NONE | — | 0 |
| CVE-2026-27764 The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predic... | 7.3 | HIGH | — | 0 |
| CVE-2026-27777 Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | 6.5 | MEDIUM | — | 0 |
| CVE-2025-15602 Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can cr... | 8.8 | HIGH | — | 0 |
| CVE-2025-70363 Incorrect access control in the REST API of Ibexa & Ciril GROUP eZ Platform / Ciril Platform 2.x allows unauthenticated attackers to access sensitive data via enumerating object IDs. | 7.5 | HIGH | — | 0 |
| CVE-2026-29064 Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal vulnerability in archive extraction allows a specifically crafted Zarf package ... | 8.2 | HIGH | — | 0 |
| CVE-2026-29075 Mesa is an open-source Python library for agent-based modeling, simulating complex systems and exploring emergent behaviors. In version 3.5.0 and prior, checking out of untrusted code in benchmarks.ym... | 8.3 | HIGH | — | 0 |
| CVE-2026-29082 Kestra is an event-driven orchestration platform. In versions from 1.1.10 and prior, Kestra’s execution-file preview renders user-supplied Markdown (.md) with markdown-it instantiated as html:true and... | 7.3 | HIGH | — | 0 |
| CVE-2026-29783 The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash parameter expansion patterns. An attacker who can influence the... | N/A | NONE | — | 0 |
| CVE-2025-69644 An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling ... | 5.0 | MEDIUM | — | 0 |
| CVE-2025-69651 GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns... | 5.5 | MEDIUM | — | 0 |
| CVE-2026-28514 Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, a critical authentication bypass vulnerabi... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-29087 @hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. pr... | 7.5 | HIGH | — | 0 |
| CVE-2026-29089 TimescaleDB is a time-series database for high-performance real-time analytics packaged as a Postgres extension. From version 2.23.0 to 2.25.1, PostgreSQL uses the search_path setting to locate unqual... | 8.8 | HIGH | — | 0 |
| CVE-2026-29091 Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specific... | 8.1 | HIGH | — | 0 |
| CVE-2026-29110 Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.0, in non-debug mode Cryptomator might leak cleartext paths into the log file. This can reveal meta information ab... | 2.2 | LOW | — | 0 |
| CVE-2026-29178 Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypub_federation, a framework for ActivityPub federation in Rust. Prior to ... | N/A | NONE | — | 0 |
| CVE-2026-30831 Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Ro... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-30833 Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists in ... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-29791 Agentgateway is an open source data plane for agentic AI connectivity within or across any agent framework or environment. Prior to version 0.12.0, when converting MCP tools/call request to OpenAPI re... | 4.9 | MEDIUM | — | 0 |
| CVE-2026-3419 Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1(https://httpwg.org/specs/rfc9110.html#field.content... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-69649 GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. During relocation processing, an invalid or null sec... | 7.5 | HIGH | — | 0 |
| CVE-2025-69650 GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return ear... | 7.5 | HIGH | — | 0 |
| CVE-2025-69652 GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state ... | 6.2 | MEDIUM | — | 0 |
| CVE-2025-69653 A crafted JavaScript input can trigger an internal assertion failure in QuickJS release 2025-09-13, fixed in commit 1dbba8a88eaa40d15a8a9b70bb1a0b8fb5b552e6 (2025-12-11), in file gc_decref_child in qu... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-29063 Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), ... | N/A | NONE | — | 0 |
| CVE-2025-69654 A crafted JavaScript input executed with the QuickJS release 2025-09-13, fixed in commit fcd33c1afa7b3028531f53cd1190a3877454f6b3 (2025-12-11),`qjs` interpreter using the `-m` option and a low memory ... | 7.5 | HIGH | — | 0 |
| CVE-2026-30843 Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference (IDOR) issue which could allow unauthorized users to modify custom fields... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-30844 Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery (SSRF) via attachment URL loading. During board import in Wekan, attachment ... | 8.1 | HIGH | — | 0 |
| CVE-2026-30845 Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering,... | 8.2 | HIGH | — | 0 |
| CVE-2026-30846 Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—... | 7.5 | HIGH | — | 0 |
| CVE-2026-30847 Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the Reactiv... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-29182 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access... | 7.2 | HIGH | — | 0 |
| CVE-2026-29788 TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, conversion of empty st... | 7.5 | HIGH | — | 0 |
| CVE-2026-29789 Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missing authorization check in workflow site-creation ac... | 9.9 | CRITICAL | — | 0 |
| CVE-2026-29790 dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() functi... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-22457 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wanderland wanderland allows PHP Local File Inclusion.This issue ... | 8.1 | HIGH | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.