Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-32053 OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32055 OpenClaw versions prior to 2026.2.26 contain a path traversal vulnerability in workspace boundary validation that allows attackers to write files outside the workspace through in-workspace symlinks po... | 7.6 | HIGH | β | 0 |
| CVE-2026-32056 OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remot... | 7.5 | HIGH | β | 0 |
| CVE-2026-31846 An unauthenticated credential disclosure vulnerability in the /goform/ate endpoint of Nexxt Solutions Nebula 300+ firmware through Nebula300+_v12.01.01.37 allows an adjacent attacker to obtain the adm... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32968 Due to the improper neutralisation of special elements used in an OS command, an unauthenticated remote attacker can exploit an RCE vulnerability in the com_mb24sysapi module, resulting in full system... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-32969 An unauthenticated remote attacker can exploit a Pre-Auth blind SQL Injection vulnerability in the userinfo endpointβs authentication method due to improper neutralization of special elements in a SQL... | 7.5 | HIGH | β | 0 |
| CVE-2026-4584 A flaw has been found in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. This affects an unknown part of the component Cardholder Data Handler. Executing a manipulation can lead to cleartext transmissio... | 3.1 | LOW | β | 0 |
| CVE-2026-4585 A vulnerability has been found in Tiandy Easy7 Integrated Management Platform up to 7.17.0. This vulnerability affects unknown code of the file /Easy7/apps/WebService/ImportSystemConfiguration.jsp of ... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-41007 SQL Injection in Cuantis. This vulnerability allows an attacker to retrieve, create, update and delete databases through the 'search' parameter in the '/search.php' endpoint. | N/A | NONE | β | 0 |
| CVE-2026-1958 Use of hard-coded credentials in Klinika XP and KlinikaXP Insertino allowed an unauthorized attacker access to several internal services. Critically, this included access to the FTP server that hosted... | N/A | NONE | β | 0 |
| CVE-2026-31847 Hidden functionality in the /goform/setSysTools endpoint in Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 allows remote enablement of a Telnet service. Once enabled, the service exp... | N/A | NONE | β | 0 |
| CVE-2026-31848 Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 stores administrative authentication material in the ecos_pw cookie using a reversible Base64-encoded format with a static suffix. An a... | N/A | NONE | β | 0 |
| CVE-2026-4565 A vulnerability was detected in Tenda AC21 16.03.08.16. Impacted is the function formSetQosBand of the file /goform/SetNetControlList. Performing a manipulation of the argument list results in buffer ... | 8.8 | HIGH | β | 0 |
| CVE-2026-4606 GV Edge Recording Manager (ERM) v2.3.1 improperly runs application components with SYSTEM-level privileges, allowing any local user to gain full control of the operating system.Β During installation,... | N/A | NONE | β | 0 |
| CVE-2026-1392 The SR WP Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing nonce validation on the sr_minify_html_theme() ... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1393 The Add Google Social Profiles to Knowledge Graph Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validatio... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1397 The PQ Addons β Creative Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget attributes in all versions up to, and including, 1.0.0 due to insufficient input... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1503 The login_register plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.2.0. This is due to missing nonce validation ... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1575 The Schema Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `itemscope` shortcode in all versions up to, and including, 1.0 due to insufficient input saniti... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1647 The Comment Genius plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.2.5 due to insufficient input s... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-4569 A vulnerability was determined in SourceCodester Sales and Inventory System 1.0. This impacts an unknown function of the file /view_category.php of the component HTTP POST Request Handler. This manipu... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-33203 SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel WebSocket server accepts unauthenticated connections when a specific "auth keepalive" query parameter is pre... | 7.5 | HIGH | β | 0 |
| CVE-2026-33209 Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.30.3, a reflected cross-site scripting (XSS) vulnerability exists in the return_to query parameter used in the avo ... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-33226 Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions from 3.30.6 and prior, the REST datasource query preview endpoint (POST /api/queries/preview) make... | 8.7 | HIGH | β | 0 |
| CVE-2026-33228 flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-33230 NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nlt... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-33231 NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nlt... | 7.5 | HIGH | β | 0 |
| CVE-2026-33649 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Permissions/setPermission.json.php` endpoint accepts GET parameters for a state-changing operation that ... | 8.1 | HIGH | β | 0 |
| CVE-2026-33650 WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the "Videos Moderator" permission can escalate privileges to perform full video management operations β ... | 7.6 | HIGH | β | 0 |
| CVE-2026-33651 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `remindMe.json.php` endpoint passes `$_REQUEST['live_schedule_id']` through multiple functions without sanitizat... | 8.1 | HIGH | β | 0 |
| CVE-2026-33681 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugin... | 7.2 | HIGH | β | 0 |
| CVE-2026-33683 WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbit... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-33685 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/AD_Server/reports.json.php` endpoint performs no authentication or authorization checks, allowing any un... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-33688 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks be... | 5.3 | MEDIUM | β | 0 |
| CVE-2024-46879 A Reflected Cross-Site Scripting (XSS) vulnerability exists in the POST request data zipPath of tiki-admin_system.php in Tiki version 21.2. This vulnerability allows attackers to execute arbitrary Jav... | N/A | NONE | β | 0 |
| CVE-2025-52204 A Cross-Site Scripting (XSS) vulnerability exists in Znuny::ITSM 6.5.x in the customer.pl endpoint via the OTRSCustomerInterface parameter | N/A | NONE | β | 0 |
| CVE-2026-27131 The Sprig Plugin for Craft CMS is a reactive Twig component framework for Craft CMS. Starting in version 2.0.0 and prior to versions 2.15.2 and 3.15.2, admin users, and users with explicit permission ... | 5.5 | MEDIUM | β | 0 |
| CVE-2026-2298 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement allows Web Services Protocol Manipulation. This issue affects ... | N/A | NONE | β | 0 |
| CVE-2026-30849 Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions prior to 2.28.1 running on MySQL family databases are affected by an authentication bypass vulnerability in the SOAP API, as a r... | N/A | NONE | β | 0 |
| CVE-2026-30886 New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference (IDOR) vulnerability in th... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32850 MailEnable versions prior toΒ 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by... | N/A | NONE | β | 0 |
| CVE-2026-32851 MailEnable versions prior toΒ 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by... | N/A | NONE | β | 0 |
| CVE-2026-29111 systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an asse... | 5.5 | MEDIUM | β | 0 |
| CVE-2026-32276 Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an authenticated user may be able to exe... | 8.8 | HIGH | β | 0 |
| CVE-2026-28455 Rejected reason: This CVE ID has been rejected. | N/A | NONE | β | 0 |
| CVE-2026-28483 Rejected reason: This CVE ID has been rejected. | N/A | NONE | β | 0 |
| CVE-2026-32012 Rejected reason: This CVE ID has been rejected. | N/A | NONE | β | 0 |
| CVE-2026-32277 Connect-CMS is a content management system. In versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0, a DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view. Versions 1... | 8.7 | HIGH | β | 0 |
| CVE-2026-32278 Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Stored Cross-site Scripting (XSS) issu... | 8.2 | HIGH | β | 0 |
| CVE-2026-32279 Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Server-Side Request Forgery (SSRF) iss... | 6.8 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.