Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-39891 PraisonAI is a multi-agent teams system. Prior to 4.5.115, the create_agent_centric_tools() function returns tools (like acp_create_file) that process file content using template rendering. When user ... | 8.8 | HIGH | β | 0 |
| CVE-2026-5436 The MW WP Form plugin for WordPress is vulnerable to Arbitrary File Move/Read in all versions up to and including 5.1.1. This is due to insufficient validation of the $name parameter (upload field key... | 8.1 | HIGH | β | 0 |
| CVE-2026-5451 The Extensions for Leaflet Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'elevation-track' shortcode in all versions up to, and including, 4.14. This is due to insuffic... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-5803 A security flaw has been discovered in bigsk1 openai-realtime-ui up to 188ccde27fdf3d8fab8da81f3893468f53b2797c. The affected element is an unknown function of the file server.js of the component API ... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-5864 Heap buffer overflow in WebAudio in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium se... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-5863 Inappropriate implementation in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Hi... | 8.8 | HIGH | β | 0 |
| CVE-2026-5870 Integer overflow in Skia in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 8.8 | HIGH | β | 0 |
| CVE-2026-4398 Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | N/A | NONE | β | 0 |
| CVE-2026-4557 A vulnerability was detected in code-projects Exam Form Submission 1.0. This impacts an unknown function of the file /admin/update_s1.php. Performing a manipulation of the argument sname results in cr... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-4545 A security flaw has been discovered in Flos Freeware Notepad2 4.2.25. This affects an unknown function in the library PROPSYS.dll. Performing a manipulation results in uncontrolled search path. The at... | 7.0 | HIGH | β | 0 |
| CVE-2026-4508 A vulnerability was identified in PbootCMS up to 3.2.12. The impacted element is the function checkUsername of the file apps/home/controller/MemberController.php of the component Member Login. The man... | 7.3 | HIGH | β | 0 |
| CVE-2026-2352 The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ao_post_preload' meta value in all versions up to, and including, 3.1.14. This is due to insufficient input s... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2430 The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lazy-loading image processing in all versions up to, and including, 3.1.14. This is due to the use of an overl... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-32666 WebCTRL systems that communicate over BACnet inherit the protocol's lack of network layer authentication. WebCTRL does not implement additional validation of BACnet traffic so an attacker with netwo... | 7.5 | HIGH | β | 0 |
| CVE-2026-33423 Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, staff can modify any user's group notification level. Versions 2026.3.0-latest.1, 2026.2.1... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-31849 Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement CSRF protections on state-changing endpoints such as /goform/setSysTools and other administrative interfaces. As a r... | N/A | NONE | β | 0 |
| CVE-2026-31850 Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 stores sensitive information, including administrative credentials and WiFi pre-shared keys, in plaintext within exported configuration... | N/A | NONE | β | 0 |
| CVE-2026-31851 Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement rate limiting or account lockout mechanisms on authentication interfaces. An attacker can perform unlimited authenti... | N/A | NONE | β | 0 |
| CVE-2026-4586 A vulnerability was found in CodePhiliaX Chat2DB up to 0.3.7. This affects the function Upload of the file chat2db-server/chat2db-server-web/chat2db-server-web-api/src/main/java/ai/chat2db/server/web/... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-4587 A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curl... | 3.7 | LOW | β | 0 |
| CVE-2026-4588 A vulnerability was determined in kalcaddle kodbox 1.64. Impacted is the function shareSafeGroup of the file /workspace/source-code/app/controller/explorer/shareOut.class.php of the component Site-lev... | 3.7 | LOW | β | 0 |
| CVE-2025-10736 The ReviewX β WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to unauthorized access of data due to improper authoriz... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-21388 Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {{/lifecycle}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service v... | 3.7 | LOW | β | 0 |
| CVE-2026-24661 Mattermost Plugins versions <=2.1.3.0 fail to limit the request body size on the {{/changes}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service v... | 3.7 | LOW | β | 0 |
| CVE-2026-29111 systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an asse... | 5.5 | MEDIUM | β | 0 |
| CVE-2026-32276 Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an authenticated user may be able to exe... | 8.8 | HIGH | β | 0 |
| CVE-2026-28455 Rejected reason: This CVE ID has been rejected. | N/A | NONE | β | 0 |
| CVE-2026-28483 Rejected reason: This CVE ID has been rejected. | N/A | NONE | β | 0 |
| CVE-2026-32012 Rejected reason: This CVE ID has been rejected. | N/A | NONE | β | 0 |
| CVE-2026-4571 A security flaw has been discovered in SourceCodester Sales and Inventory System 1.0. Affected by this vulnerability is an unknown functionality of the file /view_payments.php of the component HTTP PO... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-4567 A vulnerability has been found in Tenda A15 15.13.07.13. The impacted element is the function UploadCfg of the file /cgi-bin/UploadCfg. The manipulation of the argument File leads to stack-based buffe... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-4022 The Show Posts list β Easy designs, filters and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_type' shortcode attribute in the 'swiftpost-list' shortcode in all ... | 6.4 | MEDIUM | β | 0 |
| CVE-2019-25548 BlueStacks 4.80.0.1060 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input to the search field. Attackers can paste a buffer o... | 6.2 | MEDIUM | β | 0 |
| CVE-2026-34177 Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of ke... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-39412 LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing template authors to... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5915 Insufficient validation of untrusted input in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium securi... | 8.1 | HIGH | β | 0 |
| CVE-2026-4660 HashiCorpβs go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixe... | 7.5 | HIGH | β | 0 |
| CVE-2025-50228 Jizhicms v2.5.4 is vulnerable to Server-Side Request Forgery (SSRF) in User Evaluation, Message, and Comment modules. | 9.1 | CRITICAL | β | 0 |
| CVE-2025-70810 Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism | 8.8 | HIGH | β | 0 |
| CVE-2026-35395 WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, WeGIA (Web gerenciador para instituiçáes assistenciais) contains a SQL injection vulnerability in dao/memorando/DespachoDAO.php. The... | 8.8 | HIGH | β | 0 |
| CVE-2026-35399 WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, a stored XSS vulnerability allows an attacker to inject malicious scripts through a backup filename. This could lead to unauthorized... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-35472 WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically thr... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-22675 OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-39308 PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.... | 7.1 | HIGH | β | 0 |
| CVE-2026-39885 FrontMCP is a TypeScript-first framework for the Model Context Protocol (MCP). Prior to 2.3.0, the mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in Ope... | 7.5 | HIGH | β | 0 |
| CVE-2026-39890 PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/functio... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-5912 Integer overflow in WebRTC in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Low) | 8.8 | HIGH | β | 0 |
| CVE-2025-45806 A cross-site scripting (XSS) vulnerability in rrweb-snapshot before v2.0.0-alpha.18 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | 6.1 | MEDIUM | β | 0 |
| CVE-2025-62718 Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback ... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-5961 A security vulnerability has been detected in code-projects Simple IT Discussion Forum 1.0. This vulnerability affects unknown code of the file /topic-details.php. The manipulation of the argument pos... | 7.3 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.