Vulnerabilidades CVE
Base de dados CVE enriquecida com CISA KEV e NVD
| CVE ID | CVSS | Severidade | KEV | Avistamentos |
|---|---|---|---|---|
| CVE-2026-5383 An issue that could allow access to Explorer groups from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated C... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-33395 Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the discourse-graphviz plugin contains a stored cross-site scripting (XSS) vulnerability t... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-1278 The Mandatory Field plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6.8 due to insufficient input sanitization and output e... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-1247 The Survey plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. Th... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-3577 The Keep Backup Daily plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the backup title alias (`val` parameter) in the `update_kbd_bkup_alias` AJAX action in all versions up to, a... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-32220 Improper access control in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to bypass a security feature locally. | 4.4 | MEDIUM | — | 0 |
| CVE-2026-3354 The Wikilookup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Popup Width' setting in all versions up to, and including, 1.1.5. This is due to insufficient input sanitizati... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-3353 The Comment SPAM Wiper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' setting in all versions up to, and including, 1.2.1. This is due to insufficient input saniti... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-2121 The Weaver Show Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add_class' parameter in all versions up to, and including, 1.8.1. This is due to insufficient input san... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-2838 The Whole Enquiry Cart for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘woowhole_success_msg’ parameter in all versions up to, and including, 1.2.1 due to ins... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-3551 The Custom New User Notification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's admin settings in all versions up to, and including, 1.2.0. This is due to insuffici... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-2432 The CM Custom Reports – Flexible reporting to track what matters most plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 d... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-32119 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, DOM-based stored XSS in the jQuery SearchHighlight plugin (`library/js/Search... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-40026 The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the ISO9660 filesystem parser where the parse_susp() function trusts len_id, len_des, and len_src fields from the disk ima... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-2837 The Ricerca – advanced search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's settings in all versions up to, and including, 1.1.12 due to insufficient input sanitizatio... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-3995 The OPEN-BRAIN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' settings field in all versions up to, and including, 0.5.0. This is due to insufficient input sanitiz... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-3574 The Experto Dashboard for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's settings fields (including 'Navigation Font Size', 'Navigation Font Weight', 'H... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-28265 PowerStore, contains a Path Traversal vulnerability in the Service user. A low privileged attacker with local access could potentially exploit this vulnerability, leading to modification of arbitrary ... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-27906 Improper input validation in Windows Hello allows an authorized attacker to bypass a security feature locally. | 4.4 | MEDIUM | — | 0 |
| CVE-2026-4479 The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insu... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-40025 The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the APFS filesystem keybag parser where the wrapped_key_parser class follows attacker-controlled length fields without bou... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-34450 The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the local filesystem memory tool in the Anthropic Python SDK created... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-35206 Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's co... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-25645 Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system te... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-34726 Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _subdirectory setting is documented as the subdirectory to use as the template root. However, the cur... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-24511 Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.1.6 and versions 9.11.0.0 through 9.13.0.0, contains a generation of error message containing sensitive information vulnerability. A high privilege... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-2484 IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is affected by an information exposure vulnerability caused by overly verbose error messages | 4.3 | MEDIUM | — | 0 |
| CVE-2026-33527 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.57 and 9.6.0-alpha.48, an authenticated user can overwrite server-generate... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-4898 A vulnerability was identified in code-projects Online Food Ordering System 1.0. Affected by this vulnerability is an unknown functionality of the file /dbfood/contact.php. The manipulation of the arg... | 4.3 | MEDIUM | — | 0 |
| CVE-2025-14595 GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that under certain conditions could have allowed an authenticat... | 4.3 | MEDIUM | — | 0 |
| CVE-2025-40841 Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a Cross-Site Request Forgery (CSRF) vulnerability which, if exploited, can lead to unauthorized modification of certain information. | 4.3 | MEDIUM | — | 0 |
| CVE-2026-33326 Keystone is a content management system for Node.js. Prior to version 6.5.2, {field}.isFilterable access control can be bypassed in findMany queries by passing a cursor. This can be used to confirm th... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-5315 A vulnerability was determined in Nothings stb up to 1.26. The affected element is the function stbtt__buf_get8 in the library stb_truetype.h of the component TTF File Handler. Executing a manipulatio... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-5316 A vulnerability was identified in Nothings stb up to 1.22. The impacted element is the function setup_free of the file stb_vorbis.c. The manipulation leads to allocation of resources. The attack is po... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-5319 A security vulnerability has been detected in itsourcecode Payroll Management System up to 1.0. Affected is an unknown function of the file /navbar.php. Such manipulation of the argument page leads to... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-5321 A flaw has been found in vanna-ai vanna up to 2.0.2. Affected by this issue is some unknown functionality of the component FastAPI/Flask Server. Executing a manipulation can lead to permissive cross-d... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-31869 Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the ComposerController#mentions endpoint reveals hidden group membership to any authentica... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-33934 OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have a missing authorization check in `portal/sign/lib/show-signature... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-28859 The issue was addressed with improved memory handling. This issue is fixed in Safari 26.4, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. A malicious website may b... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-0748 In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both "Translate content" and "Administer content translations" permissions to view and attach unpublished... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-32899 OpenClaw versions prior to 2026.2.25 fail to consistently apply sender-policy checks to reaction_* and pin_* non-message events before adding them to system-event context. Attackers can bypass configu... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-39415 Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe Learning where quiz scores can be ... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-28861 A logic issue was addressed with improved state management. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. A malicious web... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-27491 Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a type coercion issue in a post actions API endpoint allowed non-staff users to issue warn... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-1262 IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is affected by an information disclosure vulnerability. | 4.3 | MEDIUM | — | 0 |
| CVE-2026-2272 A flaw was found in GIMP. An integer overflow vulnerability exists when processing ICO image files, specifically in the `ico_read_info` and `ico_read_icon` functions. This issue arises because a size ... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-6487 A flaw has been found in Qihui jtbc5 CMS 5.0.3.6. Affected is an unknown function of the file /dev/code/common/diplomat/manage.php of the component Code Endpoint. This manipulation of the argument pat... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-33534 EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows bypassing the intern... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-1166 Open Redirect vulnerability in Hitachi Ops Center Administrator.This issue affects Hitachi Ops Center Administrator: from 10.2.0 before 11.0.8. | 4.3 | MEDIUM | — | 0 |
| CVE-2026-21783 HCL Traveler is affected by sensitive information disclosure. The application generates some error messages that provide detailed information about errors and failures, such as internal paths, file n... | 4.3 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.