Vulnerabilidades CVE
Base de dados CVE enriquecida com CISA KEV e NVD
| CVE ID | CVSS | Severidade | KEV | Avistamentos |
|---|---|---|---|---|
| CVE-2026-33775 A Missing Release of Memory after Effective Lifetime vulnerability in the BroadBand Edge subscriber management daemon (bbe-smgd) of Juniper Networks Junos OS on MX Series allows an adjacent, unauthent... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-1014 IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to exposure of sensitive information via JSON server response manipulation. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-34591 Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary f... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33954 LinkAce is a self-hosted archive to collect website links. In versions prior to 2.5.3, a private note attached to a non-private link can be disclosed to a different authenticated user via the web inte... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33981 changedetection.io is a free open source web page change detection tool. Prior to 0.54.7, the `jq:` and `jqraw:` include filter expressions allow use of the jq `env` builtin, which reads all process e... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-34750 Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3,... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-1776 Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary fil... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33931 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference (IDOR) vulnerability in the patie... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33904 Ella Core is a 5G core designed for private networks. Prior to version 1.7.0, a deadlock in the AMF's SCTP notification handler causes the entire AMF control plane to hang until the process is restart... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-34401 XML Notepad is a Windows program that provides a simple intuitive User Interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad does not disable DTD processing by defau... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-32120 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference (IDOR) vulnerability in the fee s... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27735 Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2026.1.14, the git_add tool did not validate that ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-2265 An unauthenticated remote code execution (RCE) vulnerability exists in applications that use the Replicator node package manager (npm) version 1.0.5 to deserialize untrusted user input and execute the... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-35549 An issue was discovered in MariaDB Server before 11.4.10, 11.5.x through 11.8.x before 11.8.6, and 12.x before 12.2.2. If the caching_sha2_password authentication plugin is installed, and some user ac... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-20680 The issue was addressed with additional restrictions on the observability of app states. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.4, macOS Sono... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33027 Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are suppl... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33153 Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the Recipe API endpoint exposes a hidden `?debug=true` query parameter ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-20644 The issue was addressed with improved memory handling. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. Processing malicious... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-66954 A vulnerability exists in the Buffalo Link Station version 1.85-0.01 that allows unauthenticated or guest-level users to enumerate valid usernames and their associated privilege roles. The issue is tr... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25451 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in boldthemes Bold Page Builder bold-page-builder allows Stored XSS.This issue affects Bold Page Buil... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25472 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeFusion Fusion Builder fusion-builder allows Stored XSS.This issue affects Fusion Builder: fro... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-20636 The issue was addressed with improved memory handling. This issue is fixed in Safari 26.3, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. Processing maliciously crafted web content may lea... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27460 Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.5, a critical Denial of Service (DoS) vulnerability was in the recipe import functiona... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33474 Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation lets an attack... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-5283 Inappropriate implementation in ANGLE in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 6.5 | MEDIUM | — | 0 |
| CVE-2026-6437 Improper neutralization of argument delimiters in the volume handling component in AWS EFS CSI Driver (aws-efs-csi-driver) before v3.0.1 allows remote authenticated users with PersistentVolume creatio... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-2436 A flaw was found in libsoup's SoupServer. A remote attacker could exploit a use-after-free vulnerability where the `soup_server_disconnect()` function frees connection objects prematurely, even if a T... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-22485 Missing Authorization vulnerability in Ruhul Amin My Album Gallery my-album-gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects My Album Gallery: from n/... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33029 Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, an input validation vulnerability in the logrotate configuration allows an authenticated user to cause a complete Den... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-40896 OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to an... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-21004 Improper authentication in Smart Switch prior to version 3.7.69.15 allows adjacent attackers to trigger a denial of service. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33159 Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, o... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-38533 An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and accou... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33158 Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read privat... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-3488 The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14.16.4. This is due to missing capability checks on multiple AJAX handlers includin... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-32964 SD-330AC and AMC Manager provided by silex technology, Inc. contain an improper neutralization of CRLF sequences ('CRLF Injection') vulnerability. Processing some crafted configuration data may lead t... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-4400 Insecure Direct Object Reference (IDOR) vulnerability in 1millionbot Millie chat that allows private conversations of other users being viewed by simply changing the conversation ID. The vulnerability... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-2405 CWE-400 Uncontrolled Resource Consumption vulnerability exists that could cause excessive troubleshooting zip file creation and denial of service when a Web Admin user floods the system with POST /hel... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-29597 DDSN Interactive cm3 Acora CMS version 10.7.1 contains an improper access control vulnerability. An editor-privileged user can access sensitive configuration files by force browsing the “/Admin/file_m... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-5330 A vulnerability was found in SourceCodester/mayuri_k Best Courier Management System 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=delete_user of the component ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-4309 Missing Authorization vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to get a specific device information and change the settings via network. | 6.5 | MEDIUM | — | 0 |
| CVE-2025-15488 The Responsive Plus WordPress plugin before 3.4.3 is vulnerable to arbitrary shortcode execution due to the software allowing unauthenticated users to execute the update_responsive_woo_free_shipping_... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-34740 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the EPG (Electronic Program Guide) link feature in AVideo allows authenticated users with upload permissions to store arbitrar... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33581 OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass loc... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-28375 A testdata data-source can be used to trigger out-of-memory crashes in Grafana. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-4927 Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request. This i... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-53847 A missing authentication for critical function vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS 6... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-30521 A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific i... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-34890 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mark O’Donnell MSTW League Manager allows DOM-Based XSS.This issue affects MSTW League Manager: fr... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-59969 A Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the advanced forwarding toolkit (evo-aftmand/evo-pfemand) of Juniper Networks Junos OS Evolved on PTX Series o... | 6.5 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.