Vulnerabilidades CVE
Base de dados CVE enriquecida com CISA KEV e NVD
| CVE ID | CVSS | Severidade | KEV | Avistamentos |
|---|---|---|---|---|
| CVE-2025-48021 A vulnerability has been found in Vnet/IP Interface Package provided by Yokogawa Electric Corporation. If affected product receives maliciously crafted packets, Vnet/IP software stack process may be t... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27829 Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing `image.domains` / `image.remotePatterns` restrictions, enabling the server to fetch content ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27945 ZITADEL is an open source identity management platform. Zitadel Action V2 (introduced as early preview in 2.59.0, beta in 3.0.0 and GA in 4.0.0) is a webhook based approach to allow developers act on ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27946 ZITADEL is an open source identity management platform. Prior to versions 4.11.1 and 3.4.7, a vulnerability in Zitadel's self-management capability allowed users to mark their email and phone as verif... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-32449 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Event Post themify-event-post allows Stored XSS.This issue affects Themify Event... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27943 OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the eye exam (eye_mag) view loads data by `form_id` (or ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-26047 A denial-of-service vulnerability was identified in Moodle’s TeX formula editor. When rendering TeX content using mimetex, insufficient execution time limits could allow specially crafted formulas to ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-28493 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16, an integer overflow vulnerability exists in the SIXEL decoer. The vulnerabili... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-3937 Incorrect security UI in Downloads in Google Chrome on Android prior to 146.0.7680.71 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 6.5 | MEDIUM | — | 0 |
| CVE-2026-32240 Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, when using Transfer-Encoding: chunked, if a chunk's size parsed to a value of 2^64 or larger, it would be trun... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-32239 Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, a negative Content-Length value was converted to unsigned, treating it as an impossibly large length instead. ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-32448 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric Teubert Podlove Podcast Publisher podlove-podcasting-plugin-for-wordpress allows Stored XSS.T... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-26077 Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) in the `WebhooksContr... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-1525 Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-13587 The Two Factor (2FA) Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. This is because the SS88_2FAVE::wp_login()... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-32245 Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC token endpoint does not verify that the client exchanging an authorization code is the same client the code was issued ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27149 Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, SQL injection in PM tag filtering (`list_private_messages_tag`) allows bypassing tag filter condit... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-41755 A low-privileged remote attacker can exploit the ubr-logread method in wwwubr.cgi to read arbitrary files on the system. The endpoint accepts a parameter specifying the log file to open (e.g., /tmp/we... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-41754 A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.cgi, an undocumented and unused API endpoint to read arbitrary files on the system. | 6.5 | MEDIUM | — | 0 |
| CVE-2025-70050 An issue pertaining to CWE-312: Cleartext Storage of Sensitive Information was discovered in lesspass lesspass v9.6.9 which allows attackers to obtain sensitive information. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-28217 hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the `userCollection` GraphQL query accepts an arbitrary collection ID and returns the full collection data — includin... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-28226 Phishing Club is a phishing simulation and man-in-the-middle framework. Prior to version 1.30.2, an authenticated SQL injection vulnerability exists in the GetOrphaned recipient listing endpoint in ve... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-20733 Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-20791 Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27094 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GoDaddy CoBlocks coblocks allows Stored XSS.This issue affects CoBlocks: from n/a through <= 3.1.1... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-22890 Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-32443 Cross-Site Request Forgery (CSRF) vulnerability in Josh Kohlbach Product Feed PRO for WooCommerce woo-product-feed-pro allows Cross Site Request Forgery.This issue affects Product Feed PRO for WooComm... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27773 Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25774 Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | 6.5 | MEDIUM | — | 0 |
| CVE-2021-4456 Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact. The functions `addr2cidr` and `cidrlookup` may return leading zeros in a CIDR ... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-11725 The Aruba HiSpeed Cache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the multiple functions in all versions up to, and including, 3.0.2... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-22878 Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-29195 Netmaker makes networks with WireGuard. Prior to version 1.5.0, the user update handler (PUT /api/users/{username}) lacks validation to prevent an admin-role user from assigning the super-admin role d... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-29771 Netmaker makes networks with WireGuard. Prior to version 1.2.0, the /api/server/shutdown endpoint allows termination of the Netmaker server process via syscall.SIGINT. This allows any user to repeated... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-30847 Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the Reactiv... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-1626 An attacker may exploit the use of weak CBC-based cipher suites in the device’s SSH service to potentially observe or manipulate parts of the encrypted SSH communication, if they are able to intercept... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-32424 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BoldGrid Sprout Clients sprout-clients allows Stored XSS.This issue affects Sprout Clients: from n... | 6.5 | MEDIUM | — | 0 |
| CVE-2024-10938 The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. The files contain directives to prevent the execution of certain scripts while allowing execution of known ma... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-26312 Stalwart is a mail and collaboration server. A denial-of-service vulnerability exists in Stalwart Mail Server versions 0.13.0 through 0.15.4 where accessing a specially crafted email containing malfor... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-3277 The OpenID Connect (OIDC) authentication configuration in PowerShell Universal before 2026.1.3 stores the OIDC client secret in cleartext in the .universal/authentication.ps1 script, which allows an... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-24488 OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, an arbitrary file exfiltration vulnerability in the fax ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-2350 Tanium addressed an insertion of sensitive information into log file vulnerability in Interact and TDS. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25331 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Melapress WP Activity Log wp-security-audit-log allows DOM-Based XSS.This issue affects WP Activit... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-1355 A Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to upload unauthorized content to another user’s repository migration export due to a missing ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27753 SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentication bypass vulnerability that allows remote attackers to perform unlimited login attempts against the management interf... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-28685 Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/{id}" only checks the role-based view_invoice permission but does not verify the requesting user ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27754 SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 use the cryptographically broken MD5 hash function for session cookie generation, weakening session security. Attackers can exploit predictab... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-0665 An off-by-one error was found in QEMU's KVM Xen guest support. A malicious guest could use this flaw to trigger out-of-bounds heap accesses in the QEMU process via the emulated Xen physdev hypercall i... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27734 Beszel is a server monitoring platform. Prior to version 0.18.2, the hub's authenticated API endpoints GET /api/beszel/containers/logs and GET /api/beszel/containers/info pass the user-supplied "conta... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-26203 PJSIP is a free and open source multimedia communication library. Versions prior to 2.17 have a critical heap buffer underflow vulnerability in PJSIP's H.264 packetizer. The bug occurs when processing... | 6.5 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.