Vulnerabilidades CVE
Base de dados CVE enriquecida com CISA KEV e NVD
| CVE ID | CVSS | Severidade | KEV | Avistamentos |
|---|---|---|---|---|
| CVE-2026-2986 The Contextual Related Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'other_attributes' parameter in versions up to, and including, 4.2.1 due to insufficient input sa... | 6.4 | MEDIUM | — | 0 |
| CVE-2025-57175 Siklu EtherHaul 8010 siklu-uimage-nxp-enc-10_6_2-18707-ea552dc00b devices have a static root password. | 6.4 | MEDIUM | — | 0 |
| CVE-2026-6551 The Timeline Blocks for Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titleTag' attribute of the timeline-blocks/tb-timeline-blocks block in all versions up to, ... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-4752 Use After Free vulnerability in No-Chicken Echo-Mate.This issue affects Echo-Mate: before V250329. | 6.4 | MEDIUM | — | 0 |
| CVE-2026-1914 The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fusedesk_newcase shortcode in all versions up to, and including, 6.8 due to insufficient input sanitizat... | 6.4 | MEDIUM | — | 0 |
| CVE-2025-57851 A container privilege escalation flaw was found in certain Multicluster Engine for Kubernetes images. This issue stems from the /etc/passwd file being created with group-writable permissions during bu... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-0868 The EMC – Easily Embed Calendly Scheduling Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's calendly shortcode in all versions up to, and including, 4.4 due ... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-2840 The Email Encoder – Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eeb_mailto' shortcode in all versions up to, and including, 2.4... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-3885 The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'su_box' shortcode in all versions up to, and including, 7.4.9 due to ... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-4852 The Image Source Control Lite – Show Image Credits and Captions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Image Source' attachment field in all versions up to, and inc... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-3600 The Investi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'investi-announcements-accordion' shortcode's 'maximum-num-years' attribute in all versions up to, and including, ... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-4059 The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the woolentor_quickview_button shortcode's button_text attribute in all versions up to, and including, 3.3.5. This ... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-3142 The Pinterest Site Verification plugin using Meta Tag plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_var' parameter in versions up to, and including, 1.8 due to insuff... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-35057 XenForo before 2.3.10 and before 2.2.19 is vulnerable to stored cross-site scripting (XSS) in structured text mentions, primarily affecting legacy profile post content. An attacker can inject maliciou... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-6809 The Social Post Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Threads embed handler in all versions up to, and including, 2.0.1. This is due to insufficient input san... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-25601 A vulnerability was identified in MEPIS RM, an industrial software product developed by Metronik. The application contained a hardcoded cryptographic key within the Mx.Web.ComponentModel.dll component... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-35054 XenForo before 2.3.9 is vulnerable to stored cross-site scripting (XSS) related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when other u... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-2480 The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'max_width' attribute of the `su_box` shortcode in all versions up to, and incl... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-3618 The Columns by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the [print_clmns] shortcode in all versions up to and including 1.0.3. ... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-3311 The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Progress Ba... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-4341 The Prime Slider – Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'follow_us_text' setting of the Mount widget in all versions up to, and including, 4.1... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-4333 The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'skin' attribute of the learn_press_courses shortcode in all versions up to and includin... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-40225 In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output. | 6.4 | MEDIUM | — | 0 |
| CVE-2026-33675 Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-3498 The BlockArt Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'clientId' block attribute in all versions up to, and including, 2.2.15. This is due to insufficient input... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-33246 NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a `Nats-Request-Info:` message header, providing information about a request. Thi... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-0688 The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 via the 'Tools::read' function. This makes it possible for authenticated at... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-33223 NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header `Nats-Request-Info:` is supposed to be a g... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-35252 Vulnerability in the Oracle Security Service product of Oracle Fusion Middleware (component: C Oracle SSL API). Supported versions that are affected are 12.2.1.4.0 and 12.1.3.0.0. Difficult to explo... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-1607 The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `surbma-bookingcom` shortcode in all versions up to, and including, 2.1 due to ins... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-33679 Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when d... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-24362 Missing Authorization vulnerability in bdthemes Ultimate Post Kit ultimate-post-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Post Kit: from n... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-6725 The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the `wpcsm_text_rotator` shortcode in all versions up to, and inclu... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-4805 The Woostify plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.0 This is due to insufficient input sanitization and output escaping in the bundled... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-31953 Xibo is an open source digital signage platform with a web content management system and Windows display player software. A stored Cross-Site Scripting (XSS) vulnerability in versions prior to 4.4.1 a... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-5590 A race condition during TCP connection teardown can cause tcp_recv() to operate on a connection that has already been released. If tcp_conn_search() returns NULL while processing a SYN packet, a NULL ... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-5451 The Extensions for Leaflet Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'elevation-track' shortcode in all versions up to, and including, 4.14. This is due to insuffic... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-2602 The Twentig plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'featuredImageSizeWidth' parameter in versions up to, and including, 1.9.7 due to insufficient input sanitization ... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-4766 The Easy Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gallery shortcode post meta field in all versions up to, and including, 1.5.3. This is due to insuffici... | 6.4 | MEDIUM | — | 0 |
| CVE-2025-6229 The Sina Extension for Elementor (Header Builder, Footer Builter, Theme Builder, Slider, Gallery, Form, Modal, Data Table Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerab... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-5711 The Post Blocks & Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliderStyle' block attribute in the Posts Slider block in all versions up to, and including, 1.3.0 du... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-34812 Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the mimetypes parameter to /cgi-bin/proxypolicy.cgi. An authenticated attacker can inject arbitrary JavaScript that... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-34813 Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the user parameter to /cgi-bin/proxyuser.cgi. An authenticated attacker can inject arbitrary JavaScript that is sto... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-34814 Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the group parameter to /cgi-bin/proxygroup.cgi. An authenticated attacker can inject arbitrary JavaScript that is s... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-34815 Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the DOMAIN parameter to /cgi-bin/smtpdomains.cgi. An authenticated attacker can inject arbitrary JavaScript that is... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-34816 Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the domain parameter to /manage/smtpscan/domainrouting/. An authenticated attacker can inject arbitrary JavaScript ... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-34817 Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the ADDRESS BCC parameter to /cgi-bin/smtprouting.cgi. An authenticated attacker can inject arbitrary JavaScript th... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-4429 The OSM – OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_name' and 'file_color_list' shortcode attribute of the [osm_map_v3] shortcode in all versions ... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-5357 The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sid' parameter of the 'wpdm_members' shortcode in versions up to and including 3.3.52. This is due to in... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-4336 The Ultimate FAQ Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via FAQ content in all versions up to, and including, 2.4.7. This is due to the plugin calling html_entity_... | 6.4 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.