Vulnerabilidades CVE
Base de dados CVE enriquecida com CISA KEV e NVD
| CVE ID | CVSS | Severidade | KEV | Avistamentos |
|---|---|---|---|---|
| CVE-2024-35644 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Pascal Birchler Preferred Languages allows DOM-Based XSS.This issue affects Preferred Langu... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-39683 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chief Gnome Garden Gnome Package garden-gnome-package allows DOM-Based XSS.This issue affects Gard... | 5.9 | MEDIUM | — | 0 |
| CVE-2025-13219 IBM Aspera Orchestrator 3.0.0 through 4.1.2 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, ref... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-30850 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadat... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-28044 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Media WP Rocket allows Stored XSS.This issue affects WP Rocket: from n/a through 3.19.4. | 5.9 | MEDIUM | — | 0 |
| CVE-2026-26311 Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager (FilterManager) that allows for Zombie Str... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-2581 This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data... | 5.9 | MEDIUM | — | 0 |
| CVE-2025-15363 The Get Use APIs WordPress plugin before 2.0.10 executes imported JSON, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks under certain server configur... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-27686 Due to a Missing Authorization Check in SAP Business Warehouse (Service API), an authenticated attacker could perform unauthorized actions via an affected RFC function module. Successful exploitation ... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-31875 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.7 and 8.6.33, when multi-factor authentication (MFA) via TOTP is enabled fo... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-41173 The AWS X-Ray Remote Sampler package provides a sampler which can get sampling configurations from AWS X-Ray. Prior to 0.1.0-alpha.8, OpenTelemetry.Sampler.AWS reads unbounded HTTP response bodies fro... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-24931 Vulnerability of improper criterion security check in the card module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 5.9 | MEDIUM | — | 0 |
| CVE-2026-33610 A rogue primary server may cause file descriptor exhaustion and eventually a denial of service, when a PowerDNS secondary server forwards a DNS update request to it. | 5.9 | MEDIUM | — | 0 |
| CVE-2026-32770 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.19 and 8.6.43, a remote attacker can crash the Parse Server by subscribing ... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-4603 Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.j... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-1778 Amazon SageMaker Python SDK before v3.1.1 or v2.256.0 disables TLS certificate verification for HTTPS connections made by the service when a Triton Python model is imported, incorrectly allowing for r... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-25151 Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote att... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-5080 Dancer::Session::Abstract versions through 1.3522 for Perl generates session ids insecurely. The session id is generated from summing the character codepoints of the absolute pathname with the proces... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-33262 An attacker can send replies that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. Cookies are disabled by default. | 5.9 | MEDIUM | — | 0 |
| CVE-2026-25343 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP SMS wp-sms allows DOM-Based XSS.This issue affects WP SMS: from n/a through <= 7.1. | 5.9 | MEDIUM | — | 0 |
| CVE-2026-1642 A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream ser... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-32959 SD-330AC and AMC Manager provided by silex technology, Inc. contain an issue with a use of a broken or risky cryptographic algorithm. Information in the traffic may be retrieved via man-in-the-middle ... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-24938 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ajay Better Search better-search allows Stored XSS.This issue affects Better Search: from n/a thro... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-40966 In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conve... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-34778 Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, a service worker running in a session coul... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-34767 Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3, apps that register custom protocol handler... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-32351 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in blubrry PowerPress Podcasting powerpress allows Stored XSS.This issue affects PowerPress Podcastin... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-5376 An issue that could prevent session inactivity timeouts from triggering due to automatic page reloading has been resolved. This is an instance of CWE-613: Insufficient Control of Resources After Expir... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-22548 When a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests along with conditions beyond the attacker's control can cause the bd process to terminate. No... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-39654 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ashish Ajani WP Simple HTML Sitemap wp-simple-html-sitemap allows DOM-Based XSS.This issue affects... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-40592 FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the undo-send route `GET /conversation/undo-reply/{thread_id}` checks only whether the current user can view the... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-32462 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor master-addons allows DOM-Based XSS.This issue affects Mas... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-7318 A vulnerability was detected in elie mcp-project 0.1.0. The affected element is the function search_papers of the file research_server.py. The manipulation of the argument topic results in path traver... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-27138 Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either dir... | 5.9 | MEDIUM | — | 0 |
| CVE-2025-64098 Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, m... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-41016 Apache Airflow's SMTP provider `SmtpHook` called Python's `smtplib.SMTP.starttls()` without an SSL context, so no certificate validation was performed on the TLS upgrade. A man-in-the-middle between t... | 5.9 | MEDIUM | — | 0 |
| CVE-2025-68855 Insertion of Sensitive Information Into Sent Data vulnerability in themeglow JobBoard Job listing job-board-light allows Retrieve Embedded Sensitive Data.This issue affects JobBoard Job listing: from ... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-34219 libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backof... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-24929 Out-of-bounds read vulnerability in the graphics module. Impact: Successful exploitation of this vulnerability may affect availability. | 5.9 | MEDIUM | — | 0 |
| CVE-2026-25155 Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue ... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-32360 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in richplugins Rich Showcase for Google Reviews widget-google-reviews allows Stored XSS.This issue af... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-42643 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP Image Widget image-widget allows Stored XSS.This issue affects Image Widget: from n/a th... | 5.9 | MEDIUM | — | 0 |
| CVE-2025-13490 IBM App Connect Operator versions CD 11.3.0 through 11.6.0 and 12.1.0 through 12.20.0, LTS versions 12.0.0 through 12.0.20, and IBM App Connect Enterprise Certified Containers Operands versions CD 12.... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-24441 Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior expose account credentials in plaintext within HTTP responses, allowing an on-path attacker to obtain sensitive authentication material. | 5.9 | MEDIUM | — | 0 |
| CVE-2025-27903 IBM DB2 Recovery Expert for LUW 5.5 Interim Fix 002 IBM Db2 Recovery Expert for Linux, UNIX and Windows transmits data in a cleartext communication channel that could allow an attacker to obtain sensi... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-40684 In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in ... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-27729 Astro is a web framework. In versions 9.0.0 through 9.5.3, Astro server actions have no default request body size limit, which can lead to memory exhaustion DoS. A single large POST to a valid action ... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-26014 Pion DTLS is a Go implementation of Datagram Transport Layer Security. Pion DTLS versions v1.0.0 through v3.0.10 and 3.1.0 use random nonce generation with AES GCM ciphers, which makes it easier for r... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-25004 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Business Directory cm-business-directory allows Stored XSS.This issue af... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-3337 Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis. The impacted implementations ... | 5.9 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.