Vulnerabilidades CVE
Base de dados CVE enriquecida com CISA KEV e NVD
| CVE ID | CVSS | Severidade | KEV | Avistamentos |
|---|---|---|---|---|
| CVE-2026-22661 prompts.chat prior to commit 0f8d4c3 contains a path traversal vulnerability in skill file handling that allows attackers to write arbitrary files to the client system by crafting malicious ZIP archiv... | 8.1 | HIGH | — | 0 |
| CVE-2026-3453 The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.16.11. This is due to missing ownership validation on the change_plan_su... | 8.1 | HIGH | — | 0 |
| CVE-2026-34783 Ferret is a declarative system for working with web data. Prior to 2.0.0-alpha.4, a path traversal vulnerability in Ferret's IO::FS::WRITE standard library function allows a malicious website to write... | 8.1 | HIGH | — | 0 |
| CVE-2026-2626 The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin ... | 8.1 | HIGH | — | 0 |
| CVE-2026-32610 Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=["*"]` combine... | 8.1 | HIGH | — | 0 |
| CVE-2025-67298 An issue in ClasroomIO before v.0.2.6 allows a remote attacker to escalate privileges via the endpoints /api/verify and /rest/v1/profile | 8.1 | HIGH | — | 0 |
| CVE-2026-4101 IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Acces... | 8.1 | HIGH | — | 0 |
| CVE-2026-21361 Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vvulnerability that could be abused by a high-... | 8.1 | HIGH | — | 0 |
| CVE-2026-31969 HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. Whe... | 8.1 | HIGH | — | 0 |
| CVE-2026-21284 Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-p... | 8.1 | HIGH | — | 0 |
| CVE-2026-22513 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Triompher triompher allows PHP Local File Inclusion.This issue aff... | 8.1 | HIGH | — | 0 |
| CVE-2026-33010 mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.25.1, when the HTTP server is enabled (MCP_HTTP_ENABLED=true), the application configures FastAPI's COR... | 8.1 | HIGH | — | 0 |
| CVE-2026-22499 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Lella lella allows PHP Local File Inclusion.This issue affects Le... | 8.1 | HIGH | — | 0 |
| CVE-2026-4718 Undefined behavior in the WebRTC: Signaling component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. | 8.1 | HIGH | — | 0 |
| CVE-2026-25457 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Mixtape mixtape allows PHP Local File Inclusion.This issue affect... | 8.1 | HIGH | — | 0 |
| CVE-2025-14037 The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 1.2.6. This is due to missing validation and sanitizat... | 8.1 | HIGH | — | 0 |
| CVE-2026-33468 Kysely is a type-safe TypeScript SQL query builder. Prior to version 0.28.14, Kysely's `DefaultQueryCompiler.sanitizeStringLiteral()` only escapes single quotes by doubling them (`'` → `''`) but does ... | 8.1 | HIGH | — | 0 |
| CVE-2026-28891 A race condition was addressed with additional validation. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to break out of its sandbox. | 8.1 | HIGH | — | 0 |
| CVE-2026-22509 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Gioia gioia allows PHP Local File Inclusion.This issue affects Gi... | 8.1 | HIGH | — | 0 |
| CVE-2026-22502 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Mr. Cobbler mr-cobbler allows PHP Local File Inclusion.This issue ... | 8.1 | HIGH | — | 0 |
| CVE-2026-25458 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Moments moments allows PHP Local File Inclusion.This issue affect... | 8.1 | HIGH | — | 0 |
| CVE-2026-33293 WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitizatio... | 8.1 | HIGH | — | 0 |
| CVE-2026-22503 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Nelson nelson allows PHP Local File Inclusion.This issue affects Nelso... | 8.1 | HIGH | — | 0 |
| CVE-2026-22504 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX ProLingua prolingua allows PHP Local File Inclusion.This issue affects... | 8.1 | HIGH | — | 0 |
| CVE-2026-22505 Deserialization of Untrusted Data vulnerability in AncoraThemes Morning Records morning-records allows Object Injection.This issue affects Morning Records: from n/a through <= 1.2. | 8.1 | HIGH | — | 0 |
| CVE-2026-32302 OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived... | 8.1 | HIGH | — | 0 |
| CVE-2026-32034 OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in the Control UI when allowInsecureAuth is explicitly enabled and the gateway is exposed over plaintext HTTP, allow... | 8.1 | HIGH | — | 0 |
| CVE-2026-27048 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes The Aisle Core theaisle-core allows PHP Local File Inclusion.This... | 8.1 | HIGH | — | 0 |
| CVE-2026-3629 The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the 'save_extra_user_profile_fields' f... | 8.1 | HIGH | — | 0 |
| CVE-2025-41368 Problem in the Small HTTP Server v3.06.36 service. An authenticated path traversal vulnerability in '/' allows remote users to bypass the intended restrictions of SecurityManager and display any file ... | 8.1 | HIGH | — | 0 |
| CVE-2026-25379 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes StreamVid streamvid allows PHP Local File Inclusion.This issue affect... | 8.1 | HIGH | — | 0 |
| CVE-2026-27081 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Rosebud rosebud allows PHP Local File Inclusion.This issue affect... | 8.1 | HIGH | — | 0 |
| CVE-2026-33236 NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, the ... | 8.1 | HIGH | — | 0 |
| CVE-2026-32505 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS Kiddy kiddy allows PHP Local File Inclusion.This issue affects Kiddy... | 8.1 | HIGH | — | 0 |
| CVE-2026-2370 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 affecting Jira Connect installations that could have allowed... | 8.1 | HIGH | — | 0 |
| CVE-2026-33316 Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The `ResetPas... | 8.1 | HIGH | — | 0 |
| CVE-2026-33038 WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfigura... | 8.1 | HIGH | — | 0 |
| CVE-2026-35607 File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the fix in commit b6a4fb1 ("self-registered us... | 8.1 | HIGH | — | 0 |
| CVE-2026-33037 WWBN AVideo is an open source video platform. In versions 25.0 and below, the official Docker deployment files (docker-compose.yml, env.example) ship with the admin password set to "password", which i... | 8.1 | HIGH | — | 0 |
| CVE-2026-32942 PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below contain a heap use-after-free vulnerability in the ICE session that occurs when there are race c... | 8.1 | HIGH | — | 0 |
| CVE-2026-33329 FileRise is a self-hosted web file manager / WebDAV server. From version 1.0.1 to before version 3.10.0, the resumableIdentifier parameter in the Resumable.js chunked upload handler (UploadModel::hand... | 8.1 | HIGH | — | 0 |
| CVE-2026-25380 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes Feedy feedy allows PHP Local File Inclusion.This issue affects Feedy:... | 8.1 | HIGH | — | 0 |
| CVE-2026-33668 Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on t... | 8.1 | HIGH | — | 0 |
| CVE-2026-33055 tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE... | 8.1 | HIGH | — | 0 |
| CVE-2026-27080 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Deston deston allows PHP Local File Inclusion.This issue affects ... | 8.1 | HIGH | — | 0 |
| CVE-2026-22511 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes NeoBeat neobeat allows PHP Local File Inclusion.This issue affect... | 8.1 | HIGH | — | 0 |
| CVE-2026-4434 Improper certificate validation in the PAM propagation WinRM connections allows a network attacker to perform a man-in-the-middle attack via disabled TLS certificate verification. | 8.1 | HIGH | — | 0 |
| CVE-2026-32488 Incorrect Privilege Assignment vulnerability in wpeverest User Registration user-registration allows Privilege Escalation.This issue affects User Registration: from n/a through <= 4.4.9. | 8.1 | HIGH | — | 0 |
| CVE-2026-33940 Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in `re... | 8.1 | HIGH | — | 0 |
| CVE-2026-33142 OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the fix for CVE-2026-32306 (ClickHouse SQL injection via aggregate query parameters) added column name va... | 8.1 | HIGH | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.