Vulnerabilidades CVE
Base de dados CVE enriquecida com CISA KEV e NVD
| CVE ID | CVSS | Severidade | KEV | Avistamentos |
|---|---|---|---|---|
| CVE-2026-4262 Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'ID' in '/api/v1/download/<ID>/'. | N/A | NONE | — | 0 |
| CVE-2026-4861 A weakness has been identified in Wavlink WL-NU516U1 260227. This vulnerability affects the function ftext of the file /cgi-bin/nas.cgi. This manipulation of the argument Content-Length causes stack-b... | 8.8 | HIGH | — | 0 |
| CVE-2026-4860 A security flaw has been discovered in 648540858 wvp-GB28181-pro up to 2.7.4. This affects the function GenericFastJsonRedisSerializer of the file src/main/java/com/genersoft/iot/vmp/conf/redis/RedisT... | 7.3 | HIGH | — | 0 |
| CVE-2026-4874 A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs wh... | 3.1 | LOW | — | 0 |
| CVE-2026-4850 A security flaw has been discovered in code-projects Simple Laundry System 1.0. Affected is an unknown function of the file /checkregisitem.php of the component Parameter Handler. The manipulation of ... | 7.3 | HIGH | — | 0 |
| CVE-2026-4849 A vulnerability was identified in code-projects Simple Laundry System 1.0. This impacts an unknown function of the file /modify.php of the component Parameter Handler. The manipulation of the argument... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-4848 A vulnerability was determined in dameng100 muucmf 1.9.5.20260309. This affects an unknown function of the file /admin/extend/list.html. Executing a manipulation of the argument Name can lead to cross... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-4847 A vulnerability was found in dameng100 muucmf 1.9.5.20260309. The impacted element is an unknown function of the file /admin/config/list.html. Performing a manipulation of the argument Name results in... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-4747 Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is s... | 8.8 | HIGH | — | 0 |
| CVE-2026-4652 On a system exposing an NVMe/TCP target, a remote client can trigger a kernel panic by sending a CONNECT command for an I/O queue with a bogus or stale CNTLID. An attacker with network access to the ... | 7.5 | HIGH | — | 0 |
| CVE-2026-4247 When a challenge ACK is to be sent tcp_respond() constructs and sends the challenge ACK and consumes the mbuf that is passed in. When no challenge ACK should be sent the function returns and leaks th... | 7.5 | HIGH | — | 0 |
| CVE-2026-32680 The installer of RATOC RAID Monitoring Manager for Windows allows to customize the installation folder. If the installation folder is customized to some non-default one, the folder may be left with un... | N/A | NONE | — | 0 |
| CVE-2026-28760 The installer of RATOC RAID Monitoring Manager for Windows searches the current directory to load certain DLLs. If a user is directed to place a crafted DLL with the installer, an arbitrary code may b... | N/A | NONE | — | 0 |
| CVE-2026-1890 The LeadConnector WordPress plugin before 3.0.22 does not have authorization in a REST route, allowing unauthenticated users to call it and overwrite existing data | 5.3 | MEDIUM | — | 0 |
| CVE-2026-1430 The WP Lightbox 2 WordPress plugin before 3.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks e... | 4.8 | MEDIUM | — | 0 |
| CVE-2025-15488 The Responsive Plus WordPress plugin before 3.4.3 is vulnerable to arbitrary shortcode execution due to the software allowing unauthenticated users to execute the update_responsive_woo_free_shipping_... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-15433 The Shared Files WordPress plugin before 1.7.58 allows users with a role as low as Contributor to download any file on the web server (such as wp-config.php) via a path traversal vector | 6.8 | MEDIUM | — | 0 |
| CVE-2026-4846 A vulnerability has been found in dameng100 muucmf 1.9.5.20260309. The affected element is an unknown function of the file channel/admin.Account/autoReply.html. Such manipulation of the argument keywo... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-4845 A flaw has been found in dameng100 muucmf 1.9.5.20260309. Impacted is an unknown function of the file /admin/Member/index.html. This manipulation of the argument Search causes cross site scripting. It... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-1206 The Elementor Website Builder plugin for WordPress is vulnerable to Incorrect Authorization to Sensitive Information Exposure in all versions up to, and including, 3.35.7. This is due to a logic error... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-4844 A vulnerability was detected in code-projects Online Food Ordering System 1.0. This issue affects some unknown processing of the file /admin.php of the component Admin Login Module. The manipulation o... | 7.3 | HIGH | — | 0 |
| CVE-2026-4842 A security vulnerability has been detected in itsourcecode Online Enrollment System 1.0. This vulnerability affects unknown code of the file /sms/grades/index.php?view=edit&id=1 of the component Param... | 7.3 | HIGH | — | 0 |
| CVE-2026-4841 A weakness has been identified in code-projects Online Food Ordering System 1.0. This affects an unknown part of the file form/cart.php of the component Shopping Cart Module. Executing a manipulation ... | 7.3 | HIGH | — | 0 |
| CVE-2026-4840 A security flaw has been discovered in Netcore Power 15AX up to 3.0.0.6938. Affected by this issue is the function setTools of the file /bin/netis.cgi of the component Diagnostic Tool Interface. Perfo... | 8.8 | HIGH | — | 0 |
| CVE-2026-4389 The DSGVO snippet for Leaflet Map and its Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `leafext-cookie-time` and `leafext-delete-cookie` shortcodes in all versi... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-4331 The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized data loss in all versions up to, and including, 8.8.2. This is due to the resetSocialMetaTags() f... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-4329 The Blackhole for Bad Bots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent HTTP header in all versions up to and including 3.8. This is due to insufficient input s... | 7.2 | HIGH | — | 0 |
| CVE-2026-4281 The FormLift for Infusionsoft Web Forms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 7.5.21. This is due to missing capability checks on the connec... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-4278 The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sdc_menu' shortcode in all versions up to, and including, 2.3. This is due to insufficient input ... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-33201 Digital Photo Frame GH-WDF10A provided by GREEN HOUSE CO., LTD. contains an active debug code vulnerability. If this vulnerability is exploited, files or configurations on the affected device may be r... | N/A | NONE | — | 0 |
| CVE-2026-2931 The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to object... | 8.8 | HIGH | — | 0 |
| CVE-2026-4839 A vulnerability has been found in SourceCodester Food Ordering System 1.0. This affects an unknown function of the file /purchase.php of the component Parameter Handler. The manipulation of the argume... | 7.3 | HIGH | — | 0 |
| CVE-2026-4838 A flaw has been found in SourceCodester Malawi Online Market 1.0. The impacted element is an unknown function of the file /display.php. Executing a manipulation of the argument ID can lead to sql inje... | 7.3 | HIGH | — | 0 |
| CVE-2026-4335 The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient ... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-4075 The BWL Advanced FAQ Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'baf_sbox' shortcode in all versions up to and including 1.1.1. This is due to insufficient ... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-3328 The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31.... | 7.2 | HIGH | — | 0 |
| CVE-2026-1986 The FloristPress for Woo – Customize your eCommerce store for your Florist plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'noresults' parameter in all versions up to, and... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-4836 A vulnerability was detected in code-projects Accounting System 1.0. The affected element is an unknown function of the file /my_account/delete.php. Performing a manipulation of the argument cos_id re... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-4835 A security vulnerability has been detected in code-projects Accounting System 1.0. Impacted is an unknown function of the file /my_account/add_costumer.php of the component Web Application Interface. ... | 3.5 | LOW | — | 0 |
| CVE-2025-15101 A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Web management interface of certain ASUS router models. This vulnerability potentially allows actions to be performed with ... | 8.8 | HIGH | — | 0 |
| CVE-2014-125112 Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows a... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-4833 A weakness has been identified in Orc discount up to 3.0.1.2. This issue affects the function compile of the file markdown.c of the component Markdown Handler. This manipulation causes uncontrolled re... | 3.3 | LOW | — | 0 |
| CVE-2026-4831 A security flaw has been discovered in kalcaddle kodbox 1.64. Impacted is the function can of the file /workspace/source-code/app/controller/explorer/auth.class.php of the component Password-protected... | 3.7 | LOW | — | 0 |
| CVE-2026-4484 The Masteriyo LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.6. This is due to the plugin allowing a user to update the user role through the ... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-4830 A vulnerability was identified in kalcaddle kodbox 1.64. This issue affects the function Add of the file app/controller/explorer/userShare.class.php of the component Public Share Handler. Such manipul... | 5.6 | MEDIUM | — | 0 |
| CVE-2026-33942 Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token st... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-33526 Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to per... | N/A | NONE | — | 0 |
| CVE-2026-33515 Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker... | N/A | NONE | — | 0 |
| CVE-2026-33287 LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, the `replace_first` filter in LiquidJS uses JavaScript's `String.prototype.replace()` whic... | 7.5 | HIGH | — | 0 |
| CVE-2026-33285 LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's `memoryLimit` security mechanism can be completely bypassed by using reverse ra... | 7.5 | HIGH | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.