Vulnerabilidades CVE
Base de dados CVE enriquecida com CISA KEV e NVD
| CVE ID | CVSS | Severidade | KEV | Avistamentos |
|---|---|---|---|---|
| CVE-2026-28414 Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that en... | 7.5 | HIGH | — | 0 |
| CVE-2026-28411 WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the `extract()` function on the `$_REQUEST` superglobal allows an unauthenticated attacker to overwrite loc... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-28409 WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, a critical Remote Code Execution (RCE) vulnerability exists in the WeGIA application's database restoration functionality. A... | 10.0 | CRITICAL | — | 0 |
| CVE-2026-28408 WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, the script in adicionar_tipo_docs_atendido.php does not go through the project's central controller and does not have its ow... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-28407 malcontent is software for discovering supply-chain compromises through context, differential analysis, and YARA. Prior to version 1.21.0, malcontent would remove nested archives which failed to extra... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-28406 kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster. Starting in version 1.25.4 and prior to version 1.25.10, kaniko unpacks build context archives u... | 8.2 | HIGH | — | 0 |
| CVE-2026-28402 nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.2.2, a malicious or compromised validator that is e... | 7.1 | HIGH | — | 0 |
| CVE-2026-28400 Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Versions prior to 1.0.16 expose a POST `/engines/_configure` endpoint that accepts arbitrary runtime fla... | 7.5 | HIGH | — | 0 |
| CVE-2026-27939 Statmatic is a Laravel and Git powered content management system (CMS). Starting in version 6.0.0 and prior to version 6.4.0, Authenticated Control Panel users may under certain conditions obtain elev... | 8.8 | HIGH | — | 0 |
| CVE-2026-27167 Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically ... | 0.0 | NONE | — | 0 |
| CVE-2026-28355 Canarytokens help track activity and actions on a network. Versions prior to `sha-7ff0e12` have a Self Cross-Site Scripting vulnerability in the "PWA" Canarytoken, whereby the Canarytoken's creator ca... | N/A | NONE | — | 0 |
| CVE-2026-28352 Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.11, the API endpoint used to manage event series is missing an... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-28351 pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.4, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the co... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-28338 PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD ... | 6.8 | MEDIUM | — | 0 |
| CVE-2026-28288 Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registe... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-28272 Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks Email Protection Gateway allows authenticated administrators to inject malicious scripts through a confi... | 8.1 | HIGH | — | 0 |
| CVE-2026-28271 Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks configuration functionality allows bypassing of SSRF protections through DNS rebinding attacks. Maliciou... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-28270 Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks configuration allows uploading of arbitrary files without proper validation. Malicious administrators co... | 4.9 | MEDIUM | — | 0 |
| CVE-2026-28268 Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password r... | 9.8 | CRITICAL | — | 0 |
| CVE-2018-25160 HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend. For example, if an appli... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-3255 HTTP::Session2 versions before 1.12 for Perl for Perl may generate weak session ids using the rand() function. The HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in ra... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-28354 ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, collection item operations are vulnerable to authorization flaws, allowing a normal authenticated user to modify ano... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-28231 pillow_heif is a Python library for working with HEIF images and plugin for Pillow. Prior to version 1.3.0, an integer overflow in the encode path buffer validation of `_pillow_heif.c` allows an attac... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-27947 Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, and 6.8.154 have an authenticated Remote Code Execution vulnerability in the TNEF ... | 8.8 | HIGH | — | 0 |
| CVE-2026-27836 phpMyFAQ is an open source FAQ web application. Prior to version 4.0.18, the WebAuthn prepare endpoint (`/api/webauthn/prepare`) creates new active user accounts without any authentication, CSRF prote... | 7.5 | HIGH | — | 0 |
| CVE-2026-27832 Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.8, 25.0.87, and 6.8.153 have a SQL Injection (SQLi) vulnerability, exploitable through the `ad... | 8.8 | HIGH | — | 0 |
| CVE-2026-27824 calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Server's brute-force protection mechanism uses a ban ke... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-27810 calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, an HTTP Response Header Injection vulnerability in the calibre Content Serv... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-27793 Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the `GET /api/v1/user/:id` endpoint returns the full settings object for any user, inc... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27792 Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and pri... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-27734 Beszel is a server monitoring platform. Prior to version 0.18.2, the hub's authenticated API endpoints GET /api/beszel/containers/logs and GET /api/beszel/containers/info pass the user-supplied "conta... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27707 Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in `POST /api/v1/auth... | 7.3 | HIGH | — | 0 |
| CVE-2026-27583 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | — | 0 |
| CVE-2026-27582 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | — | 0 |
| CVE-2026-27581 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | — | 0 |
| CVE-2026-27580 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | — | 0 |
| CVE-2026-27573 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | — | 0 |
| CVE-2026-27501 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | — | 0 |
| CVE-2026-27500 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | — | 0 |
| CVE-2026-27201 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | — | 0 |
| CVE-2026-27200 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | — | 0 |
| CVE-2026-26997 ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, a normal authenticated user can store the XSS payload. The payload is triggered by administrator. Version 5.5.3 #59 ... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-22717 Out-of-bound read vulnerability in VMware Workstation 25H1 and below on any platform allows an actor with non-administrative privileges on a guest VM to obtain limited information disclosure from the ... | 2.7 | LOW | — | 0 |
| CVE-2026-2880 A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router no... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-27758 SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a cross-site request forgery vulnerability in its management interface that allows attackers to induce authenticated users into submi... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-27757 SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentication vulnerability that allows authenticated users to change account passwords without verifying the current password. A... | 7.1 | HIGH | — | 0 |
| CVE-2026-27756 SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a reflected cross-site scripting vulnerability in the management interface where user input is not properly encoded before output. At... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-27755 SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a weak session identifier generation vulnerability that allows attackers to forge authenticated sessions by computing predictable MD5... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-27754 SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 use the cryptographically broken MD5 hash function for session cookie generation, weakening session security. Attackers can exploit predictab... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-22716 Out-of-bound write vulnerability in VMware Workstation 25H1 and below on any platform allows an actor with non-administrative privileges on a guest VM to terminate certain Workstation processes. | 5.0 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.