Vulnerabilidades CVE
Base de dados CVE enriquecida com CISA KEV e NVD
| CVE ID | CVSS | Severidade | KEV | Avistamentos |
|---|---|---|---|---|
| CVE-2026-31162 An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the ttlWay parameter to /cgi-bin/cstecgi.cgi. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-31163 An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the dhcpMtu parameter to /cgi-bin/cstecgi.cgi. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-31166 An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the hour parameter to /cgi-bin/cstecgi.cgi. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-31167 An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the mode parameter to /cgi-bin/cstecgi.cgi. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-31168 An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the recHour parameter to /cgi-bin/cstecgi.cgi. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-31169 An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the week parameter to /cgi-bin/cstecgi.cgi. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-31173 An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the interval parameter to /cgi-bin/cstecgi.cgi. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33694 This vulnerability allows an attacker to create a junction, enabling the deletion of arbitrary files with SYSTEM privileges. As a result, this condition potentially facilitates arbitrary code executio... | N/A | NONE | — | 0 |
| CVE-2026-40894 OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-41078 OpenTelemetry dotnet is a dotnet telemetry framework. In 1.6.0-rc.1 and earlier, OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on a... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-41173 The AWS X-Ray Remote Sampler package provides a sampler which can get sampling configurations from AWS X-Ray. Prior to 0.1.0-alpha.8, OpenTelemetry.Sampler.AWS reads unbounded HTTP response bodies fro... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-41205 Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is ... | N/A | NONE | — | 0 |
| CVE-2026-41246 Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker ... | 8.1 | HIGH | — | 0 |
| CVE-2026-41247 elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg (background c... | N/A | NONE | — | 0 |
| CVE-2026-41259 Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and perfor... | N/A | NONE | — | 0 |
| CVE-2026-25874 LeRobot through 0.5.1 contains an unsafe deserialization vulnerability in the async inference pipeline where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels with... | N/A | NONE | — | 0 |
| CVE-2026-41137 Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an at... | 8.8 | HIGH | — | 0 |
| CVE-2026-41265 Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results ... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-41267 Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, an improper mass assignment (JSON injection) vulnerability in the account registration endpoint... | 8.1 | HIGH | — | 0 |
| CVE-2026-41268 Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerabilit... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-41270 Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Funct... | 7.1 | HIGH | — | 0 |
| CVE-2026-41272 Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core security wrappers (secureAxiosRequest and secureFetch) intended to prevent Server-Side... | 7.1 | HIGH | — | 0 |
| CVE-2026-41275 Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the password reset functionality on cloud.flowiseai.com sends a reset password link over the un... | 7.5 | HIGH | — | 0 |
| CVE-2026-41277 Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated use... | 8.8 | HIGH | — | 0 |
| CVE-2026-41278 Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitiza... | 7.5 | HIGH | — | 0 |
| CVE-2026-41279 Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (n... | 7.5 | HIGH | — | 0 |
| CVE-2026-28525 SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP... | 6.8 | MEDIUM | — | 0 |
| CVE-2026-6941 radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malici... | 6.6 | MEDIUM | — | 0 |
| CVE-2026-6942 radare2-mcp version 1.6.0 and earlier contains an os command injection vulnerability that allows remote attackers to execute arbitrary commands by bypassing the command filter through shell metacharac... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-26210 KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authen... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-29050 melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, an attacker who can influence a melange configuration file — for example... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-29051 melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, `melange lint --persist-lint-results` (opt-in flag, also usable via `mel... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-31952 Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API rout... | 7.6 | HIGH | — | 0 |
| CVE-2026-31955 Xibo is an open source digital signage platform with a web content management system and Windows display player software. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions ... | 4.9 | MEDIUM | — | 0 |
| CVE-2026-31956 Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL to... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-32870 Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a secon... | N/A | NONE | — | 0 |
| CVE-2026-34587 Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions to content models in the C... | N/A | NONE | — | 0 |
| CVE-2026-40099 Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined f... | N/A | NONE | — | 0 |
| CVE-2026-41325 Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined f... | N/A | NONE | — | 0 |
| CVE-2026-32952 go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash an... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-33076 Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the haproxy_section_save interface presents a vulnerability that could lead to remote c... | N/A | NONE | — | 0 |
| CVE-2026-33077 Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the oldconfig parameter in the haproxy_section_save interface has an arbitrary file rea... | N/A | NONE | — | 0 |
| CVE-2026-33317 OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. In versions 3.13.0 through 4.10.0, mis... | 8.7 | HIGH | — | 0 |
| CVE-2026-33318 Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user (including `BASIC` role) can escalate to `ADMIN` on servers migrated from password authentication to Open... | 8.8 | HIGH | — | 0 |
| CVE-2026-41316 ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution ... | 8.1 | HIGH | — | 0 |
| CVE-2026-41317 Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS).`press.api.account.create_api_secret` is prone to CSRF-like explo... | N/A | NONE | — | 0 |
| CVE-2026-41318 AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, AnythingLLM's in-chat markdown renderer has an unsa... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-41485 Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the `forEach` mutation handler allows any user with... | 7.7 | HIGH | — | 0 |
| CVE-2026-31547 In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix missing runtime PM reference in ccs_mode_store ccs_mode_store() calls xe_gt_reset() which internally invokes xe_pm_run... | N/A | NONE | — | 0 |
| CVE-2026-31551 In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Fix static_branch_dec() underflow for aql_disable. syzbot reported static_branch_dec() underflow in aql_enable_wri... | N/A | NONE | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.