Vulnerabilidades CVE
Base de dados CVE enriquecida com CISA KEV e NVD
| CVE ID | CVSS | Severidade | KEV | Avistamentos |
|---|---|---|---|---|
| CVE-2023-54343 QWE DL 2.0.1 mobile web application contains a persistent input validation vulnerability allowing remote attackers to inject malicious script code through path parameter manipulation. Attackers can ex... | 6.4 | MEDIUM | — | 0 |
| CVE-2020-37037 Avast SecureLine 5.5.522.0 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path ... | 7.8 | HIGH | — | 0 |
| CVE-2020-37045 Veritas NetBackup 7.0 contains an unquoted service path vulnerability in the NetBackup INET Daemon service that allows local users to potentially execute arbitrary code. Attackers can exploit the unqu... | 7.8 | HIGH | — | 0 |
| CVE-2026-25253 OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value. | 8.8 | HIGH | — | 0 |
| CVE-2026-1734 A security flaw has been discovered in Zhong Bang CRMEB up to 5.6.3. This vulnerability affects unknown code of the file crmeb/app/api/controller/v1/CrontabController.php of the component crontab Endp... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-1735 A weakness has been identified in Yealink MeetingBar A30 133.321.0.3. This issue affects some unknown processing of the component Diagnostic Handler. This manipulation causes command injection. It is ... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-1736 A security vulnerability has been detected in Open5GS up to 2.7.6. Impacted is the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request of the file /src/sgwc/s11-handler.c of the co... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-13348 An improper access control vulnerability exists in ASUS Secure Delete Driver of ASUS Business Manager. This vulnerability can be triggered by a local user sending a specially crafted request, potentia... | N/A | NONE | — | 0 |
| CVE-2026-1737 A vulnerability was detected in Open5GS up to 2.7.6. The affected element is the function sgwc_s5c_handle_create_bearer_request of the file /src/sgwc/s5c-handler.c of the component CreateBearerRequest... | 5.3 | MEDIUM | — | 0 |
| CVE-2024-54263 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Talemy Spirit Framework allows PHP Local File Inclusion.This issue affects Spir... | 7.5 | HIGH | — | 0 |
| CVE-2026-20401 In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no ... | 7.5 | HIGH | — | 0 |
| CVE-2026-20402 In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-20403 In Modem, there is a possible system crash due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-20404 In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-7105 A vulnerability in danny-avila/librechat allows attackers to exploit the unrestricted Fork Function in `/api/convos/fork` to fork numerous contents rapidly. If the forked content includes a Mermaid gr... | N/A | NONE | — | 0 |
| CVE-2026-1751 A vulnerability has been discovered in GitLab CE/EE affecting all versions starting with 16.8 before 18.5.0 that could have allowed unauthorized edits to merge request approval rules under certain con... | 3.1 | LOW | — | 0 |
| CVE-2024-2356 A Local File Inclusion (LFI) vulnerability exists in the '/reinstall_extension' endpoint of the parisneo/lollms-webui application, specifically within the `name` parameter of the `@router.post("/reins... | N/A | NONE | — | 0 |
| CVE-2024-4147 In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to delete prompts created in other organizations through ID manipulation. The vulnerability... | 6.5 | MEDIUM | — | 0 |
| CVE-2024-5386 In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's acc... | 8.8 | HIGH | — | 0 |
| CVE-2024-5986 A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved by exploiting the `/3/Parse` endpoint to inject attacker-con... | N/A | NONE | — | 0 |
| CVE-2025-6208 The `SimpleDirectoryReader` component in `llama_index.core` version 0.12.23 suffers from uncontrolled memory consumption due to a resource management flaw. The vulnerability arises because the user-sp... | N/A | NONE | — | 0 |
| CVE-2025-47402 Transient DOS when processing a received frame with an excessively large authentication information element. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-0921 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accide... | N/A | NONE | — | 0 |
| CVE-2026-1232 A medium-severity vulnerability has been identified in BeyondTrust Privilege Management for Windows versions <=25.7. Under certain conditions, a local authenticated user with elevated privileges may b... | N/A | NONE | — | 0 |
| CVE-2026-1770 Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting mal... | N/A | NONE | — | 0 |
| CVE-2026-0631 An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(vpn modules) allows an adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker... | 8.0 | HIGH | — | 0 |
| CVE-2025-70960 A stored cross-site scripting (XSS) vulnerability in the Forums module of Tendenci CMS v15.3.7 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. | 5.4 | MEDIUM | — | 0 |
| CVE-2026-22221 An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(vpn modules) allows adjacent authenticated attacker execute arbitrary code. Successful exploitation could allow an attacker to ... | 8.0 | HIGH | — | 0 |
| CVE-2026-22222 An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(web modules) allows adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to... | 8.0 | HIGH | — | 0 |
| CVE-2026-22223 An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(vpn modules) allows adjacent authenticated attacker execute arbitrary code. Successful exploitation could allow an attacker to ... | 8.0 | HIGH | — | 0 |
| CVE-2026-22224 A command injection vulnerability may be exploited after the admin's authentication in the cloud communication interface on the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attack... | 7.2 | HIGH | — | 0 |
| CVE-2026-24737 jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript action... | 8.1 | HIGH | — | 0 |
| CVE-2026-24763 OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw’s Docker sandbox execution mechanism due... | 8.8 | HIGH | — | 0 |
| CVE-2026-25134 Group-Office is an enterprise customer relationship management and groupware tool. Prior to 6.8.150, 25.0.82, and 26.0.5, the MaintenanceController exposes an action zipLanguage which takes a lang par... | 8.8 | HIGH | — | 0 |
| CVE-2026-25137 The NixOs Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS based Odoo setup publicly exposes the database manager without any authentication. This a... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-25142 SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SanboxJS does not properly restrict __lookupGetter__ which can be used to obtain prototypes, which can be used for escaping the sandbox /... | 10.0 | CRITICAL | — | 0 |
| CVE-2025-61635 Vulnerability in Wikimedia Foundation ConfirmEdit. This vulnerability is associated with program files includes/FancyCaptcha/ApiFancyCaptchaReload.Php. This issue affects ConfirmEdit: *. | N/A | NONE | — | 0 |
| CVE-2026-0950 The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.19.17. This is due to the plugi... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-24694 The installer for Roland Cloud Manager ver.3.1.19 and prior insecurely loads Dynamic Link Libraries (DLLs), which could allow an attacker to execute arbitrary code with the privileges of the applicati... | N/A | NONE | — | 0 |
| CVE-2026-0617 The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and includi... | 7.2 | HIGH | — | 0 |
| CVE-2026-1058 The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when... | 7.1 | HIGH | — | 0 |
| CVE-2026-1065 The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist inclu... | 7.2 | HIGH | — | 0 |
| CVE-2026-1210 The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_elementor_data' meta field in all versions up to, and including, 3.20.7 due to insufficient i... | 6.4 | MEDIUM | — | 0 |
| CVE-2025-67852 A flaw was found in Moodle. An open redirect vulnerability in the OAuth login flow allows a remote attacker to redirect users to attacker-controlled pages after they have successfully authenticated. T... | 3.5 | LOW | — | 0 |
| CVE-2025-67853 A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. This vulnerability allows attackers to more easily enumerate or guess user... | 7.5 | HIGH | — | 0 |
| CVE-2025-67855 A flaw was found in mooodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. This vulnerability arises from insufficient sanitizatio... | 5.4 | MEDIUM | — | 0 |
| CVE-2025-67857 A flaw was found in moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. This data exposure allows unauthorized viewers to see internal user IDs, compr... | 4.3 | MEDIUM | — | 0 |
| CVE-2025-11598 In mObywatel iOS application an unauthorized user can use the App Switcher to view the account owner's personal information in the minimized app window, even after the login session has ended (reopeni... | N/A | NONE | — | 0 |
| CVE-2026-1312 An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, u... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-1814 Rapid7 Nexpose versions 6.4.50 and later are vulnerable to an insufficient entropy issue in the CredentialsKeyStorePassword.generateRandomPassword() method. When updating legacy keystore passwords, th... | N/A | NONE | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.