CVE Vulnerabilities
CVE database enriched with CISA KEV and NVD
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-25308 Missing Authorization vulnerability in wp.insider Simple Membership simple-membership allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Membership: from... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-25313 Missing Authorization vulnerability in Shahjahan Jewel FluentForm fluentform allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FluentForm: from n/a through <= ... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-1760 A flaw was found in SoupServer. This HTTP request smuggling vulnerability occurs because SoupServer improperly handles requests that combine Transfer-Encoding: chunked and Connection: keep-alive heade... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-15288 Tanium addressed an improper access controls vulnerability in Interact. | 3.1 | LOW | — | 0 |
| CVE-2026-24845 malcontent discovers supply-chain compromises through context, differential analysis, and YARA. Starting in version 0.10.0 and prior to version 1.20.3, malcontent could be made to expose Docker regis... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-0963 An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via... | 9.9 | CRITICAL | — | 0 |
| CVE-2026-25063 gradle-completion provides Bash and Zsh completion support for Gradle. A command injection vulnerability was found in gradle-completion up to and including 9.3.0 that allows arbitrary code execution w... | 7.8 | HIGH | — | 0 |
| CVE-2026-25116 Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote use... | 7.6 | HIGH | — | 0 |
| CVE-2026-25126 PolarLearn is a free and open-source learning program. Prior to version 0-PRERELEASE-15, the vote API route (`POST /api/v1/forum/vote`) trusts the JSON body’s `direction` value without runtime validat... | 7.1 | HIGH | — | 0 |
| CVE-2025-15322 Tanium addressed an improper access controls vulnerability in Tanium Server. | 4.3 | MEDIUM | — | 0 |
| CVE-2026-0805 An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path tr... | 8.2 | HIGH | — | 0 |
| CVE-2026-1680 Improper access control in the WCF endpoint in Edgemo (now owned by Danoffice IT) Local Admin Service 1.2.7.23180 on Windows allows a local user to escalate their privileges to local administrator via... | 7.8 | HIGH | — | 0 |
| CVE-2026-25210 In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation. | 6.9 | MEDIUM | — | 0 |
| CVE-2026-21418 Dell Unity, version(s) 5.5.2 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local acc... | 7.8 | HIGH | — | 0 |
| CVE-2026-22277 Dell UnityVSA, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local ac... | 7.8 | HIGH | — | 0 |
| CVE-2026-1699 In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_target trigger while checking out and executing untrusted pull request code. This a... | 10.0 | CRITICAL | — | 0 |
| CVE-2026-0709 Some Hikvision Wireless Access Points are vulnerable to authenticated command execution due to insufficient input validation. Attackers with valid credentials can exploit this flaw by sending crafted ... | 7.2 | HIGH | — | 0 |
| CVE-2026-22623 Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can execute arbitrary commands on the device by crafting specific messages. | 7.2 | HIGH | — | 0 |
| CVE-2026-22624 Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can manipulate other users' file resources without proper authorization. | 4.3 | MEDIUM | — | 0 |
| CVE-2026-22625 Improper handling of filenames in certain HIKSEMI NAS products may lead to the exposure of sensitive system files. | 4.6 | MEDIUM | — | 0 |
| CVE-2026-22626 Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can cause abnormal device behavior by crafting specific messages. | 4.9 | MEDIUM | — | 0 |
| CVE-2026-1682 A flaw has been found in Free5GC SMF up to 4.1.0. Affected is the function HandlePfcpAssociationReleaseRequest of the file internal/pfcp/handler/handler.go of the component PFCP UDP Endpoint. Executin... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-1683 A vulnerability has been found in Free5GC SMF up to 4.1.0. Affected by this vulnerability is the function HandlePfcpSessionReportRequest of the file internal/pfcp/handler/handler.go of the component P... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-1684 A vulnerability was found in Free5GC SMF up to 4.1.0. Affected by this issue is the function HandleReports of the file /internal/context/pfcp_reports.go of the component PFCP UDP Endpoint. The manipul... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-25050 Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumera... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-66595 A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product is vulnerable to Cross-Site Request Forgery (CSRF). When a user accesses a link crafted by an at... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-25128 fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerabi... | 7.5 | HIGH | — | 0 |
| CVE-2026-25129 PsySH is a runtime developer console, interactive debugger, and REPL for PHP. Prior to versions 0.11.23 and 0.12.19, PsySH automatically loads and executes a `.psysh.php` file from the Current Working... | 6.7 | MEDIUM | — | 0 |
| CVE-2026-25141 Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25152 Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node ... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-25153 Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node ... | 7.7 | HIGH | — | 0 |
| CVE-2026-25154 LocalSend is a free, open-source app that allows users to share files and messages with nearby devices over their local network without needing an internet connection. In versions up to and including ... | 6.1 | MEDIUM | — | 0 |
| CVE-2020-37051 Online-Exam-System 2015 contains a time-based blind SQL injection vulnerability in the feedback form that allows attackers to extract database password hashes. Attackers can exploit the 'feed.php' end... | 8.2 | HIGH | — | 0 |
| CVE-2020-37057 Online-Exam-System 2015 contains a SQL injection vulnerability in the feedback module that allows attackers to manipulate database queries through the 'fid' parameter. Attackers can inject malicious S... | 8.2 | HIGH | — | 0 |
| CVE-2026-25156 HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user’s... | 7.3 | HIGH | — | 0 |
| CVE-2026-1741 A vulnerability was determined in EFM ipTIME A8004T 14.18.2. Affected is the function httpcon_check_session_url of the file /sess-bin/d.cgi of the component Debug Interface. This manipulation of the a... | 6.6 | MEDIUM | — | 0 |
| CVE-2026-25200 A vulnerability in MagicInfo9 Server allows authorized users to upload HTML files without authentication, leading to Stored XSS, which can result in account takeover. This issue affects MagicINFO 9 S... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25201 An unauthenticated user can upload arbitrary files to execute remote code, leading to privilege escalation in MagicInfo9 Server. This issue affects MagicINFO 9 Server: less than 21.1090.1. | 8.8 | HIGH | — | 0 |
| CVE-2026-25202 The database account and password are hardcoded, allowing login with the account to manipulate the database in MagicInfo9 Server. This issue affects MagicINFO 9 Server: less than 21.1090.1. | 9.8 | CRITICAL | — | 0 |
| CVE-2026-20711 Cross-site scripting vulnerability exists in E-mail function of Cybozu Garoon 5.0.0 to 6.0.3, which may allow an attacker to reset arbitrary users’ passwords. | 6.1 | MEDIUM | — | 0 |
| CVE-2026-22881 Cross-site scripting vulnerability exists in Message function of Cybozu Garoon 5.15.0 to 6.0.3, which may allow an attacker to reset arbitrary users’ passwords. | 5.4 | MEDIUM | — | 0 |
| CVE-2026-1761 A flaw was found in libsoup. This stack-based buffer overflow vulnerability occurs during the parsing of multipart HTTP responses due to an incorrect length calculation. A remote attacker can exploit ... | 8.6 | HIGH | — | 0 |
| CVE-2026-22229 A command injection vulnerability may be exploited after the admin's authentication via the import of a crafted VPN client configuration file on the TP-Link Archer BE230 v1.2 and Deco BE25 v1.0. Succe... | 7.2 | HIGH | — | 0 |
| CVE-2025-12679 A vulnerability in Brocade SANnav before 2.4.0b prints the Password-Based Encryption (PBE) key in plaintext in the system audit log file. The vulnerability could allow a remote authenticated attacke... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-12680 Brocade SANnav before Brocade SANnav 2.4.0b logs database passwords in clear text in the standby SANnav server, after disaster recovery failover. The vulnerability could allow a remote authenticated ... | 4.9 | MEDIUM | — | 0 |
| CVE-2025-36194 IBM PowerVM Hypervisor FW1110.00 through FW1110.03, FW1060.00 through FW1060.51, and FW950.00 through FW950.F0 may expose a limited amount of data to a peer partition in specific shared processor conf... | 2.8 | LOW | — | 0 |
| CVE-2025-36238 IBM PowerVM Hypervisor FW1110.00 through FW1110.03, FW1060.00 through FW1060.51, and FW950.00 through FW950.F0 could allow a local user with administration privileges to obtain sensitive information f... | 6.0 | MEDIUM | — | 0 |
| CVE-2025-36436 IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 007 is vulnerable to stored cross-site script... | 6.4 | MEDIUM | — | 0 |
| CVE-2025-66480 Wildfire IM is an instant messaging and real-time audio/video solution. Prior to 1.4.3, a critical vulnerability exists in the im-server component related to the file upload functionality found in com... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-69207 Khoj is a self-hostable artificial intelligence app. Prior to 2.0.0-beta.23, an IDOR in the Notion OAuth callback allows an attacker to hijack any user's Notion integration by manipulating the state p... | 5.4 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.