Vulnerabilidades CVE
Base de dados CVE enriquecida com CISA KEV e NVD
| CVE ID | CVSS | Severidade | KEV | Avistamentos |
|---|---|---|---|---|
| CVE-2025-62878 A malicious user can manipulate the parameters.pathPattern to create PersistentVolumes in arbitrary locations on the host node, potentially overwriting sensitive files or gaining access to unintended ... | 9.9 | CRITICAL | — | 0 |
| CVE-2025-67601 A vulnerability has been identified within Rancher Manager, where using self-signed CA certificates and passing the -skip-verify flag to the Rancher CLI login command without also passing the –cacert ... | 8.3 | HIGH | — | 0 |
| CVE-2025-67860 A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials... | 3.8 | LOW | — | 0 |
| CVE-2026-22424 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Shaha shaha allows PHP Local File Inclusion.This issue affects Sha... | 8.1 | HIGH | — | 0 |
| CVE-2026-27704 The Dart and Flutter SDKs provide software development kits for the Dart programming language. In versions of the Dart SDK prior to 3.11.0 and the Flutter SDK prior to version 3.41.0, when the pub cli... | 7.5 | HIGH | — | 0 |
| CVE-2026-27730 esm.sh is a no-build content delivery network (CDN) for web development. Versions up to and including 137 have an SSRF vulnerability (CWE-918) in esm.sh’s `/http(s)` fetch route. The service tries to ... | 7.5 | HIGH | — | 0 |
| CVE-2026-27846 Due to missing authentication, a user with physical access to the device can misuse the mesh functionality for adding a new mesh device to the network to gain access to sensitive information, includi... | 6.2 | MEDIUM | — | 0 |
| CVE-2026-27847 Due to improper neutralization of special elements, SQL statements can be injected via the handshake of a TLS-SRP connection. This can be used to inject known credentials into the database that can be... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-27848 Due to missing neutralization of special elements, OS commands can be injected via the handshake of a TLS-SRP connection, which are ultimately run as the root user. This issue affects MR9600: 1.0.4.20... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-3206 Improper Resource Shutdown or Release vulnerability in KrakenD, SLU KrakenD-CE (CircuitBreaker modules), KrakenD, SLU KrakenD-EE (CircuitBreaker modules). This issue affects KrakenD-CE: before 2.13.1;... | N/A | NONE | — | 0 |
| CVE-2026-27736 BigBlueButton is an open-source virtual classroom. In versions on the 3.x branch prior to 3.0.20, the string received with errorRedirectUrl lacks validation, using it directly in the respondWithRedire... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-27738 The Angular SSR is a server-rise rendering tool for Angular applications. An Open Redirect vulnerability exists in the internal URL processing logic in versions on the 19.x branch prior to 19.2.21, th... | N/A | NONE | — | 0 |
| CVE-2026-27849 Due to missing neutralization of special elements, OS commands can be injected via the update functionality of a TLS-SRP connection, which is normally used for configuring devices inside the mesh netw... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-3189 A weakness has been identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. This vulnerability affects unknown code of the file /api/admin/common/files/download. Executing a manipulation of the ar... | 3.1 | LOW | — | 0 |
| CVE-2026-25746 OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 contain a SQL injection vulnerability in prescription that can be explo... | 8.8 | HIGH | — | 0 |
| CVE-2026-25927 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the DICOM viewer state API (e.g. upload or state save/load) accepts a ... | 7.1 | HIGH | — | 0 |
| CVE-2026-25929 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the document controller’s `patient_picture` context serves the patient’... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25930 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Layout-Based Form (LBF) printable view accepts `formid` and `visiti... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-3221 Sensitive user account information is not encrypted in the database in Devolutions Server 2025.3.14 and earlier, which allows an attacker with access to the database to obtain sensitive user inform... | 4.9 | MEDIUM | — | 0 |
| CVE-2025-14103 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthorized user with Developer-ro... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-22721 VMware Aria Operations contains a privilege escalation vulnerability. A malicious actor with privileges in vCenter to access Aria Operations may leverage this vulnerability to obtain administrative ac... | 6.2 | MEDIUM | — | 0 |
| CVE-2026-25942 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_execute_result` indexes the global `error_code_names[]` array (7 elements, indices 0–6) with a... | 7.5 | HIGH | — | 0 |
| CVE-2026-25952 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_s... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25953 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` because the RDPGFX DVC thread obtains a bare ... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25954 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` retur... | 7.5 | HIGH | — | 0 |
| CVE-2026-2694 The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check on the 'can_edit' and 'can_delete' function in all ... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-27493 n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, a second-order expression injection vulnerability existed in n8n's Form nodes that could allow an una... | 9.0 | CRITICAL | — | 0 |
| CVE-2026-27494 n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could use the Python Code node to... | 9.9 | CRITICAL | — | 0 |
| CVE-2026-27495 n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could exploit a vulnerability in ... | 9.9 | CRITICAL | — | 0 |
| CVE-2026-27798 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability occurs when processing an... | 4.0 | MEDIUM | — | 0 |
| CVE-2026-27830 c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` impleme... | N/A | NONE | — | 0 |
| CVE-2026-27831 rldns is an open source DNS server. Version 1.3 has a heap-based out-of-bounds read that leads to denial of service. Version 1.4 contains a patch for the issue. | 7.5 | HIGH | — | 0 |
| CVE-2026-27837 Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3a... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-27840 ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are sti... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-27884 NetExec is a network execution tool. Prior to version 1.5.1, the module spider_plus improperly creates the output file and folder path when saving files from SMB shares. It does not take into account ... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-27573 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | — | 0 |
| CVE-2026-27952 Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta's custom code evaluator. Agenta used RestrictedPython as a sand... | 8.8 | HIGH | — | 0 |
| CVE-2026-27954 Live Helper Chat is an open-source application that enables live support websites. In versions up to and including 4.52, three chat action endpoints (holdaction.php, blockuser.php, and transferchat.p... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27959 Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before th... | 7.5 | HIGH | — | 0 |
| CVE-2026-27961 Agenta is an open-source LLMOps platform. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 0.86.8 in Agenta's API server evaluator template rendering. Although the vul... | 8.8 | HIGH | — | 0 |
| CVE-2026-27965 Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipu... | 9.9 | CRITICAL | — | 0 |
| CVE-2026-27583 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | — | 0 |
| CVE-2026-27974 Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows ar... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-27975 Ajenti is a Linux and BSD modular server admin panel. Prior to version 2.2.13, an unauthenticated user could gain access to a server to execute arbitrary code on this server. This is fixed in the vers... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-2356 The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including,... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-1311 The Worry Proof Backup plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.2.4 via the backup upload functionality. This makes it possible for authenticated at... | 8.8 | HIGH | — | 0 |
| CVE-2026-23703 The installer of FinalCode Client provided by Digital Arts Inc. contains an incorrect default permissions vulnerability. A non-administrative user may execute arbitrary code with SYSTEM privilege. | N/A | NONE | — | 0 |
| CVE-2026-25191 The installer of FinalCode Client provided by Digital Arts Inc. contains an issue with the DLL search path. If a user is directed to place a malicious DLL file and the installer to the same directory ... | N/A | NONE | — | 0 |
| CVE-2026-1692 A missing origin validation in WebSockets vulnerability affects the GraphicalData web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-1693 The OAuth grant type Resource Owner Password Credentials (ROPC) flow is still used by the werbservices used by the WebVue, WebScheduler, TouchVue and Snapvue features of PcVue in version 12.0.0 throug... | 7.5 | HIGH | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.