Vulnerabilidades CVE
Base de dados CVE enriquecida com CISA KEV e NVD
| CVE ID | CVSS | Severidade | KEV | Avistamentos |
|---|---|---|---|---|
| CVE-2026-23482 Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the file server endpoint does not perform permission checks on the temp/ path and does not filter path traversal sequences, al... | 7.5 | HIGH | — | 0 |
| CVE-2026-23484 Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the fileName parameter is not filtered, allowing path traversal to write files anywhere on the file system. Moreover... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33484 Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves image files without any... | 7.5 | HIGH | — | 0 |
| CVE-2026-33497 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.1, in the download_profile_picture function of the /profile_pictures/{folder_name}/{file_name} endpo... | 7.5 | HIGH | — | 0 |
| CVE-2026-30653 An issue in Free5GC v.4.2.0 and before allows a remote attacker to cause a denial of service via the function HandleAuthenticationFailure of the component AMF | 7.5 | HIGH | — | 0 |
| CVE-2026-30662 ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creat... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33313 Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the co... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-33315 Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2F... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-33332 NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files... | 7.5 | HIGH | — | 0 |
| CVE-2026-32509 Deserialization of Untrusted Data vulnerability in Edge-Themes Gracey gracey allows Object Injection.This issue affects Gracey: from n/a through < 1.4. | 5.4 | MEDIUM | — | 0 |
| CVE-2026-32508 Deserialization of Untrusted Data vulnerability in Mikado-Themes Halstein halstein allows Object Injection.This issue affects Halstein: from n/a through < 1.8. | 5.4 | MEDIUM | — | 0 |
| CVE-2026-32510 Deserialization of Untrusted Data vulnerability in Edge-Themes Kamperen kamperen allows Object Injection.This issue affects Kamperen: from n/a through < 1.3. | 5.4 | MEDIUM | — | 0 |
| CVE-2026-32731 ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of `@apostrophecms/import-export`, The `extract()` function in `gzip.js` constructs file-write paths using `fs.crea... | 9.9 | CRITICAL | — | 0 |
| CVE-2026-32805 Romeo gives the capability to reach high code coverage of Go ≥1.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.2, the `san... | 7.5 | HIGH | — | 0 |
| CVE-2025-36051 IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 stores potentially sensitive information in configuration files that could be read by a local user. | 6.2 | MEDIUM | — | 0 |
| CVE-2026-1276 IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus alter... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-32006 OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly treated as group allowlist identities when dmPolicy=pairing and gro... | 3.1 | LOW | — | 0 |
| CVE-2026-33293 WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitizatio... | 8.1 | HIGH | — | 0 |
| CVE-2026-33294 WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin's save endpoint (`plugin/BulkEmbed/save.json.php`) fetches user-supplied thumbnail URLs via `url_get_contents(... | 5.0 | MEDIUM | — | 0 |
| CVE-2026-33046 Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.12, due to vulnerabilities in TeXLive and obscure LaTeX syntax... | 8.8 | HIGH | — | 0 |
| CVE-2026-4698 JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | 9.8 | CRITICAL | — | 0 |
| CVE-2026-4719 Incorrect boundary conditions in the Graphics: Text component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | 7.5 | HIGH | — | 0 |
| CVE-2026-4718 Undefined behavior in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | 8.1 | HIGH | — | 0 |
| CVE-2026-32528 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in don-themes Riode riode allows Reflected XSS.This issue affects Riode: from n/a through < 1.6.29. | 7.1 | HIGH | — | 0 |
| CVE-2026-32523 Unrestricted Upload of File with Dangerous Type vulnerability in denishua WPJAM Basic wpjam-basic allows Using Malicious Files.This issue affects WPJAM Basic: from n/a through <= 6.9.2. | 9.9 | CRITICAL | — | 0 |
| CVE-2026-32520 Incorrect Privilege Assignment vulnerability in Andrew Munro / AffiliateWP RewardsWP rewardswp allows Privilege Escalation.This issue affects RewardsWP: from n/a through <= 1.0.4. | 9.8 | CRITICAL | — | 0 |
| CVE-2026-32522 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish WooCommerce Support Ticket System woocommerce-support-ticket-system allows Path Traversal.This ... | 8.6 | HIGH | — | 0 |
| CVE-2026-32524 Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow Photo Engine wplr-sync allows Upload a Web Shell to a Web Server.This issue affects Photo Engine: from n/a through <= 6.4.9. | 9.1 | CRITICAL | — | 0 |
| CVE-2026-3889 Spoofing issue in Thunderbird. This vulnerability was fixed in Thunderbird 149 and Thunderbird 140.9. | 6.5 | MEDIUM | — | 0 |
| CVE-2025-43534 A path handling issue was addressed with improved validation. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.2 and iPadOS 26.2. A user with physical access to an iOS device may be able to... | 6.8 | MEDIUM | — | 0 |
| CVE-2026-20632 A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Tahoe 26.4. An app may be able to access sensitive user data. | 5.3 | MEDIUM | — | 0 |
| CVE-2026-20633 This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to access user-sensitive data. | 5.5 | MEDIUM | — | 0 |
| CVE-2026-7041 A vulnerability was detected in 666ghj MiroFish up to 0.1.2. The impacted element is an unknown function of the file /console of the component Werkzeug Debugger PIN Handler. Performing a manipulation ... | 3.7 | LOW | — | 0 |
| CVE-2025-1787 Local admin could to leak information from the Genetec Update Service configuration web page. An authenticated, admin privileged, Windows user could exploit this vulnerability to gain elevated privile... | 4.2 | MEDIUM | — | 0 |
| CVE-2026-32507 Deserialization of Untrusted Data vulnerability in Elated-Themes Leroux leroux allows Object Injection.This issue affects Leroux: from n/a through < 1.4. | 5.4 | MEDIUM | — | 0 |
| CVE-2026-32545 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Taboola Taboola Pixel taboola-pixel allows Reflected XSS.This issue affects Taboola Pixel: from n/... | 7.1 | HIGH | — | 0 |
| CVE-2026-32503 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS Trendustry trendustry allows PHP Local File Inclusion.This issue aff... | 8.1 | HIGH | — | 0 |
| CVE-2026-33287 LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, the `replace_first` filter in LiquidJS uses JavaScript's `String.prototype.replace()` whic... | 7.5 | HIGH | — | 0 |
| CVE-2026-33660 n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.26, an authenticated user with permission to create or modify workflows could use the Merge node's "Comb... | 8.8 | HIGH | — | 0 |
| CVE-2026-33417 Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_resets table includes a created_at timestamp c... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-30932 Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for sever... | 8.8 | HIGH | — | 0 |
| CVE-2026-28892 A permissions issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to modify protected parts of t... | 5.5 | MEDIUM | — | 0 |
| CVE-2026-3689 OpenClaw Canvas Path Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of OpenClaw. Authentication ... | N/A | NONE | — | 0 |
| CVE-2026-3690 OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of OpenClaw. Authentication is not required to exploi... | N/A | NONE | — | 0 |
| CVE-2026-28824 An authorization issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to access sensitive user dat... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-28825 An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to modify protected par... | 7.1 | HIGH | — | 0 |
| CVE-2026-28828 A permissions issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to access sensitive user data. | 5.3 | MEDIUM | — | 0 |
| CVE-2026-28831 An authorization issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to access sensitive user dat... | 5.5 | MEDIUM | — | 0 |
| CVE-2026-28835 A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. Mounting a maliciously crafted SMB network sha... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-2557 A vulnerability was detected in cskefu up to 8.0.1. Impacted is the function Upload of the file com/cskefu/cc/controller/resource/MediaController.java of the component File Upload. The manipulation re... | 3.5 | LOW | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.