CWE-669 type flaws

59 results
CVE-2026-35542 | MEDIUM | EPSS 0.4% | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted backg…
CVE-2025-54310 | MEDIUM | EPSS 0.4% | qBittorrent before 5.1.2 does not prevent access to a local file that is referenced in a link URL. This affects rsswidget.cpp and searchjobw…
CVE-2022-39225 | MEDIUM | EPSS 0.4% | Parse Server subject to Incorrect Resource Transfer Between Spheres
CVE-2026-42997 | HIGH | EPSS 0.4% | An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sen…
CVE-2026-24708 | HIGH | EPSS 0.4% | An issue was discovered in OpenStack Nova before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. By writing a malicious QCOW header to a roo…
CVE-2026-35544 | MEDIUM | EPSS 0.4% | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail…
CVE-2025-41645 | HIGH | EPSS 0.3% | SMA: Sunny Portal demo system privilege escalation
CVE-2026-48846 | MEDIUM | EPSS 0.3% | In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() v…
CVE-2026-35545 | MEDIUM | EPSS 0.3% | An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in…
CVE-2025-54352 | LOW | EPSS 0.3% | WordPress 3.5 through 6.8.2 allows remote attackers to guess titles of private and draft posts via pingback.ping XML-RPC requests. NOTE: the…
CVE-2024-38519 | HIGH | EPSS 0.3% | yt-dlp and youtube-dl vulnerable to file system modification and RCE through improper file-extension sanitization
CVE-2026-48845 | MEDIUM | EPSS 0.3% | In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to loca…
CVE-2026-35540 | MEDIUM | EPSS 0.3% | An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail mess…
CVE-2025-59363 | HIGH | EPSS 0.3% | In One Identity OneLogin before 2025.3.0, a request returns the OIDC client secret with GET Apps API v2 (even though this secret should only…
CVE-2019-0042 | MEDIUM | EPSS 0.3% | Incorrect messages from Juniper Identity Management Service (JIMS) can trigger Denial of Service or firewall bypass conditions for SRX series devices
CVE-2026-44599 | LOW | EPSS 0.3% | Tor before 0.4.9.7 can attempt or accept BEGIN_DIR via conflux legs, aka TROVE-2026-008.
CVE-2026-40552 | MEDIUM | EPSS 0.3% | Remote Code Execution in mpGabinet
CVE-2026-44917 | MEDIUM | EPSS 0.3% | OpenStack Ironic before 35.0.2 allows a malicious authenticated project admin or manager to read local files on the Ironic conductor via a p…
CVE-2026-12068 | HIGH | EPSS 0.3% | Avira Password Manager credential disclosure via cross-origin autofill in Firefox
CVE-2026-46448 | MEDIUM | EPSS 0.3% | In OpenStack Nova before 33.0.2, the server create API does not strip certain hint data. The resulting instance has no Placement allocation.