CVE Vulnerabilities

Below is the list of the latest vulnerabilities published by the NIST institute:

CVE ID Published Severity CVSS Description
CVE-2026-13426 2026-06-26 MEDIUM 5.4 The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended…
CVE-2026-50745 2026-06-26 MEDIUM 4.7 A missing sanitisation vulnerability exists with user input in the stats-video.php script. The way URLs to this script were constructed did not follow best practices, and the output…
CVE-2026-50744 2026-06-26 MEDIUM 4.3 A bypass to the admin‑only restriction of the XML‑RPC API in Revive Adserver 6.0.7. The API response for the ox.login method returned a session ID cookie in the…
CVE-2026-50742 2026-06-26 MEDIUM 4.4 Stored XSS vulnerabilities exist in the `maintenance-acl-check.php` and `maintenance-banners-check.php` tools of Revive Adserver 6.0.7. The issue was caused by entity names being displayed without proper escaping when…
CVE-2026-50741 2026-06-26 HIGH 8.8 Bypass to the fix for CVE-2026-34916. Variants of such vectors have also been reported by phucrio and offsetmd. The fix can be bypassed either by sending a disallowed…
CVE-2026-50740 2026-06-26 MEDIUM 6.1 A missing sanitisation vulnerability of user input in the zone-include.php script exists in Revive Adserver 6.0.7 and earlier. A low‑privileged user could exploit the refresh parameter of the…
CVE-2026-50739 2026-06-26 MEDIUM 4.3 A bypass for CVE‑2026‑34913 exists with proper ownership validation that had not been applied to the reverse operation of linking campaigns and trackers through the `tracker-campaigns.php` script in…
CVE-2026-43920 2026-06-26 N/A 0.0 FOSSBilling is a free, open-source billing and client management system. In versions 0.5.4 through 0.7.2, the /run-patcher maintenance endpoint in FOSSBilling was accessible without authentication, which allowed unauthenticated…
CVE-2026-40941 2026-06-25 N/A 0.0 Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a package import signature validation bypass which allows self-signed packages. This issue…
CVE-2026-40084 2026-06-25 MEDIUM 6.5 Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Traversal through the Report format_file Parameter, causing arbitrary file read.…
CVE-2026-40083 2026-06-25 HIGH 7.2 Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have SQL Injection through unsanitized unserialize+implode in managers.php. At line 756 of managers.php, the…
CVE-2026-40080 2026-06-25 MEDIUM 6.1 Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Open Redirect through a substring check rather than a host check…
CVE-2026-57667 2026-06-26 HIGH 8.5 Sales Representative SQL Injection in Groundhogg
CVE-2026-57660 2026-06-26 MEDIUM 5.3 Unauthenticated Broken Access Control in Booking and Rental Manager
CVE-2026-57654 2026-06-26 MEDIUM 6.5 Affiliate Broken Access Control in Affiliates Manager
CVE-2026-57648 2026-06-26 MEDIUM 4.3 Contributor Broken Access Control in Nelio Content
CVE-2026-57642 2026-06-26 HIGH 8.5 Contributor SQL Injection in Gallery
CVE-2026-57635 2026-06-26 MEDIUM 6.5 Unauthenticated Cross Site Request Forgery (CSRF) in FunnelKit Payment Gateway for Stripe WooCommerce
CVE-2026-57629 2026-06-26 MEDIUM 6.5 Contributor Cross Site Scripting (XSS) in StatCounter
CVE-2026-57431 2026-06-26 MEDIUM 6.5 Author Cross Site Scripting (XSS) in Featured Image
CVE-2026-57321 2026-06-26 HIGH 7.1 Contributor Arbitrary File Deletion in H5P
CVE-2026-57314 2026-06-26 HIGH 7.1 Unauthenticated Cross Site Scripting (XSS) in SureCart
CVE-2026-56068 2026-06-26 CRITICAL 9.3 Unauthenticated SQL Injection in JetEngine
CVE-2026-56061 2026-06-26 HIGH 7.5 Unauthenticated Broken Access Control in Subscriptions for WooCommerce
CVE-2026-56048 2026-06-26 MEDIUM 6.5 Unauthenticated Insecure Direct Object References (IDOR) in Payment Gateway Based Fees and Discounts for WooCommerce
CVE-2026-56041 2026-06-26 HIGH 7.1 Unauthenticated Cross Site Scripting (XSS) in Responsive Lightbox
CVE-2026-56034 2026-06-26 CRITICAL 9.3 Unauthenticated SQL Injection in Library Management System
CVE-2026-56028 2026-06-26 CRITICAL 9.8 Unauthenticated Privilege Escalation in Easy Elements for Elementor – Addons & Website Templates
CVE-2026-56008 2026-06-26 HIGH 8.8 Contributor Privilege Escalation in Fusion Builder
CVE-2026-54835 2026-06-26 HIGH 7.5 Unauthenticated Broken Access Control in Five Star Restaurant Menu
CVE-2026-54826 2026-06-26 HIGH 7.6 Subscriber Insecure Direct Object References (IDOR) in SupportCandy
CVE-2025-68075 2026-06-26 MEDIUM 6.5 Contributor Cross Site Scripting (XSS) in BNE Testimonials
CVE-2025-64637 2026-06-26 MEDIUM 5.3 Unauthenticated Content Injection in Auros Core
CVE-2026-1869 2026-06-26 MEDIUM 6.5 The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to unauthorized…
CVE-2026-40711 2026-06-26 HIGH 8.0 Dell Container Storage Modules, version(s) csi-powerstore v2.16.0, csi-unity v2.16.0, csi-powerflex v2.16.0, csi-powermax v2.16.0, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command…
CVE-2026-13283 2026-06-25 HIGH 7.5 Use after free in AdFilter in Google Chrome on Android prior to 149.0.7827.201 allowed a remote attacker who convinced a user to engage in specific UI gestures to…
CVE-2026-13282 2026-06-25 MEDIUM 6.8 Use after free in Payments in Google Chrome on Android prior to 149.0.7827.201 allowed a local attacker to potentially exploit heap corruption via physical access to the device.…
CVE-2026-13281 2026-06-25 HIGH 8.3 Integer overflow in Mojo in Google Chrome prior to 149.0.7827.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a…
CVE-2026-38637 2026-06-25 HIGH 7.5 An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted input.
CVE-2026-37454 2026-06-25 HIGH 7.5 Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the 3DES-ECB encryption
CVE-2026-37453 2026-06-25 HIGH 7.5 Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the MSI_SERVICE_2 pipe
CVE-2026-37452 2026-06-25 HIGH 7.5 Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the MSIAPService.exe component
CVE-2026-37149 2026-06-25 HIGH 7.7 GROCERY-STORE-MANAGEMENT-SYSTEM-USING-PHP-AND-MYSQL-PHPMYADMIN v1.0 was discovered to contain a SQL injection vulnerability in the scost parameter in /grocery/search_products.php. This vulnerability allows attackers to access sensitive database information via a crafted…
CVE-2026-6731 2026-06-25 N/A 0.0 X.509 name constraint bypass via the Subject Common Name when treated as a DNS-type name. A certificate whose Subject CN violates an issuing CA's DNS name constraints could…
CVE-2026-6681 2026-06-25 N/A 0.0 The PKCS#7 decode path ignores the caller-supplied output buffer size (outputSz), allowing decoded content to be written past the bounds of the provided buffer. This affects wolfSSL 5.9.0…
CVE-2026-6679 2026-06-25 N/A 0.0 A heap buffer overflow could occur in the DTLS 1.3 ACK serialization path before the connecting peer is authenticated. The buffer overflow was due to an integer truncation…
CVE-2026-6678 2026-06-25 N/A 0.0 Integer underflow in wc_PKCS7_DecryptOri when handling crafted Other Recipient Info, leading to incorrect length handling during decryption.
CVE-2026-6450 2026-06-25 N/A 0.0 A CRL critical extension bypass exists in ParseCRL_Extensions where critical extensions are not properly enforced, allowing a crafted CRL with an unhandled critical extension to be accepted. This…
CVE-2026-6412 2026-06-25 N/A 0.0 Certificate policy and RFC 8446 compliance concerns regarding the continued acceptance of SHA-1/MD5 in certificate processing.
CVE-2026-56445 2026-06-25 CRITICAL 9.1 The qrscp application's C-STORE handler uses a specific instance from attacker-supplied DICOM datasets directly in os.path.join() without sanitization, allowing file writes to arbitrary paths.