Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2024-8699 2025-05-15 HIGH 7.2 The Z-Downloads WordPress plugin before 1.11.5 does not properly validate files uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when…
CVE-2024-8703 2025-05-15 MEDIUM 6.1 The Z-Downloads WordPress plugin before 1.11.6 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated visitors to perform Cross-Site Scripting…
CVE-2024-9709 2025-05-15 MEDIUM 5.4 The EKC Tournament Manager WordPress plugin before 2.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in…
CVE-2024-9711 2025-05-15 MEDIUM 5.4 The EKC Tournament Manager WordPress plugin before 2.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in…
CVE-2024-9765 2025-05-15 MEDIUM 6.5 The EKC Tournament Manager WordPress plugin before 2.2.2 allows a logged in admin to download system files outside of the WordPress directory
CVE-2025-0687 2025-05-15 MEDIUM 6.1 The Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin through 0.9.10 does not sanitise and escape a parameter before outputting it back in the page, leading to…
CVE-2025-4892 2025-05-18 MEDIUM 5.3 A vulnerability was found in code-projects Police Station Management System 1.0. It has been declared as critical. Affected by this vulnerability is the function criminal::remove of the file…
CVE-2025-0688 2025-05-15 MEDIUM 6.1 The Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin through 0.9.10 does not sanitise and escape a parameter before outputting it back in the page, leading to…
CVE-2025-4889 2025-05-18 MEDIUM 5.3 A vulnerability has been found in code-projects Tourism Management System 1.0 and classified as critical. This vulnerability affects the function AddUser of the component User Registration. The manipulation…
CVE-2025-4888 2025-05-18 MEDIUM 5.3 A vulnerability, which was classified as critical, was found in code-projects Pharmacy Management System 1.0. This affects the function medicineType::take_order of the component Add Order Details. The manipulation…
CVE-2025-4745 2025-05-16 LOW 3.5 A vulnerability, which was classified as problematic, was found in code-projects Employee Record System 1.0. This affects an unknown part of the file current_employees.php. The manipulation of the…
CVE-2024-7774 2024-10-29 CRITICAL 9.1 A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files,…
CVE-2025-3996 2025-04-28 LOW 2.4 A vulnerability was found in TOTOLINK N150RT 3.4.0-B20190525. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /home.htm of the…
CVE-2025-47273 2025-05-17 N/A 0.0 setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to…
CVE-2025-45997 2025-05-28 HIGH 8.6 Sourcecodester Web-based Pharmacy Product Management System v.1.0 has a file upload vulnerability. An attacker can upload a PHP file disguised as an image by modifying the Content-Type header…
CVE-2025-2812 2025-05-02 CRITICAL 9.8 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mydata Informatics Ticket Sales Automation allows Blind SQL Injection.This issue affects Ticket Sales Automation:…
CVE-2022-41254 2022-09-21 MEDIUM 6.5 Missing permission checks in Jenkins CONS3RT Plugin 1.0.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through…
CVE-2022-41253 2022-09-21 HIGH 8.8 A cross-site request forgery (CSRF) vulnerability in Jenkins CONS3RT Plugin 1.0.0 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through…
CVE-2022-41252 2022-09-21 MEDIUM 4.3 Missing permission checks in Jenkins CONS3RT Plugin 1.0.0 and earlier allows users with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins.
CVE-2022-41251 2022-09-21 MEDIUM 4.3 A missing permission check in Jenkins Apprenda Plugin 2.2.0 and earlier allows users with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
CVE-2022-41245 2022-09-21 HIGH 8.8 A cross-site request forgery (CSRF) vulnerability in Jenkins Worksoft Execution Manager Plugin 10.0.3.503 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained…
CVE-2022-41244 2022-09-21 HIGH 8.1 Jenkins View26 Test-Reporting Plugin 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server that could be abused using a man-in-the-middle attack to…
CVE-2022-41243 2022-09-21 HIGH 8.1 Jenkins SmallTest Plugin 1.0.4 and earlier does not perform hostname validation when connecting to the configured View26 server that could be abused using a man-in-the-middle attack to intercept…
CVE-2022-41242 2022-09-21 MEDIUM 5.4 A missing permission check in Jenkins extreme-feedback Plugin 1.7 and earlier allows attackers with Overall/Read permission to discover information about job names attached to lamps, discover MAC and…
CVE-2022-41241 2022-09-21 CRITICAL 9.1 Jenkins RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2022-41240 2022-09-21 MEDIUM 5.4 Jenkins Walti Plugin 1.0.1 and earlier does not escape the information provided by the Walti API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able…
CVE-2022-41239 2022-09-21 MEDIUM 5.4 Jenkins DotCi Plugin 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause, resulting in a…
CVE-2022-41237 2022-09-21 CRITICAL 9.8 Jenkins DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
CVE-2022-41236 2022-09-21 HIGH 8.8 A cross-site request forgery (CSRF) vulnerability in Jenkins Security Inspector Plugin 117.v6eecc36919c2 and earlier allows attackers to replace the generated report stored in a per-session cache and displayed…
CVE-2022-41235 2022-09-21 MEDIUM 5.3 Jenkins WildFly Deployer Plugin 1.0.2 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system.
CVE-2022-41234 2022-09-21 HIGH 8.8 Jenkins Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint, allowing users with Overall/Read permission to trigger jobs that are configured to be triggerable…
CVE-2022-41233 2022-09-21 MEDIUM 4.3 Jenkins Rundeck Plugin 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints, allowing attackers with Item/Read permission to obtain information about build artifacts of…
CVE-2022-41232 2022-09-21 HIGH 8.0 A cross-site request forgery (CSRF) vulnerability in Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers to replace any config.xml file on the Jenkins controller file system with an…
CVE-2022-41231 2022-09-21 MEDIUM 5.7 Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file system by providing a crafted…
CVE-2022-41230 2022-09-21 MEDIUM 4.3 Jenkins Build-Publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain names and URLs of Jenkins…
CVE-2022-41229 2022-09-21 MEDIUM 5.4 Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.134 and earlier does not escape configuration options of the Execute NetStorm/NetCloud Test build step, resulting in a stored cross-site scripting (XSS)…
CVE-2025-3249 2025-04-04 MEDIUM 6.3 A vulnerability classified as critical was found in TOTOLINK A6000R 1.0.1-B20201211.2000. Affected by this vulnerability is the function apcli_cancel_wps of the file /usr/lib/lua/luci/controller/mtkwifi.lua. The manipulation leads to command…
CVE-2024-34257 2024-05-08 CRITICAL 9.8 TOTOLINK EX1800T V9.1.0cu.2112_B20220316 has a vulnerability in the apcliEncrypType parameter that allows unauthorized execution of arbitrary commands, allowing an attacker to obtain device administrator privileges.
CVE-2025-2050 2025-03-07 HIGH 7.3 A vulnerability classified as critical was found in PHPGurukul User Registration & Login and User Management System 3.3. Affected by this vulnerability is an unknown functionality of the…
CVE-2025-5277 2025-05-28 CRITICAL 9.6 aws-mcp-server MCP server is vulnerable to command injection. An attacker can craft a prompt that once accessed by the MCP client will run arbitrary commands on the host…
CVE-2025-4134 2025-05-28 HIGH 7.3 Lack of file validation in do_update_vps in Avast Business Antivirus for Linux 4.5 on Linux allows local user to spoof or tamper with the update file via an…
CVE-2025-40651 2025-05-28 N/A 0.0 Reflected Cross-Site Scripting (XSS) vulnerability in Real Easy Store. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious…
CVE-2025-4493 2025-05-28 MEDIUM 6.5 Improper privilege assignment in PAM JIT privilege sets in Devolutions Server allows a PAM user to perform PAM JIT requests on unauthorized groups by exploiting a user interface…
CVE-2025-5299 2025-05-28 HIGH 7.3 A vulnerability was found in SourceCodester Client Database Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /user_order_customer_update.php. The manipulation…
CVE-2025-5297 2025-05-28 MEDIUM 5.3 A vulnerability, which was classified as critical, has been found in SourceCodester Computer Store System 1.0. This issue affects the function Add of the file main.c. The manipulation…
CVE-2025-3864 2025-05-28 N/A 0.0 Hackney fails to properly release HTTP connections to the pool after handling 307 Temporary Redirect responses. Remote attackers can exploit this to exhaust connection pools, causing denial of…
CVE-2025-5295 2025-05-28 HIGH 7.3 A vulnerability classified as critical was found in FreeFloat FTP Server 1.0.0. This vulnerability affects unknown code of the component PORT Command Handler. The manipulation leads to buffer…
CVE-2025-40673 2025-05-28 N/A 0.0 A Missing Authorization vulnerability has been found in DinoRANK. This vulnerability allows an attacker to access invoices of any user via accessing endpoint '/facturas/YYYY-MM/SDRYYMM-XXXXX.pdf' because there is no…
CVE-2025-4963 2025-05-28 MEDIUM 6.4 The WP Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.15 due to insufficient input…
CVE-2025-1753 2025-05-28 HIGH 7.8 LLama-Index CLI version v0.12.20 contains an OS command injection vulnerability. The vulnerability arises from the improper handling of the `--files` argument, which is directly passed into `os.system`. An…
« Anterior Página 1148 de 4308 Siguiente »