Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2025-15055 2026-01-09 HIGH 7.2 The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to…
CVE-2025-15019 2026-01-09 MEDIUM 6.4 The BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bialty_cs_alt'…
CVE-2025-14980 2026-01-09 MEDIUM 6.5 The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. This makes it possible for…
CVE-2025-14893 2026-01-09 MEDIUM 6.4 The IndieWeb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Telephone' parameter in all versions up to, and including, 4.0.5 due to insufficient input sanitization…
CVE-2025-14782 2026-01-09 MEDIUM 5.3 The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1…
CVE-2025-14736 2026-01-09 CRITICAL 9.8 The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.25. This is due to insufficient validation of…
CVE-2025-14720 2026-01-09 MEDIUM 5.3 The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all…
CVE-2025-14718 2026-01-09 MEDIUM 5.4 The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the…
CVE-2025-14574 2026-01-09 MEDIUM 5.3 The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `/wp-json/wp/v2/docs/settings` REST API endpoint. This makes it…
CVE-2026-0719 2026-01-08 HIGH 7.5 A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords,…
CVE-2025-13749 2026-01-09 MEDIUM 4.3 The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and…
CVE-2025-14886 2026-01-09 MEDIUM 5.3 The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `order` REST API endpoint in all…
CVE-2026-22636 2026-01-09 N/A 0.0 Rejected reason: Not used
CVE-2026-22635 2026-01-09 N/A 0.0 Rejected reason: Not used
CVE-2026-22634 2026-01-09 N/A 0.0 Rejected reason: Not used
CVE-2026-22633 2026-01-09 N/A 0.0 Rejected reason: Not used
CVE-2026-22632 2026-01-09 N/A 0.0 Rejected reason: Not used
CVE-2026-22631 2026-01-09 N/A 0.0 Rejected reason: Not used
CVE-2026-22630 2026-01-09 N/A 0.0 Rejected reason: Not used
CVE-2025-66315 2026-01-09 MEDIUM 4.3 There is a configuration defect vulnerability in the version server of ZTE MF258K Pro products. Due to improper directory permission settings, an attacker can execute write permissions in…
CVE-2026-22714 2026-01-09 N/A 0.0 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Monaco Skin allows Cross-Site Scripting (XSS).This issue affects Mediawiki…
CVE-2026-0732 2026-01-09 MEDIUM 6.3 A vulnerability was found in D-Link DI-8200G 17.12.20A1. This affects an unknown function of the file /upgrade_filter.asp. The manipulation of the argument path results in command injection. The…
CVE-2026-0731 2026-01-08 MEDIUM 5.3 A vulnerability has been found in TOTOLINK WA1200 5.9c.2914. The impacted element is an unknown function of the file cstecgi.cgi of the component HTTP Request Handler. The manipulation…
CVE-2025-15464 2026-01-08 HIGH 7.5 Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls.
CVE-2025-14025 2026-01-08 HIGH 8.5 A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API Tokens in AAP, are enforced at the Gateway level for Gateway-specific operations. However, this vulnerability…
CVE-2026-0730 2026-01-08 LOW 2.4 A flaw has been found in PHPGurukul Staff Leave Management System 1.0. The affected element is the function ADD_STAFF/UPDATE_STAFF of the file /staffleave/slms/slms/adminviews.py of the component SVG File…
CVE-2026-0729 2026-01-08 MEDIUM 4.7 A vulnerability was detected in code-projects Intern Membership Management System 1.0. Impacted is an unknown function of the file /intern/admin/add_activity.php. Performing a manipulation of the argument Title results…
CVE-2025-68718 2026-01-08 MEDIUM 5.4 KAYSUS KS-WR1200 routers with firmware 107 expose SSH and TELNET services on the LAN interface with hardcoded root credentials (root:12345678). The administrator cannot disable these services or change…
CVE-2025-14436 2026-01-08 HIGH 7.2 The Brevo for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user_connection_id’ parameter in all versions up to, and including, 4.0.49 due to insufficient…
CVE-2026-22588 2026-01-08 MEDIUM 6.5 Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability…
CVE-2026-0728 2026-01-08 MEDIUM 4.7 A security vulnerability has been detected in code-projects Intern Membership Management System 1.0. This issue affects some unknown processing of the file /intern/admin/delete_admin.php. Such manipulation of the argument…
CVE-2025-68719 2026-01-08 HIGH 8.8 KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 mishandle configuration management. Once any user is logged in and maintains an active session, an attacker can directly query the backup endpoint…
CVE-2025-68717 2026-01-08 CRITICAL 9.4 KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 allow authentication bypass during session validation. If any user is logged in, endpoints such as /cgi-bin/system-tool accept unauthenticated requests with empty or…
CVE-2025-68716 2026-01-08 HIGH 8.4 KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 enable the SSH service enabled by default on the LAN interface. The root account is configured with no password, and administrators cannot…
CVE-2026-0671 2026-01-08 MEDIUM 6.1 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki - UploadWizard extension allows Cross-Site Scripting (XSS).This issue affects MediaWiki -…
CVE-2025-14505 2026-01-08 MEDIUM 5.6 The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6979 https://datatracker.ietf.org/doc/html/rfc6979 ) has…
CVE-2026-21875 2026-01-08 CRITICAL 9.8 ClipBucket v5 is an open source video sharing platform. Versions 5.5.2-#187 and below allow an attacker to perform Blind SQL Injection through the add comment section within a…
CVE-2026-21869 2026-01-08 HIGH 8.8 llama.cpp is an inference of several LLM models in C/C++. In commits 55d4206c8 and prior, the n_discard parameter is parsed directly from JSON input in the llama.cpp server's…
CVE-2026-21859 2026-01-08 MEDIUM 5.8 Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to…
CVE-2026-21858 2026-01-08 CRITICAL 10.0 n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of…
CVE-2026-21694 2026-01-08 MEDIUM 6.8 Titra is open source project time tracking software. Versions 0.99.49 and below have Improper Access Control, allowing users to view and edit other users' time entries in private…
CVE-2026-21851 2026-01-07 MEDIUM 5.3 MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.1, a Path Traversal (Zip Slip) vulnerability exists…
CVE-2026-22047 2026-01-07 HIGH 8.8 iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2…
CVE-2026-0747 2026-01-08 LOW 3.3 Exposure of sensitive information in the TeamViewer entry dashboard component in Devolutions Remote Desktop Manager 2025.3.24.0 through 2025.3.28.0 on Windows allows an external observer to view a password…
CVE-2025-68715 2026-01-08 N/A 0.0 An issue was discovered in Panda Wireless PWRU0 devices with firmware 2.2.9 that exposes multiple HTTP endpoints (/goform/setWan, /goform/setLan, /goform/wirelessBasic) that do not enforce authentication. A remote unauthenticated…
CVE-2025-66916 2026-01-08 CRITICAL 9.4 The snailjob component in RuoYi-Vue-Plus versions 5.5.1 and earlier, interface /snail-job/workflow/check-node-expression can execute QLExpress expressions, but it does not filter user input, allowing attackers to use the File…
CVE-2025-66913 2026-01-08 CRITICAL 9.8 JimuReport thru version 2.1.3 is vulnerable to remote code execution when processing user-controlled H2 JDBC URLs. The application passes the attacker-supplied JDBC URL directly to the H2 driver,…
CVE-2025-61550 2026-01-08 MEDIUM 5.4 Cross-Site Scripting (XSS) is present on the ctl00_Content01_fieldValue parameters on the /psp/appNet/TemplateOrder/TemplatePreview.aspx endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34. User-supplied input is stored and…
CVE-2025-61549 2026-01-08 MEDIUM 6.1 Cross-Site Scripting (XSS) is present on the LoginID parameter on the /PSP/app/web/reg/reg_display.asp endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34. Unsanitized user input is reflected…
CVE-2025-61548 2026-01-08 CRITICAL 9.8 SQL Injection is present on the hfInventoryDistFormID parameter in the /PSP/appNET/Store/CartV12.aspx/GetUnitPrice endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34. Unsanitized user input is incorporated directly…
« Anterior Página 118 de 3933 Siguiente »