CVE Vulnerabilities

Below is the list of the latest vulnerabilities published by NIST:

CVE ID Published Severity CVSS Description
CVE-2026-1575 2026-03-21 MEDIUM 6.4 The Schema Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `itemscope` shortcode in all versions up to, and including, 1.0 due to insufficient…
CVE-2026-1503 2026-03-21 MEDIUM 4.3 The login_register plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.2.0. This is due to missing…
CVE-2026-1397 2026-03-21 MEDIUM 6.4 The PQ Addons – Creative Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget attributes in all versions up to, and including, 1.0.0 due…
CVE-2026-1393 2026-03-21 MEDIUM 4.3 The Add Google Social Profiles to Knowledge Graph Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is…
CVE-2026-1392 2026-03-21 MEDIUM 4.3 The SR WP Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing nonce…
CVE-2026-1390 2026-03-21 MEDIUM 4.3 The Redirect countdown plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on…
CVE-2026-1378 2026-03-21 MEDIUM 4.3 The WP Posts Re-order plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation…
CVE-2026-1313 2026-03-21 HIGH 8.3 The MimeTypes Link Icons plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.2.20. This is due to the plugin making…
CVE-2026-1278 2026-03-21 MEDIUM 4.4 The Mandatory Field plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6.8 due to insufficient input sanitization…
CVE-2026-1275 2026-03-21 MEDIUM 6.4 The Multi Post Carousel by Category plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slides' shortcode attribute in all versions up to, and including, 1.4.…
CVE-2026-1253 2026-03-21 MEDIUM 5.3 The Group Chat & Video Chat by AtomChat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'atomchat_update_auth_ajax' and…
CVE-2026-1247 2026-03-21 MEDIUM 4.4 The Survey plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and…
CVE-2026-1093 2026-03-21 MEDIUM 6.4 The WPFAQBlock– FAQ & Accordion Plugin For Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' parameter of the 'wpfaqblock' shortcode in all versions…
CVE-2026-0609 2026-03-21 MEDIUM 6.4 The Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image alt text in…
CVE-2025-14037 2026-03-21 HIGH 8.1 The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 1.2.6. This is due to…
CVE-2025-13910 2026-03-21 MEDIUM 6.1 The WP-WebAuthn plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the `wwa_auth` AJAX endpoint in all versions up to, and including, 1.3.4 due to insufficient…
CVE-2024-13785 2026-03-21 MEDIUM 5.6 The The Contact Form, Survey, Quiz & Popup Form Builder – ARForms plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including,…
CVE-2026-4302 2026-03-21 HIGH 7.2 The WowOptin: Next-Gen Popup Maker plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.29. This is due to the plugin…
CVE-2026-32899 2026-03-21 MEDIUM 4.3 OpenClaw versions prior to 2026.2.25 fail to consistently apply sender-policy checks to reaction_* and pin_* non-message events before adding them to system-event context. Attackers can bypass configured DM…
CVE-2026-32898 2026-03-21 MEDIUM 5.4 OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client that auto-approves tool calls based on untrusted toolCall.kind metadata and permissive name heuristics. Attackers…
CVE-2026-32897 2026-03-21 LOW 3.7 OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, creating dual-use…
CVE-2026-32896 2026-03-21 MEDIUM 4.8 OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can…
CVE-2026-32895 2026-03-21 MEDIUM 5.4 OpenClaw versions prior to 2026.2.26 fail to enforce sender authorization in member and message subtype system event handlers, allowing unauthorized events to be enqueued. Attackers can bypass Slack…
CVE-2026-32067 2026-03-21 LOW 3.7 OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control for direct message pairing policy that allows attackers to reuse pairing approvals across…
CVE-2026-32065 2026-03-21 MEDIUM 4.8 OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in system.run where rendered command text is used as approval identity while trimming argv token whitespace, but runtime…
CVE-2026-32064 2026-03-21 HIGH 7.7 OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc without authentication for noVNC observer sessions, allowing unauthenticated access to the VNC interface. Remote attackers on the host…
CVE-2026-32058 2026-03-21 LOW 2.6 OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with host=node that allows reuse of previously approved requests with modified environment variables. Attackers…
CVE-2026-32057 2026-03-21 MEDIUM 5.9 OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-proxy Control UI pairing mechanism that accepts client.id=control-ui without proper device identity verification. An authenticated node…
CVE-2026-32056 2026-03-21 HIGH 7.5 OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remote attackers…
CVE-2026-32055 2026-03-21 HIGH 7.6 OpenClaw versions prior to 2026.2.26 contain a path traversal vulnerability in workspace boundary validation that allows attackers to write files outside the workspace through in-workspace symlinks pointing to…
CVE-2026-32054 2026-03-21 MEDIUM 6.5 OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in browser trace and download output path handling that allows local attackers to escape the managed temp root…
CVE-2026-32053 2026-03-21 MEDIUM 6.5 OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe…
CVE-2026-32052 2026-03-21 MEDIUM 6.4 OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands by injecting positional argv carriers after inline…
CVE-2026-32051 2026-03-21 HIGH 8.8 OpenClaw versions prior to 2026.3.1 contain an authorization mismatch vulnerability that allows authenticated callers with operator.write scope to invoke owner-only tool surfaces including gateway and cron through agent…
CVE-2026-32050 2026-03-21 LOW 3.7 OpenClaw versions prior to 2026.2.25 contain an access control vulnerability in signal reaction notification handling that allows unauthorized senders to enqueue status events before authorization checks are applied.…
CVE-2026-32049 2026-03-21 HIGH 7.5 OpenClaw versions prior to 2026.2.22 fail to consistently enforce configured inbound media byte limits before buffering remote media across multiple channel ingestion paths. Remote attackers can send oversized…
CVE-2026-32048 2026-03-21 HIGH 7.5 OpenClaw versions prior to 2026.3.1 fail to enforce sandbox inheritance during cross-agent sessions_spawn operations, allowing sandboxed sessions to create child processes under unsandboxed agents. An attacker with a…
CVE-2026-32046 2026-03-21 MEDIUM 5.3 OpenClaw versions prior to 2026.2.21 contain an improper sandbox configuration vulnerability that allows attackers to execute arbitrary code by exploiting renderer-side vulnerabilities without requiring a sandbox escape. Attackers…
CVE-2026-32045 2026-03-21 MEDIUM 5.9 OpenClaw versions prior to 2026.2.21 incorrectly apply tokenless Tailscale header authentication to HTTP gateway routes, allowing bypass of token and password requirements. Attackers on trusted networks can exploit…
CVE-2026-32044 2026-03-21 MEDIUM 5.5 OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability in the tar.bz2 installer path that bypasses safety checks enforced on other archive formats. Attackers can craft malicious…
CVE-2026-32043 2026-03-21 MEDIUM 6.5 OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use vulnerability in approval-bound system.run execution where the cwd parameter is validated at approval time but resolved at execution time. Attackers…
CVE-2026-32042 2026-03-21 HIGH 8.8 OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing unpaired device identities to bypass operator pairing requirements and self-assign elevated operator scopes including operator.admin. Attackers…
CVE-2026-4083 2026-03-21 MEDIUM 6.4 The Scoreboard for HTML5 Games Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'scoreboard' shortcode in all versions up to, and including, 1.2. The…
CVE-2026-3864 2026-03-20 MEDIUM 6.5 A vulnerability was discovered in the Kubernetes CSI Driver for NFS where the subDir parameter in volume identifiers was insufficiently validated. Attackers with the ability to create PersistentVolumes…
CVE-2026-3577 2026-03-21 MEDIUM 4.4 The Keep Backup Daily plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the backup title alias (`val` parameter) in the `update_kbd_bkup_alias` AJAX action in all versions…
CVE-2026-3572 2026-03-21 MEDIUM 6.1 The iTracker360 plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in all versions up to and including 2.2.0. This is due to…
CVE-2026-3567 2026-03-21 MEDIUM 5.3 The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 4.1132. The plugin exposes two…
CVE-2026-3516 2026-03-21 MEDIUM 6.4 The Contact List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_cl_map_iframe' parameter in all versions up to, and including, 3.0.18. This is due to…
CVE-2026-3474 2026-03-21 MEDIUM 4.9 The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to arbitrary file read via path traversal in all versions up to, and including,…
CVE-2026-3368 2026-03-21 HIGH 7.2 The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via malicious query parameter names in all versions up to and including 1.2.9. This is due…