Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2025-15110 2025-12-27 MEDIUM 4.7 A vulnerability has been found in jackq XCMS up to 3fab5342cc509945a7ce1b8ec39d19f701b89261. Affected is the function Upload of the file Admin/Home/Controller/ProductImageController.class.php of the component Backend. Such manipulation of the…
CVE-2025-14180 2025-12-27 N/A 0.0 In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an…
CVE-2025-14178 2025-12-27 MEDIUM 6.5 In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element…
CVE-2025-14177 2025-12-27 N/A 0.0 In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn…
CVE-2025-15109 2025-12-27 HIGH 7.3 A flaw has been found in jackq XCMS up to 3fab5342cc509945a7ce1b8ec39d19f701b89261. This impacts an unknown function of the file Public/javascripts/admin/plupload-2.1.2/examples/upload.php. This manipulation causes unrestricted upload. It is possible…
CVE-2025-15108 2025-12-27 LOW 3.7 A vulnerability was detected in PandaXGO PandaX up to fb8ff40f7ce5dfebdf66306c6d85625061faf7e5. This affects an unknown function of the file config.yml of the component JWT Secret Handler. The manipulation of…
CVE-2025-54322 2025-12-27 CRITICAL 10.0 Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used.
CVE-2025-15107 2025-12-27 LOW 3.7 A security vulnerability has been detected in actiontech sqle up to 4.2511.0. The impacted element is an unknown function of the file sqle/utils/jwt.go of the component JWT Secret…
CVE-2025-15106 2025-12-27 MEDIUM 6.3 A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get of the file server/src/routes/auth.ts of the component Authentication Endpoint. Executing…
CVE-2025-15105 2025-12-27 LOW 3.7 A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results…
CVE-2025-68952 2025-12-27 N/A 0.0 Eigent is a multi-agent Workforce. In version 0.0.60, a 1-click Remote Code Execution (RCE) vulnerability has been identified in Eigent. This vulnerability allows an attacker to execute arbitrary…
CVE-2025-68948 2025-12-27 N/A 0.0 SiYuan is self-hosted, open source personal knowledge management software. In versions 3.5.1 and prior, the SiYuan Note application utilizes a hardcoded cryptographic secret for its session store. This…
CVE-2025-68927 2025-12-27 N/A 0.0 Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST…
CVE-2025-59946 2025-12-27 HIGH 7.5 NanoMQ MQTT Broker (NanoMQ) is an Edge Messaging Platform. Prior to version 0.24.2, there is a classical data racing issue about sub info list which could result in…
CVE-2025-68932 2025-12-27 N/A 0.0 FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS uses cryptographically weak random number generators (mt_rand() and uniqid()) to generate remember-me authentication tokens and challenge-response…
CVE-2025-68474 2025-12-27 N/A 0.0 ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, in the avrc_vendor_msg() function of the ESP-IDF BlueDroid AVRCP…
CVE-2025-68473 2025-12-27 N/A 0.0 ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, in the ESP-IDF Bluetooth host stack (BlueDroid), the function…
CVE-2025-68148 2025-12-27 MEDIUM 4.3 FreshRSS is a free, self-hostable RSS aggregator. From version 1.27.0 to before 1.28.0, An attacker could globally deny access to feeds via proxy modifying to 429 Retry-After for…
CVE-2025-66203 2025-12-27 CRITICAL 9.9 StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application allows administrators to…
CVE-2025-68697 2025-12-26 HIGH 7.1 n8n is an open source workflow automation platform. Prior to version 2.0.0, in self-hosted n8n instances where the Code node runs in legacy (non-task-runner) JavaScript execution mode, authenticated…
CVE-2025-68668 2025-12-26 CRITICAL 9.9 n8n is an open source workflow automation platform. From version 1.0.0 to before 2.0.0, a sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide. An…
CVE-2025-67729 2025-12-26 HIGH 8.8 LMDeploy is a toolkit for compressing, deploying, and serving LLMs. Prior to version 0.11.1, an insecure deserialization vulnerability exists in lmdeploy where torch.load() is called without the weights_only=True…
CVE-2025-61914 2025-12-26 HIGH 7.3 n8n is an open source workflow automation platform. Prior to version 1.114.0, a stored Cross-Site Scripting (XSS) vulnerability may occur in n8n when using the “Respond to Webhook”…
CVE-2024-44065 2025-12-26 CRITICAL 9.8 Time-based blind SQL Injection vulnerability in Cloudlog v2.6.15 at the endpoint /index.php/logbookadvanced/search in the qsoresults parameter.
CVE-2025-66737 2025-12-26 MEDIUM 6.5 Yealink T21P_E2 Phone 52.84.0.15 is vulnerable to Directory Traversal. A remote normal privileged attacker can read arbitrary files via a crafted request result read function of the diagnostic…
CVE-2025-67015 2025-12-26 HIGH 7.5 Incorrect access control in Comtech EF Data CDM-625 / CDM-625A Advanced Satellite Modem with firmware v2.5.1 allows attackers to change the Administrator password and escalate privileges via sending…
CVE-2025-67014 2025-12-26 HIGH 7.5 Incorrect access control in DEV Systemtechnik GmbH DEV 7113 RF over Fiber Distribution System 32-0078 H.01 allows unauthenticated attackers to access an administrative endpoint.
CVE-2025-67013 2025-12-26 MEDIUM 6.5 The web management interface in ETL Systems Ltd DEXTRA Series ' Digital L-Band Distribution System v1.8 does not implement Cross-Site Request Forgery (CSRF) protection mechanisms (no tokens, no…
CVE-2025-66738 2025-12-26 MEDIUM 6.5 An issue in Yealink T21P_E2 Phone 52.84.0.15 allows a remote normal privileged attacker to execute arbitrary code via a crafted request the ping function of the diagnostic component.
CVE-2025-67349 2025-12-26 MEDIUM 6.1 A cross-site scripting (XSS) vulnerability was identified in FluentCMS 1.2.3. After logging in as an admin and navigating to the "Add Page" function, the application fails to properly…
CVE-2025-66947 2025-12-26 MEDIUM 6.5 SQL injection vulnerability in krishanmuraiji SMS v.1.0, within the /studentms/admin/edit-class-detail.php via the editid GET parameter. An attacker can trigger controlled delays using SQL SLEEP() to infer database contents.…
CVE-2025-57403 2025-12-26 HIGH 7.5 Cola Dnslog v1.3.2 is vulnerable to Directory Traversal. When a DNS query for a TXT record is processed, the application concatenates the requested URL (or a portion of…
CVE-2025-65885 2025-12-26 MEDIUM 5.1 An issue was discovered in the Delight Custom Firmware (CFW) for Nokia Symbian Belle devices on Nokia 808 (Delight v1.8), Nokia N8 (Delight v6.7), Nokia E7 (Delight v1.3),…
CVE-2025-25341 2025-12-26 HIGH 7.5 A vulnerability exists in the libxmljs 1.0.11 when parsing a specially crafted XML document. Accessing the internal _ref property on entity_ref and entity_decl nodes causes a segmentation fault,…
CVE-2024-42718 2025-12-26 HIGH 7.5 A path traversal vulnerability in Croogo CMS 4.0.7 allows remote attackers to read arbitrary files via a specially crafted path in the 'edit-file' parameter.
CVE-2024-29720 2025-12-26 MEDIUM 6.2 An issue in Terra Informatica Software, Inc Sciter v.4.4.7.0 allows a local attacker to obtain sensitive information via the adopt component of the Sciter video rendering function.
CVE-2025-13158 2025-12-26 N/A 0.0 Prototype pollution vulnerability in apidoc-core versions 0.2.0 and all subsequent versions allows remote attackers to modify JavaScript object prototypes via malformed data structures, including the “define” property processed…
CVE-2025-64645 2025-12-26 HIGH 7.7 IBM Concert 1.0.0 through 2.1.0 could allow a local user to escalate their privileges due to a race condition of a symbolic link.
CVE-2025-36230 2025-12-26 MEDIUM 5.4 IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the…
CVE-2025-36229 2025-12-26 LOW 3.1 IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 could allow authenticated users to enumerate sensitive information of data due by enumerating package identifiers.
CVE-2025-36228 2025-12-26 LOW 3.8 IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 may allow inconsistent permissions between the user interface and backend API allowed users to access features that appeared disabled, potentially leading…
CVE-2025-15099 2025-12-26 HIGH 7.3 A vulnerability was identified in simstudioai sim up to 0.5.27. This vulnerability affects unknown code of the file apps/sim/lib/auth/internal.ts of the component CRON Secret Handler. The manipulation of…
CVE-2025-15093 2025-12-26 MEDIUM 4.3 A security flaw has been discovered in sunkaifei FlyCMS up to abbaa5a8daefb146ad4d61027035026b052cb414. The affected element is an unknown function of the file src/main/java/com/flycms/web/system/IndexAdminController.java of the component Admin Login.…
CVE-2025-15092 2025-12-26 HIGH 8.8 A vulnerability was identified in UTT 进取 512W up to 1.7.7-171114. Impacted is the function strcpy of the file /goform/ConfigExceptMSN. Such manipulation of the argument remark leads to…
CVE-2025-15091 2025-12-26 HIGH 8.8 A vulnerability was determined in UTT 进取 512W up to 1.7.7-171114. This issue affects the function strcpy of the file /goform/formPictureUrl. This manipulation of the argument importpictureurl causes…
CVE-2025-36192 2025-12-26 MEDIUM 6.7 IBM DS8A00( R10.1) 10.10.106.0 and IBM DS8A00 ( R10.0) 10.1.3.010.2.45.0 and IBM DS8900F ( R9.4) 89.40.83.089.42.18.089.44.5.0 IBM System Storage DS8000 could allow a local user with authorized CCW…
CVE-2025-14687 2025-12-26 MEDIUM 4.3 IBM Db2 Intelligence Center 1.1.0, 1.1.1, 1.1.2 could allow an authenticated user to perform unauthorized actions due to client-side enforcement of sever side security mechanisms.
CVE-2025-13915 2025-12-26 CRITICAL 9.8 IBM API Connect 10.0.8.0 through 10.0.8.5, and 10.0.11.0 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application.
CVE-2025-1721 2025-12-26 MEDIUM 5.9 IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory.
CVE-2025-12771 2025-12-26 HIGH 7.8 IBM Concert 1.0.0 through 2.1.0 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code…
« Anterior Página 168 de 3934 Siguiente »