CVE Vulnerabilities

Below is the list of the latest vulnerabilities published by NIST:

CVE ID Published Severity CVSS Description
CVE-2026-2579 2026-03-17 HIGH 7.5 The WowStore – Store Builder & Product Blocks for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the ‘search’ parameter in all versions up to, and…
CVE-2026-4289 2026-03-17 HIGH 7.3 A security vulnerability has been detected in Tiandy Easy7 Integrated Management Platform up to 7.17.0. This affects an unknown function of the file /rest/preSetTemplate/getRecByTemplateId. The manipulation of the…
CVE-2026-4288 2026-03-17 HIGH 7.3 A weakness has been identified in Tiandy Easy7 Integrated Management Platform 7.17.0. The impacted element is an unknown function of the file /rest/devStatus/getDevDetailedInfo of the component Endpoint. Executing…
CVE-2026-4287 2026-03-17 HIGH 7.3 A security flaw has been discovered in Tiandy Easy7 Integrated Management Platform 7.17.0. The affected element is an unknown function of the file /rest/devStatus/queryResources of the component Endpoint.…
CVE-2026-4285 2026-03-17 LOW 2.7 A vulnerability was identified in taoofagi easegen-admin up to 8f87936ac774065b92fb20aab55b274a6ea76433. Impacted is the function recognizeMarkdown of the file yudao-module-digitalcourse/yudao-module-digitalcourse-biz/src/main/java/cn/iocoder/yudao/module/digitalcourse/util/Pdf2MdUtil.java. Such manipulation of the argument fileUrl leads to path…
CVE-2026-4284 2026-03-16 MEDIUM 4.7 A vulnerability was determined in taoofagi easegen-admin up to 8f87936ac774065b92fb20aab55b274a6ea76433. This issue affects the function downloadFile of the file - yudao-module-digitalcourse/yudao-module-digitalcourse-biz/src/main/java/cn/iocoder/yudao/module/digitalcourse/util/PPTUtil.java of the component PPT File Handler. This…
CVE-2026-4177 2026-03-16 CRITICAL 9.1 YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names…
CVE-2026-21991 2026-03-16 MEDIUM 5.5 A DTrace component, dtprobed, allows arbitrary file creation through crafted USDT provider names.
CVE-2026-2454 2026-03-16 MEDIUM 5.8 Mattermost versions 11.3.x
CVE-2026-29522 2026-03-16 N/A 0.0 ZwickRoell Test Data Management versions prior to 3.0.8 contain a local file inclusion (LFI) vulnerability in the /server/node_upgrade_srv.js endpoint. An unauthenticated attacker can supply directory traversal sequences via the…
CVE-2026-26230 2026-03-16 LOW 3.8 Mattermost versions 10.11.x
CVE-2026-1629 2026-03-16 MEDIUM 4.3 Mattermost versions 10.11.x
CVE-2025-69902 2026-03-16 CRITICAL 9.8 A command injection vulnerability in the minimal_wrapper.py component of kubectl-mcp-server v1.2.0 allows attackers to execute arbitrary commands via injecting arbitrary shell metacharacters.
CVE-2025-50881 2026-03-16 HIGH 8.8 The `flow/admin/moniteur.php` script in Use It Flow administration website before 10.0.0 is vulnerable to Remote Code Execution. When handling GET requests, the script takes user-supplied input from the…
CVE-2026-30882 2026-03-16 MEDIUM 6.1 Chamilo LMS is a learning management system. Chamilo LMS version 1.11.34 and prior contains a Reflected Cross-Site Scripting (XSS) vulnerability in the session category listing page. The keyword…
CVE-2026-30881 2026-03-16 HIGH 8.8 Chamilo LMS is a learning management system. Version 1.11.34 and prior contains a SQL Injection vulnerability in the statistics AJAX endpoint. The parameters date_start and date_end from $_REQUEST…
CVE-2026-30876 2026-03-16 N/A 0.0 Chamilo LMS is a learning management system. Prior to version 1.11.36, Chamilo is vulnerable to user enumeration with valid/invalid username. This issue has been patched in version 1.11.36.
CVE-2026-30875 2026-03-16 HIGH 8.8 Chamilo LMS is a learning management system. Prior to version 1.11.36, an arbitrary file upload vulnerability in the H5P Import feature allows authenticated users with Teacher role to…
CVE-2026-28430 2026-03-16 N/A 0.0 Chamilo LMS is a learning management system. Prior to version 1.11.34, there is an unauthenticated SQL injection vulnerability which allows remote attackers to execute arbitrary SQL commands via…
CVE-2026-26304 2026-03-16 MEDIUM 4.3 Mattermost versions 11.3.x
CVE-2025-69693 2026-03-16 MEDIUM 5.4 Out-of-bounds read in FFmpeg 8.0 and 8.0.1 RV60 video decoder (libavcodec/rv60dec.c). The quantization parameter (qp) validation at line 2267 only checks the lower bound (qp < 0) but…
CVE-2026-32261 2026-03-16 N/A 0.0 Webhooks for Craft CMS plugin adds the ability to manage “webhooks” in Craft CMS, which will send GET or POST requests when certain events occur. From version 3.0.0…
CVE-2025-69809 2026-03-16 CRITICAL 9.8 A write-what-where condition in p2r3 Bareiron commit 8e4d40 allows unauthenticated attackers to write arbitrary values to memory, enabling arbitrary code execution via a crafted packet.
CVE-2025-69808 2026-03-16 CRITICAL 9.1 An out-of-bounds memory access (OOB) in p2r3 Bareiron commit 8e4d40 allows unauthenticated attackers to access sensitive information and cause a Denial of Service (DoS) via supplying a crafted…
CVE-2025-69727 2026-03-16 MEDIUM 5.3 An Incorrect Access Control vulnerability exists in INDEX-EDUCATION PRONOTE prior to 2025.2.8. The affected components (index.js and composeUrlImgPhotoIndividu) allow the construction of direct URLs to user profile images…
CVE-2025-69196 2026-03-16 N/A 0.0 FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the…
CVE-2026-4269 2026-03-16 HIGH 7.5 A missing S3 ownership verification in the Bedrock AgentCore Starter Toolkit before version v0.1.13 may allow a remote actor to inject code during the build process, leading to…
CVE-2026-4254 2026-03-16 CRITICAL 9.8 A weakness has been identified in Tenda AC8 up to 16.03.50.11. This vulnerability affects the function doSystemCmd of the file /goform/SysToolChangePwd of the component HTTP Endpoint. This manipulation…
CVE-2026-4253 2026-03-16 MEDIUM 4.7 A security flaw has been discovered in Tenda AC8 16.03.50.11. This affects the function route_set_user_policy_rule of the file /cgi-bin/UploadCfg of the component Web Interface. The manipulation of the…
CVE-2026-4224 2026-03-16 N/A 0.0 When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.
CVE-2026-3644 2026-03-16 N/A 0.0 The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input…
CVE-2026-28498 2026-03-16 N/A 0.0 Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the…
CVE-2026-28490 2026-03-16 N/A 0.0 Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library…
CVE-2026-27962 2026-03-16 CRITICAL 9.1 Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated…
CVE-2026-23862 2026-03-16 HIGH 7.8 Dell ThinOS 10 versions prior to ThinOS 2602_10.0573, contain an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A low privileged attacker with local…
CVE-2026-23489 2026-03-16 CRITICAL 9.1 Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code…
CVE-2025-69768 2026-03-16 HIGH 7.5 SQL Injection vulnerability in Chyrp v.2.5.2 and before allows a remote attacker to obtain sensitive information via the Admin.php component
CVE-2025-66687 2026-03-16 HIGH 7.5 Doom Launcher 3.8.1.0 is vulnerable to Directory Traversal due to missing file path validation during the extraction of game files
CVE-2026-4270 2026-03-16 MEDIUM 5.5 Improper Protection of Alternate Path exists in the no-access and workdir feature of the AWS API MCP Server versions >= 0.2.14 and < 1.3.9 on all platforms may…
CVE-2026-4252 2026-03-16 CRITICAL 9.8 A vulnerability was identified in Tenda AC8 16.03.50.11. Affected by this issue is the function check_is_ipv6 of the component IPv6 Handler. The manipulation leads to reliance on ip…
CVE-2026-4251 2026-03-16 LOW 2.5 A vulnerability was determined in CityData CityChat up to 0.12.6 on Android. Affected by this vulnerability is an unknown functionality of the file resources/assets/flutter_assets/assets/credentials.json of the component ai.citydata.citychat.…
CVE-2026-30405 2026-03-16 N/A 0.0 An issue in GoBGP gobgpd v.4.2.0 allows a remote attacker to cause a denial of service via the NEXT_HOP path attribute
CVE-2025-65734 2026-03-16 MEDIUM 5.4 An authenticated arbitrary file upload vulnerability in the Courses/Work Assignments module of gunet Open eClass v3.11, and fixed in v3.13, allows attackers to execute arbitrary code via uploading…
CVE-2026-4276 2026-03-16 N/A 0.0 LibreChat RAG API, version 0.7.0, contains a log-injection vulnerability that allows attackers to forge log entries.
CVE-2026-4250 2026-03-16 LOW 2.5 A vulnerability was found in Albert Sağlık Hizmetleri ve Ticaret Albert Health up to 1.7.3 on Android. Affected is an unknown function of the file resources/assets/service-account.json of the…
CVE-2026-32587 2026-03-16 MEDIUM 5.4 Missing Authorization vulnerability in Saad Iqbal WP EasyPay allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP EasyPay: from n/a through 4.2.11.
CVE-2026-32583 2026-03-16 MEDIUM 5.3 Missing Authorization vulnerability in Webnus Inc. Modern Events Calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Modern Events Calendar: from n/a through 7.29.0.
CVE-2025-69784 2026-03-16 HIGH 8.8 A local, non-privileged attacker can abuse a vulnerable IOCTL interface exposed by the OpenEDR 2.5.1.0 kernel driver to modify the DLL injection path used by the product. By…
CVE-2025-69783 2026-03-16 HIGH 7.8 A local attacker can bypass OpenEDR's 2.5.1.0 self-defense mechanism by renaming a malicious executable to match a trusted process name (e.g., csrss.exe, edrsvc.exe, edrcon.exe). This allows unauthorized interaction…
CVE-2025-62319 2026-03-16 CRITICAL 9.8 Boolean-Based SQL Injection is a type of blind SQL injection where an attacker manipulates SQL queries by injecting Boolean conditions (TRUE or FALSE) into application input fields. Instead…