Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

CVE ID	Publicado	Severidad	CVSS	Descripción
CVE-2026-8427	2026-05-21	N/A	0.0	Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score…
CVE-2026-8416	2026-05-21	N/A	0.0	Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score…
CVE-2026-8415	2026-05-21	N/A	0.0	Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of…
CVE-2026-8414	2026-05-21	N/A	0.0	Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/duplicate. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of…
CVE-2026-8413	2026-05-21	N/A	0.0	Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of…
CVE-2026-8412	2026-05-21	N/A	0.0	Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of…
CVE-2026-8411	2026-05-21	N/A	0.0	Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of…
CVE-2026-8410	2026-05-21	N/A	0.0	Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/bulk/delete. The The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score…
CVE-2026-8409	2026-05-21	N/A	0.0	Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete. The The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score…
CVE-2026-8337	2026-05-21	N/A	0.0	Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private…
CVE-2026-8327	2026-05-21	N/A	0.0	Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo::update() without…
CVE-2026-8245	2026-05-21	N/A	0.0	Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection. Concrete\Core\Legacy\Pagination builds pagination links by raw-interpolating its $URL field into href="" (). Any…
CVE-2026-8240	2026-05-21	N/A	0.0	Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure across every page with a configured summary template, revealing the existence of private, draft, and restricted pages…
CVE-2026-8239	2026-05-21	N/A	0.0	Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/get_rating' endpoint confirms existence and returns rating score for any message by ID. The Concrete CMS security team gave this vulnerability a…
CVE-2026-8238	2026-05-21	N/A	0.0	Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/message_page' endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from…
CVE-2026-8237	2026-05-21	N/A	0.0	Concrete CMS 9.5.0 and below is vulnerable to IDOR. The `/ccm/frontend/conversations/message_detail` endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including…
CVE-2026-8236	2026-05-21	N/A	0.0	Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/{fID} accepts an integer file ID in the URL and returns internal site…
CVE-2026-8139	2026-05-21	N/A	0.0	Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName because updateCollectionAliasExternal bypasses being sanitized. The Concrete CMS security team gave this vulnerability a…
CVE-2026-7890	2026-05-21	N/A	0.0	In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation enabling redirect-to-internal bypasses. The Concrete CMS…
CVE-2026-7887	2026-05-21	N/A	0.0	For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid…
CVE-2026-7886	2026-05-21	N/A	0.0	Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass. The `AddMessage` and `UpdateMessage` conversation controllers accept user-supplied file…
CVE-2026-7882	2026-05-21	N/A	0.0	Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code throws an error when the…
CVE-2026-7881	2026-05-21	N/A	0.0	Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to…
CVE-2026-7879	2026-05-21	N/A	0.0	In Concrete CMS 9.5.0 and below, the submit_password() method in concrete/controllers/single_page/download_file.php allows unauthorized file access since downloading permission-restricted files bypasses the view_file permission check. Files without passwords can be…
CVE-2026-6960	2026-05-21	CRITICAL	9.8	The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in all versions up to, and…
CVE-2026-4929	2026-05-21	N/A	0.0	Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and…
CVE-2026-4093	2026-05-21	N/A	0.0	In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline. Vector A (token display templates): When the Token module is…
CVE-2026-46473	2026-05-21	HIGH	7.5	Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand. Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage.
CVE-2026-22678	2026-05-21	MEDIUM	5.4	Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attackers to…
CVE-2026-8428	2026-05-21	N/A	0.0	Concrete CMS 9.5.0 and below emits a CSRF token in the local_available_update.php view ($token->output('do_update')) but the corresponding do_update() method in concrete/controllers/single_page/dashboard/system/update/update.php never calls $this->token->validate('do_update'). The form is rendered…
CVE-2026-8426	2026-05-21	N/A	0.0	Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepare_remote_upgrade/. An attacker who controls the remote package returned for a known marketplace…
CVE-2026-8421	2026-05-21	N/A	0.0	Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php. An attacker who can cause an authenticated administrator to visit a crafted page, …
CVE-2026-8417	2026-05-21	N/A	0.0	Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/do_update/. The do_update() method in concrete/controllers/single_page/dashboard/extend/update.php checks only canInstallPackages() before executing upgradeCoreData() and…
CVE-2026-8352	2026-05-21	N/A	0.0	Rejected reason: REJECT DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been…
CVE-2026-8350	2026-05-21	N/A	0.0	Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access to the bulk…
CVE-2026-8205	2026-05-21	N/A	0.0	Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar which results in restricted event details…
CVE-2026-8204	2026-05-21	N/A	0.0	Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be…
CVE-2026-8203	2026-05-21	N/A	0.0	Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with editor privileges can inject malicious JavaScript that…
CVE-2026-8197	2026-05-21	N/A	0.0	Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via OAuth integration name. The OAuth authorize template renders the integration name (admin-controlled) through Concrete's t() translation helper…
CVE-2026-8140	2026-05-21	N/A	0.0	Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/. The download() method in concrete/controllers/single_page/dashboard/extend/install.php checks only the canInstallPackages() permission before fetching…
CVE-2026-8135	2026-05-21	N/A	0.0	Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the ExpressEntryList block controller. An rogue administrator with privileges to add blocks to…
CVE-2026-8134	2026-05-21	N/A	0.0	Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. An authenticated rogue administrator with composer…
CVE-2026-6826	2026-05-21	N/A	0.0	Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller. Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/{fID} with any file ID…
CVE-2026-47102	2026-05-21	HIGH	8.8	LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account,…
CVE-2026-47101	2026-05-21	HIGH	8.8	LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes…
CVE-2026-4843	2026-05-21	MEDIUM	4.3	The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the process_ajax_restore_action() function in all versions…
CVE-2026-47114	2026-05-21	HIGH	8.8	IINA before 1.4.3 contains a user-assisted command execution vulnerability that allows remote attackers to execute arbitrary commands by supplying malicious mpv_-prefixed query parameters through the iina://open custom URL…
CVE-2026-34926	2026-05-21	MEDIUM	6.7	A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code…
CVE-2026-4055	2026-05-21	MEDIUM	4.3	Mattermost versions 11.5.x
CVE-2026-4858	2026-05-21	HIGH	8.0	Mattermost versions 11.6.x

« Anterior Página 183 de 4502 Siguiente »

Vulnerabilidades CVE

Vulnerabilidades CVE

Soluciones

Recursos

Legal y Soporte