CVE Vulnerabilities

Below is the list of the most recently published vulnerabilities from NIST (NVD):

CVE ID Published Severity CVSS Description
CVE-2025-40903 2026-05-19 MEDIUM 5.9 A Stored HTML Injection vulnerability was discovered in the Schedule Restore Archive functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can…
CVE-2025-40904 2026-05-19 MEDIUM 6.5 A Stored HTML Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user with limited privileges can push…
CVE-2026-8951 2026-05-19 MEDIUM 6.5 Spoofing issue in the Toolbar component in Firefox for Android. This vulnerability was fixed in Firefox 151.
CVE-2026-33234 2026-05-19 MEDIUM 5.0 AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.1.0 through 0.6.51, SendEmailBlock in autogpt_platform/backend/backend/blocks/email_block.py accepts a user-supplied smtp_server (string)…
CVE-2026-27130 2026-05-18 CRITICAL 9.9 Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below have OS command injection through the appName parameter. 3 chained issues cause this problem:…
CVE-2026-8945 2026-05-19 HIGH 7.5 Sandbox escape in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 151.
CVE-2026-8814 2026-05-19 MEDIUM 5.3 Versions of the package exifreader before 4.39.0 are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) due to decompressing PNG zTXt metadata without enforcing a built-in…
CVE-2026-8813 2026-05-19 HIGH 7.5 This affects versions of the package exifreader before 4.39.0. A crafted image containing an ICC mluc tag can set an attacker-controlled record count together with a zero record…
CVE-2026-45495 2026-05-18 HIGH 8.8 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
CVE-2026-8851 2026-05-18 HIGH 8.1 SOGo versions 5.12.7 and prior contains a SQL injection vulnerability in the Access Control List management functionality that allows authenticated users to extract arbitrary data from the database…
CVE-2026-37982 2026-05-19 MEDIUM 6.8 A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email…
CVE-2026-37979 2026-05-19 MEDIUM 6.5 A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled…
CVE-2026-33233 2026-05-19 HIGH 7.6 AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.6.34 through 0.6.51, the backend deserializes Redis cache bytes using pickle.loads…
CVE-2026-30950 2026-05-18 HIGH 7.1 AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.6.36 through 0.6.50 are vulnerable to Authenticated Session Hijacking via IDOR. If…
CVE-2026-29963 2026-05-18 HIGH 7.5 HSC MailInspector 5.3.3-7 has a Path Traversal vulnerability due to improper validation of user-supplied input in the /tap/dw.php endpoint. The text parameter is used to construct file paths…
CVE-2026-27891 2026-05-18 HIGH 7.2 FacturaScripts is an open source accounting and invoicing software. Versions 2026 and below contain a critical vulnerability in the Plugins::add() function. The system fails to properly validate the…
CVE-2026-29962 2026-05-18 HIGH 7.5 HSC MailInspector v5.3.3-7 contains a Local File Inclusion (LFI) vulnerability caused by improper control of user-supplied file paths. The endpoint /vendor/phpunit/phpunit.php processes user-controlled parameters that directly affect file…
CVE-2023-24215 2026-05-18 CRITICAL 9.1 Incorrect access control in the /uci/get/ endpoint of NOVUS AirGate 4G firmware v1.1.16 allows unauthenticated attackers to obtain administrator credentials via a crafted POST request.
CVE-2026-45494 2026-05-18 MEDIUM 5.4 Microsoft Edge (Chromium-based) Spoofing Vulnerability
CVE-2026-33232 2026-05-19 HIGH 7.5 AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.4.2 through 0.6.51 are vulnerable to an unauthenticated Denial of Service (DoS)…
CVE-2026-33052 2026-05-19 N/A 0.0 Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.0 and 2.28.1 allow a low-privileged authenticated user assigned the "add_profile_threshold" permission to create a global profile…
CVE-2026-27737 2026-05-18 MEDIUM 6.5 BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback (presentation format) was not sanitizing user's input in public chat. This allowed for a…
CVE-2026-26978 2026-05-18 N/A 0.0 FreePBX is an open source IP PBX. In versions below 16.0.71 and 17.0.6, the backup module does not properly sanitize data during restore operations, potentially leading to compromise…
CVE-2026-2611 2026-05-19 CRITICAL 9.6 In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a…
CVE-2026-32323 2026-05-19 HIGH 7.3 Mullvad VPN is a VPN client app for desktop and mobile. When using macOS with versions 2026.1 and below, Mullvad VPN may allow local privilege escalation during installation…
CVE-2026-32312 2026-05-19 N/A 0.0 GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, an authenticated user with forms READ permission can export the structure of unauthorized…
CVE-2026-4137 2026-05-18 HIGH 7.0 In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary directories with world-writable permissions (0o777), and the `_create_model_downloading_tmp_dir()` function in `mlflow/pyfunc/__init__.py` creates directories with group-writable…
CVE-2026-25244 2026-05-18 CRITICAL 9.8 WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to…
CVE-2026-22810 2026-05-18 HIGH 8.2 Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions prior to 3.5.7 contain a path traversal vulnerability in the importer…
CVE-2026-45492 2026-05-18 MEDIUM 5.4 Improper input validation in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.
CVE-2026-7860 2026-05-19 N/A 0.0 A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the…
CVE-2026-45442 2026-05-19 MEDIUM 4.3 Missing Authorization vulnerability in Brainstorm Force Presto Player allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Presto Player: from n/a through 4.1.3.
CVE-2026-44408 2026-05-19 MEDIUM 6.3 There is an unauthorized access vulnerability in ZTE MU5250. Due to improper permission control of the Web interface, an unauthorized attacker can modify configuration through the interface.
CVE-2026-32994 2026-05-19 MEDIUM 5.3 The /api/v1/autotranslate.translateMessage endpoint in versions
CVE-2026-22069 2026-05-19 HIGH 7.3 A local privilege escalation vulnerability exists in O+ Connect because it fails to validate the identity of the caller on the pipe interface.
CVE-2026-8827 2026-05-19 N/A 0.0 The AddressRepository::getSqlQuery() method constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itself and therefore…
CVE-2026-8727 2026-05-19 N/A 0.0 The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading…
CVE-2026-8726 2026-05-19 N/A 0.0 The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL…
CVE-2026-46725 2026-05-19 N/A 0.0 The extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP…
CVE-2026-46724 2026-05-19 N/A 0.0 The file indexer does not normalize the configured directory path. A backend user with permission to edit indexer configurations can index documents from arbitrary locations on the server…
CVE-2026-46723 2026-05-19 N/A 0.0 The additional_tables configuration of the page and tt_content indexers accepts arbitrary table and field names. A backend user with permission to edit indexer configurations can copy sensitive data…
CVE-2026-46722 2026-05-19 N/A 0.0 The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files…
CVE-2026-46721 2026-05-19 N/A 0.0 The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a…
CVE-2025-14575 2026-05-19 N/A 0.0 An Uncontrolled Search Path Element vulnerability in the OpenSSL TLS backend of Qt Network (qtbase) in Qt Qt Framework (Unix) allows a local attacker to load a rogue…
CVE-2026-42100 2026-05-19 N/A 0.0 Improper Handling of Syntactically Invalid Structure in Sparx Pro Cloud Server allows Denial of Service (DoS) attack to be executed by sending an specially crafted SQL query. This causes…
CVE-2026-42099 2026-05-19 N/A 0.0 Sparx Pro Cloud Server is vulnerable to a Race Condition in the /data_api/dl_internal_artifact.php endpoint. The application downloads the properties of the object pointed by guid parameter and saves…
CVE-2026-42098 2026-05-19 N/A 0.0 Sparx Enterprise Architect software has a security feature that limits user's actions to those specified in the role. An authenticated attacker can modify the Enterprise Architect client behavior…
CVE-2026-42097 2026-05-19 N/A 0.0 Sparx Pro Cloud Server requires authentication based on requested URL. An attacker can omit the "model" query parameter and send the model name only in the binary blob in POST…
CVE-2026-42096 2026-05-19 N/A 0.0 Sparx Pro Cloud Server is vulnerable to Broken Access Control within communication with the database. Due to lack of permission checks, any low privileged user can run arbitrary…
CVE-2026-27964 2026-05-18 LOW 3.9 FacturaScripts is an open source accounting and invoicing software. Versions 2025.7 and prior contain a Reflected Cross-Site Scripting (XSS) vulnerability through the fsNick cookie parameter. The application reflects…
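The exifreader entry CVE-2026-8814 (PNG zTXt metadata decompressed without a built-in limit) describes a data-amplification bug: a few kilobytes of zlib data inflate to hundreds of megabytes before the parser notices. The following is an added example, not exifreader's code or its fix, showing how a PNG zTXt chunk parser can cap inflated output with zlib.decompressobj before the memory is ever committed. The 1 MiB cap, the function names and the two sample chunks are assumptions constructed for illustration.

```python
import zlib
from typing import Tuple

# Ceiling on inflated text-chunk size. This value is an assumption chosen for
# the example; it is not a limit taken from exifreader or any other library.
MAX_INFLATED = 1 << 20  # 1 MiB


class DecompressionBombError(ValueError):
    """Inflating the chunk would exceed the configured byte cap."""


def inflate_bounded(compressed: bytes, limit: int = MAX_INFLATED) -> bytes:
    """Inflate a zlib stream, refusing to emit more than `limit` bytes.

    zlib.decompress() has no output ceiling, so a few kilobytes of compressed
    input can expand to gigabytes. decompressobj().decompress(data, max_length)
    stops producing output at max_length, which lets us reject the stream
    having allocated only limit+1 bytes instead of the full expansion.
    """
    d = zlib.decompressobj()
    out = d.decompress(compressed, limit + 1)
    # Output longer than the cap, or input left over because the cap was hit,
    # both mean the stream would inflate past the limit.
    if len(out) > limit or d.unconsumed_tail:
        raise DecompressionBombError(
            f"{len(compressed)} compressed bytes inflate past the {limit}-byte cap"
        )
    out += d.flush()
    if len(out) > limit:
        raise DecompressionBombError("trailing output exceeds cap")
    return out


def parse_ztxt(chunk_data: bytes, limit: int = MAX_INFLATED) -> Tuple[str, str]:
    """Parse the payload of a PNG zTXt chunk: keyword, NUL, method, zlib data.

    Returns (keyword, text). Raises ValueError on a malformed layout,
    zlib.error on a corrupt stream, and DecompressionBombError when the
    text would inflate past `limit`.
    """
    keyword, sep, rest = chunk_data.partition(b"\x00")
    if not sep or not 1 <= len(keyword) <= 79:  # PNG keyword length rule
        raise ValueError("zTXt: missing or oversized keyword")
    if len(rest) < 1 or rest[0] != 0:  # only method 0 (deflate) is defined
        raise ValueError("zTXt: unsupported compression method")
    text = inflate_bounded(rest[1:], limit)
    return keyword.decode("latin-1"), text.decode("latin-1")


def is_bomb(chunk_data: bytes, limit: int = MAX_INFLATED) -> bool:
    """True if the chunk is rejected by the size cap, False if it parses."""
    try:
        parse_ztxt(chunk_data, limit)
    except DecompressionBombError:
        return True
    return False


def make_ztxt(keyword: str, text: bytes) -> bytes:
    """Build zTXt chunk data (constructed test input, not from a real file)."""
    return keyword.encode("latin-1") + b"\x00" + b"\x00" + zlib.compress(text, 9)


# Constructed samples: a normal comment, and an 8 MiB run of zeros that
# compresses to a few kilobytes (the amplification the CVE describes).
BENIGN_ZTXT = make_ztxt("Comment", b"hello from a png")
BOMB_ZTXT = make_ztxt("Comment", b"\x00" * (8 << 20))

if __name__ == "__main__":
    print(parse_ztxt(BENIGN_ZTXT))
    print("bomb chunk bytes:", len(BOMB_ZTXT), "rejected:", is_bomb(BOMB_ZTXT))
```

The key point is where the check sits: the cap is enforced inside the inflate call via max_length, not by measuring the buffer after zlib.decompress() has already returned it. A parser that checks the length afterwards has already paid for the allocation.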
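The AutoGPT entry CVE-2026-33233 (Redis cache bytes fed to pickle.loads) and the PHP extension entries CVE-2026-8727 and CVE-2026-46725 (a response header and a cookie fed to unserialize()) are one class of bug: deserializing attacker-reachable bytes with a format that can name code to run. The Python example below is added here and is not AutoGPT's code or its fix; it shows the two standard mitigations, a pickle.Unpickler whose find_class only resolves an allowlist, and a JSON encoding that cannot carry a callable at all, exercised against a constructed payload. Every name, the sample cache entries and the payload are assumptions for illustration.

```python
import collections
import io
import json
import os
import pickle
from typing import Any, FrozenSet, Tuple

# Globals the restricted unpickler may resolve. Empty by default: a cache
# entry made of dicts, lists, strings, numbers and bytes needs no globals at
# all, so any GLOBAL / STACK_GLOBAL opcode in cache data is a red flag.
DEFAULT_ALLOWED: FrozenSet[Tuple[str, str]] = frozenset()


class RestrictedUnpickler(pickle.Unpickler):
    """pickle.Unpickler that only resolves an explicit allowlist of globals.

    Stock pickle.loads() imports and calls whatever module.attribute the
    stream names, so anyone who can write a cache entry gets code execution
    when it is read back. find_class is the documented hook to stop that.
    """

    def __init__(self, file, allowed: FrozenSet[Tuple[str, str]] = DEFAULT_ALLOWED):
        super().__init__(file)
        self.allowed = allowed

    def find_class(self, module: str, name: str):
        if (module, name) in self.allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def restricted_loads(data: bytes, allowed=DEFAULT_ALLOWED) -> Any:
    """Drop-in for pickle.loads that refuses non-allowlisted globals."""
    return RestrictedUnpickler(io.BytesIO(data), allowed).load()


def rejects(data: bytes, allowed=DEFAULT_ALLOWED) -> bool:
    """True if restricted_loads refuses the payload, False if it decodes."""
    try:
        restricted_loads(data, allowed)
    except pickle.UnpicklingError:
        return True
    return False


class _Payload:
    """Constructed attacker object: when unpickled, asks for os.system to be
    called. Its pickle must never be passed to the stock pickle.loads()."""

    def __reduce__(self):
        return (os.system, ("echo pwned",))


# pickle.dumps() only serialises; nothing is executed while building these.
MALICIOUS = pickle.dumps(_Payload())
BENIGN = pickle.dumps({"user": "alice", "scopes": ["read", "write"], "ttl": 300})
ORDERED = pickle.dumps(collections.OrderedDict(a=1))  # needs one global
ORDERED_ALLOWED = frozenset({("collections", "OrderedDict")})


# The stronger fix: do not pickle cache data at all. JSON has no way to name
# a Python callable, so the decoder has nothing it could be tricked into calling.
def cache_encode(value: Any) -> bytes:
    return json.dumps(value, separators=(",", ":")).encode()


def cache_decode(raw: bytes) -> Any:
    return json.loads(raw.decode())


if __name__ == "__main__":
    print("benign decodes:", restricted_loads(BENIGN))
    print("malicious rejected:", rejects(MALICIOUS))
    print("OrderedDict rejected by default:", rejects(ORDERED),
          "allowed explicitly:", rejects(ORDERED, ORDERED_ALLOWED))
    print("json round trip:", cache_decode(cache_encode({"k": [1, 2]})))
```

The allowlist approach is a containment measure for code that must keep reading existing pickles; it still trusts the allowlisted callables. Where the cache schema is plain data, switching the encoding to JSON removes the deserializer from the attack surface entirely, which is the outcome the Redis and unserialize() entries above are really asking for.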