Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2026-44446 2026-05-13 HIGH 8.8 ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.14.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which…
CVE-2026-44445 2026-05-13 N/A 0.0 ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.12.0, an improper restriction of XML external entity (XXE) reference vulnerability in the…
CVE-2026-44442 2026-05-13 CRITICAL 9.9 ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond…
CVE-2026-44441 2026-05-13 MEDIUM 5.0 ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.106.0 and 16.16.0, a malicious user could send a crafted request to an endpoint, which…
CVE-2026-44440 2026-05-13 MEDIUM 6.5 ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.101.1 and 16.10.0, an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')…
CVE-2026-44439 2026-05-13 N/A 0.0 PlaywrightCapture is a simple replacement for splash using playwright. Prior to 1.39.6, PlaywrightCapture did not sufficiently restrict navigations and resource requests initiated by rendered pages. An attacker-controlled page…
CVE-2026-44437 2026-05-13 N/A 0.0 The Angular SSR is a server-rise rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7, a vulnerability exists in the X-Forwarded-Prefix header processing…
CVE-2026-44426 2026-05-13 MEDIUM 6.5 ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/namespaces/:tenant returns the full namespace object — including the members list (user IDs, e-mails, roles), settings, and device…
CVE-2026-44425 2026-05-13 MEDIUM 5.4 ShellHub is a centralized SSH gateway. Prior to 0.24.2, the device list endpoint accepts user-controlled identifiers in the the name field of each filter property in the base64-encoded…
CVE-2026-44424 2026-05-13 MEDIUM 6.5 ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to…
CVE-2026-44423 2026-05-13 MEDIUM 6.5 ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/sessions/:uid returns the full session object for any authenticated caller, without scoping by the caller's tenant. An authenticated…
CVE-2026-44369 2026-05-13 N/A 0.0 CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an…
CVE-2026-44195 2026-05-13 MEDIUM 5.3 OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, a logic flaw in the OPNsense lockout_handler allows an unauthenticated attacker to continuously reset the authentication…
CVE-2026-44194 2026-05-13 CRITICAL 9.1 OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, an authenticated Remote Code Execution (RCE) vulnerability in the OPNsense core allows a user with user-management…
CVE-2026-44193 2026-05-13 CRITICAL 9.1 OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, the XMLRPC method opnsense.restore_config_section fails to sanitize user supplied input leading to Remote Code Execution. This…
CVE-2026-42463 2026-05-13 N/A 0.0 SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. Prior to 1.8.0, SQLBot contains a Cross-Workspace IDOR (Insecure Direct Object Reference) and Authorization Bypass…
CVE-2026-40328 2026-05-13 N/A 0.0 Rejected reason: This CVE is a duplicate of another CVE.
CVE-2026-40327 2026-05-13 N/A 0.0 Rejected reason: This CVE is a duplicate of another CVE.
CVE-2026-32993 2026-05-13 HIGH 8.3 Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response.
CVE-2026-32992 2026-05-13 HIGH 8.2 SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials.
CVE-2026-29205 2026-05-13 HIGH 8.6 Incorrect privileges management and insufficient path filtering allow to read arbitrary file on the server via the cpdavd attachment download endpoints.
CVE-2026-8328 2026-05-13 N/A 0.0 The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]),…
CVE-2026-45714 2026-05-13 CRITICAL 9.1 CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates, Invoices, Documents, and…
CVE-2026-45708 2026-05-13 HIGH 7.2 CubeCart is an ecommerce software solution. Prior to 6.7.3, an admin with documents edit permission can save raw into the Invoice Editor. The next time any admin clicks…
CVE-2026-45229 2026-05-13 HIGH 8.8 Quark Drive before 0.8.5 contains a mass assignment vulnerability in the POST /update endpoint that allows authenticated attackers to overwrite administrator credentials by posting an arbitrary webui object…
CVE-2026-45228 2026-05-13 MEDIUM 5.4 Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders push_config key names using Vue.js's v-html directive without escaping.…
CVE-2026-45055 2026-05-13 HIGH 8.1 CubeCart is an ecommerce software solution. Prior to 6.7.2, CubeCart 6.6.x – 6.7.1 builds CC_STORE_URL directly from the Host request header at bootstrap, with no allowlist. The constant…
CVE-2026-45054 2026-05-13 MEDIUM 4.9 CubeCart is an ecommerce software solution. Prior to 6.7.0, the admin orders-transactions listing page (admin.php?_g=orders&node=transactions) builds a raw ORDER BY SQL fragment from the attacker-controlled $_GET['sort'] array without…
CVE-2026-45053 2026-05-13 CRITICAL 9.1 CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Arbitrary File Upload vulnerability exists in the REST API File Manager endpoint (POST /api/v1/files) of CubeCart. The…
CVE-2026-44418 2026-05-13 N/A 0.0 EcclesiaCRM is CRM Software for church management. In 8.0.0 and earlier, the ValidateInput() function's default case in EcclesiaCRM's query view passes user-supplied POST parameters directly into SQL queries…
CVE-2026-44381 2026-05-13 N/A 0.0 MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event…
CVE-2026-44380 2026-05-13 N/A 0.0 MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization…
CVE-2026-44379 2026-05-13 N/A 0.0 MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid field. As a…
CVE-2026-44377 2026-05-13 CRITICAL 9.1 CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates and Documents). The…
CVE-2026-44376 2026-05-13 MEDIUM 6.1 CubeCart is an ecommerce software solution. Prior to 6.7.0, an unauthenticated Reflected XSS vulnerability exists in the CubeCart v6.x search feature. Due to a logic flaw in classes/catalogue.class.php,…
CVE-2026-44373 2026-05-13 MEDIUM 5.3 Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could bypass a proxy route rule by sending percent-encoded path traversal (..%2f) in the URL, causing…
CVE-2026-44372 2026-05-13 N/A 0.0 Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could turn a redirect route rule using wildcards rewrite into a cross-host redirect by sliding an…
CVE-2026-44368 2026-05-13 N/A 0.0 PyQuorum is a cryptographic library for secret sharing and key management. Prior to 0.2.1, the mul_mod function implements multiplication via a binary expansion loop whose execution time depends…
CVE-2026-42602 2026-05-13 HIGH 8.1 azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for…
CVE-2026-42561 2026-05-13 HIGH 7.5 Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously…
CVE-2026-42304 2026-05-13 HIGH 7.5 Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource…
CVE-2026-39428 2026-05-13 MEDIUM 4.8 CubeCart is an ecommerce software solution. Prior to 6.6.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in CubeCart v6.x. An attacker with administrative privileges can inject malicious JavaScript…
CVE-2026-39358 2026-05-13 HIGH 7.2 CubeCart is an ecommerce software solution. Prior to 6.6.0, Authenticated Time-Based Blind SQL Injection vulnerabilities were identified in the sorting parameters (sort[price], sort_activity, sort_admin, and sort_customer) of the…
CVE-2026-21821 2026-05-13 HIGH 8.3 The HCL BigFix SCM Reporting site contains an outdated and unsupported version of the jQuery 1.x library. Since jQuery 1.x has reached end-of-life and no longer receives security…
CVE-2025-27853 2026-05-13 N/A 0.0 The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows its authentication to be bypassed. The WDU web site only performs authentication with…
CVE-2025-27852 2026-05-13 N/A 0.0 The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a reflected cross site scripting (XSS) attack. This allows an attacker on the…
CVE-2025-27851 2026-05-13 N/A 0.0 The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a cross-site origin WebSocket hijacking attack. Among other uses, the WDU utilizes WebSockets…
CVE-2025-27850 2026-05-13 N/A 0.0 The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a symlink attack. If a malicious graphics package containing symlinks is uploaded, the…
CVE-2026-44292 2026-05-13 MEDIUM 5.3 protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the…
CVE-2026-44293 2026-05-13 HIGH 8.8 protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled…
« Anterior Página 2 de 4294 Siguiente »