CVE Vulnerabilities

Below is the list of the latest vulnerabilities published by the NIST institute:

| CVE ID | Published | Severity | CVSS | Description |
|---|---|---|---|---|
| CVE-2026-55838 | 2026-06-26 | MEDIUM | 4.3 | RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.7 and earlier, the real-time metrics endpoint at /rustfs/admin/v3/metrics is accessible to any valid IAM user regardless… |
| CVE-2026-55188 | 2026-06-26 | HIGH | 8.2 | RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, RustFS contains an authorization bypass in the bucket replication admin API. The ListRemoteTargetHandler handler… |
| CVE-2026-55448 | 2026-06-26 | MEDIUM | 6.3 | mise manages dev tools like node, python, cmake, and terraform. From 2026.3.15 until 2026.6.4, mise loads github.credential_command from local project config before any trust decision, then executes that… |
| CVE-2026-52780 | 2026-06-26 | CRITICAL | 9.6 | OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, cache store poisoning leads to Remote Code Execution (RCE). This vulnerability is fixed in 17.3.3 and… |
| CVE-2026-50136 | 2026-06-26 | HIGH | 7.4 | Budibase is an open-source low-code platform. Prior to 3.39.3, the application server exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials stored in a workspace… |
| CVE-2026-47205 | 2026-06-26 | MEDIUM | 5.9 | Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.36.0 until 1.36.9, 1.37.5, and 1.38.3, a Use-After-Free (UAF) vulnerability leading to a sudden… |
| CVE-2026-47778 | 2026-06-26 | MEDIUM | 4.4 | Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySubjectAltName where… |
| CVE-2026-48529 | 2026-06-26 | MEDIUM | 6.0 | GitHub MCP Server is GitHub's official MCP Server. From 0.22.0 until 1.1.2, when running in HTTP mode with --lockdown-mode enabled, the RepoAccessCache is implemented as a process-global singleton… |
| CVE-2026-44736 | 2026-06-26 | MEDIUM | 6.5 | OpenProject is open-source, web-based project management software. Prior to 17.4.0, the GET /api/v3/relations endpoint allows any authenticated user to retrieve relations — and the subject (title) of work… |
| CVE-2026-44734 | 2026-06-26 | MEDIUM | 6.5 | OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, a Missing Authorization vulnerability exists in OpenProject's CostReportsController. The rename and update actions allow any authenticated… |
| CVE-2026-44696 | 2026-06-26 | MEDIUM | 5.7 | OpenProject is open-source, web-based project management software. Prior to 17.4.0, OpenProject's rich text (markdown) rendering pipeline uses Sanitize::Config::RELAXED[:css] for inline style sanitization. This configuration permits essentially all CSS… |
| CVE-2026-29509 | 2026-06-26 | MEDIUM | 5.4 | Patool before 4.0.5 contains a path traversal vulnerability in the safe_extract() function in patoolib/programs/py_tarfile.py when running on Python before 3.12, where the is_within_directory() helper uses os.path.commonprefix() for character-level… |
| CVE-2026-13434 | 2026-06-26 | MEDIUM | 4.9 | A flaw was found in KubeVirt's network annotation generator. When a tenant creates a VirtualMachineInstance with a Multus network configuration, the supplied networkName value is written verbatim into… |
| CVE-2025-32394 | 2026-06-26 | N/A | 0.0 | AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.32, there is a DoS vulnerability in AITextSummarizerBlock. Malicious users can… |
| CVE-2026-13422 | 2026-06-27 | MEDIUM | 4.3 | The HD Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 2.2.0 to 2.2.1. This is due to missing or incorrect nonce validation on the… |
| CVE-2026-13335 | 2026-06-27 | MEDIUM | 6.4 | The CodePeople Post Map for Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'cpm_point' Post Meta in all versions up to, and including, 1.2.6… |
| CVE-2026-13333 | 2026-06-27 | MEDIUM | 6.5 | The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via 'query[select]' Parameter in all versions up to, and including, 4.5.5… |
| CVE-2026-11356 | 2026-06-27 | MEDIUM | 4.4 | The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'menu_title' and 'menu_magnifier_color' Settings in all versions up to, and including,… |
| CVE-2025-59868 | 2026-06-27 | MEDIUM | 5.5 | HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a sensitive data exposure vulnerability which could allow an attacker to exploit application information to then attempt additional attacks… |
| CVE-2023-37524 | 2026-06-27 | HIGH | 7.7 | HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of service. Since .NET Framework 4.5 has reached end-of-life and no… |
| CVE-2024-23581 | 2026-06-26 | MEDIUM | 6.7 | The HCL Traveler for Microsoft Outlook libraries are being flagged as potentially malicious software or an unrecognized application. |
| CVE-2026-56414 | 2026-06-26 | HIGH | 7.2 | A vulnerability exists in H.View IP cameras: certificate-related upload interfaces allow authenticated users to store arbitrary file content to fixed, persistent filesystem locations without validating file type, structure,… |
| CVE-2026-55975 | 2026-06-26 | HIGH | 7.2 | A vulnerability exists in H.View IP cameras that could allow an authenticated user to supply unsanitized XML fields to the device's certificate generation interface, which are incorporated into… |
| CVE-2026-33560 | 2026-06-26 | HIGH | 7.1 | The DMP-5000 file service exposes authenticated arbitrary file upload functionality. There are exposed endpoints which allow authenticated users to upload files of any type without validation. No file… |
| CVE-2026-31928 | 2026-06-26 | HIGH | 8.1 | The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using… |
| CVE-2026-28701 | 2026-06-26 | CRITICAL | 9.8 | Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths. |
| CVE-2026-55069 | 2026-06-26 | HIGH | 8.7 | Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. An attacker who… |
| CVE-2026-53576 | 2026-06-26 | CRITICAL | 10.0 | Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API (@Filter("/api/v1/**")) treats any request whose path ends in /configs… |
| CVE-2026-50767 | 2026-06-26 | N/A | 0.0 | A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to… |
| CVE-2026-50766 | 2026-06-26 | N/A | 0.0 | A stored cross-site scripting (XSS) vulnerability in the OPAC item detail page of Koha Library Management System through 25.11 allows an authenticated remote attacker with edit_items permission to… |
| CVE-2026-50765 | 2026-06-26 | N/A | 0.0 | Cross-Site Scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject… |
| CVE-2026-49984 | 2026-06-26 | HIGH | 7.7 | Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.23, the local internal-storage backend validates user-supplied paths for .. traversal before it converts Windows-style backslashes to… |
| CVE-2026-49869 | 2026-06-26 | CRITICAL | 10.0 | Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint from Basic Auth. Because… |
| CVE-2026-45807 | 2026-06-26 | HIGH | 7.7 | Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API endpoints accept a kestra:// URI from the client and pass it through StorageInterface.parentTraversalGuard… |
| CVE-2026-38571 | 2026-06-26 | N/A | 0.0 | Cleartext storage and exposure of WPA2 credentials, and missing authentication on the rr/wr memory read/write commands, in the unauthenticated UART debug console of the Tenda N300 F3 (V603)… |
| CVE-2026-36908 | 2026-06-26 | N/A | 0.0 | A stack overflow in the AP4_Array::EnsureCapacity component of axiomatic-systems Bento4 before v1.8.9 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file. |
| CVE-2026-36907 | 2026-06-26 | N/A | 0.0 | A stack overflow in the AP4_StsdAtom::AP4_StsdAtom component of axiomatic-systems Bento4 before v1.8.9 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file. |
| CVE-2026-36478 | 2026-06-26 | N/A | 0.0 | An issue in Technitium DNS Server v.14.3 and before allows a remote attacker to cause a denial of service via the DnsServerApp.exe, DnsServerApp.dll, TechnitiumLibrary.Net/Dns/DnsClient.cs components. |
| CVE-2026-57661 | 2026-06-26 | MEDIUM | 5.4 | Subscriber Broken Access Control in WPComplete |
| CVE-2026-57655 | 2026-06-26 | HIGH | 8.2 | Unauthenticated Cross Site Request Forgery (CSRF) in Child Theme Wizard |
| CVE-2026-57649 | 2026-06-26 | MEDIUM | 4.3 | Subscriber Broken Access Control in Shoppable Images Lite |
| CVE-2026-57643 | 2026-06-26 | HIGH | 8.5 | Contributor SQL Injection in WP Post Author |
| CVE-2026-57636 | 2026-06-26 | HIGH | 8.5 | Contributor SQL Injection in wpForo Forum |
| CVE-2026-57630 | 2026-06-26 | MEDIUM | 5.3 | Unauthenticated Insecure Direct Object References (IDOR) in Blocksy Companion Pro |
| CVE-2026-57617 | 2026-06-26 | MEDIUM | 6.5 | Contributor Cross Site Scripting (XSS) in SeedProd Pro < 6.19.5 versions. |
| CVE-2026-57322 | 2026-06-26 | HIGH | 7.1 | Unauthenticated Cross Site Scripting (XSS) in weMail |
| CVE-2026-57315 | 2026-06-26 | HIGH | 8.5 | Contributor Remote Code Execution (RCE) in Blocksy Companion Pro |
| CVE-2026-56069 | 2026-06-26 | HIGH | 7.5 | Unauthenticated Insecure Direct Object References (IDOR) in Toolset Forms |
| CVE-2026-56062 | 2026-06-26 | CRITICAL | 9.3 | Unauthenticated SQL Injection in Quotes llama |
| CVE-2026-56055 | 2026-06-26 | HIGH | 8.8 | Subscriber PHP Object Injection in RealHomes |