Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2026-34369 2026-03-27 MEDIUM 5.3 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_file` and `get_api_video` API endpoints in AVideo return full video playback sources…
CVE-2026-29180 2026-03-27 N/A 0.0 Fleet is open source device management software. Prior to 4.81.1, a broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from…
CVE-2026-26061 2026-03-27 N/A 0.0 Fleet is open source device management software. Prior to 4.81.0, Fleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated attacker…
CVE-2026-26060 2026-03-27 N/A 0.0 Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after…
CVE-2025-69986 2026-03-27 HIGH 7.2 A buffer overflow vulnerability exists in the ONVIF GetStreamUri function of LSC Indoor Camera V7.6.32. The application fails to validate the length of the Protocol parameter inside the…
CVE-2025-15612 2026-03-27 MEDIUM 4.8 Wazuh provisioning scripts and Dockerfiles contain an insecure transport vulnerability where curl is invoked with the -k/--insecure flag, disabling SSL/TLS certificate validation. Attackers with network access can perform…
CVE-2026-4968 2026-03-27 MEDIUM 4.3 A vulnerability was determined in SourceCodester Diary App 1.0. The affected element is an unknown function of the file diary.php. Executing a manipulation can lead to cross-site request…
CVE-2026-4966 2026-03-27 MEDIUM 6.3 A flaw has been found in itsourcecode Free Hotel Reservation System 1.0. Impacted is an unknown function of the file /admin/mod_room/index.php?view=edit. Executing a manipulation of the argument ID…
CVE-2026-4965 2026-03-27 HIGH 7.3 A vulnerability was detected in letta-ai letta 0.16.4. This issue affects the function resolve_type of the file letta/functions/ast_parsers.py of the component Incomplete Fix CVE-2025-6101. Performing a manipulation results…
CVE-2026-3529 2026-03-26 MEDIUM 6.1 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS).This issue affects Google Analytics GA4: from 0.0.0 before…
CVE-2026-34368 2026-03-27 MEDIUM 5.3 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `transferBalance()` method in `plugin/YPTWallet/YPTWallet.php` contains a Time-of-Check-Time-of-Use (TOCTOU) race condition. The method…
CVE-2026-30568 2026-03-27 N/A 0.0 A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0 in in the view_purchase.php file via the "limit" parameter. The application fails to sanitize the input,…
CVE-2026-30567 2026-03-27 N/A 0.0 A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0 in the view_product.php file via the "limit" parameter. The application fails to sanitize the input, allowing…
CVE-2026-3528 2026-03-26 MEDIUM 6.1 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Calculation Fields allows Cross-Site Scripting (XSS).This issue affects Calculation Fields: from 0.0.0 before 1.0.4.
CVE-2025-15617 2026-03-27 MEDIUM 6.5 Wazuh version 4.12.0 contains an exposure vulnerability in GitHub Actions workflow artifacts that allows attackers to extract the GITHUB_TOKEN from uploaded artifacts. Attackers can use the exposed token…
CVE-2026-4964 2026-03-27 MEDIUM 6.3 A security vulnerability has been detected in letta-ai letta 0.16.4. This vulnerability affects the function _convert_message_create_to_message of the file letta/helpers/message_helper.py of the component File URL Handler. Such manipulation…
CVE-2026-4963 2026-03-27 MEDIUM 6.3 A weakness has been identified in huggingface smolagents 1.25.0.dev0. This affects the function evaluate_augassign/evaluate_call/evaluate_with of the file src/smolagents/local_python_executor.py of the component Incomplete Fix CVE-2025-9959. This manipulation causes code…
CVE-2026-4962 2026-03-27 HIGH 7.0 A security flaw has been discovered in UltraVNC up to 1.6.4.0. Affected by this issue is some unknown functionality in the library version.dll of the component Service. The…
CVE-2026-4961 2026-03-27 HIGH 8.8 A vulnerability was identified in Tenda AC6 15.03.05.16. Affected by this vulnerability is the function formQuickIndex of the file /goform/QuickIndex of the component POST Request Handler. The manipulation…
CVE-2026-4960 2026-03-27 HIGH 8.8 A vulnerability was determined in Tenda AC6 15.03.05.16. Affected is the function fromWizardHandle of the file /goform/WizardHandle of the component POST Request Handler. Executing a manipulation of the…
CVE-2026-34411 2026-03-27 MEDIUM 5.3 Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configuration metadata, license information,…
CVE-2026-34362 2026-03-27 MEDIUM 5.4 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `verifyTokenSocket()` function in `plugin/YPTSocket/functions.php` has its token timeout validation commented out, causing…
CVE-2026-34247 2026-03-27 MEDIUM 5.4 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Live/uploadPoster.php` endpoint allows any authenticated user to overwrite the poster image for…
CVE-2026-34245 2026-03-27 MEDIUM 6.3 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/PlayLists/View/Playlists_schedules/add.json.php` endpoint allows any authenticated user with streaming permission to create or…
CVE-2026-33770 2026-03-27 N/A 0.0 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `fixCleanTitle()` static method in `objects/category.php` constructs a SQL SELECT query by directly…
CVE-2026-33767 2026-03-27 N/A 0.0 WWBN AVideo is an open source video platform. In versions up to and including 26.0, in `objects/like.php`, the `getLike()` method constructs a SQL query using a prepared statement…
CVE-2026-32859 2026-03-27 MEDIUM 5.4 ByteDance Deer-Flow versions prior to commit 5dbb362 contain a stored cross-site scripting vulnerability in the artifacts API that allows attackers to execute arbitrary scripts by uploading malicious HTML or…
CVE-2026-32857 2026-03-26 HIGH 8.6 Firecrawl version 2.8.0 and prior contain a server-side request forgery (SSRF) protection bypass vulnerability in the Playwright scraping service where network policy validation is applied only to the…
CVE-2026-30571 2026-03-27 N/A 0.0 A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0 in the view_category.php file via the "limit" parameter. The application fails to sanitize the input, allowing…
CVE-2026-30570 2026-03-27 N/A 0.0 A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0 in the view_sales.php file via the "limit" parameter. The application fails to sanitize the input, allowing…
CVE-2026-30569 2026-03-27 N/A 0.0 A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0. The vulnerability is located in the view_stock_availability.php file via the "limit" parameter. The application fails to…
CVE-2026-28369 2026-03-27 HIGH 8.7 A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request…
CVE-2026-28368 2026-03-27 HIGH 8.7 A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream…
CVE-2026-28367 2026-03-27 HIGH 8.7 A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling…
CVE-2026-27876 2026-03-27 CRITICAL 9.1 A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in…
CVE-2025-15616 2026-03-27 MEDIUM 6.7 Wazuh wazuh-agent and wazuh-manager versions 2.1.0 before 4.8.0 contain multiple shell injection and untrusted search path vulnerabilities that allow attackers to execute arbitrary commands through various components including…
CVE-2025-15615 2026-03-27 MEDIUM 5.8 Wazuh Manager authd service in wazuh-manager packages through version 4.7.3 contains an improper restriction of client-initiated SSL/TLS renegotiation vulnerability that allows remote attackers to cause a denial of…
CVE-2025-15381 2026-03-27 HIGH 8.1 In the latest version of mlflow/mlflow, when the `basic-auth` app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including…
CVE-2026-4959 2026-03-27 HIGH 7.3 A vulnerability was found in OpenBMB XAgent 1.0.0. This impacts the function check_user of the file XAgentServer/application/websockets/share.py of the component ShareServer WebSocket Endpoint. Performing a manipulation of the…
CVE-2026-4958 2026-03-27 LOW 3.1 A vulnerability has been found in OpenBMB XAgent 1.0.0. This affects the function ReplayServer.on_connect/ReplayServer.send_data of the file XAgentServer/application/websockets/replayer.py of the component WebSocket Endpoint. Such manipulation of the argument…
CVE-2026-32984 2026-03-27 LOW 3.5 Wazuh authd contains a heap-buffer overflow vulnerability that allows attackers to cause memory corruption and malformed heap data by sending specially crafted input. Attackers can exploit this vulnerability…
CVE-2026-32983 2026-03-27 MEDIUM 5.8 Wazuh Manager authd service in wazuh-manager packages through version 4.7.3 contains an improper restriction of client-initiated SSL/TLS renegotiation vulnerability that allows remote attackers to cause a denial of…
CVE-2026-30534 2026-03-27 N/A 0.0 A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in admin/manage_category.php via the "id" parameter.
CVE-2026-30533 2026-03-27 N/A 0.0 A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the admin/manage_product.php file via the "id" parameter.
CVE-2026-30532 2026-03-27 N/A 0.0 A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the admin/view_product.php file via the "id" parameter.
CVE-2026-30531 2026-03-27 N/A 0.0 A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_category action). The application fails to properly sanitize user input…
CVE-2026-30527 2026-03-27 N/A 0.0 A Stored Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Category management module within the admin panel. The application fails to properly…
CVE-2026-30302 2026-03-27 N/A 0.0 The command auto-approval module in CodeRider-Kilo contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of an incompatible…
CVE-2025-69988 2026-03-27 MEDIUM 6.5 BS Producten Petcam 33.1.0.0818 is vulnerable to Incorrect Access Control. An unauthenticated attacker in physical proximity can associate with this open network. Once connected, the attacker gains access…
CVE-2023-7340 2026-03-27 LOW 3.5 Wazuh authd contains a heap-buffer overflow vulnerability that allows attackers to cause memory corruption and malformed heap data by sending specially crafted input. Attackers can exploit this vulnerability…
« Anterior Página 2 de 4098 Siguiente »