CVE Vulnerabilities

Below is the list of the latest vulnerabilities published by NIST in the National Vulnerability Database (NVD). Severity and score are the CVSS base metrics shown by NVD; an entry listed as N/A / 0.0 has no published score yet (it is still awaiting analysis, or the ID has been rejected), so a 0.0 must not be read as "low".

| CVE ID | Published | Severity | CVSS | Description |
|---|---|---|---|---|
| CVE-2025-40891 | 2025-12-18 | MEDIUM | 4.7 | A Stored HTML Injection vulnerability was discovered in the Time Machine Snapshot Diff functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially… |
| CVE-2025-14618 | 2025-12-18 | MEDIUM | 4.3 | The Sweet Energy Efficiency plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on the 'sweet_energy_efficiency_action' AJAX handler… |
| CVE-2025-14437 | 2025-12-18 | HIGH | 7.5 | The Hummingbird Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.18.0 via the 'request' function. This makes it possible… |
| CVE-2025-14277 | 2025-12-18 | MEDIUM | 4.3 | The Prime Slider – Addons for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.9 via the import_elementor_template AJAX… |
| CVE-2025-13110 | 2025-12-18 | MEDIUM | 4.3 | The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.3 via the… |
| CVE-2025-10910 | 2025-12-18 | N/A | 0.0 | A flaw in the binding process of Govee's cloud platform and devices allows a remote attacker to bind an existing, online Govee device to the attacker's account, resulting… |
| CVE-2025-40602 | 2025-12-18 | MEDIUM | 6.6 | A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC). |
| CVE-2025-64997 | 2025-12-18 | N/A | 0.0 | Insufficient permission validation in Checkmk versions prior to 2.4.0p17 and 2.3.0p42 allows low-privileged users to view agent information via the REST API, which could lead to information disclosure. |
| CVE-2025-14364 | 2025-12-18 | HIGH | 8.8 | The Demo Importer Plus plugin for WordPress is vulnerable to unauthorized modification of data, loss of data, and privilege escalation due to a missing capability check on the… |
| CVE-2025-13730 | 2025-12-18 | MEDIUM | 6.4 | The OpenID Connect Generic Client plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'openid_connect_generic_auth_url' shortcode in all versions up to, and including, 3.10.0 due… |
| CVE-2025-58935 | 2025-12-18 | N/A | 0.0 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Lunna lunna allows PHP Local File Inclusion. This issue affects Lunna: from… |
| CVE-2025-43529 | 2025-12-17 | HIGH | 8.8 | A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 26.2, Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2,… |
| CVE-2025-20393 | 2025-12-17 | CRITICAL | 10.0 | Cisco is aware of a potential vulnerability. Cisco is currently investigating and will update these details as appropriate as more information becomes available. |
| CVE-2025-14319 | 2025-12-17 | N/A | 0.0 | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. |
| CVE-2025-14268 | 2025-12-17 | N/A | 0.0 | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. |
| CVE-2025-59374 | 2025-12-17 | N/A | 0.0 | "UNSUPPORTED WHEN ASSIGNED" Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific… |
| CVE-2025-67895 | 2025-12-17 | CRITICAL | 9.8 | Edge3 Worker RPC RCE on Airflow 2. This issue affects Apache Airflow Providers Edge3: before 2.0.0 - and only if you installed and configured it on Airflow 2.… |
| CVE-2025-53919 | 2025-12-17 | HIGH | 7.8 | An issue was discovered in the Portrait Dell Color Management application through 3.3.008 for Dell monitors. It creates a temporary folder, with weak permissions, during installation and uninstallation.… |
| CVE-2025-67165 | 2025-12-17 | CRITICAL | 9.8 | An Insecure Direct Object Reference (IDOR) in Pagekit CMS v1.0.18 allows attackers to escalate privileges. |
| CVE-2025-67164 | 2025-12-17 | CRITICAL | 9.9 | An authenticated arbitrary file upload vulnerability in the /storage/poc.php component of Pagekit CMS v1.0.18 allows attackers to execute arbitrary code via uploading a crafted PHP file. |
| CVE-2025-66921 | 2025-12-17 | HIGH | 7.2 | A Cross-site scripting (XSS) vulnerability in Create/Update Item(s) Module in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the… |
| CVE-2025-65185 | 2025-12-17 | LOW | 2.8 | There is a username enumeration via local user login in Entrinsik Informer v5.10.1 which allows malicious users to enumerate users by entering an OTP code and new password… |
| CVE-2025-14828 | 2025-12-17 | N/A | 0.0 | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been… |
| CVE-2025-14817 | 2025-12-17 | MEDIUM | 6.5 | The component com.transsion.tranfacmode.entrance.main.MainActivity in com.transsion.tranfacmode has no permission control and can be accessed by third-party apps which can construct intents to directly open adb debugging functionality without user… |
| CVE-2024-29371 | 2025-12-17 | HIGH | 7.5 | In jose4j before 0.9.5, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When… |
| CVE-2025-67285 | 2025-12-17 | HIGH | 7.3 | A SQL injection vulnerability was found in the '/cts/admin/?page=zone' file of ITSourcecode COVID Tracking System Using QR-Code v1.0. The reason for this issue is that attackers inject malicious… |
| CVE-2025-65855 | 2025-12-17 | MEDIUM | 6.6 | The OTA firmware update mechanism in Netun Solutions HelpFlash IoT (firmware v18_178_221102_ASCII_PRO_1R5_50) uses hard-coded WiFi credentials identical across all devices and does not authenticate update servers or validate… |
| CVE-2025-53398 | 2025-12-17 | N/A | 0.0 | The Portrait Dell Color Management application 3.3.8 for Dell monitors has Insecure Permissions, |
| CVE-2025-44005 | 2025-12-17 | CRITICAL | 10.0 | An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks. |
| CVE-2025-26381 | 2025-12-17 | N/A | 0.0 | Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information. |
| CVE-2024-29370 | 2025-12-17 | MEDIUM | 5.3 | In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally… |
| CVE-2025-43873 | 2025-12-17 | N/A | 0.0 | Successful exploitation of these vulnerabilities could allow an attacker to modify firmware and gain full access to the device. |
| CVE-2025-14727 | 2025-12-17 | HIGH | 8.3 | A vulnerability exists in NGINX Ingress Controller's nginx.org/rewrite-target annotation validation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
| CVE-2022-23851 | 2025-12-17 | CRITICAL | 9.8 | Netaxis API Orchestrator (APIO) before 0.19.3 allows server side template injection (SSTI). |
| CVE-2025-65834 | 2025-12-16 | CRITICAL | 9.8 | Meltytech Shotcut 25.10.31 is vulnerable to Buffer Overflow. A memory access violation occurs when processing MLT project files with manipulated width and height parameters. By setting these values… |
| CVE-2025-65593 | 2025-12-16 | HIGH | 8.8 | nopCommerce 4.90.0 is vulnerable to Cross Site Request Forgery (CSRF) via the Schedule Tasks functionality. |
| CVE-2025-62864 | 2025-12-16 | CRITICAL | 9.8 | Ampere AmpereOne AC03 devices before 3.5.9.3, AmpereOne AC04 devices before 4.4.5.2, and AmpereOne M devices before 5.4.5.1 allow an incorrectly formed SMC call to UEFI-MM MMCommunicate service that… |
| CVE-2025-62863 | 2025-12-16 | CRITICAL | 9.8 | Ampere AmpereOne AC03 devices before 3.5.9.3, AmpereOne AC04 devices before 4.4.5.2, and AmpereOne M devices before 5.4.5.1 allow an incorrectly formed SMC call to UEFI-MM PCIe driver that… |
| CVE-2025-52196 | 2025-12-16 | HIGH | 7.5 | Server-Side Request Forgery (SSRF) vulnerability in Ctera Portal 8.1.x (8.1.1417.24) allows remote attackers to induce the server to make arbitrary HTTP requests via a crafted HTML file containing… |
| CVE-2025-14266 | 2025-12-17 | N/A | 0.0 | CSRF in Ercom Cryptobox administration console allows attacker to trigger some actions on behalf of a Cryptobox administrator. The attack requires the administrator to browse a malicious web… |
| CVE-2025-14765 | 2025-12-16 | HIGH | 8.8 | Use after free in WebGPU in Google Chrome prior to 143.0.7499.147 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity:… |
| CVE-2025-14095 | 2025-12-17 | MEDIUM | 6.8 | A "Privilege boundary violation" vulnerability is identified affecting multiple Radiometer Products. Exploitation of this vulnerability gives a user with physical access to the analyzer the possibility to gain… |
| CVE-2025-62690 | 2025-12-17 | LOW | 3.1 | Mattermost versions 10.11.x |
| CVE-2025-62190 | 2025-12-17 | MEDIUM | 4.3 | Mattermost versions 11.0.x |
| CVE-2025-61736 | 2025-12-17 | N/A | 0.0 | Successful exploitation of this vulnerability could result in the product failing to re-establish communication once the certificate expires. |
| CVE-2025-14097 | 2025-12-17 | HIGH | 7.2 | A vulnerability in the application software of multiple Radiometer products may allow remote code execution and unauthorized device management when specific internal conditions are met. Exploitation requires that… |
| CVE-2025-14096 | 2025-12-17 | HIGH | 8.4 | A vulnerability exists in multiple Radiometer products that allows an attacker with physical access to the analyzer the possibility to extract credential information. The vulnerability is due to a… |
| CVE-2025-13352 | 2025-12-17 | LOW | 3.0 | Mattermost versions 10.11.x |
| CVE-2025-14101 | 2025-12-17 | HIGH | 7.1 | Authorization Bypass Through User-Controlled Key vulnerability in GG Soft Software Services Inc. PaperWork allows Exploitation of Trusted Identifiers. This issue affects PaperWork: from 5.2.0.9427 before 6.0. |
| CVE-2025-14347 | 2025-12-17 | MEDIUM | 6.3 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Proliz Software Ltd. OBS (Student Affairs Information System) allows Reflected XSS. This issue affects OBS… |
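As an added example, not part of the listing above and not NVD's own tooling: a Python script that turns an NVD CVE API 2.0 response into rows of the same shape as this table and triages them, keeping unscored entries (shown here as N/A / 0.0) and rejected IDs apart from genuinely low scores. The sample response is constructed inline from four rows of the listing; its `vulnStatus` values, `type: Primary/Secondary` metric labels and `cvssMetricV*` keys follow the NVD 2.0 schema as I know it and are assumptions, not data fetched from NVD.

```python
"""Render NVD CVE API 2.0 records as "ID Published Severity CVSS Description" rows
and triage them. Constructed sample data; not fetched from NVD."""
from __future__ import annotations
import json
from dataclasses import dataclass

# Constructed from four rows of the listing above; schema details are assumptions.
SAMPLE_RESPONSE = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-2025-20393", "published": "2025-12-17T00:00:00.000",
             "vulnStatus": "Analyzed",
             "descriptions": [{"lang": "en", "value": "Cisco is aware of a potential vulnerability. "
                               "Cisco is currently investigating and will update these details as "
                               "appropriate as more information becomes available."}],
             "metrics": {"cvssMetricV31": [{"type": "Primary",
                         "cvssData": {"baseScore": 10.0, "baseSeverity": "CRITICAL"}}]}}},
    {"cve": {"id": "CVE-2025-14277", "published": "2025-12-18T00:00:00.000",
             "vulnStatus": "Analyzed",
             "descriptions": [{"lang": "en", "value": "The Prime Slider plugin for WordPress is "
                               "vulnerable to Server-Side Request Forgery."}],
             # Only a CNA-supplied (Secondary) score: still usable when no Primary exists
             "metrics": {"cvssMetricV31": [{"type": "Secondary",
                         "cvssData": {"baseScore": 4.3, "baseSeverity": "MEDIUM"}}]}}},
    {"cve": {"id": "CVE-2025-10910", "published": "2025-12-18T00:00:00.000",
             "vulnStatus": "Awaiting Analysis",   # no metrics at all yet -> N/A, not "low"
             "descriptions": [{"lang": "en", "value": "A flaw in the binding process of Govee's "
                               "cloud platform and devices allows a remote attacker to bind a device."}],
             "metrics": {}}},
    {"cve": {"id": "CVE-2025-14319", "published": "2025-12-17T00:00:00.000",
             "vulnStatus": "Rejected",
             "descriptions": [{"lang": "en", "value": "Rejected reason: This CVE ID has been "
                               "rejected or withdrawn by its CVE Numbering Authority."}],
             "metrics": {}}},
]})

# Newest CVSS version first (assumed preference; NVD may carry several in parallel).
METRIC_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


@dataclass
class Row:
    cve_id: str
    published: str   # YYYY-MM-DD
    severity: str    # CRITICAL / HIGH / MEDIUM / LOW, or N/A when unscored
    score: float     # 0.0 when unscored
    status: str      # NVD vulnStatus
    description: str


def pick_metric(metrics: dict) -> tuple[float, str]:
    """Return (baseScore, baseSeverity); prefer the NVD-issued Primary score, else any."""
    for key in METRIC_KEYS:
        entries = metrics.get(key) or []
        chosen = [m for m in entries if m.get("type") == "Primary"] or entries
        if chosen:
            m = chosen[0]
            data = m.get("cvssData", {})
            # CVSS v2 records keep baseSeverity beside cvssData rather than inside it
            sev = data.get("baseSeverity") or m.get("baseSeverity") or "N/A"
            return float(data.get("baseScore", 0.0)), str(sev).upper()
    return 0.0, "N/A"


def english_description(descs: list[dict]) -> str:
    for d in descs:
        if d.get("lang") == "en":
            return d.get("value", "")
    return descs[0].get("value", "") if descs else ""


def parse_nvd(raw_json: str) -> list[Row]:
    rows = []
    for item in json.loads(raw_json).get("vulnerabilities", []):
        cve = item["cve"]
        score, sev = pick_metric(cve.get("metrics") or {})
        rows.append(Row(cve["id"], cve["published"][:10], sev, score,
                        cve.get("vulnStatus", ""), english_description(cve.get("descriptions", []))))
    return rows


def triage(rows: list[Row], min_score: float = 7.0):
    """Split rows into (actionable, needs_review, ignore).
    Unscored entries go to review: a missing score is not a low score."""
    actionable, review, ignore = [], [], []
    for r in rows:
        if r.status == "Rejected" or r.description.startswith("Rejected reason"):
            ignore.append(r)
        elif r.severity == "N/A":
            review.append(r)
        elif r.score >= min_score:
            actionable.append(r)
        else:
            ignore.append(r)
    return actionable, review, ignore


def format_row(r: Row, width: int = 80) -> str:
    desc = r.description if len(r.description) <= width else r.description[:width - 1] + "…"
    return f"{r.cve_id} {r.published} {r.severity} {r.score:.1f} {desc}"


if __name__ == "__main__":
    act, rev, ign = triage(parse_nvd(SAMPLE_RESPONSE))
    for label, group in (("actionable", act), ("needs review", rev), ("ignore", ign)):
        print(f"== {label}")
        for r in group:
            print(format_row(r))
```

To run it against live data, replace `SAMPLE_RESPONSE` with the body returned by NVD's CVE API 2.0 for a `pubStartDate`/`pubEndDate` window; the rest of the script does not change. The point of the three-way split is the middle bucket: the listing above shows several N/A / 0.0 entries that a threshold filter on the score alone would silently drop.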