Kit ISO 27001
Engineering and Consulting
Resources
ISO 27001
ISO 27001 – GAP Analysis Tool
Cybersecurity
CVE Vulnerabilities
Blog
Contact
Get the Toolkit
CVE Vulnerabilities
drmunozcl
2025-06-04T18:44:58-04:00
Below is the list of the most recently published vulnerabilities as recorded in NIST's National Vulnerability Database (NVD). CVE IDs are assigned by CVE Numbering Authorities; NVD adds the publication date, CVSS score and severity shown here. Entries NVD has not yet scored appear with severity "N/A" and score "0.0".
The list can be filtered by severity (All, NONE, LOW, MEDIUM, HIGH, CRITICAL, UNKNOWN) or by a single CVE ID.
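The table below is the kind of view you get by pulling the NVD API 2.0 feed, reading each record's CVSS metric block, and filtering on severity. The following is an added example (not code from this site or from NIST) showing how to do that offline: it parses the NVD API 2.0 JSON shape (`vulnerabilities[].cve` with `metrics.cvssMetricV40/V31/V30/V2` and `descriptions[]`), maps records with no metrics to `UNKNOWN` (displayed as "N/A / 0.0" above), truncates descriptions the way the table does, and filters by severity or CVE ID. The sample document is constructed by hand from three rows visible on this page; the timestamps and description texts in it are placeholders, not the real NVD records. `fetch_published_between` targets the real NVD endpoint and its `pubStartDate`/`pubEndDate` parameters but is not called by the offline demo.

```python
import json
import urllib.parse
import urllib.request

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"

# NVD API 2.0 metric lists, most specific first. v4.0/v3.x carry baseSeverity
# inside cvssData; v2 carries it on the metric object itself.
_METRIC_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


def severity_of(cve):
    """Return (severity, base_score) for one NVD `cve` object, or ("UNKNOWN", None)."""
    metrics = cve.get("metrics") or {}
    for key in _METRIC_KEYS:
        entries = metrics.get(key) or []
        if not entries:
            continue
        # Prefer NVD's own ("Primary") assessment when several sources scored it.
        entry = next((m for m in entries if m.get("type") == "Primary"), entries[0])
        data = entry.get("cvssData", {})
        score = data.get("baseScore")
        sev = data.get("baseSeverity") or entry.get("baseSeverity")
        if score is not None and sev:
            return sev.upper(), float(score)
    return "UNKNOWN", None


def english_description(cve):
    for d in cve.get("descriptions", []):
        if d.get("lang") == "en":
            return d.get("value", "")
    return ""


def truncate(text, limit=150):
    """Cut at the last word boundary within `limit` chars and append an ellipsis."""
    if len(text) <= limit:
        return text
    return text[:limit].rsplit(" ", 1)[0] + "…"


def build_rows(doc):
    """Flatten an NVD API 2.0 response into table rows like the ones on this page."""
    rows = []
    for item in doc.get("vulnerabilities", []):
        cve = item["cve"]
        sev, score = severity_of(cve)
        rows.append({
            "cve": cve["id"],
            "published": cve.get("published", "")[:10],  # keep the date part only
            "severity": sev,
            "cvss": score,
            "description": truncate(english_description(cve)),
        })
    return rows


def filter_rows(rows, severities=None, cve_id=None):
    """Apply the page's two filters: a set of severities and/or one exact CVE ID."""
    out = []
    for r in rows:
        if severities and r["severity"] not in severities:
            continue
        if cve_id and r["cve"] != cve_id.upper():
            continue
        out.append(r)
    return out


def fetch_published_between(start, end):
    """Query the live NVD API for CVEs published in [start, end] (ISO-8601 with millis).
    Assumption: the pubStartDate/pubEndDate parameters as documented for API 2.0."""
    q = urllib.parse.urlencode({"pubStartDate": start, "pubEndDate": end})
    with urllib.request.urlopen(f"{NVD_API}?{q}", timeout=30) as resp:
        return json.load(resp)


def _cve(cve_id, desc, metrics=None):
    # Constructed record in NVD API 2.0 shape; timestamp and text are placeholders.
    return {"cve": {"id": cve_id, "published": "2026-03-10T00:00:00.000",
                    "descriptions": [{"lang": "en", "value": desc}],
                    "metrics": metrics or {}}}


def _v31(score, sev):
    return {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
                               "cvssData": {"version": "3.1", "baseScore": score,
                                            "baseSeverity": sev}}]}


SAMPLE = {"vulnerabilities": [  # constructed sample; IDs and scores match rows on this page
    _cve("CVE-2026-30919", "facileManager stored XSS (constructed placeholder text).",
         _v31(7.6, "HIGH")),
    _cve("CVE-2026-30917", "Bucket MediaWiki extension stored XSS (constructed placeholder text)."),
    _cve("CVE-2026-30887", "OneUptime synthetic monitor code execution (constructed placeholder text).",
         _v31(9.9, "CRITICAL")),
]}

if __name__ == "__main__":
    for row in filter_rows(build_rows(SAMPLE), severities={"HIGH", "CRITICAL"}):
        print(row["cve"], row["published"], row["severity"], row["cvss"], row["description"])
```

Note that the UNKNOWN rows are the interesting ones operationally: an unscored CVE is not a low-severity CVE, so a triage filter that drops everything below HIGH should either include UNKNOWN or re-query those IDs once NVD has analysed them.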
CVE ID | Published | Severity | CVSS | Description
CVE-2026-30919 | 2026-03-10 | HIGH | 7.6 | facileManager is a modular suite of web apps built with the sysadmin in mind. Prior to 6.0.4, stored XSS (also known as persistent or second-order XSS) occurs…
CVE-2026-30918 | 2026-03-10 | HIGH | 7.6 | facileManager is a modular suite of web apps built with the sysadmin in mind. Prior to 6.0.4, a reflected XSS occurs when an application receives data from…
CVE-2026-30917 | 2026-03-10 | N/A | 0.0 | Bucket is a MediaWiki extension to store and retrieve structured data on articles. Prior to 2.1.1, a stored XSS can be inserted into any Bucket table field that…
CVE-2026-30916 | 2026-03-10 | N/A | 0.0 | Shescape is a simple shell escape library for JavaScript. Prior to 2.1.9, an attacker may be able to bypass escaping for the shell being used. This can result,…
CVE-2026-30913 | 2026-03-10 | MEDIUM | 4.6 | Flarum is open-source forum software. When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink.…
CVE-2026-30887 | 2026-03-10 | CRITICAL | 9.9 | OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites.…
CVE-2026-30885 | 2026-03-10 | N/A | 0.0 | WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker…
CVE-2026-30870 | 2026-03-10 | MEDIUM | 6.5 | PowerSync Service is the server-side component of the PowerSync sync engine. In version 1.20.0, when using new sync streams with config.edition: 3, certain subquery filters were ignored when…
CVE-2026-30869 | 2026-03-10 | CRITICAL | 9.3 | SiYuan is a personal knowledge management system. Prior to 3.5.10, a path traversal vulnerability in the /export endpoint allows an attacker to read arbitrary files from the server…
CVE-2026-30862 | 2026-03-10 | CRITICAL | 9.0 | Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.96, a Critical Stored XSS vulnerability exists in the Table Widget (TableWidgetV2). The root…
CVE-2026-2364 | 2026-03-10 | HIGH | 7.3 | If a legitimate user confirms a self-update prompt or initiates an installation of a CODESYS Development System, a low privileged local attacker can gain elevated rights due to…
CVE-2026-29773 | 2026-03-10 | MEDIUM | 4.3 | Kubewarden is a policy engine for Kubernetes. Kubewarden cluster operators can grant permissions to users to deploy namespaced AdmissionPolicies and AdmissionPolicyGroups in their Namespaces. One of Kubewarden promises…
CVE-2026-28513 | 2026-03-10 | HIGH | 8.5 | Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code…
CVE-2026-28512 | 2026-03-10 | HIGH | 7.1 | Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation…
CVE-2026-28281 | 2026-03-10 | HIGH | 7.1 | InstantCMS is a free and open source content management system. Prior to 2.18.1, InstantCMS does not validate CSRF tokens, which allows attackers to grant moderator privileges to users, execute…
CVE-2026-28267 | 2026-03-10 | MEDIUM | 5.5 | Multiple i-フィルター products are configured with improper file access permission settings. Files may be created or overwritten in the system directory or backup directory by a non-administrative user.
CVE-2026-27689 | 2026-03-10 | HIGH | 7.7 | Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with…
CVE-2026-27688 | 2026-03-10 | MEDIUM | 5.0 | Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with user privileges could read Database Analyzer Log Files via a specific…
CVE-2026-27687 | 2026-03-10 | MEDIUM | 5.8 | Due to a missing authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal, a user with high privileges could access sensitive data belonging to another company.…
CVE-2026-27686 | 2026-03-10 | MEDIUM | 5.9 | Due to a Missing Authorization Check in SAP Business Warehouse (Service API), an authenticated attacker could perform unauthorized actions via an affected RFC function module. Successful exploitation could…
CVE-2026-27685 | 2026-03-10 | CRITICAL | 9.1 | SAP NetWeaver Enterprise Portal Administration is vulnerable if a privileged user uploads untrusted or malicious content that, upon deserialization, could result in a high impact on the confidentiality,…
CVE-2026-27684 | 2026-03-10 | MEDIUM | 6.4 | SAP NetWeaver Feedback Notifications Service contains a SQL injection vulnerability that allows an authenticated attacker to inject arbitrary SQL code through user-controlled input fields. The application concatenates these…
CVE-2026-24317 | 2026-03-10 | MEDIUM | 5.0 | SAP GUI for Windows allows DLL files to be loaded from arbitrary directories within the application. An unauthenticated attacker could exploit this vulnerability by persuading a victim to…
CVE-2026-24316 | 2026-03-10 | MEDIUM | 6.4 | SAP NetWeaver Application Server for ABAP provides an ABAP Report for testing purposes, which allows sending HTTP requests to arbitrary internal or external endpoints. The report is…
CVE-2026-24313 | 2026-03-10 | MEDIUM | 5.0 | SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowing system information to be disclosed. This vulnerability…
CVE-2026-24311 | 2026-03-10 | MEDIUM | 5.6 | The SAP Customer Checkout application exhibits certain design characteristics that involve locally storing operational data using reversible protection mechanisms. Access to this data, combined with user-initiated interaction, may…
CVE-2026-24310 | 2026-03-10 | LOW | 3.5 | Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute a specific ABAP function module and read sensitive information from the database…
CVE-2026-24309 | 2026-03-10 | MEDIUM | 6.4 | Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute a specific ABAP function module to read, modify or insert entries into…
CVE-2026-1920 | 2026-03-10 | MEDIUM | 5.3 | The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the…
CVE-2026-1919 | 2026-03-10 | MEDIUM | 5.3 | The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple…
CVE-2026-1508 | 2026-03-10 | MEDIUM | 4.3 | The Court Reservation WordPress plugin before 1.10.9 does not have a CSRF check in place when deleting events, which could allow attackers to make a logged-in admin delete…
CVE-2026-0953 | 2026-03-10 | CRITICAL | 9.8 | The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due…
CVE-2026-0489 | 2026-03-10 | MEDIUM | 6.1 | Due to insufficient validation of user-controlled input in the URLs query parameter, SAP Business One Job Service could allow an unauthenticated attacker to inject specially crafted input which…
CVE-2025-36173 | 2026-03-10 | MEDIUM | 6.1 | Affected Product(s): InfoSphere Data Architect; Version(s): 9.2.1
CVE-2025-36105 | 2026-03-10 | MEDIUM | 4.4 | IBM Planning Analytics Advanced Certified Containers 3.1.0 through 3.1.4 could allow a local privileged user to obtain sensitive information from environment variables.
CVE-2025-2399 | 2026-03-10 | MEDIUM | 5.9 | Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Mitsubishi Electric CNC M800V Series M800VW and M800VS, M80V Series M80V and M80VW, M800 Series M800W…
CVE-2025-11158 | 2026-03-10 | CRITICAL | 9.1 | Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary…
CVE-2026-29113 | 2026-03-10 | N/A | 0.0 | Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts…
CVE-2026-28495 | 2026-03-10 | CRITICAL | 9.6 | GetSimple CMS is a content management system. The massiveAdmin plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22 allows an authenticated administrator to overwrite the gsconfig.php configuration file with arbitrary PHP…
CVE-2026-27825 | 2026-03-10 | CRITICAL | 9.0 | MCP Atlassian is a Model Context Protocol (MCP) server for Atlassian products (Confluence and Jira). Prior to version 0.17.0, the `confluence_download_attachment` MCP tool accepts a `download_path` parameter that…
CVE-2026-26123 | 2026-03-10 | MEDIUM | 5.5 | Cwe is not in rca categories in Microsoft Authenticator allows an unauthorized attacker to disclose information locally. (Description as published by the CNA.)
CVE-2025-70128 | 2026-03-10 | N/A | 0.0 | A Stored Cross-Site Scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied…
CVE-2025-48611 | 2026-03-10 | CRITICAL | 10.0 | In DeviceId of DeviceId.java, there is a possible desync in persistence due to a missing bounds check. This could lead to local escalation of privilege with no additional…
CVE-2025-36227 | 2026-03-10 | MEDIUM | 5.4 | IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker…
CVE-2025-36226 | 2026-03-10 | MEDIUM | 5.4 | IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus…
CVE-2025-13219 | 2026-03-10 | MEDIUM | 5.9 | IBM Aspera Orchestrator 3.0.0 through 4.1.2 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server…
CVE-2026-28292 | 2026-03-10 | CRITICAL | 9.8 | `simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE…
CVE-2026-27826 | 2026-03-10 | HIGH | 8.2 | MCP Atlassian is a Model Context Protocol (MCP) server for Atlassian products (Confluence and Jira). Prior to version 0.17.0, an unauthenticated attacker who can reach the mcp-atlassian HTTP…
CVE-2026-27281 | 2026-03-10 | MEDIUM | 5.5 | DNG SDK versions 1.7.1 2471 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability…
CVE-2026-27280 | 2026-03-10 | HIGH | 7.8 | DNG SDK versions 1.7.1 2471 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.…
Page 201 of 4221