Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2026-29515 2026-03-11 N/A 0.0 MiCode FileExplorer contains an authentication bypass vulnerability in the embedded SwiFTP FTP server component that allows network attackers to log in without valid credentials. Attackers can send arbitrary…
CVE-2026-3453 2026-03-11 HIGH 8.1 The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.16.11. This is due to missing ownership validation on…
CVE-2026-2324 2026-03-11 MEDIUM 6.1 The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.7. This…
CVE-2026-1781 2026-03-11 MEDIUM 6.5 The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.11.1. This is due to the plugin trusting…
CVE-2025-12473 2026-03-11 MEDIUM 6.1 The RTMKit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'themebuilder' parameter in all versions up to, and including, 1.6.8 due to insufficient input sanitization…
CVE-2026-2569 2026-03-11 MEDIUM 6.4 The Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via PDF page labels in all versions…
CVE-2025-22850 2026-03-10 N/A 0.0 Time-of-check time-of-use race condition in the UEFI PdaSmm module for some Intel(R) reference platforms may allow an information disclosure. System software adversary with a privileged user combined with…
CVE-2025-22444 2026-03-10 N/A 0.0 Exposure of resource to wrong sphere in the UEFI PdaSmm module for some Intel(R) reference platforms may allow an information disclosure. System software adversary with a privileged user…
CVE-2025-20105 2026-03-10 N/A 0.0 Improper input validation in some UEFI firmware SMM module for the Intel(R) reference platforms may allow an escalation of privilege. System software adversary with a privileged user combined…
CVE-2025-20096 2026-03-10 N/A 0.0 Improper input validation in the UEFI firmware for some Intel Reference Platforms may allow an escalation of privilege. System software adversary with a privileged user combined with a…
CVE-2025-20073 2026-03-10 N/A 0.0 Improper buffer restrictions in the UEFI DXE module for some Intel(R) Reference Platforms within UEFI may allow an information disclosure. System software adversary with a privileged user combined…
CVE-2025-20068 2026-03-10 N/A 0.0 Improper input validation in the UEFI ImcErrorHandler module for some Intel(R) reference platforms may allow an escalation of privilege. System software adversary with a privileged user combined with…
CVE-2025-20064 2026-03-10 N/A 0.0 Improper input validation in the UEFI FlashUcAcmSmm module for some Intel(R) reference platforms may allow an escalation of privilege. System software adversary with a privileged user combined with…
CVE-2025-20028 2026-03-10 N/A 0.0 Time-of-check time-of-use race condition in the WheaERST SMM module for some Intel(R) reference platforms may allow an escalation of privilege. System software adversary with a privileged user combined…
CVE-2025-20027 2026-03-10 N/A 0.0 Improper input validation in the UEFI WheaERST module for some Intel(R) reference platforms may allow an escalation of privilege. System software adversary with a privileged user combined with…
CVE-2025-20005 2026-03-10 N/A 0.0 Improper buffer restrictions in some UEFI firmware for some Intel(R) reference platforms may allow an escalation of privilege. System software adversary with a privileged user combined with a…
CVE-2026-31838 2026-03-10 N/A 0.0 Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a vulnerability in Envoy RBAC header matching could allow authorization policy…
CVE-2026-31837 2026-03-10 N/A 0.0 Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes…
CVE-2026-31834 2026-03-10 HIGH 7.2 Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users…
CVE-2026-31833 2026-03-10 MEDIUM 6.7 Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, An authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions.…
CVE-2026-31832 2026-03-10 MEDIUM 5.4 Umbraco is an ASP.NET CMS. From 14.0.0 to before 16.5.1 and 17.2.2, A broken object-level authorization vulnerability exists in a backoffice API endpoint that allows authenticated users to…
CVE-2026-31830 2026-03-10 HIGH 7.5 sigstore-ruby is a pure Ruby implementation of the sigstore verify command from the sigstore/cosign project. Prior to 0.2.3, Sigstore::Verifier#verify does not propagate the VerificationFailure returned by verify_in_toto when…
CVE-2026-31827 2026-03-10 N/A 0.0 Alienbin is an anonymous code and text sharing web service. In 1.0.0 and earlier, the /save endpoint in server.js drops and recreates the MongoDB TTL index on the…
CVE-2026-31826 2026-03-10 N/A 0.0 pypdf is a free and open-source pure-python PDF library. Prior to 6.8.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage.…
CVE-2026-31825 2026-03-10 MEDIUM 5.3 Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy() without validation. An attacker…
CVE-2026-31817 2026-03-10 HIGH 8.5 OliveTin gives access to predefined shell commands from a web interface. Prior to 3000.11.2, when the saveLogs feature is enabled, OliveTin persists execution log entries to disk. The…
CVE-2026-31815 2026-03-10 MEDIUM 5.3 Unicorn adds modern reactive component functionality to your Django templates. Prior to 0.67.0, component state manipulation is possible in django-unicorn due to missing access control checks during property…
CVE-2026-31812 2026-03-10 N/A 0.0 Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using…
CVE-2026-28807 2026-03-10 N/A 0.0 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal. The wisp.serve_static function is vulnerable…
CVE-2026-28806 2026-03-10 N/A 0.0 Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API. Missing authorization checks in the device bulk actions and device…
CVE-2026-31808 2026-03-10 MEDIUM 5.3 file-type detects the file type of a file, stream, or data. Prior to 21.3.1, a denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser.…
CVE-2026-31801 2026-03-10 HIGH 7.7 zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot’s dist-spec authorization middleware infers the required action for PUT /v2/{name}/manifests/{reference}…
CVE-2026-30954 2026-03-10 N/A 0.0 LinkAce is a self-hosted archive to collect website links. In 2.1.0 and earlier, the processTaxonomy() method in LinkRepository.php allows authenticated users to attach other users' private tags and…
CVE-2026-30953 2026-03-10 HIGH 7.7 LinkAce is a self-hosted archive to collect website links. When a user creates a link via POST /links, the server fetches HTML metadata from the provided URL (LinkRepository::create()…
CVE-2026-30952 2026-03-10 N/A 0.0 liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute…
CVE-2026-30951 2026-03-10 HIGH 7.5 Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path…
CVE-2026-30837 2026-03-10 HIGH 7.5 Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26 , t.String({ format: 'url' }) is vulnerable to ReDoS. Repeating…
CVE-2025-70802 2026-03-10 N/A 0.0 Tenda G1V3.1si V16.01.7.8 Firmware V16.01.7.8 was discovered to contain a hardcoded password vulnerability in /etc_ro/shadow, which allows attackers to log in as root.
CVE-2025-70798 2026-03-10 N/A 0.0 Tenda i24V3.0si V3.0.0.5 Firmware V3.0.0.5 was discovered to contain a hardcoded password vulnerability in /etc_ro/shadow, which allows attackers to log in as root.
CVE-2025-66413 2026-03-10 HIGH 7.4 Git for Windows is the Windows port of Git. Prior to 2.53.0(2), it is possible to obtain a user's NTLM hash by tricking them into cloning from a…
CVE-2025-13213 2026-03-10 MEDIUM 5.4 IBM Aspera Orchestrator 3.0.0 through 4.1.2 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to…
CVE-2026-3582 2026-03-10 N/A 0.0 An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token (PAT) lacking the repo scope to retrieve…
CVE-2026-2713 2026-03-10 HIGH 7.4 IBM Trusteer Rapport installer 3.5.2309.290 IBM Trusteer Rapport could allow a local attacker to execute arbitrary code on the system, caused by DLL uncontrolled search path element vulnerability.…
CVE-2026-2266 2026-03-10 N/A 0.0 An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed DOM-based cross-site scripting via task list content. The task list content extraction logic did…
CVE-2026-29793 2026-03-10 N/A 0.0 Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, Socket.IO clients can send arbitrary JavaScript objects as…
CVE-2026-29792 2026-03-10 N/A 0.0 Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET…
CVE-2026-3370 2026-03-10 N/A 0.0 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been…
CVE-2026-31802 2026-03-10 N/A 0.0 node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using…
CVE-2026-31816 2026-03-09 CRITICAL 9.1 Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized() middleware that protects every server-side API…
CVE-2026-30926 2026-03-10 HIGH 7.1 SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts (RoleReader)…
« Anterior Página 206 de 4221 Siguiente »