Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2026-4873 2026-05-13 MEDIUM 5.9 A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via…
CVE-2026-41051 2026-05-13 MEDIUM 5.0 csync2 uses insecure temporary directories when compiled with C99 or later, allowing for TOCTOU style attacks on the temporary directories.
CVE-2026-44577 2026-05-13 MEDIUM 5.9 Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization…
CVE-2026-5545 2026-05-13 MEDIUM 6.5 libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host. libcurl…
CVE-2026-8463 2026-05-13 MEDIUM 5.3 Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2_verify on empty encoded input. The auto-detect form of argon2_verify passes encoded_len - 1…
CVE-2026-45411 2026-05-13 CRITICAL 9.8 vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside an async generator. When…
CVE-2026-45033 2026-05-13 N/A 0.0 GitHub Copilot CLI brings AI-powered coding assistance directly to your command line. Prior to 1.0.43, a security vulnerability has been identified in GitHub Copilot CLI where a malicious…
CVE-2026-41410 2026-05-13 N/A 0.0 Rejected reason: REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-40520. Reason: This candidate is a duplicate of CVE-2026-40520. Notes: All CVE users should reference CVE-2026-40520 instead…
CVE-2026-37429 2026-05-13 MEDIUM 6.5 qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysUserMapper.xml file. This vulnerability allows attackers to access sensitive database information,…
CVE-2026-37428 2026-05-13 MEDIUM 6.5 qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysDeptMapper.xml file. This vulnerability allows attackers to access sensitive database information,…
CVE-2026-5773 2026-05-13 HIGH 7.5 libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection…
CVE-2026-34686 2026-05-12 HIGH 8.7 Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker…
CVE-2026-44455 2026-05-13 MEDIUM 4.7 Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag…
CVE-2026-44456 2026-05-13 MEDIUM 6.5 Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit() does not reliably enforce maxSize for requests without a usable Content-Length…
CVE-2026-44457 2026-05-13 MEDIUM 5.3 Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance…
CVE-2026-44458 2026-05-13 MEDIUM 4.3 Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not…
CVE-2026-44459 2026-05-13 LOW 3.8 Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in…
CVE-2026-44240 2026-05-12 HIGH 7.5 basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised…
CVE-2026-44232 2026-05-12 N/A 0.0 DSSRF is a Node.js library that provides a wide range of utilities and advanced SSRF defense checks. Prior to 1.3.0, every IPv6 category bypasses is_url_safe. This vulnerability is…
CVE-2026-44225 2026-05-12 CRITICAL 9.3 Pulpy is a lightweight, cross-platform desktop application packager for web apps. Prior to 0.1.1, Pulpy injects a pulpy.fs JavaScript API into every packaged web application, giving it access…
CVE-2026-44221 2026-05-12 CRITICAL 9.0 ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database…
CVE-2026-44217 2026-05-12 N/A 0.0 sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry…
CVE-2026-42889 2026-05-12 CRITICAL 9.1 Relay adds real-time collaboration to Obsidian. Relay Server versions 0.9.0 through 0.9.6 contain an authentication bypass in the multi-document WebSocket endpoints. When authentication is configured, WebSocket connections without…
CVE-2026-40902 2026-05-12 HIGH 7.5 PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the XLSX reader's ColumnAndRowAttributes::readRowAttributes() method reads row numbers…
CVE-2026-44246 2026-05-12 HIGH 7.2 nnU-Net is a semantic segmentation framework that automatically adapts its pipeline to a dataset. Prior to 2.4.1, the nnU-Net Issue Triage workflow in .github/workflows/issue-triage.yml is vulnerable to Agentic…
CVE-2026-44224 2026-05-12 N/A 0.0 Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the…
CVE-2026-0265 2026-05-13 N/A 0.0 An authentication bypass vulnerability in Palo Alto Networks PAN-OS® software enables an unauthenticated attacker with network access to bypass authentication controls when Cloud Authentication Service (CAS) is enabled.…
CVE-2026-0264 2026-05-13 N/A 0.0 A buffer overflow vulnerability in the DNS proxy and DNS Server features of Palo Alto Networks PAN-OS® Software allows an unauthenticated attacker with network access to cause a…
CVE-2026-0263 2026-05-13 N/A 0.0 A buffer overflow vulnerability in the IKEv2 processing of Palo Alto Networks PAN-OS® software allows an unauthenticated network-based attacker to execute arbitrary code with elevated privileges on the…
CVE-2026-0237 2026-05-13 N/A 0.0 An improper protection of alternate path vulnerability in Palo Alto Networks Prisma® Browser on macOS fails to properly restrict access to an internal automation bridge. This allows a…
CVE-2026-44582 2026-05-13 LOW 3.7 Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in…
CVE-2026-44581 2026-05-13 MEDIUM 4.7 Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable…
CVE-2026-44580 2026-05-13 MEDIUM 6.1 Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that use beforeInteractive scripts together with untrusted content can be…
CVE-2026-44579 2026-05-13 HIGH 7.5 Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable…
CVE-2026-44578 2026-05-13 HIGH 8.6 Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to…
CVE-2026-42191 2026-05-12 MEDIUM 6.5 OpenTelemetry.Exporter.OpenTelemetryProtocol is the OTLP (OpenTelemetry Protocol) exporter implementation. From 1.8.0 to 1.15.2, the OTLP disk retry feature in OpenTelemetry.Exporter.OpenTelemetryProtocol silently fell back to Path.GetTempPath() when OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk was set…
CVE-2026-6276 2026-05-13 HIGH 7.5 Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without…
CVE-2026-6253 2026-05-13 MEDIUM 5.9 curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to…
CVE-2026-44854 2026-05-12 HIGH 7.2 Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to upload arbitrary files to…
CVE-2024-51394 2026-05-13 MEDIUM 5.5 Buffer Overflow vulnerability in Ardupiot Copter Latest commit 92693e023793133e49a035daf37c14433e484778 allows a local attacker to cause a denial of service via the AP_MSP::loop, AP_MSP, AP_MSP.cpp components.
CVE-2026-44223 2026-05-12 MEDIUM 6.5 vLLM is an inference and serving engine for large language models (LLMs). From to before 0.20.0, the extract_hidden_states speculative decoding proposer in vLLM returns a tensor with an…
CVE-2026-44222 2026-05-12 MEDIUM 6.5 vLLM is an inference and serving engine for large language models (LLMs). From 0.6.1 to before 0.20.0, there is a a Token Injection vulnerability in vLLM’s multimodal processing.…
CVE-2026-44341 2026-05-12 MEDIUM 5.3 GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details by directly manipulating…
CVE-2026-44307 2026-05-12 N/A 0.0 Mako is a template library written in Python. Prior to 1.3.12, on Windows, a URI using backslash traversal (e.g. \..\..\ secret.txt) bypasses the directory traversal check in Template.__init__…
CVE-2026-44302 2026-05-12 HIGH 7.5 Snappier is a high performance C# implementation of the Snappy compression algorithm. Prior to 1.3.1, Snappier.SnappyStream enters an uncatchable infinite loop when decompressing a malformed framed-format Snappy stream…
CVE-2026-42196 2026-05-12 N/A 0.0 django-s3file is a lightweight file upload input for Django and Amazon S3. Prior to 7.0.2, S3FileMiddleware is vulnerable to relative path traversal attacks, where an attacker can use…
CVE-2026-41195 2026-05-12 MEDIUM 5.0 mosparo is the modern solution to protect your online forms from spam. Prior to 1.4.13, the automatic rule package source URL feature allows a project member with the…
CVE-2026-44347 2026-05-12 MEDIUM 5.8 Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux. Prior to 0.23.3, the SSO flow does not validate the state parameter, which makes it…
CVE-2026-44245 2026-05-12 MEDIUM 6.1 Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 2.5.2, Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and…
CVE-2026-44301 2026-05-12 N/A 0.0 Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured…
« Anterior Página 206 de 4495 Siguiente »