Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2026-44015 2026-05-12 HIGH 8.5 Nginx UI is a web user interface for the Nginx web server. In 2.3.4 and earlier, an authenticated user can perform Server-Side Request Forgery (SSRF) by creating a…
CVE-2026-42268 2026-05-12 N/A 0.0 ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15, there is an unhandled exception (std::out_of_range)…
CVE-2026-44304 2026-05-12 HIGH 8.1 Lemur manages TLS certificate creation. Prior to 1.9.0, Lemur's LDAP authentication module (lemur/auth/ldap.py) constructs LDAP search filters using unsanitized user input via Python string interpolation. An authenticated LDAP…
CVE-2026-2695 2026-05-13 MEDIUM 6.3 A command injection vulnerability was discovered in TeamViewer DEX Platform On-Premises (former 1E DEX Platform On-Premises) prior to version 9.2. Improper input validation allows authenticated users with at least questioner…
CVE-2026-40863 2026-05-12 HIGH 7.5 PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\Xml) does not validate…
CVE-2026-21015 2026-05-13 MEDIUM 5.5 Incorrect default permissions in FactoryCamera prior to SMR May-2026 Release 1 allows local attacker to access unique identifier.
CVE-2026-21016 2026-05-13 MEDIUM 5.5 Incorrect privilege assignment in LocationManager prior to SMR May-2026 Release 1 allows local attackers to access sensitive information.
CVE-2026-21018 2026-05-13 MEDIUM 6.7 Out-of-bounds write in SveService prior to SMR May-2026 Release 1 allows local privileged attackers to execute arbitrary code.
CVE-2026-21020 2026-05-13 HIGH 7.8 Improper export of android application components in OmaCP prior to SMR May-2026 Release 1 allows local attackers to trigger privileged functions.
CVE-2026-21021 2026-05-13 MEDIUM 6.8 Improper input validation in Routines prior to SMR May-2026 Release 1 allows physical attackers to launch privileged activity.
CVE-2026-21022 2026-05-13 MEDIUM 5.5 Improper handling of insufficient permissions in Routines prior to SMR May-2026 Release 1 allows local attackers to access sensitive information.
CVE-2020-37221 2026-05-13 HIGH 8.4 Atomic Alarm Clock 6.3 contains a stack overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string to the display name textbox in…
CVE-2026-44305 2026-05-12 MEDIUM 6.8 Lemur manages TLS certificate creation. Prior to 1.9.0, when LDAP TLS is enabled (LDAP_USE_TLS = True), Lemur's LDAP authentication module unconditionally disables TLS certificate verification at the global…
CVE-2026-40699 2026-05-13 MEDIUM 6.5 A vulnerability exists in the undisclosed pages in the Configuration utility that may allow a low-privileged authenticated attacker to access to undisclosed sensitive information.  Note: Software versions which have…
CVE-2026-40462 2026-05-13 MEDIUM 6.5 Incorrect permission assignment vulnerabilities exist in iControl REST and TMOS shell (tmsh) undisclosed command which may allow an authenticated attacker to view sensitive information.  Note: Software versions which…
CVE-2020-37226 2026-05-13 HIGH 7.1 Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter. Attackers can…
CVE-2020-37225 2026-05-13 MEDIUM 6.4 Powie's WHOIS Domain Check 0.9.31 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by exploiting unsanitized input fields in plugin settings. Attackers…
CVE-2020-37224 2026-05-13 HIGH 7.1 Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter. Attackers can…
CVE-2020-37223 2026-05-13 HIGH 7.8 IObit Uninstaller 9.5.0.15 contains an unquoted service path vulnerability in the IObitUnSvr service that allows local attackers to escalate privileges to SYSTEM level. Attackers can place a malicious…
CVE-2020-37222 2026-05-13 HIGH 7.2 Kuicms Php EE 2.0 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted content through the bbs reply endpoint. Attackers…
CVE-2020-37220 2026-05-13 HIGH 7.5 Huawei HG630 V2 router contains an authentication bypass vulnerability that allows unauthenticated attackers to obtain administrative access by retrieving the device serial number. Attackers can query the /api/system/deviceinfo…
CVE-2020-37219 2026-05-13 HIGH 7.5 Joomla com_fabrik 3.9.11 contains a directory traversal vulnerability that allows unauthenticated attackers to list arbitrary files by manipulating the folder parameter. Attackers can send GET requests to the…
CVE-2020-37218 2026-05-13 HIGH 8.2 Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hdwplayersearch…
CVE-2020-37217 2026-05-13 MEDIUM 4.3 Easy2Pilot 7 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized user accounts by tricking authenticated administrators into visiting malicious pages. Attackers can craft HTML…
CVE-2020-37174 2026-05-13 MEDIUM 5.5 WOOF Products Filter for WooCommerce 1.2.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering XSS payloads in design tab textfields.…
CVE-2020-37169 2026-05-13 MEDIUM 5.5 WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in class-admin-upgrade.php. Attackers can send…
CVE-2020-37168 2026-05-13 CRITICAL 9.8 Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. Attackers can extract…
CVE-2026-44220 2026-05-12 LOW 3.2 ciguard is a static security auditor for CI/CD pipelines. From 0.8.0 to 0.8.1 , the discover_pipeline_files() function in src/ciguard/discovery.py walks a directory tree following symlinks, with cycle protection…
CVE-2026-44219 2026-05-12 LOW 3.7 ciguard is a static security auditor for CI/CD pipelines. From 0.6.0 to 0.8.1, both SCA HTTP clients (src/ciguard/analyzer/sca/osv.py and src/ciguard/analyzer/sca/endoflife.py) call payload = json.loads(resp.read().decode('utf-8')) without a maximum-bytes cap.…
CVE-2026-44218 2026-05-12 LOW 3.0 ciguard is a static security auditor for CI/CD pipelines. From 0.1.0 to 0.8.1, the published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a…
CVE-2026-44295 2026-05-13 HIGH 8.7 protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating…
CVE-2026-44288 2026-05-13 MEDIUM 5.3 protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them…
CVE-2026-44572 2026-05-13 LOW 3.7 Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal…
CVE-2026-44479 2026-05-13 MEDIUM 5.5 Vercel’s AI Cloud is a unified platform for building modern applications. From 50.16.0 to 52.0.0, hen the Vercel CLI runs in non-interactive mode (--non-interactive or auto-detected AI agent),…
CVE-2026-44470 2026-05-13 N/A 0.0 The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. Prior to 1.3834.0, the CoworkVMService component in Claude…
CVE-2026-44467 2026-05-13 N/A 0.0 The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. From 1.2581.0 to before 1.4304.0, Claude Desktop's SSH…
CVE-2026-44664 2026-05-13 MEDIUM 6.1 fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skip the values…
CVE-2026-44665 2026-05-13 MEDIUM 6.1 fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value…
CVE-2026-42557 2026-05-13 N/A 0.0 jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button…
CVE-2026-42290 2026-05-13 HIGH 7.8 protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbts invoked JSDoc by building a shell command string from input file paths and executing…
CVE-2026-42266 2026-05-13 HIGH 8.8 jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed…
CVE-2025-32425 2026-05-13 N/A 0.0 AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. In AutoGPT, the execution process is recorded to…
CVE-2025-29338 2026-05-13 N/A 0.0 NXP moal.ko Wi-Fi driver 5.1.7.10 FW version from v17.92.1.p149.43 To v17.92.1.p149.157 was discovered to contain a buffer overflow via the mod_para parameter in the woal_init_module_param function.
CVE-2026-42338 2026-05-12 N/A 0.0 ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it…
CVE-2024-55045 2026-05-13 N/A 0.0 Firmament-Autopilot FMT-Firmware commit de5aec was discovered to contain a buffer overflow via the task_mavobc_entry function at /comm/task_comm.c.
CVE-2026-8367 2026-05-13 MEDIUM 4.8 aria2c accepts a server certificate with incorrect Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they…
CVE-2026-6282 2026-05-13 HIGH 8.1 A potential improper file path validation vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user to move or access files…
CVE-2026-6281 2026-05-13 HIGH 8.8 A potential vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user on the local network to execute arbitrary commands on…
CVE-2026-42946 2026-05-13 MEDIUM 6.5 A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle…
CVE-2026-42937 2026-05-13 MEDIUM 6.5 Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) arp and ndp commands, and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view…
« Anterior Página 207 de 4495 Siguiente »