Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2026-30831 2026-03-06 N/A 0.0 Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer…
CVE-2026-2446 2026-03-06 CRITICAL 9.8 The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CRSF checks in an AJAX action, allowing unauthenticated users to update arbitrary WordPress options (such…
CVE-2026-29110 2026-03-06 LOW 2.2 Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.0, in non-debug mode Cryptomator might leak cleartext paths into the log file. This can reveal meta…
CVE-2026-29089 2026-03-06 HIGH 8.8 TimescaleDB is a time-series database for high-performance real-time analytics packaged as a Postgres extension. From version 2.23.0 to 2.25.1, PostgreSQL uses the search_path setting to locate unqualified database…
CVE-2026-29087 2026-03-06 HIGH 7.5 @hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL…
CVE-2026-28514 2026-03-06 N/A 0.0 Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, a critical authentication bypass vulnerability exists in Rocket.Chat's…
CVE-2026-26122 2026-03-05 MEDIUM 6.5 Initialization of a resource with an insecure default in Azure Compute Gallery allows an authorized attacker to disclose information over a network.
CVE-2025-69651 2026-03-06 N/A 0.0 GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If…
CVE-2025-69646 2026-03-06 N/A 0.0 Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. A logic error in the handling of the debug_rnglists header can cause…
CVE-2025-69645 2026-03-06 N/A 0.0 Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result…
CVE-2025-69644 2026-03-06 N/A 0.0 An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the…
CVE-2026-1128 2026-03-06 MEDIUM 4.3 The WP eCommerce WordPress plugin through 3.15.1 does not have CSRF check in place when deleting coupons, which could allow attackers to make a logged in admin remove…
CVE-2026-28287 2026-03-05 HIGH 8.8 FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, multiple command injection vulnerabilities exist in the recordings…
CVE-2025-70229 2026-03-05 CRITICAL 9.8 Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSchedule.
CVE-2025-70230 2026-03-05 CRITICAL 9.8 Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetDDNS.
CVE-2025-70231 2026-03-05 CRITICAL 9.8 D-Link DIR-513 version 1.10 contains a critical-level vulnerability. When processing POST requests related to verification codes in /goform/formLogin, it enters /goform/getAuthCode but fails to filter the value of…
CVE-2025-70232 2026-03-05 CRITICAL 9.8 Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetMACFilter.
CVE-2025-70233 2026-03-05 CRITICAL 9.8 Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetEnableWizard.
CVE-2026-29783 2026-03-06 N/A 0.0 The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash parameter expansion patterns. An attacker who can…
CVE-2026-29613 2026-03-05 MEDIUM 5.9 OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles (optional plugin) webhook handler in which it authenticates requests based solely on loopback remoteAddress without validating forwarding…
CVE-2026-29611 2026-03-05 HIGH 7.5 OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in BlueBubbles extension (must be installed and enabled) media path handling that allows attackers to read arbitrary…
CVE-2026-29082 2026-03-06 HIGH 7.3 Kestra is an event-driven orchestration platform. In versions from 1.1.10 and prior, Kestra’s execution-file preview renders user-supplied Markdown (.md) with markdown-it instantiated as html:true and injects the resulting…
CVE-2026-29075 2026-03-06 HIGH 8.3 Mesa is an open-source Python library for agent-based modeling, simulating complex systems and exploring emergent behaviors. In version 3.5.0 and prior, checking out of untrusted code in benchmarks.yml…
CVE-2026-29064 2026-03-06 HIGH 8.2 Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal vulnerability in archive extraction allows a specifically crafted Zarf…
CVE-2026-29610 2026-03-05 HIGH 8.8 OpenClaw versions prior to 2026.2.14 contain a command hijacking vulnerability that allows attackers to execute unintended binaries by manipulating PATH environment variables through node-host execution or project-local bootstrapping.…
CVE-2026-29606 2026-03-05 MEDIUM 6.5 OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-call extension that allows unauthenticated requests when the tunnel.allowNgrokFreeTierLoopbackBypass option is explicitly enabled. An external attacker…
CVE-2026-28484 2026-03-05 N/A 0.0 Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2026-28482 2026-03-05 HIGH 7.1 OpenClaw versions prior to 2026.2.12 construct transcript file paths using unsanitized sessionId parameters and sessionFile paths without enforcing directory containment. Authenticated attackers can exploit path traversal sequences like…
CVE-2026-28481 2026-03-05 MEDIUM 6.5 OpenClaw versions 2026.1.30 and earlier, contain an information disclosure vulnerability, patched in 2026.2.1, in the MS Teams attachment downloader (optional extension must be enabled) that leaks bearer tokens…
CVE-2026-28477 2026-03-05 HIGH 7.1 OpenClaw versions prior to 2026.2.14 contain an oauth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can…
CVE-2026-28476 2026-03-05 HIGH 8.3 OpenClaw versions prior to 2026.2.14 contain a server-side request forgery vulnerability in the optional Tlon Urbit extension that accepts user-provided base URLs for authentication without proper validation. Attackers…
CVE-2026-28473 2026-03-05 HIGH 8.1 OpenClaw versions prior to 2026.2.2 contain an authorization bypass vulnerability where clients with operator.write scope can approve or deny exec approval requests by sending the /approve chat command.…
CVE-2026-28472 2026-03-05 HIGH 8.1 OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not…
CVE-2026-28471 2026-03-05 MEDIUM 5.3 OpenClaw version 2026.1.14-1 prior to 2026.2.2, with the Matrix plugin installed and enabled, contain a vulnerability in which DM allowlist matching could be bypassed by exact-matching against sender…
CVE-2026-28469 2026-03-05 HIGH 7.5 OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the…
CVE-2026-28468 2026-03-05 HIGH 7.7 OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14 contain a vulnerability in the sandbox browser bridge server in which it accepts requests without requiring gateway authentication, allowing local attackers to…
CVE-2026-28467 2026-03-05 MEDIUM 6.5 OpenClaw versions prior to 2026.2.2 contain a server-side request forgery vulnerability in attachment and media URL hydration that allows remote attackers to fetch arbitrary HTTP(S) URLs. Attackers who…
CVE-2026-28466 2026-03-05 CRITICAL 9.9 OpenClaw versions prior to 2026.2.14 contain a vulnerability in the gateway in which it fails to sanitize internal approval fields in node.invoke parameters, allowing authenticated clients to bypass…
CVE-2026-28465 2026-03-05 MEDIUM 5.9 OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can…
CVE-2026-28464 2026-03-05 MEDIUM 5.9 OpenClaw versions prior to 2026.2.12 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network access to the…
CVE-2026-28459 2026-03-05 HIGH 7.1 OpenClaw versions prior to 2026.2.12 fail to validate the sessionFile path parameter, allowing authenticated gateway clients to write transcript data to arbitrary locations on the host filesystem. Attackers…
CVE-2026-28458 2026-03-05 HIGH 8.1 OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extension must be installed and enabled) /cdp WebSocket endpoint in which it does not require…
CVE-2026-28457 2026-03-05 MEDIUM 6.1 OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirroring (must be enabled) that uses the skill frontmatter name parameter unsanitized when copying skills…
CVE-2026-28456 2026-03-05 HIGH 7.2 OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it does not sufficiently constrain configured hook module paths before passing them to dynamic…
CVE-2026-28454 2026-03-05 HIGH 7.5 OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), allowing unauthenticated HTTP POST requests to the webhook endpoint that trust…
CVE-2026-28451 2026-03-05 HIGH 8.3 OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feishu extension that allow attackers to fetch attacker-controlled remote URLs without SSRF protections via sendMediaFeishu function…
CVE-2026-28450 2026-03-05 MEDIUM 6.8 OpenClaw versions prior to 2026.2.12 with the optional Nostr plugin enabled expose unauthenticated HTTP endpoints at /api/channels/nostr/:accountId/profile and /api/channels/nostr/:accountId/profile/import that allow reading and modifying Nostr profiles without gateway…
CVE-2026-28448 2026-03-05 HIGH 7.3 OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin (must be installed and enabled) in which it fails to enforce the allowFrom allowlist when…
CVE-2026-28447 2026-03-05 HIGH 8.1 OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft…
CVE-2026-28446 2026-03-05 CRITICAL 9.4 OpenClaw versions prior to 2026.2.1 with the voice-call extension installed and enabled contain an authentication bypass vulnerability in inbound allowlist policy validation that accepts empty caller IDs and…
« Anterior Página 215 de 4221 Siguiente »