Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2025-45691 2026-03-05 HIGH 7.5 An Arbitrary File Read vulnerability exists in the ImageTextPromptValue class in Exploding Gradients RAGAS v0.2.3 to v0.2.14. The vulnerability stems from improper validation and sanitization of URLs supplied…
CVE-2026-23925 2026-03-06 N/A 0.0 An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized…
CVE-2026-2830 2026-03-06 MEDIUM 6.1 The WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘filepath’…
CVE-2026-2331 2026-03-06 CRITICAL 9.8 An attacker may perform unauthenticated read and write operations on sensitive filesystem areas via the AppEngine Fileaccess over HTTP due to improper access restrictions. A critical filesystem directory…
CVE-2026-2330 2026-03-06 CRITICAL 9.4 An attacker may access restricted filesystem areas on the device via the CROWN REST interface due to incomplete whitelist enforcement. Certain directories intended for internal testing were not…
CVE-2026-29183 2026-03-06 CRITICAL 9.3 SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint "GET /api/icon/getDynamicIcon" when type=8, attacker-controlled…
CVE-2026-29074 2026-03-06 HIGH 7.5 SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before…
CVE-2026-29073 2026-03-06 N/A 0.0 SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql lets a user run sql directly, but it only checks basic auth, not admin rights,…
CVE-2026-29062 2026-03-06 N/A 0.0 jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when…
CVE-2026-29059 2026-03-06 N/A 0.0 Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Prior to version 1.603.3, an unauthenticated path traversal vulnerability exists in Windmill's get_log_file…
CVE-2026-29068 2026-03-06 N/A 0.0 PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, there is a stack buffer overflow vulnerability when pjmedia-codec parses an…
CVE-2026-29065 2026-03-06 N/A 0.0 changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite…
CVE-2026-29058 2026-03-06 CRITICAL 9.8 AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the…
CVE-2026-29049 2026-03-06 MEDIUM 4.3 melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit…
CVE-2026-29048 2026-03-06 N/A 0.0 HumHub is an Open Source Enterprise Social Network. In version 1.18.0, a cross-site scripting vulnerability was identified in the Button component of version 1.18.0. Due to inconsistent output…
CVE-2026-29042 2026-03-06 N/A 0.0 Nuclio is a "Serverless" framework for Real-Time Events and Data Processing. Prior to version 1.15.20, the Nuclio Shell Runtime component contains a command injection vulnerability in how it…
CVE-2026-29039 2026-03-06 N/A 0.0 changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via…
CVE-2026-29038 2026-03-06 MEDIUM 6.1 changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint…
CVE-2026-28804 2026-03-06 N/A 0.0 pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.5, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes.…
CVE-2026-28802 2026-03-06 N/A 0.0 Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg:…
CVE-2026-28801 2026-03-06 MEDIUM 6.6 Natro Macro is an open-source Bee Swarm Simulator macro written in AutoHotkey. Prior to version 1.1.0, any ahk code contained inside of a pattern or path file is…
CVE-2026-28800 2026-03-06 MEDIUM 6.4 Natro Macro is an open-source Bee Swarm Simulator macro written in AutoHotkey. Prior to version 1.1.0, anyone with Discord Remote Control set up in a non-private channel gives…
CVE-2026-28799 2026-03-06 N/A 0.0 PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap use-after-free vulnerability exists in PJSIP's event subscription framework (evsub.c)…
CVE-2026-28795 2026-03-06 N/A 0.0 OpenChatBI is an intelligent chat-based BI tool powered by large language models, designed to help users query, analyze, and visualize data through natural language conversations. Prior to version…
CVE-2026-28438 2026-03-06 N/A 0.0 CocoIndex is a data transformation framework for AI. Prior to version 0.3.34, the Doris target connector didn't verify the configured table name before creating some SQL statements (ALTER…
CVE-2026-29084 2026-03-06 MEDIUM 4.6 Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the login flow accepts credential-bearing requests without CSRF protection mechanisms tied…
CVE-2026-29061 2026-03-06 MEDIUM 5.4 Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows…
CVE-2026-29060 2026-03-06 MEDIUM 5.0 Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests…
CVE-2026-28794 2026-03-06 N/A 0.0 oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the…
CVE-2026-28787 2026-03-06 HIGH 8.2 OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the challenge on the server side.…
CVE-2026-28785 2026-03-06 N/A 0.0 Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL commands via the getHistorical() method, potentially…
CVE-2026-28685 2026-03-06 MEDIUM 6.5 Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/{id}" only checks the role-based view_invoice permission but does not verify the requesting user has access…
CVE-2026-28683 2026-03-06 HIGH 8.7 Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink…
CVE-2026-28682 2026-03-06 MEDIUM 6.4 Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state…
CVE-2026-28681 2026-03-06 HIGH 8.1 Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. From version 4.4.0 to before version 4.4.5 and from version…
CVE-2026-28680 2026-03-06 CRITICAL 9.3 Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them…
CVE-2026-28679 2026-03-06 HIGH 8.6 Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. Prior to version 1.21.0, when a user requests a download, the application does not verify…
CVE-2026-28677 2026-03-06 HIGH 8.2 OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, the URL ingest pipeline accepted user-controlled remote…
CVE-2026-28676 2026-03-06 HIGH 8.8 OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, multiple storage helpers used path construction patterns…
CVE-2026-28675 2026-03-06 MEDIUM 5.3 OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, some endpoints returned raw exception strings to…
CVE-2026-28509 2026-03-06 MEDIUM 6.3 LangBot is a global IM bot platform designed for LLMs. Prior to version 4.8.7, LangBot’s web UI renders user-supplied raw HTML using rehypeRaw, which can lead to a…
CVE-2026-28508 2026-03-06 N/A 0.0 Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint…
CVE-2026-28507 2026-03-06 N/A 0.0 Idno is a social publishing platform. Prior to version 1.6.4, there is a remote code execution vulnerability via chained import file write and template path traversal. This issue…
CVE-2026-28429 2026-03-06 HIGH 7.5 Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871, a Path Traversal vulnerability was identified in the gameName parameter. While the application's primary entry points…
CVE-2026-28428 2026-03-06 MEDIUM 5.3 Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to perform…
CVE-2026-27605 2026-03-06 MEDIUM 6.3 Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the application allows…
CVE-2026-27603 2026-03-06 N/A 0.0 Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the chart filter…
CVE-2026-27005 2026-03-06 N/A 0.0 Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3, an unauthenticated attacker…
CVE-2026-25888 2026-03-06 HIGH 8.8 Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a…
CVE-2026-25887 2026-03-06 HIGH 7.2 Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a…
« Anterior Página 218 de 4222 Siguiente »