CVE Vulnerabilities

Below is the list of the latest vulnerabilities published by NIST:

| CVE ID | Published | Severity | CVSS | Description |
|---|---|---|---|---|
| CVE-2025-67686 | 2025-12-11 | N/A | 0.0 | Rejected reason: Not used |
| CVE-2025-14157 | 2025-12-11 | MEDIUM | 6.5 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 6.3 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated… |
| CVE-2025-13978 | 2025-12-11 | MEDIUM | 4.3 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.5 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated… |
| CVE-2025-12716 | 2025-12-11 | HIGH | 8.7 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that, under certain conditions could have… |
| CVE-2025-12562 | 2025-12-11 | HIGH | 7.5 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an unauthenticated… |
| CVE-2025-10163 | 2025-12-11 | MEDIUM | 6.5 | The List category posts plugin for WordPress is vulnerable to time-based SQL Injection via the ‘starting_with’ parameter of the catlist shortcode in all versions up to, and including,… |
| CVE-2025-14485 | 2025-12-11 | MEDIUM | 5.0 | A weakness has been identified in EFM ipTIME A3004T 14.19.0. This vulnerability affects the function show_debug_screen of the file /sess-bin/timepro.cgi of the component Administrator Password Handler. This manipulation… |
| CVE-2025-13764 | 2025-12-11 | CRITICAL | 9.8 | The WP CarDealer plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.16. This is due to the 'WP_CarDealer_User::process_register' function not restricting… |
| CVE-2025-11467 | 2025-12-11 | MEDIUM | 5.8 | The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all… |
| CVE-2025-67720 | 2025-12-11 | MEDIUM | 6.5 | Pyrofork is a modern, asynchronous MTProto API framework. Versions 2.3.68 and earlier do not properly sanitize filenames received from Telegram messages in the download_media method before using them… |
| CVE-2025-67719 | 2025-12-11 | N/A | 0.0 | Ibexa is a composable end-to-end DXP (Digital Experience Platform). Versions 5.0.0-beta1 through 5.0.3 do not have password validation. During the transition from v4 to v5 an error was… |
| CVE-2025-67718 | 2025-12-11 | N/A | 0.0 | Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow… |
| CVE-2025-67717 | 2025-12-11 | N/A | 0.0 | ZITADEL is an open-source identity infrastructure tool. Versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 disclose the total number of instance users to authenticated users, regardless of their… |
| CVE-2025-67716 | 2025-12-11 | MEDIUM | 5.7 | The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions 4.9.0 through 4.12.1 contain an input-validation flaw in the returnTo parameter, which could… |
| CVE-2025-67713 | 2025-12-11 | N/A | 0.0 | Miniflux 2 is an open source feed reader. Versions 2.2.14 and below treat redirect_url as safe when url.Parse(...).IsAbs() is false, enabling phishing flows after login. Protocol-relative URLs like… |
| CVE-2025-67648 | 2025-12-11 | HIGH | 7.1 | Shopware is an open commerce platform. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 have a Reflected XSS vulnerability in AuthController.php. A request parameter from the login page… |
| CVE-2025-67646 | 2025-12-11 | LOW | 3.5 | TableProgressTracking is a MediaWiki extension to track progress against specific criterion. Versions 1.2.0 and below do not enforce CSRF token validation in the REST API. As a result,… |
| CVE-2025-67644 | 2025-12-11 | HIGH | 7.3 | LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Versions 3.0.0 and below are vulnerable to SQL injection… |
| CVE-2025-67514 | 2025-12-11 | N/A | 0.0 | Rejected reason: Vulnerability is dependency-based. |
| CVE-2025-67512 | 2025-12-11 | N/A | 0.0 | Rejected reason: The vulnerability is dependency-based. |
| CVE-2025-67513 | 2025-12-10 | N/A | 0.0 | FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions prior to 16.0.96 and 17.0.1 through 17.0.9 have a weak default password. By default,… |
| CVE-2025-67510 | 2025-12-10 | CRITICAL | 9.4 | Neuron is a PHP framework for creating and orchestrating AI Agents. In versions 2.8.11 and below, the MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() +… |
| CVE-2025-67509 | 2025-12-10 | HIGH | 8.2 | Neuron is a PHP framework for creating and orchestrating AI Agents. Versions 2.8.11 and below use MySQLSelectTool, which is vulnerable to Read-Only Bypass. MySQLSelectTool is intended to be… |
| CVE-2025-67505 | 2025-12-10 | HIGH | 8.4 | Okta Java Management SDK facilitates interactions with the Okta management API. In versions 11.0.0 through 20.0.0, race conditions may arise from concurrent requests using the ApiClient class. This… |
| CVE-2025-67490 | 2025-12-10 | MEDIUM | 5.4 | The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. When using versions 4.11.0 through 4.11.2 and 4.12.0, simultaneous requests on the same client… |
| CVE-2025-13923 | 2025-12-10 | N/A | 0.0 | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. |
| CVE-2025-12731 | 2025-12-10 | N/A | 0.0 | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. |
| CVE-2025-66033 | 2025-12-10 | MEDIUM | 5.3 | Okta Java Management SDK facilitates interactions with the Okta management API. In versions 21.0.0 through 24.0.0, specific multithreaded implementations may encounter memory issues as threads are not properly… |
| CVE-2025-66628 | 2025-12-10 | HIGH | 7.5 | ImageMagick is a software suite to create, edit, compose, or convert bitmap images. In versions 7.1.2-9 and prior, the TIM (PSX TIM) image parser contains a critical integer… |
| CVE-2025-66472 | 2025-12-10 | N/A | 0.0 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1 of both XWiki… |
| CVE-2025-65295 | 2025-12-10 | N/A | 0.0 | Multiple vulnerabilities in Aqara Hub firmware update process in the Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 devices, allow attackers to install malicious firmware… |
| CVE-2025-65291 | 2025-12-10 | N/A | 0.0 | Aqara Hub devices including Hub M2 4.3.6_0027, Hub M3 4.3.6_0025, Camera Hub G3 4.1.9_0027 fail to validate server certificates in TLS connections for discovery services and CoAP gateway… |
| CVE-2024-58280 | 2025-12-10 | N/A | 0.0 | CMSimple 5.15 contains a remote command execution vulnerability that allows authenticated attackers to modify file extensions and upload malicious PHP files. Attackers can append ',php' to Extensions_userfiles and… |
| CVE-2025-67461 | 2025-12-10 | MEDIUM | 5.0 | External control of file name or path in Zoom Rooms for macOS before version 6.6.0 may allow an authenticated user to conduct a disclosure of information via local… |
| CVE-2025-67460 | 2025-12-10 | HIGH | 7.8 | Protection Mechanism Failure of Software Downgrade in Zoom Rooms for Windows before 6.6.0 may allow an unauthenticated user to conduct an escalation of privilege via local access. |
| CVE-2025-65950 | 2025-12-10 | N/A | 0.0 | WBCE CMS is a content management system. In versions 1.6.4 and below, the user management module allows a low-privileged authenticated user with permissions to modify users to execute… |
| CVE-2025-65832 | 2025-12-10 | N/A | 0.0 | The mobile application insecurely handles information stored within memory. By performing a memory dump on the application after a user has logged out and terminated it, Wi-Fi credentials… |
| CVE-2025-65830 | 2025-12-10 | N/A | 0.0 | Due to a lack of certificate validation, all traffic from the mobile application can be intercepted. As a result, an adversary located "upstream" can decrypt the TLS traffic,… |
| CVE-2025-65828 | 2025-12-10 | N/A | 0.0 | An unauthenticated attacker within proximity of the Meatmeet device can issue several commands over Bluetooth Low Energy (BLE) to these devices which would result in a Denial of… |
| CVE-2025-65827 | 2025-12-10 | N/A | 0.0 | The mobile application is configured to allow clear text traffic to all domains and communicates with an API server over HTTP. As a result, an adversary located "upstream"… |
| CVE-2025-65826 | 2025-12-10 | N/A | 0.0 | The mobile application was found to contain stored credentials for the network it was developed on. If an attacker retrieved this, and found the physical location of the… |
| CVE-2025-65825 | 2025-12-10 | N/A | 0.0 | The firmware on the basestation of the Meatmeet is not encrypted. An adversary with physical access to the Meatmeet device can disassemble the device, connect over UART, and… |
| CVE-2025-65824 | 2025-12-10 | N/A | 0.0 | An unauthenticated attacker within proximity of the Meatmeet device can perform an unauthorized Over The Air (OTA) firmware upgrade using Bluetooth Low Energy (BLE), resulting in the firmware… |
| CVE-2025-65823 | 2025-12-10 | N/A | 0.0 | The Meatmeet Pro was found to be shipped with hardcoded Wi-Fi credentials in the firmware, for the test network it was developed on. If an attacker retrieved this,… |
| CVE-2025-65822 | 2025-12-10 | N/A | 0.0 | The ESP32 system on a chip (SoC) that powers the Meatmeet Pro was found to have JTAG enabled. By leaving JTAG enabled on an ESP32 in a commercial… |
| CVE-2025-65821 | 2025-12-10 | N/A | 0.0 | As UART download mode is still enabled on the ESP32 chip on which the firmware runs, an adversary can dump the flash from the device and retrieve sensitive… |
| CVE-2025-65820 | 2025-12-10 | N/A | 0.0 | An issue was discovered in Meatmeet Android Mobile Application 1.1.2.0. An exported activity can be spawned with the mobile application which opens a hidden page. This page, which… |
| CVE-2025-65512 | 2025-12-10 | N/A | 0.0 | A Server-Side Request Forgery (SSRF) vulnerability was discovered in the webpage-to-markdown conversion feature of markdownify-mcp v0.0.2 and before. This vulnerability allows an attacker to bypass private IP restrictions… |
| CVE-2025-65807 | 2025-12-10 | CRITICAL | 9.8 | An issue in sd command v1.0.0 and before allows attackers to escalate privileges to root via a crafted command. |
| CVE-2025-65803 | 2025-12-10 | MEDIUM | 6.5 | An integer overflow in the psdParser::ReadImageData function of FreeImage v3.18.0 and before allows attackers to cause a Denial of Service (DoS) via supplying a crafted PSD file. |