Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2025-20373 2025-11-26 LOW 2.7 In Splunk Add-on for Palo Alto Networks versions below 2.0.2, the add-on exposes client secrets in plain text in the _internal index during the addition of new “Data…
CVE-2025-13084 2025-11-26 HIGH 7.6 The users endpoint in the groov View API returns a list of all users and associated metadata including their API keys. This endpoint requires an Editor role to…
CVE-2025-11461 2025-11-26 N/A 0.0 Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe CRM: 1.53.1.
CVE-2025-65239 2025-11-26 MEDIUM 4.3 Incorrect access control in the /aux1/ocussd/trace endpoint of OpenCode Systems USSD Gateway OC Release:5, version 6.13.11 allows attackers with low-level privileges to read server logs.
CVE-2025-65238 2025-11-26 N/A 0.0 Incorrect access control in the getSubUsersByProvider function of OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 allows attackers with low-level privileges to dump user records and access…
CVE-2025-65237 2025-11-26 N/A 0.0 A reflected cross-site scripted (XSS) vulnerability in OpenCode Systems USSD Gateway OC Release: 5 allows attackers to execute arbitrary JavaScript in the context of a user's browser via…
CVE-2025-65236 2025-11-26 N/A 0.0 OpenCode Systems USSD Gateway OC Release: 5 was discovered to contain a SQL injection vulnerability via the Session ID parameter in the /occontrolpanel/index.php endpoint.
CVE-2025-65956 2025-11-26 MEDIUM 6.5 Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross‑site scripting (XSS). Any…
CVE-2025-65235 2025-11-26 N/A 0.0 OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 was discovered to contain a SQL injection vulnerability via the ID parameter in the getSubUsersByProvider function.
CVE-2025-63938 2025-11-26 MEDIUM 6.5 Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c.
CVE-2025-64063 2025-11-25 CRITICAL 9.8 Primakon Pi Portal 1.0.18 API endpoints fail to enforce sufficient authorization checks when processing requests. Specifically, a standard user can exploit this flaw by sending direct HTTP requests…
CVE-2025-46175 2025-11-26 N/A 0.0 Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the authRole method of SysUserController.java.
CVE-2025-66258 2025-11-26 N/A 0.0 Stored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an…
CVE-2025-66257 2025-11-26 N/A 0.0 Unauthenticated Arbitrary File Deletion (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker…
CVE-2025-66026 2025-11-26 MEDIUM 6.1 REDAXO is a PHP-based CMS. Prior to version 5.20.1, a reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view where the request parameter args[types] is rendered into…
CVE-2025-66022 2025-11-26 CRITICAL 9.6 FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code to execute arbitrary…
CVE-2025-66021 2025-11-26 N/A 0.0 OWASP Java HTML Sanitizer is a configureable HTML Sanitizer written in Java, allowing inclusion of HTML authored by third-parties in web applications while protecting against XSS. In version…
CVE-2025-64704 2025-11-25 MEDIUM 4.7 WebAssembly Micro Runtime (WAMR) is a lightweight standalone WebAssembly (Wasm) runtime. Prior to version 2.4.4, WAMR is susceptible to a segmentation fault in v128.store instruction. This issue has…
CVE-2025-62354 2025-11-26 CRITICAL 9.8 Improper neutralization of special elements used in an OS command ('command injection') in Cursor allows an unauthorized attacker to execute commands that are outside of those specified in…
CVE-2025-62703 2025-11-25 HIGH 8.8 Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. In version 0.9.2…
CVE-2025-56396 2025-11-26 N/A 0.0 An issue was discovered in Ruoyi 4.8.1 allowing attackers to gain escalated privileges due to the owning department having higher rights than the active user.
CVE-2025-50402 2025-11-26 N/A 0.0 FAST FAC1200R F400_FAC1200R_Q is vulnerable to Buffer Overflow in the function sub_80435780 via the parameter string fac_password.
CVE-2025-50399 2025-11-26 N/A 0.0 FAST FAC1200R F400_FAC1200R_Q is vulnerable to Buffer Overflow in the function sub_80435780 via the parameter password.
CVE-2025-46174 2025-11-26 N/A 0.0 Ruoyi v4.8.0 vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the resetPwd Method of SysUserController.java.
CVE-2025-45311 2025-11-26 N/A 0.0 Insecure permissions in fail2ban-client v0.11.2 allows attackers with limited sudo privileges to perform arbitrary operations as root.
CVE-2025-3747 2025-11-26 N/A 0.0 Rejected reason: This CVE ID was duplicated of CVE-2025-32801
CVE-2025-64065 2025-11-25 HIGH 8.8 The Primakon Pi Portal 1.0.18 API /api/V2/pp_udfv_admin endpoint, fails to perform necessary server-side validation. The administrative LoginAs or user impersonation feature is vulnerable to a access control failure.…
CVE-2025-64062 2025-11-25 HIGH 8.8 The Primakon Pi Portal 1.0.18 /api/V2/pp_users?email endpoint is used for user data filtering but lacks proper server-side validation against the authenticated session. By manipulating the email parameter to…
CVE-2025-59390 2025-11-26 CRITICAL 9.8 Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`, which is…
CVE-2025-63735 2025-11-25 MEDIUM 6.1 A reflected Cross site scripting (XSS) vulnerability in Ruckus Unleashed 200.13.6.1.319 via the name parameter to the the captive-portal endpoint selfguestpass/guestAccessSubmit.jsp.
CVE-2025-51746 2025-11-25 CRITICAL 9.8 An issue was discovered in jishenghua JSH_ERP 2.3.1. The /serialNumber/addSerialNumber endpoint is vulnerable to fastjson deserialization attacks.
CVE-2025-51745 2025-11-25 CRITICAL 9.8 An issue was discovered in jishenghua JSH_ERP 2.3.1. The /role/addcan endpoint is vulnerable to fastjson deserialization attacks.
CVE-2025-51744 2025-11-25 CRITICAL 9.8 An issue was discovered in jishenghua JSH_ERP 2.3.1. The /user/addUser endpoint is vulnerable to fastjson deserialization attacks.
CVE-2025-51743 2025-11-25 CRITICAL 9.8 An issue was discovered in jishenghua JSH_ERP 2.3.1. The /materialCategory/addMaterialCategory endpoint is vulnerable to fastjson deserialization attacks.
CVE-2025-51742 2025-11-25 CRITICAL 9.8 An issue was discovered in jishenghua JSH_ERP 2.3.1. The /material/getMaterialEnableSerialNumberList endpoint passes the search query parameter directly to parseObject(), introducing a Fastjson deserialization vulnerability that can lead to…
CVE-2025-13601 2025-11-26 HIGH 7.7 A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very…
CVE-2025-12061 2025-11-26 HIGH 8.6 The TAX SERVICE Electronic HDM WordPress plugin before 1.2.1 does not authorization and CSRF checks in an AJAX action, allowing unauthenticated users to import and execute arbitrary SQL…
CVE-2025-9191 2025-11-26 MEDIUM 6.3 The Houzez theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.6 via deserialization of untrusted input in saved-search-item.php. This makes…
CVE-2025-9163 2025-11-26 MEDIUM 6.1 The Houzez theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.1.6 due to insufficient input sanitization…
CVE-2025-13674 2025-11-26 MEDIUM 5.5 BPv7 dissector crash in Wireshark 4.6.0 allows denial of service
CVE-2025-13735 2025-11-26 HIGH 7.4 Out-of-bounds Read vulnerability in ASR1903、ASR3901 in ASR Lapwing_Linux on Linux (nr_fw modules). This vulnerability is associated with program files Code/nr_fw/DLP/src/NrCgi.C. This issue affects Lapwing_Linux: before 2025/11/26.
CVE-2025-9558 2025-11-26 HIGH 7.6 There is a potential OOB Write vulnerability in the gen_prov_start function in pb_adv.c. The full length of the received data is copied into the link.rx.buf receiver buffer without…
CVE-2025-9557 2025-11-26 HIGH 7.6 ‭An out-of-bound write can lead to an arbitrary code execution. Even on devices with some form of memory protection, this can still lead to‬ ‭a crash and a…
CVE-2025-59820 2025-11-26 MEDIUM 6.7 In KDE Krita before 5.2.13, loading a manipulated TGA file could result in a heap-based buffer overflow in plugins/impex/tga/kis_tga_import.cpp (aka KisTgaImport). Control flow proceeds even when a number…
CVE-2025-55174 2025-11-26 LOW 3.2 In KDE Skanpage before 25.08.0, an attempt at file overwrite can result in the contents of the new file at the beginning followed by the partial contents of…
CVE-2025-64983 2025-11-26 HIGH 8.0 Smart Video Doorbell firmware versions prior to 2.01.078 contain an active debug code vulnerability that allows an attacker to connect via Telnet and gain access to the device.
CVE-2025-66235 2025-11-26 N/A 0.0 Rejected reason: Not used
CVE-2025-66234 2025-11-26 N/A 0.0 Rejected reason: Not used
CVE-2025-66233 2025-11-26 N/A 0.0 Rejected reason: Not used
CVE-2025-66232 2025-11-26 N/A 0.0 Rejected reason: Not used
« Anterior Página 268 de 3934 Siguiente »