Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2026-41456 2026-04-21 N/A 0.0 Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious…
CVE-2026-40865 2026-04-21 N/A 0.0 Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document viewer allows any authenticated user…
CVE-2026-40614 2026-04-21 N/A 0.0 PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is a buffer overflow when decoding Opus audio frames due…
CVE-2026-40608 2026-04-21 MEDIUM 6.2 Next AI Draw.io is a next.js web application that integrates AI capabilities with draw.io diagrams. Prior to 0.4.15, the embedded HTTP sidecar contains three POST handlers (/api/state, /api/restore,…
CVE-2026-40599 2026-04-21 N/A 0.0 ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.5, ClearanceKit incorrectly treats a process with an empty Team ID and a non-empty…
CVE-2026-40594 2026-04-21 MEDIUM 4.8 pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwarded-Proto header from any HTTP request…
CVE-2026-37748 2026-04-21 HIGH 7.2 Visitor Management System 1.0 by sanjay1313 is vulnerable to Unrestricted File Upload in vms/php/admin_user_insert.php and vms/php/update_1.php. The move_uploaded_file() function is called without any MIME type, extension, or content…
CVE-2026-22751 2026-04-21 MEDIUM 4.8 Vulnerability in Spring Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue affects Spring Security: from 6.4.0 through…
CVE-2017-20230 2026-04-21 CRITICAL 10.0 Storable versions before 3.05 for Perl has a stack overflow. The retrieve_hook function stored the length of the class name into a signed integer but in read operations…
CVE-2026-31019 2026-04-21 HIGH 8.8 In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An…
CVE-2026-31014 2026-04-21 MEDIUM 6.3 Dovestones Softwares AD Self Update
CVE-2026-31013 2026-04-21 MEDIUM 6.1 Dovestones Softwares ADPhonebook
CVE-2026-41194 2026-04-21 MEDIUM 5.4 FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as `GET /mailbox/oauth-disconnect/{id}/{in_out}/{provider}`. It removes stored OAuth…
CVE-2026-41192 2026-04-21 HIGH 7.1 FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the reply and draft flows trust client-supplied encrypted attachment IDs. Any IDs present in…
CVE-2026-5652 2026-04-21 CRITICAL 9.0 An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions…
CVE-2026-6729 2026-04-20 MEDIUM 6.3 HKUDS OpenHarness prior to PR #159 remediation contains a session key derivation vulnerability that allows authenticated participants in shared chats or threads to hijack other users' sessions by…
CVE-2026-40606 2026-04-21 MEDIUM 4.8 mitmproxy is a interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers and mitmweb is a web-based interface for mitmproxy. In mitmproxy 12.2.1 and below, the…
CVE-2026-40604 2026-04-21 N/A 0.0 ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.6, the opfilter Endpoint Security system extension (bundle ID uk.craigbass.clearancekit.opfilter) can be suspended with…
CVE-2026-40602 2026-04-21 MEDIUM 5.6 The Home Assistant Command-line interface (hass-cli) is a command-line tool for Home Assistant. Up to 1.0.0 of home-assitant-cli an unrestricted environment was used to handle Jninja2 templates instead…
CVE-2026-40591 2026-04-21 HIGH 7.1 FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the phone-conversation creation flow accepts attacker-controlled `customer_id`, `name`, `to_email`, and `phone` values and resolves…
CVE-2026-40590 2026-04-21 MEDIUM 4.3 FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the Change Customer modal exposes a “Create a new customer” flow via POST /customers/ajax…
CVE-2026-40585 2026-04-21 HIGH 7.4 blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a password reset is initiated, a 128-character CSPRNG token is generated and stored alongside a…
CVE-2026-40569 2026-04-21 CRITICAL 9.0 FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a mass assignment vulnerability in the mailbox connection settings endpoints of FreeScout (`connectionIncomingSave()`…
CVE-2026-40566 2026-04-21 MEDIUM 4.1 FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a Server-Side Request Forgery (SSRF) vulnerability in the IMAP/SMTP connection test functionality of…
CVE-2026-33432 2026-04-20 N/A 0.0 Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, Roxy-WI constructs an…
CVE-2026-29644 2026-04-21 MEDIUM 5.3 XiangShan (open-source high-performance RISC-V processor) commit edb1dfaf7d290ae99724594507dc46c2c2125384 (2024-11-28) has improper gating of its distributed CSR write-enable path, allowing illegal CSR write attempts to alter custom PMA (Physical Memory…
CVE-2026-21571 2026-04-21 N/A 0.0 This Critical severity OS Command Injection vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center.   This RCE (Remote…
CVE-2026-6743 2026-04-21 LOW 3.5 A vulnerability has been found in WebSystems WebTOTUM 2026. This impacts an unknown function of the component Calendar. The manipulation leads to cross site scripting. The attack may…
CVE-2026-41191 2026-04-21 HIGH 7.1 FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, `MailboxesController::updateSave()` persists `chat_start_new` outside the allowed-field filter. A user with only the mailbox `sig`…
CVE-2026-41190 2026-04-21 HIGH 7.1 FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, when `APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS` is enabled, direct conversation view correctly blocks users who are neither the…
CVE-2026-41189 2026-04-21 HIGH 7.1 FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, customer-thread editing is authorized through `ThreadPolicy::edit()`, which checks mailbox access but does not apply…
CVE-2026-40592 2026-04-21 MEDIUM 5.9 FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the undo-send route `GET /conversation/undo-reply/{thread_id}` checks only whether the current user can view the…
CVE-2026-40584 2026-04-21 N/A 0.0 RansomLook is a tool to monitor Ransomware groups and markets and extract their victims. Prior to 1.9.0, the API in the affected application improperly filters private location entries…
CVE-2026-40576 2026-04-21 CRITICAL 9.4 excel-mcp-server is a Model Context Protocol server for Excel file manipulation. A path traversal vulnerability exists in excel-mcp-server versions up to and including 0.1.7. When running in SSE…
CVE-2026-40574 2026-04-21 MEDIUM 6.8 OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Prior to 7.15.2, an authorization bypass exists in OAuth2 Proxy as part of the email_domain enforcement…
CVE-2026-40161 2026-04-21 HIGH 7.7 Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 1.0.0 to 1.10.0, the Tekton Pipelines git resolver in API mode sends the system-configured Git API token…
CVE-2026-40050 2026-04-21 CRITICAL 9.8 CrowdStrike has released security updates to address a critical unauthenticated path traversal vulnerability (CVE-2026-40050) in LogScale. This vulnerability only requires mitigation by customers that host specific versions of…
CVE-2026-38835 2026-04-21 N/A 0.0 Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the formSetUSBPartitionUmount function via the usbPartitionName parameter. This vulnerability allows attackers to execute arbitrary commands…
CVE-2026-35451 2026-04-21 MEDIUM 5.7 Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation…
CVE-2026-30452 2026-04-21 N/A 0.0 Textpattern CMS 4.9.0 contains a Broken Access Control vulnerability in the article management system that allows authenticated users with low privileges to modify articles owned by users with…
CVE-2026-29179 2026-04-21 LOW 3.3 October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in…
CVE-2026-27937 2026-04-21 LOW 3.1 October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget…
CVE-2026-26274 2026-04-21 MEDIUM 6.6 October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database…
CVE-2026-26067 2026-04-21 MEDIUM 4.9 October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor…
CVE-2026-25542 2026-04-21 MEDIUM 6.5 Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 0.43.0 to 1.11.0, trusted resources verification policies match a resource source string (refSource.URI) against spec.resources[].pattern using regexp.MatchString.…
CVE-2026-24189 2026-04-21 HIGH 8.2 NVIDIA CUDA-Q contains a vulnerability in an endpoint, where an unauthenticated attacker could cause an out-of-bounds read by sending a maliciously crafted request. A successful exploit of this…
CVE-2026-24177 2026-04-21 HIGH 7.7 NVIDIA KAI Scheduler contains a vulnerability where an attacker could access API endpoints without authorization. A successful exploit of this vulnerability might lead to information disclosure.
CVE-2026-24176 2026-04-21 MEDIUM 4.3 NVIDIA KAI Scheduler contains a vulnerability where an attacker could cause improper authorization through cross-namespace pod references. A successful exploit of this vulnerability might lead to data tampering.
CVE-2025-15638 2026-04-21 CRITICAL 10.0 Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt. Net::Dropbear versions before 0.14 includes versions of Dropbear 2019.78 or earlier. These include versions of libtomcrypt…
CVE-2019-25714 2026-04-21 N/A 0.0 Seeyon OA A8 contains an unauthenticated arbitrary file write vulnerability in the /seeyon/htmlofficeservlet endpoint that allows remote attackers to write arbitrary files to the web application root by…
« Anterior Página 277 de 4464 Siguiente »