Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2025-62189 2025-11-21 MEDIUM 4.3 LogStare Collector contains an incorrect authorization vulnerability in UserRegistration. If exploited, a non-administrative user may create a new user account by sending a crafted HTTP request.
CVE-2025-61949 2025-11-21 MEDIUM 5.4 LogStare Collector contains a stored cross-site scripting vulnerability in UserManagement. If crafted user information is stored, an arbitrary script may be executed on the web browser of the…
CVE-2025-58097 2025-11-21 MEDIUM 5.5 The installation directory of LogStare Collector is configured with incorrect access permissions. A non-administrative user may manipulate files within the installation directory and execute arbitrary code with the…
CVE-2025-9825 2025-11-21 MEDIUM 5.0 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 to 18.2.8, 18.3 before 18.3.4, and 18.4 before 18.4.2 that could have allowed authenticated users…
CVE-2025-13499 2025-11-21 HIGH 7.8 Kafka dissector crash in Wireshark 4.6.0 and 4.4.0 to 4.4.10 allows denial of service
CVE-2025-12169 2025-11-21 MEDIUM 4.3 The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_eh_crm_settings_empty_scheduled_actions' AJAX…
CVE-2025-12085 2025-11-21 MEDIUM 4.3 The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_settings_empty_trash' function…
CVE-2025-12023 2025-11-21 MEDIUM 4.3 The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eh_crm_restore_data() function…
CVE-2025-12022 2025-11-21 MEDIUM 4.3 The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_settings_restore_trash' AJAX…
CVE-2025-11368 2025-11-21 MEDIUM 5.3 The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing…
CVE-2025-64310 2025-11-21 CRITICAL 9.8 EPSON WebConfig and Epson Web Control for SEIKO EPSON Projector Products do not restrict excessive authentication attempts. An administrative user's password may be identified through a brute force…
CVE-2025-64762 2025-11-21 N/A 0.0 The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In authkit-nextjs version 2.11.0 and below, authenticated responses do…
CVE-2025-64755 2025-11-21 N/A 0.0 Claude Code is an agentic coding tool. Prior to version 2.0.31, due to an error in sed command parsing, it was possible to bypass the Claude Code read-only…
CVE-2025-64751 2025-11-21 N/A 0.0 OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.4.0 to v1.11.0 ( openfga-0.1.34
CVE-2025-62426 2025-11-21 MEDIUM 6.5 vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before 0.11.1, the /v1/chat/completions and /tokenize endpoints allow a chat_template_kwargs request parameter…
CVE-2025-62372 2025-11-21 N/A 0.0 vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before 0.11.1, users can crash the vLLM engine serving multimodal models by…
CVE-2025-62164 2025-11-21 HIGH 8.8 vLLM is an inference and serving engine for large language models (LLMs). From versions 0.10.2 to before 0.11.1, a memory corruption vulnerability could lead to a crash (denial-of-service)…
CVE-2025-13485 2025-11-21 HIGH 7.3 A security flaw has been discovered in itsourcecode Online File Management System 1.0. This issue affects some unknown processing of the file /ajax.php?action=login. The manipulation of the argument…
CVE-2025-64655 2025-11-20 HIGH 8.8 Improper authorization in Dynamics OmniChannel SDK Storage Containers allows an unauthorized attacker to elevate privileges over a network.
CVE-2025-62459 2025-11-20 HIGH 8.3 Microsoft Defender Portal Spoofing Vulnerability
CVE-2025-62207 2025-11-20 HIGH 8.6 Azure Monitor Elevation of Privilege Vulnerability
CVE-2025-36072 2025-11-20 HIGH 8.8 IBM webMethods Integration 10.11 through 10.11_Core_Fix22, 10.15 through 10.15_Core_Fix22, and 11.1 through 11.1_Core_Fix6 IBM webMethods Integration allow an authenticated user to execute arbitrary code on the system, caused…
CVE-2025-13087 2025-11-20 MEDIUM 6.2 A vulnerability exists in the Opto22 Groov Manage REST API on GRV-EPIC and groov RIO Products that allows remote code execution with root privileges. When a POST request…
CVE-2025-64770 2025-11-20 MEDIUM 6.8 The affected products allow unauthenticated access to Open Network Video Interface Forum (ONVIF) services, which may allow an attacker unauthorized access to camera configuration information.
CVE-2025-62674 2025-11-20 MEDIUM 6.8 The affected product allows unauthenticated access to Real Time Streaming Protocol (RTSP) services, which may allow an attacker unauthorized access to camera configuration information.
CVE-2025-55124 2025-11-20 MEDIUM 6.1 Improper neutralisation of input in Revive Adserver 6.0.0+ causes a reflected XSS attack in the banner-zone.php script.
CVE-2025-55123 2025-11-20 LOW 3.5 Improper neutralization of input in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes manager accounts to be able to craft XSS attacks to their own advertiser users.
CVE-2025-52671 2025-11-20 MEDIUM 4.3 Debug information disclosure in the SQL error message to in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes non-admin users to acquire information about the software, PHP…
CVE-2025-52670 2025-11-20 HIGH 7.1 Missing authorization check in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes users on the system to delete banners owned by other accounts
CVE-2025-52669 2025-11-20 MEDIUM 4.3 Insecure design policies in the user management system of Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes non-admin users to have access to the contact name and…
CVE-2025-52668 2025-11-20 HIGH 8.7 Improper input neutralization in the stats-conversions.php script in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes potential information disclosure and session hijacking via a stored XSS attack.
CVE-2025-52667 2025-11-20 LOW 3.5 Missing JSON Content-Type header in a script in Revive Adserver 6.0.1 and 5.5.2 and earlier versions causes a stored XSS attack to be possible for a logged in…
CVE-2025-52666 2025-11-20 LOW 2.7 Improper neutralisation of format characters in the settings of Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes an administrator user to disable the admin user console due…
CVE-2025-48987 2025-11-20 MEDIUM 6.3 Improper Neutralization of Input in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes a potential reflected XSS attack.
CVE-2025-48986 2025-11-20 HIGH 8.8 Authorization bypass in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes an logged in attacker to change other users' email address and potentialy take over their accounts…
CVE-2025-35029 2025-11-20 LOW 3.5 Medical Informatics Engineering Enterprise Health has a stored cross site scripting vulnerability that allows an authenticated attacker to add arbitrary content in the 'Demographic Information' page. This content…
CVE-2025-63700 2025-11-20 HIGH 7.5 An issue was discovered in Clerk-js 5.88.0 allowing attackers to bypass the OAuth authentication flow by manipulating the request at the OTP verification stage.
CVE-2025-55128 2025-11-20 MEDIUM 6.5 HackerOne community member Dao Hoang Anh (yoyomiski) has reported an uncontrolled resource consumption vulnerability in the “userlog-index.php”. An attacker with access to the admin interface could request an…
CVE-2025-55127 2025-11-20 MEDIUM 5.4 HackerOne community member Dao Hoang Anh (yoyomiski) has reported an improper neutralization of whitespace in the username when adding new users. A username with leading or trailing whitespace…
CVE-2025-55126 2025-11-20 MEDIUM 6.5 HackerOne community member Dang Hung Vi (vidang04) has reported a stored XSS vulnerability involving the navigation box at the top of advertiser-related pages, with campaign names being the…
CVE-2025-10571 2025-11-20 CRITICAL 9.6 Authentication Bypass Using an Alternate Path or Channel vulnerability in ABB ABB Ability Edgenius.This issue affects ABB Ability Edgenius: 3.2.0.0, 3.2.1.1.
CVE-2025-63889 2025-11-20 HIGH 7.5 The fetch function in file thinkphp\library\think\Template.php in ThinkPHP 5.0.24 allows attackers to read arbitrary files via crafted file path in a template value.
CVE-2025-64027 2025-11-20 MEDIUM 6.1 Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message…
CVE-2025-63848 2025-11-20 MEDIUM 6.1 Stored cross site scripting (xss) vulnerability in SWISH prolog thru 2.2.0 allowing attackers to execute arbitrary code via crafted web IDE notebook.
CVE-2025-60799 2025-11-20 MEDIUM 6.1 phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized manipulation of session variables by accepting user-controlled parameters ('subject',…
CVE-2025-60798 2025-11-20 MEDIUM 6.5 phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in display.php at line 396. The application passes user-controlled input from $_REQUEST['query'] directly to the browseQuery function without proper…
CVE-2025-60797 2025-11-20 MEDIUM 6.5 phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in dataexport.php at line 118. The application directly executes user-supplied SQL queries from the $_REQUEST['query'] parameter without any sanitization…
CVE-2025-60738 2025-11-20 HIGH 7.5 An issue in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before Logic Version v6.00 - 2025_07_21 and before allows a remote attacker to execute arbitrary code via…
CVE-2025-60794 2025-11-20 MEDIUM 6.5 Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of…
CVE-2025-52410 2025-11-20 MEDIUM 6.5 Institute-of-Current-Students v1.0 contains a time-based blind SQL injection vulnerability in the mydetailsstudent.php endpoint. The `myds` GET parameter is not adequately sanitized before being used in SQL queries.
« Anterior Página 278 de 3934 Siguiente »