CVE Vulnerabilities

Below is the list of the latest vulnerabilities published by NIST:

| CVE ID | Published | Severity | CVSS | Description |
|---|---|---|---|---|
| CVE-2025-13085 | 2025-11-19 | MEDIUM | 4.3 | The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to Improper Authorization leading to Sensitive Post Meta Disclosure in versions up to and including 1.3.2. This is… |
| CVE-2025-12535 | 2025-11-19 | MEDIUM | 5.3 | The SureForms plugin for WordPress is vulnerable to Cross-Site Request Forgery Bypass in all versions up to, and including, 1.13.1. This is due to the plugin distributing generic… |
| CVE-2025-12056 | 2025-11-19 | N/A | 0.0 | Out-of-bounds Read in Shelly Pro 3EM (before v1.4.4) allows Overread Buffers. |
| CVE-2025-11243 | 2025-11-19 | N/A | 0.0 | Allocation of Resources Without Limits or Throttling vulnerability in Shelly Pro 4PM (before v1.6) allows Excessive Allocation via network. |
| CVE-2025-13145 | 2025-11-19 | HIGH | 7.2 | The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This… |
| CVE-2025-13054 | 2025-11-19 | MEDIUM | 6.4 | The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wppb-embed… |
| CVE-2025-12878 | 2025-11-19 | MEDIUM | 6.4 | The FunnelKit – Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `wfop_phone` shortcode in all versions up to, and including,… |
| CVE-2025-12842 | 2025-11-19 | MEDIUM | 5.3 | The Booking Plugin for WordPress Appointments – Time Slot plugin for WordPress is vulnerable to unauthorized email sending in versions up to, and including, 1.4.7 due to missing… |
| CVE-2025-12822 | 2025-11-19 | MEDIUM | 4.3 | The WP Login and Register using JWT plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mo_jwt_generate_new_api_key' function in… |
| CVE-2025-12814 | 2025-11-19 | MEDIUM | 5.3 | The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect capability check on the siteseo_reset_settings function in all versions… |
| CVE-2025-12751 | 2025-11-19 | MEDIUM | 4.3 | The WSChat – WordPress Live Chat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'reset_settings' AJAX endpoint in… |
| CVE-2025-12710 | 2025-11-19 | MEDIUM | 6.4 | The Pet-Manager – Petfinder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kwm-petfinder shortcode in all versions up to, and including, 3.6.1 due to insufficient… |
| CVE-2025-12646 | 2025-11-19 | HIGH | 7.5 | The Community Events plugin for WordPress is vulnerable to SQL Injection via the 'dayofyear' parameter in all versions up to, and including, 1.5.4 due to insufficient escaping on… |
| CVE-2025-12359 | 2025-11-19 | MEDIUM | 5.4 | The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5.3 via the 'get_image_size_by_url' function. This is… |
| CVE-2025-12174 | 2025-11-19 | MEDIUM | 6.5 | The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'directorist_prepare_listings_export_file' and… |
| CVE-2025-12426 | 2025-11-19 | MEDIUM | 5.3 | The Quiz Maker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.7.0.80. This is due to the plugin exposing quiz… |
| CVE-2025-12349 | 2025-11-19 | MEDIUM | 5.3 | The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Authorization in versions up to, and including, 5.9.10. This is due to… |
| CVE-2025-6251 | 2025-11-19 | MEDIUM | 6.4 | The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via $item['field_id'] in all versions up to, and including, 1.7.1036 due to insufficient… |
| CVE-2025-13051 | 2025-11-19 | N/A | 0.0 | When the service of ABP and AES is installed in a directory writable by non-administrative users, an attacker can replace or plant a DLL with the same name… |
| CVE-2025-12777 | 2025-11-19 | MEDIUM | 5.3 | The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.10.0. This is due to the plugin not properly… |
| CVE-2025-12770 | 2025-11-19 | MEDIUM | 5.3 | The New User Approve plugin for WordPress is vulnerable to unauthorized data disclosure in all versions up to, and including, 3.0.9 due to insufficient API key validation using… |
| CVE-2025-12427 | 2025-11-19 | MEDIUM | 5.3 | The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.10.0 via the REST API endpoint and… |
| CVE-2025-12852 | 2025-11-19 | N/A | 0.0 | DLL Loading vulnerability in NEC Corporation RakurakuMusen Start EX All Versions allows an attacker to manipulate the PC environment to cause unintended operations on the user's device. |
| CVE-2025-65093 | 2025-11-18 | MEDIUM | 5.5 | LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a boolean-based blind SQL injection vulnerability was identified in the LibreNMS application at the /ajax_output.php… |
| CVE-2025-65015 | 2025-11-18 | N/A | 0.0 | joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions from 1.3.3 to before 1.3.5 and from 1.4.0… |
| CVE-2025-65014 | 2025-11-18 | LOW | 3.7 | LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a weak password policy vulnerability was identified in the user management functionality of the LibreNMS… |
| CVE-2025-65013 | 2025-11-18 | MEDIUM | 6.2 | LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a reflected cross-site scripting (XSS) vulnerability was identified in the LibreNMS application at the /maps/nodeimage… |
| CVE-2025-65012 | 2025-11-18 | N/A | 0.0 | Kirby is an open-source content management system. From versions 5.0.0 to 5.1.3, attackers could change the title of any page or the name of any user to a… |
| CVE-2025-64515 | 2025-11-18 | MEDIUM | 4.3 | Open Forms allows users create and publish smart forms. Prior to versions 3.2.7 and 3.3.3, forms where the prefill data fields are dynamically set to readonly/disabled can be… |
| CVE-2025-64325 | 2025-11-18 | N/A | 0.0 | Emby Server is a personal media server. Prior to version 4.8.1.0 and prior to Beta version 4.9.0.0-beta, a malicious user can send an authentication request with a manipulated… |
| CVE-2025-64324 | 2025-11-18 | N/A | 0.0 | KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107… |
| CVE-2025-62406 | 2025-11-18 | HIGH | 8.1 | Piwigo is a full featured open source photo gallery application for the web. In Piwigo 15.6.0, using the password reset function allows sending a password-reset URL by entering… |
| CVE-2025-54990 | 2025-11-18 | MEDIUM | 5.3 | XWiki AdminTools integrates administrative tools for managing a running XWiki instance. Prior to version 1.1, users without admin rights have access to AdminTools.SpammedPages. View rights are not restricted… |
| CVE-2025-63229 | 2025-11-18 | MEDIUM | 5.4 | The Mozart FM Transmitter web management interface on version WEBMOZZI-00287, contains a reflected Cross-Site Scripting (XSS) vulnerability in the /main0.php endpoint. By injecting a malicious JavaScript payload into… |
| CVE-2025-63217 | 2025-11-18 | CRITICAL | 9.8 | The Itel DAB MUX (IDMUX build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from… |
| CVE-2025-63216 | 2025-11-18 | CRITICAL | 10.0 | The Itel DAB Gateway (IDGat build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from… |
| CVE-2025-63215 | 2025-11-18 | HIGH | 7.2 | The Sound4 IMPACT web-based management interface is vulnerable to Remote Code Execution (RCE) via a malicious firmware update package. The update mechanism fails to validate the integrity of… |
| CVE-2025-12119 | 2025-11-18 | MEDIUM | 6.8 | A mongoc_bulk_operation_t may read invalid memory if large options are passed. |
| CVE-2025-63828 | 2025-11-18 | MEDIUM | 6.1 | Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to redirects to malicious domains and potential session… |
| CVE-2025-63695 | 2025-11-18 | CRITICAL | 9.8 | DzzOffice v2.3.7 and before is vulnerable to Arbitrary File Upload in /dzz/system/ueditor/php/controller.php. |
| CVE-2025-63694 | 2025-11-18 | CRITICAL | 9.8 | DzzOffice v2.3.7 and before is vulnerable to SQL Injection in explorer/groupmanage. |
| CVE-2025-54321 | 2025-11-18 | CRITICAL | 9.8 | In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the reset password function, leading to an email bombing vulnerability. An authenticated attacker can exploit… |
| CVE-2025-56643 | 2025-11-18 | CRITICAL | 9.1 | Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out. As a result, previously issued tokens remain valid and can be… |
| CVE-2025-63228 | 2025-11-18 | CRITICAL | 9.8 | The Mozart FM Transmitter web management interface on version WEBMOZZI-00287, contains an unauthenticated file upload vulnerability in the /upload_file.php endpoint. An attacker can exploit this by sending a… |
| CVE-2025-63227 | 2025-11-18 | HIGH | 7.2 | The Mozart FM Transmitter web management interface on version WEBMOZZI-00287, contains an unrestricted file upload vulnerability in the /patch.php endpoint. An attacker with administrative credentials can upload arbitrary… |
| CVE-2025-63693 | 2025-11-18 | MEDIUM | 5.4 | The comment editing template (dzz/comment/template/edit_form.htm) in DzzOffice 2.3.x lacks adequate security escaping for user-controllable data in multiple contexts, including HTML and JavaScript strings. This allows low-privilege attackers to… |
| CVE-2025-37162 | 2025-11-18 | MEDIUM | 6.5 | A vulnerability in the command line interface of affected devices could allow an authenticated remote attacker to conduct a command injection attack. Successful exploitation could allow an attacker… |
| CVE-2025-37161 | 2025-11-18 | HIGH | 7.5 | A vulnerability in the web-based management interface of affected products could allow an unauthenticated remote attacker to cause a denial of service. Successful exploitation could allow an attacker… |
| CVE-2025-64076 | 2025-11-18 | HIGH | 7.5 | Multiple vulnerabilities exist in cbor2 through version 5.7.0 in the decode_definite_long_string() function of the C extension decoder (source/decoder.c): (1) Integer Underflow Leading to Out-of-Bounds Read (CWE-191, CWE-125): An… |
| CVE-2025-63258 | 2025-11-18 | MEDIUM | 6.5 | A remote command execution (RCE) vulnerability was discovered in all H3C ERG3/ERG5 series routers and XiaoBei series routers, cloud gateways, and wireless access points (versions R0162P07, UAP700-WPT330-E2265, UAP672-WPT330-R2262,… |
Page 282 of 3934