CVE Vulnerabilities

Below is the list of the latest vulnerabilities published by NIST:

CVE ID Published Severity CVSS Description
CVE-2026-56043 2026-06-26 HIGH 7.1 Unauthenticated Cross Site Scripting (XSS) in Customer Reviews for WooCommerce
CVE-2026-57620 2026-06-26 MEDIUM 6.5 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tim Strifler Exclusive Addons Elementor allows Stored XSS. This issue affects Exclusive Addons Elementor: from n/a…
CVE-2026-54353 2026-06-26 HIGH 8.5 Budibase is an open-source low-code platform. Prior to 3.39.9, authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow validates a…
CVE-2026-54351 2026-06-26 HIGH 8.2 Budibase is an open-source low-code platform. Prior to 3.39.9, the webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution…
CVE-2026-54350 2026-06-26 CRITICAL 10.0 Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or…
CVE-2026-56035 2026-06-26 HIGH 8.6 Unauthenticated Multiple Vulnerabilities in BitFire Security
CVE-2026-56029 2026-06-26 HIGH 7.5 Unauthenticated Broken Authentication in CorvusPay WooCommerce Payment Gateway
CVE-2026-56010 2026-06-26 HIGH 8.8 Subscriber Privilege Escalation in Abandoned Cart Pro for WooCommerce
CVE-2026-54837 2026-06-26 HIGH 7.5 Unauthenticated Broken Access Control in Intranet & Private Site – All-In-One Intranet
CVE-2026-54827 2026-06-26 CRITICAL 9.3 Unauthenticated SQL Injection in Real Estate 7
CVE-2026-52885 2026-06-26 N/A 0.0 Notepad++ is a free and open-source source code editor. Prior to 8.9.6.4, NppCommands.cpp checks the HMAC of the on-disk shortcuts.xml at the moment a user command fires (Time-of-Check).…
CVE-2026-52884 2026-06-26 HIGH 7.8 Notepad++ is a free and open-source source code editor. In v8.9.6.1, isInTrustedDirectory() does NOT canonicalize the path before checking. It uses a prefix-based check (PathIsPrefix() or equivalent) that…
CVE-2026-50137 2026-06-26 N/A 0.0 Budibase is an open-source low-code platform. Prior to 3.39.0, an anonymous attacker who knows or can enumerate a workspace id (app_...) and an S3-source datasource id (ds_...) can…
CVE-2026-50132 2026-06-26 HIGH 7.3 Budibase is an open-source low-code platform. Prior to 3.39.0, `GET /api/chat-links/:instance/:token/handoff` is a public endpoint (no auth required) that performs a permanent, state-changing operation: it binds an external…
CVE-2026-48800 2026-06-26 HIGH 7.8 Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the tag text content inside in shortcuts.xml is read by NppXml::value(aNode) (Parameters.cpp:3658) in the feedUserCmds() function…
CVE-2026-48778 2026-06-26 HIGH 7.8 Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the tag in config.xml is read by NppXml::value() (Parameters.cpp:6430) and stored in _nppGUI._commandLineInterpreter without any validation,…
CVE-2026-48770 2026-06-26 MEDIUM 5.0 Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, a local process in the same interactive Windows session can send a malformed WM_COPYDATA message to…
CVE-2026-46710 2026-06-26 N/A 0.0 Notepad++ is a free and open-source source code editor. From 8.9.4 until 8.9.6, Notepad++ contains a local privilege escalation vulnerability in the installer. During installation, the installer invokes…
CVE-2026-46604 2026-06-26 N/A 0.0 The TIFF decoder can panic when decoding an invalid image with an out-of-bounds strip offset.
CVE-2026-39031 2026-06-26 N/A 0.0 Lansweeper lsrunase 2.0 and lsencrypt 2.0 use RC4 encryption with a hardcoded 142-byte static key array to encrypt credentials. An 8-character prefix is stored in cleartext alongside the…
CVE-2026-38641 2026-06-26 N/A 0.0 An issue in the DSO::mmap_and_copy function of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via loading a crafted shared library.
CVE-2026-38639 2026-06-26 N/A 0.0 An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of Service (DoS) via parsing a crafted input.
CVE-2026-24547 2026-06-26 MEDIUM 5.3 Unauthenticated Broken Access Control in SiteGround Email Marketing
CVE-2025-66123 2026-06-26 MEDIUM 5.3 Unauthenticated Insecure Direct Object References (IDOR) in BookPro
CVE-2026-30041 2026-06-26 HIGH 7.5 An integer overflow in the PSD parser component of FastStone Image Viewer v8.3 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via supplying…
CVE-2026-30040 2026-06-26 MEDIUM 6.5 A heap overflow in the FSViewer.exe process of FastStone Image Viewer v8.3 allows attackers to execute arbitrary code in the context of the current process via…
CVE-2026-57920 2026-06-26 HIGH 7.7 Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/{orgId} endpoints.
CVE-2026-57940 2026-06-26 N/A 0.0 HTMLy 3.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed import functionality. The function get_feed() in system/admin/admin.php passes user-supplied $feed_url directly to file_get_contents() without any…
CVE-2026-8797 2026-06-26 N/A 0.0 An access control deficiency vulnerability exists in ExpressUpdate Agent for Windows. If a malicious user gains access to the product, arbitrary code could be executed with SYSTEM privileges.
CVE-2026-8661 2026-06-26 MEDIUM 4.8 Server-Side Cross-Site Scripting and Server-Side Request Forgery vulnerability in the markdown_to_pdf action of Rapid7 InsightConnect Markdown Plugin version 3.1.4 and earlier on Linux allows remote attackers to execute…
CVE-2026-32833 2026-06-26 HIGH 8.8 Cudy LT300 3.0 running firmware prior to version 2.5.12 contains an OS command injection vulnerability that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters into…
CVE-2026-22879 2026-06-25 HIGH 8.1 vtk vtk-dicom vtkDICOMItem::NewDataElement heap-based buffer overflow vulnerability
CVE-2021-47987 2026-06-25 HIGH 7.5 Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork…
CVE-2025-7958 2026-06-26 N/A 0.0 A Code Injection vulnerability existed in Trellix Network Security CM and NX. A locally authenticated admin user can execute arbitrary code using the web interface and Alert artifact…
CVE-2026-54479 2026-06-25 HIGH 7.3 The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session…
CVE-2026-50176 2026-06-25 HIGH 7.5 The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks or brute-force…
CVE-2026-44622 2026-06-25 MEDIUM 6.5 Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CVE-2026-40702 2026-06-25 CRITICAL 9.4 WebSocket endpoints lack proper authentication mechanisms, enabling attackers to impersonate charging stations. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or…
CVE-2026-55189 2026-06-26 HIGH 7.7 RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, when the FTP frontend is enabled, the FTP read and probe handlers dispatch directly…
CVE-2026-52785 2026-06-26 CRITICAL 9.9 OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a SQL injection in timestamps functionality. OpenProject baseline comparison allows callers to request historic…
CVE-2026-52784 2026-06-26 HIGH 8.8 OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a CSRF on TARGET through /users/:id via POST parameter "user[admin]". This vulnerability is fixed…
CVE-2026-52783 2026-06-26 HIGH 8.2 OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, OpenProject's Storages module writes the OneDrive/SharePoint userless OAuth access_token plaintext to Rails.cache under the deterministic key…
CVE-2026-52782 2026-06-26 CRITICAL 9.9 OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is an IDOR through /projects//settings/project_storages/ via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized Resources.…
CVE-2026-52781 2026-06-26 MEDIUM 6.4 OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the HTML sanitizer grants elements unrestricted data-* attributes via :data wildcard. An attacker injects data-controller="poll-for-changes" into…
CVE-2026-52779 2026-06-26 MEDIUM 5.4 OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a…
CVE-2026-49991 2026-06-26 HIGH 8.6 RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.4, authenticated users with only PutObject permission on their own bucket can exploit a path traversal vulnerability…
CVE-2026-49355 2026-06-26 MEDIUM 4.3 OpenProject is open-source, web-based project management software. Prior to 17.4.0, `GET /api/v3/meetings/:meeting_id/agenda_items/:agenda_item_id` discloses private work package data from a linked work package that belongs to a private/inaccessible project.…
CVE-2026-47193 2026-06-26 HIGH 7.5 OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the journal diff endpoint discloses hidden historical field values without enforcing object and field visibility. This…
CVE-2026-46386 2026-06-26 CRITICAL 9.9 OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KEY_BASE=OVERWRITE_ME as the default Rails master key. Combined with cookies_serializer =…
CVE-2026-44735 2026-06-26 MEDIUM 6.5 OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the GET /api/v3/shares endpoint returns share details for ALL work packages in a project to any…