Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2026-33508 2026-03-24 N/A 0.0 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component…
CVE-2026-33498 2026-03-24 N/A 0.0 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send…
CVE-2026-33429 2026-03-24 N/A 0.0 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe…
CVE-2026-33421 2026-03-24 N/A 0.0 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket…
CVE-2026-33417 2026-03-24 MEDIUM 6.5 Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_resets table includes a created_at timestamp column, but…
CVE-2026-33409 2026-03-24 N/A 0.0 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability…
CVE-2026-33323 2026-03-24 N/A 0.0 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.51 and 9.6.0-alpha.40, the Pages route and…
CVE-2026-30932 2026-03-24 N/A 0.0 Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for…
CVE-2026-2417 2026-03-24 N/A 0.0 A Missing Authentication for Critical Function vulnerability in Pharos Controls Mosaic Show Controller firmware version 2.15.3 could allow an unauthenticated attacker to bypass authentication and execute arbitrary commands…
CVE-2026-29772 2026-03-24 MEDIUM 5.9 Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit.…
CVE-2026-23924 2026-03-24 N/A 0.0 Zabbix Agent 2 Docker plugin does not properly sanitize the 'docker.container_info' parameters when forwarding them to the Docker daemon. An attacker capable of invoking Agent 2 can read…
CVE-2026-23923 2026-03-24 N/A 0.0 An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time.
CVE-2026-23921 2026-03-24 N/A 0.0 A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query…
CVE-2026-23920 2026-03-24 N/A 0.0 Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode. If ^ and $ anchors are…
CVE-2026-23919 2026-03-24 N/A 0.0 For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript reprocessing, Webhooks). This can lead to confidentiality loss where a regular (non-super) Zabbix administrator…
CVE-2026-1995 2026-03-24 HIGH 7.8 IDrive’s id_service.exe process runs with elevated privileges and regularly reads from several files under the C:\ProgramData\IDrive\ directory. The UTF16-LE encoded contents of these files are used as arguments…
CVE-2026-33407 2026-03-24 N/A 0.0 Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts HTTP_PROXY and HTTPS_PROXY environment variables without validation, enabling SSRF via proxy hijacking. The…
CVE-2026-33401 2026-03-24 N/A 0.0 Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 (CVE-2026-30840) added SSRF protection to notification test endpoints but left…
CVE-2026-33400 2026-03-24 MEDIUM 5.4 Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, a stored cross-site scripting (XSS) vulnerability in the payment method rename endpoint allows any authenticated user…
CVE-2026-33399 2026-03-24 HIGH 7.7 Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validate_webhook_url_for_ssrf() protection…
CVE-2026-33162 2026-03-24 N/A 0.0 Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections…
CVE-2026-33161 2026-03-24 N/A 0.0 Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can…
CVE-2026-33160 2026-03-24 N/A 0.0 Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call…
CVE-2026-33159 2026-03-24 N/A 0.0 Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config…
CVE-2026-33158 2026-03-24 N/A 0.0 Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can…
CVE-2026-33157 2026-03-24 N/A 0.0 Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be…
CVE-2026-32854 2026-03-24 N/A 0.0 LibVNCServer versions 0.9.15 and prior (fixed in commit dc78dee) contain null pointer dereference vulnerabilities in the HTTP proxy handlers within httpProcessInput() in httpd.c that allow remote attackers to cause…
CVE-2026-32853 2026-03-24 N/A 0.0 LibVNCServer versions 0.9.15 and prior (fixed in commit 009008e) contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler that allows a malicious VNC server to cause information…
CVE-2026-26830 2026-03-25 CRITICAL 9.8 pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell…
CVE-2026-23514 2026-03-25 HIGH 8.8 Kiteworks is a private data network (PDN). Versions 9.2.0 and 9.2.1 of Kiteworks Core have an access control vulnerability that allows authenticated users to access unauthorized content. Upgrade…
CVE-2025-59707 2026-03-25 N/A 0.0 In N2W before 4.3.2 and 4.4.x before 4.4.1, there is potential remote code execution and account credentials theft because of a spoofing vulnerability.
CVE-2025-59706 2026-03-25 N/A 0.0 In N2W before 4.3.2 and 4.4.0 before 4.4.1, improper validation of API request parameters enables remote code execution.
CVE-2026-4816 2026-03-25 N/A 0.0 A Reflected Cross Site Scripting (XSS) vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by…
CVE-2026-4815 2026-03-25 N/A 0.0 A SQL Injection vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to retrieve, create, update and delete database via 'calls[0][message_ids][]' parameter in '/supportboard/include/ajax.php'…
CVE-2026-3591 2026-03-25 MEDIUM 5.4 A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an…
CVE-2026-3119 2026-03-25 MEDIUM 6.5 Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has…
CVE-2026-3104 2026-03-25 HIGH 7.5 A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0…
CVE-2026-28529 2026-03-25 N/A 0.0 cryptodev-linux version 1.14 and prior contain a page reference handling flaw in the get_userbuf function of the /dev/crypto device driver that allows local users to trigger use-after-free conditions.…
CVE-2026-1519 2026-03-25 HIGH 7.5 If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are…
CVE-2025-40842 2026-03-25 N/A 0.0 Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a Cross-Site Scripting (XSS) vulnerability which, if exploited, can lead to unauthorized disclosure and modification of certain information.
CVE-2025-40841 2026-03-25 N/A 0.0 Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a Cross-Site Request Forgery (CSRF) vulnerability which, if exploited, can lead to unauthorized modification of certain information.
CVE-2025-27260 2026-03-25 N/A 0.0 Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains an Improper Filtering of Special Elements vulnerability which, if exploited, can lead to unauthorized modification of certain information
CVE-2024-51346 2026-03-25 HIGH 7.7 An issue in Eufy Homebase 2 version 3.3.4.1h allows a local attacker to obtain sensitive information via the cryptographic scheme.
CVE-2026-31788 2026-03-25 N/A 0.0 In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: restrict usage in unprivileged domU The Xen privcmd driver allows to issue arbitrary hypercalls from user space…
CVE-2026-23395 2026-03-25 N/A 0.0 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ Currently the code attempts to accept requests regardless of the command identifier…
CVE-2026-23394 2026-03-25 N/A 0.0 In the Linux kernel, the following vulnerability has been resolved: af_unix: Give up GC if MSG_PEEK intervened. Igor Ushakov reported that GC purged the receive queue of an…
CVE-2026-23393 2026-03-25 N/A 0.0 In the Linux kernel, the following vulnerability has been resolved: bridge: cfm: Fix race condition in peer_mep deletion When a peer MEP is being deleted, cancel_delayed_work_sync() is called…
CVE-2026-23392 2026-03-25 N/A 0.0 In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release flowtable after rcu grace period on error Call synchronize_rcu() after unregistering the hooks from error…
CVE-2026-23391 2026-03-25 N/A 0.0 In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_CT: drop pending enqueued packets on template removal Templates refer to objects that can go away while…
CVE-2026-23390 2026-03-25 N/A 0.0 In the Linux kernel, the following vulnerability has been resolved: tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow The dma_map_sg tracepoint can trigger a perf buffer overflow…
« Anterior Página 31 de 4108 Siguiente »