CVE Vulnerabilities

Below is the list of the most recently published vulnerabilities from NIST (US National Institute of Standards and Technology). Descriptions are truncated ("…") as shown on the page; a severity of N/A with a score of 0.0 means no CVSS score had been assigned at the time of listing.

CVE ID Published Severity CVSS Description
CVE-2026-25974 2026-02-10 N/A 0.0 Rejected reason: Not used
CVE-2026-25973 2026-02-10 N/A 0.0 Rejected reason: Not used
CVE-2026-1529 2026-02-09 HIGH 8.1 A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token…
CVE-2026-1486 2026-02-09 HIGH 8.8 A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing…
CVE-2025-14778 2026-02-09 MEDIUM 5.4 A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with…
CVE-2026-25878 2026-02-09 N/A 0.0 FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route (/admin/adminer) was accessible without Shopware admin authentication. The route was configured with auth_required=false and…
CVE-2026-25876 2026-02-09 N/A 0.0 PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/results.routes.ts verify authentication but fails to enforce object-level authorization (ownership checks). For example, this…
CVE-2026-25810 2026-02-09 N/A 0.0 PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/student.submission.routes.ts verify authentication but fails to enforce object-level authorization (ownership checks).
CVE-2026-25809 2026-02-09 N/A 0.0 PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the code evaluation endpoint does not validate the assessment lifecycle state before allowing execution. There…
CVE-2026-25806 2026-02-09 N/A 0.0 PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the GET /api/students/:email PUT /api/students/:email/status, and DELETE /api/students/:email routes in backend/src/routes/student.routes.ts only enforce authentication using…
CVE-2026-25791 2026-02-09 HIGH 7.5 Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to 1.7.0, the DNS C2 listener accepts unauthenticated TOTP bootstrap messages and allocates server-side…
CVE-2026-25765 2026-02-09 MEDIUM 5.8 Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to…
CVE-2026-25761 2026-02-09 HIGH 8.8 Super-linter is a combination of multiple linters to run as a GitHub Action or standalone. From 6.0.0 to 8.3.0, the Super-linter GitHub Action is vulnerable to command injection…
CVE-2026-25740 2026-02-09 N/A 0.0 captive browser, a dedicated Chrome instance to log into captive portals without messing with DNS settings. In 25.05 and earlier, when programs.captive-browser is enabled, any user of the…
CVE-2026-25639 2026-02-09 HIGH 7.5 Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects…
CVE-2026-25528 2026-02-09 MEDIUM 5.8 LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An…
CVE-2026-2246 2026-02-09 LOW 3.3 A security vulnerability has been detected in AprilRobotics apriltag up to 3.4.5. Affected by this vulnerability is the function apriltag_detector_detect of the file apriltag.c. The manipulation leads to…
CVE-2026-2245 2026-02-09 LOW 3.3 A vulnerability was identified in CCExtractor up to 183. This affects the function parse_PAT/parse_PMT in the library src/lib_ccx/ts_tables.c of the component MPEG-TS File Parser. Such manipulation leads to…
CVE-2026-25598 2026-02-09 N/A 0.0 Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Prior to 2.14.2, a security vulnerability has been identified in the Harden-Runner GitHub…
CVE-2026-25498 2026-02-09 N/A 0.0 Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where…
CVE-2026-25497 2026-02-09 N/A 0.0 Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL…
CVE-2026-25496 2026-02-09 N/A 0.0 Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type…
CVE-2026-25495 2026-02-09 N/A 0.0 Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the…
CVE-2026-25494 2026-02-09 N/A 0.0 Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a…
CVE-2026-25493 2026-02-09 N/A 0.0 Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and…
CVE-2026-25492 2026-02-09 N/A 0.0 Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset GraphQL mutation can be abused to fetch internal URLs…
CVE-2026-25491 2026-02-09 N/A 0.0 Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed…
CVE-2026-25480 2026-02-09 MEDIUM 6.5 Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating…
CVE-2026-25479 2026-02-09 MEDIUM 6.5 Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters…
CVE-2026-25478 2026-02-09 HIGH 7.4 Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, CORSConfig.allowed_origins_regex is constructed using a regex built from configured allowlist values and used with fullmatch() for…
CVE-2026-25231 2026-02-09 HIGH 7.5 FileRise is a self-hosted web file manager / WebDAV server. Versions prior to 3.3.0, the application contains an unauthenticated file read vulnerability due to the lack of access…
CVE-2026-25230 2026-02-09 MEDIUM 4.6 FileRise is a self-hosted web file manager / WebDAV server. Prior to 3.3.0, an HTML Injection vulnerability allows an authenticated user to modify the DOM and add e.g.…
CVE-2026-25057 2026-02-09 CRITICAL 9.1 MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment…
CVE-2026-24900 2026-02-09 MEDIUM 6.5 MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, the courses//assignments//submissions/html_content accepted a select_file_id parameter to serve SubmissionFile objects containing a…
CVE-2026-24777 2026-02-09 MEDIUM 6.7 OpenProject is an open-source, web-based project management software. Prior to 17.0.2, users with the Manage Users permission can lock and unlock users. This functionality should only be possible…
CVE-2026-2242 2026-02-09 LOW 3.3 A vulnerability was determined in janet-lang janet up to 1.40.1. This impacts the function janetc_if of the file src/core/specials.c. Executing a manipulation can lead to out-of-bounds read. The…
CVE-2026-2241 2026-02-09 LOW 3.3 A vulnerability was found in janet-lang janet up to 1.40.1. This affects the function os_strftime of the file src/core/os.c. Performing a manipulation results in out-of-bounds read. The attack…
CVE-2026-21419 2026-02-09 MEDIUM 6.6 Dell Display and Peripheral Manager (Windows) versions prior to 2.2 contain an Improper Link Resolution Before File Access ('Link Following') vulnerability in the Installer and Service. A low…
CVE-2025-7432 2026-02-09 N/A 0.0 DPA countermeasures in Silicon Labs' Series 2 devices are not reseeded under certain conditions. This may allow an attacker to eventually extract secret keys through a DPA attack.
CVE-2025-66630 2026-02-09 N/A 0.0 Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure…
CVE-2026-2240 2026-02-09 LOW 3.3 A vulnerability has been found in janet-lang janet up to 1.40.1. The impacted element is the function janetc_pop_funcdef of the file src/core/compile.c. Such manipulation leads to out-of-bounds read.…
CVE-2026-24095 2026-02-09 N/A 0.0 Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0p21, 2.3.0 before 2.3.0p43, and 2.2.0 (EOL) allows users with the "Use WATO" permission to access the "Analyze configuration" page…
CVE-2026-24098 2026-02-09 MEDIUM 6.5 Apache Airflow versions before 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags…
CVE-2026-22922 2026-02-09 MEDIUM 6.5 Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without…
CVE-2026-23903 2026-02-09 MEDIUM 5.3 Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro: before 2.0.7. Users are recommended to upgrade to version 2.0.7, which fixes the issue.…
CVE-2025-63354 2026-02-09 MEDIUM 4.6 Hitron HI3120 v7.2.4.5.2b1 allows stored XSS via the Parental Control option when creating a new filter. The device fails to properly handle inputs, allowing an attacker to inject…
CVE-2026-0398 2026-02-09 MEDIUM 5.3 Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor.
CVE-2026-24027 2026-02-09 MEDIUM 5.3 Crafted zones can lead to increased incoming network traffic.
CVE-2025-59024 2026-02-09 MEDIUM 6.5 Crafted delegations or IP fragments can poison cached delegations in Recursor.
CVE-2025-59023 2026-02-09 HIGH 8.2 Crafted delegations or IP fragments can poison cached delegations in Recursor.