Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2026-35533 2026-04-07 HIGH 7.7 mise manages dev tools like node, python, cmake, and terraform. From 2026.2.18 through 2026.4.5, mise loads trust-control settings from a local project .mise.toml before the trust check runs.…
CVE-2026-34080 2026-04-07 N/A 0.0 xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a policy parser vulnerability allows bypassing eavesdrop restrictions. The proxy checks for eavesdrop=true in policy rules but…
CVE-2026-33439 2026-04-07 N/A 0.0 Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the…
CVE-2026-33034 2026-04-07 HIGH 7.5 An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE`…
CVE-2026-32712 2026-04-07 MEDIUM 5.4 Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in…
CVE-2026-29181 2026-04-07 HIGH 7.5 OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an…
CVE-2026-27949 2026-04-07 LOW 2.0 Plane is an an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a…
CVE-2025-24818 2026-04-07 HIGH 8.0 Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in Log Search application.
CVE-2026-5741 2026-04-07 HIGH 7.3 A weakness has been identified in suvarchal docker-mcp-server up to 0.1.0. The impacted element is the function stop_container/remove_container/pull_image of the file src/index.ts of the component HTTP Interface. This…
CVE-2026-5739 2026-04-07 HIGH 7.3 A security flaw has been discovered in PowerJob 5.1.0/5.1.1/5.1.2. The affected element is the function GroovyEvaluator.evaluate of the file /openApi/addWorkflowNode of the component OpenAPI Endpoint. The manipulation of…
CVE-2026-3566 2026-04-07 N/A 0.0 Rejected reason: After further discussion, the issue was determined to not meet the criteria for CVE assignment.
CVE-2026-39841 2026-04-07 N/A 0.0 Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo…
CVE-2026-39840 2026-04-07 N/A 0.0 Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows XSS Targeting Non-Script Elements.This issue affects Mediawiki - Cargo…
CVE-2026-39839 2026-04-07 N/A 0.0 Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo…
CVE-2026-39838 2026-04-07 N/A 0.0 Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows XSS Targeting Non-Script Elements.This issue affects .
CVE-2026-39837 2026-04-07 N/A 0.0 Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in WikiWorks Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension:…
CVE-2026-39395 2026-04-07 MEDIUM 4.3 Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed…
CVE-2026-39382 2026-04-07 N/A 0.0 dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Inside the reusable workflow dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml, the prep…
CVE-2026-39381 2026-04-07 N/A 0.0 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns…
CVE-2026-39376 2026-04-07 HIGH 7.5 FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse() fetches a URL that returns an HTML page containing a tag, it recursively…
CVE-2026-39374 2026-04-07 MEDIUM 6.5 Plane is an an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member (ADMIN or MEMBER) to modify the start_date and target_date of ANY…
CVE-2026-39373 2026-04-07 MEDIUM 5.3 JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The…
CVE-2026-39371 2026-04-07 HIGH 8.1 RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, erver functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method.…
CVE-2026-39370 2026-04-07 HIGH 7.1 WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions such as .mp4,…
CVE-2026-39369 2026-04-07 HIGH 7.6 WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and…
CVE-2026-39368 2026-04-07 MEDIUM 6.5 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored…
CVE-2026-39367 2026-04-07 MEDIUM 5.4 WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles…
CVE-2026-39366 2026-04-07 MEDIUM 6.5 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay…
CVE-2026-39365 2026-04-07 N/A 0.0 Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file…
CVE-2026-39364 2026-04-07 N/A 0.0 Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g.,…
CVE-2026-39363 2026-04-07 N/A 0.0 Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket…
CVE-2026-39361 2026-04-07 HIGH 7.7 OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses because Rust's url crate returns them with surrounding…
CVE-2026-39356 2026-04-07 HIGH 7.5 Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier…
CVE-2026-39343 2026-04-07 HIGH 7.2 ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in the EditEventTypes.php file, which is only accessible to administrators. The EN_tyid POST…
CVE-2026-39339 2026-04-07 CRITICAL 9.1 ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API…
CVE-2026-39329 2026-04-07 HIGH 8.8 ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was identified in /EventNames.php in ChurchCRM. Authenticated users with AddEvent privileges can inject SQL…
CVE-2026-39322 2026-04-07 N/A 0.0 PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, POST /api/v1/auth/sign-in creates a valid session for banned accounts before verifying the supplied password. That session…
CVE-2026-39326 2026-04-07 HIGH 8.8 ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in ChurchCRM. Authenticated users with the role isMenuOptionsEnabled…
CVE-2026-39317 2026-04-07 HIGH 8.8 ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in ChurchCRM's SettingsIndividual.php where user-controlled array keys from the type POST parameter are…
CVE-2026-35572 2026-04-07 N/A 0.0 ChurchCRM is an open-source church management system. Prior to 6.5.3, it is possible to trigger server-side HTTP/HTTPS requests to arbitrary hosts (SSRF) by supplying a crafted URL in…
CVE-2026-32864 2026-04-07 HIGH 7.8 There is a memory corruption vulnerability due to an out-of-bounds read in mgcore_SH_25_3!aligned_free() in NI LabVIEW.  This vulnerability may result in information disclosure or arbitrary code execution. Successful…
CVE-2026-32863 2026-04-07 HIGH 7.8 There is a memory corruption vulnerability due to an out-of-bounds read in sentry_transaction_context_set_operation() in NI LabVIEW.  This vulnerability may result in information disclosure or arbitrary code execution. Successful…
CVE-2026-32862 2026-04-07 HIGH 7.8 There is a memory corruption vulnerability due to an out-of-bounds write in ResFileFactory::InitResourceMgr() in NI LabVIEW.  This vulnerability may result in information disclosure or arbitrary code execution. Successful…
CVE-2026-32861 2026-04-07 HIGH 7.8 There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVCLASS file in NI LabVIEW.  This vulnerability may result in information disclosure or…
CVE-2026-32860 2026-04-07 HIGH 7.8 There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVLIB file in NI LabVIEW.  This vulnerability may result in information disclosure or…
CVE-2025-69515 2026-04-07 N/A 0.0 An issue in JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to force the infotainment system into accepting falsified GPS signals as legitimate, resulting…
CVE-2025-56015 2026-04-07 N/A 0.0 In GenieACS 1.2.13, an unauthenticated access vulnerability exists in the NBI API endpoint.
CVE-2025-14859 2026-04-07 N/A 0.0 The Semtech LR11xx LoRa transceivers implement secure boot functionality using digital signatures to authenticate firmware. However, the implementation uses a non-standard cryptographic hashing algorithm that is vulnerable to…
CVE-2025-14858 2026-04-07 N/A 0.0 The Semtech LR11xx LoRa transceivers running early versions of firmware contains an information disclosure vulnerability in its firmware validation functionality. When a host issues a firmware validity check…
CVE-2025-14857 2026-04-07 N/A 0.0 An improper access control vulnerability exists in Semtech LoRa LR11xxx transceivers running early versions of firmware where the memory write command accessible via the physical SPI interface fails…
« Anterior Página 327 de 4463 Siguiente »