Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2026-24660 2026-04-07 HIGH 8.1 A heap-based buffer overflow vulnerability exists in the x3f_load_huffman functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker…
CVE-2026-24450 2026-04-07 HIGH 8.1 An integer overflow vulnerability exists in the uncompressed_fp_dng_load_raw functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can…
CVE-2025-70844 2026-04-07 N/A 0.0 yaffa v2.0.0 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript into the "Add Account Group" function on the account-group page, allowing execution of…
CVE-2026-21413 2026-04-07 CRITICAL 9.8 A heap-based buffer overflow vulnerability exists in the lossless_jpeg_load_raw functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer…
CVE-2026-20911 2026-04-07 CRITICAL 9.8 A heap-based buffer overflow vulnerability exists in the HuffTable::initval functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer…
CVE-2026-20889 2026-04-07 CRITICAL 9.8 A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker…
CVE-2026-20884 2026-04-07 HIGH 8.1 An integer overflow vulnerability exists in the deflate_dng_load_raw functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can…
CVE-2026-1900 2026-04-07 MEDIUM 6.5 The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates.
CVE-2025-15611 2026-04-07 MEDIUM 5.4 The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery…
CVE-2025-14944 2026-04-07 MEDIUM 5.3 The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on…
CVE-2025-14821 2026-04-07 HIGH 7.8 A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, posing a significant…
CVE-2024-36058 2026-04-07 N/A 0.0 The Send Basket functionality in Koha Library before 23.05.10 is susceptible to Time-Based SQL Injection because it fails to sanitize the POST parameter bib_list in /cgi-bin/koha/opac-sendbasket.pl, allowing library…
CVE-2026-5745 2026-04-07 MEDIUM 5.5 A flaw was found in libarchive. A NULL pointer dereference vulnerability exists in the ACL parsing logic, specifically within the archive_acl_from_text_nl() function. When processing a malformed ACL string…
CVE-2026-5359 2026-04-07 N/A 0.0 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been…
CVE-2026-4292 2026-04-07 LOW 2.7 An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via…
CVE-2026-35571 2026-04-07 MEDIUM 4.8 Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator…
CVE-2026-35567 2026-04-07 HIGH 8.8 ChurchCRM is an open-source church management system. Prior to 7.1.0, the NewRole POST parameter in src/MemberRoleChange.php is used in an SQL query without proper integer validation, allowing authenticated…
CVE-2026-35534 2026-04-07 HIGH 7.6 ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText() as an output sanitizer…
CVE-2026-35526 2026-04-07 HIGH 7.5 Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task…
CVE-2026-35521 2026-04-07 HIGH 8.8 FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution…
CVE-2026-35520 2026-04-07 HIGH 8.8 FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution…
CVE-2026-35519 2026-04-07 HIGH 8.8 FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution…
CVE-2026-35518 2026-04-07 HIGH 8.8 FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution…
CVE-2026-35517 2026-04-07 HIGH 8.8 FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution…
CVE-2026-35516 2026-04-07 MEDIUM 5.0 LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from…
CVE-2026-35515 2026-04-07 N/A 0.0 Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline…
CVE-2026-35492 2026-04-07 MEDIUM 6.5 Kedro-Datasets is a Kendo plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base…
CVE-2026-35491 2026-04-07 MEDIUM 6.1 FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature (webserver.api.cli_pw) that…
CVE-2026-35490 2026-04-07 CRITICAL 9.8 changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In…
CVE-2026-35488 2026-04-07 HIGH 8.1 Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, RecipeBookViewSet and RecipeBookEntryViewSet use CustomIsShared as an alternative permission class, but…
CVE-2026-35487 2026-04-07 MEDIUM 5.3 text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in load_prompt() allows reading any .txt file on the…
CVE-2026-35486 2026-04-07 HIGH 7.5 text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, he superbooga and superboogav2 RAG extensions fetch user-supplied URLs via requests.get() with zero validation…
CVE-2026-35448 2026-04-06 LOW 3.7 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring…
CVE-2026-35399 2026-04-06 N/A 0.0 WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, a stored XSS vulnerability allows an attacker to inject malicious scripts through a backup filename. This could…
CVE-2026-35394 2026-04-06 HIGH 8.3 Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without…
CVE-2026-35185 2026-04-06 N/A 0.0 HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens (user_token),…
CVE-2026-35181 2026-04-06 MEDIUM 4.3 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table…
CVE-2026-35176 2026-04-06 HIGH 7.1 openFPGALoader is a utility for programming FPGAs. In 1.1.1 and earlier, a heap-buffer-overflow read vulnerability exists in POFParser::parseSection() that allows out-of-bounds heap memory access when parsing a crafted…
CVE-2026-33816 2026-04-07 N/A 0.0 Memory-safety vulnerability in github.com/jackc/pgx/v5.
CVE-2026-33815 2026-04-07 N/A 0.0 Memory-safety vulnerability in github.com/jackc/pgx/v5.
CVE-2026-33033 2026-04-07 MEDIUM 6.5 An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding:…
CVE-2026-30460 2026-04-07 N/A 0.0 Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module.
CVE-2026-1079 2026-04-07 N/A 0.0 A native messaging host vulnerability in Pega Browser Extension (PBE) affects users of all versions of Pega Robotic Automation who have installed Pega Browser Extension. A bad actor…
CVE-2026-1078 2026-04-07 N/A 0.0 An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or…
CVE-2025-52908 2026-04-07 N/A 0.0 An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Incorrect…
CVE-2025-24817 2026-04-07 N/A 0.0 Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in Symptom Collector application.
CVE-2024-36057 2026-04-07 N/A 0.0 Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line "qx/unzip $filename -d $dirname/;" in upload-cover-image.pl is vulnerable to…
CVE-2025-54324 2026-04-06 HIGH 7.5 An issue was discovered in NAS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500,…
CVE-2025-54601 2026-04-06 HIGH 7.0 An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor amd Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000.…
CVE-2025-58349 2026-04-06 CRITICAL 9.1 An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500,…
« Anterior Página 330 de 4463 Siguiente »