CVE Vulnerabilities

Below is the list of the latest vulnerabilities published by NIST:

CVE ID Published Severity CVSS Description
CVE-2026-0963 2026-01-30 CRITICAL 9.9 An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via…
CVE-2026-0805 2026-01-30 HIGH 8.2 An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.
CVE-2025-12899 2026-01-30 MEDIUM 6.5 A flaw in Zephyr’s network stack allows an IPv4 packet containing ICMP type 128 to be misclassified as an ICMPv6 Echo Request. This results in an out-of-bounds memory…
CVE-2026-25097 2026-01-30 N/A 0.0 Rejected reason: Not used
CVE-2026-25096 2026-01-30 N/A 0.0 Rejected reason: Not used
CVE-2026-25095 2026-01-30 N/A 0.0 Rejected reason: Not used
CVE-2026-25094 2026-01-30 N/A 0.0 Rejected reason: Not used
CVE-2026-25093 2026-01-30 N/A 0.0 Rejected reason: Not used
CVE-2026-25092 2026-01-30 N/A 0.0 Rejected reason: Not used
CVE-2026-25091 2026-01-30 N/A 0.0 Rejected reason: Not used
CVE-2026-25090 2026-01-30 N/A 0.0 Rejected reason: Not used
CVE-2026-24729 2026-01-30 N/A 0.0 An unrestricted upload of file with dangerous type vulnerability in the file upload function of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to execute arbitrary system commands…
CVE-2026-24728 2026-01-30 N/A 0.0 A missing authentication for critical function vulnerability in the /servlet/baServer3 endpoint of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to access exposed administrative functionality without prior authentication.
CVE-2026-24714 2026-01-30 HIGH 7.5 Some end of service NETGEAR products provide "TelnetEnable" functionality, which allows a magic packet to activate telnet service on the box.
CVE-2025-15322 2026-01-30 MEDIUM 4.3 Tanium addressed an improper access controls vulnerability in Tanium Server.
CVE-2026-1638 2026-01-30 MEDIUM 6.3 A security flaw has been discovered in Tenda AC21 1.1.1.1/1.dmzip/16.03.08.16. The impacted element is the function mDMZSetCfg of the file /goform/mDMZSetCfg. The manipulation of the argument dmzIp results…
CVE-2026-1665 2026-01-29 N/A 0.0 A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable…
CVE-2026-1637 2026-01-29 HIGH 8.8 A vulnerability was identified in Tenda AC21 16.03.08.16. The affected element is the function fromAdvSetMacMtuWan of the file /goform/AdvSetMacMtuWan. The manipulation leads to stack-based buffer overflow. Remote exploitation…
CVE-2026-25126 2026-01-29 HIGH 7.1 PolarLearn is a free and open-source learning program. Prior to version 0-PRERELEASE-15, the vote API route (`POST /api/v1/forum/vote`) trusts the JSON body’s `direction` value without runtime validation. TypeScript…
CVE-2026-25117 2026-01-29 N/A 0.0 pwn.college DOJO is an education platform for learning cybersecurity. Prior to commit e33da14449a5abcff507e554f66e2141d6683b0a, missing sandboxing on `/workspace/*` routes allows challenge authors to inject arbitrary javascript which runs on…
CVE-2026-25116 2026-01-29 HIGH 7.6 Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to…
CVE-2026-25063 2026-01-29 N/A 0.0 gradle-completion provides Bash and Zsh completion support for Gradle. A command injection vulnerability was found in gradle-completion up to and including 9.3.0 that allows arbitrary code execution when…
CVE-2026-25061 2026-01-29 N/A 0.0 tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field…
CVE-2026-25047 2026-01-29 N/A 0.0 deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas…
CVE-2026-25046 2026-01-29 LOW 2.9 Kimi Agent SDK is a set of libraries that expose the Kimi Code (Kimi CLI) agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync()…
CVE-2026-25040 2026-01-29 N/A 0.0 Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions up to and including 3.26.3, a Creator-level user, who normally has no…
CVE-2026-24905 2026-01-29 N/A 0.0 Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. The `ig` binary provides a…
CVE-2026-24904 2026-01-29 MEDIUM 5.3 TrustTunnel is an open-source VPN protocol with a rule bypass issue in versions prior to 0.9.115. In `tls_listener.rs`, `TlsListener::listen()` peeks 1024 bytes and calls `extract_client_random(...)`. If `parse_tls_plaintext` fails…
CVE-2026-24902 2026-01-29 HIGH 7.1 TrustTunnel is an open-source VPN protocol with a server-side request forgery and private network restriction bypass in versions prior to 0.9.114. In `tcp_forwarder.rs`, SSRF protection for `allow_private_network_connections…
CVE-2026-24846 2026-01-29 MEDIUM 5.5 malcontent discovers supply-chain compromises through context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the…
CVE-2026-24845 2026-01-29 MEDIUM 6.5 malcontent discovers supply-chain compromises through context, differential analysis, and YARA. Starting in version 0.10.0 and prior to version 1.20.3, malcontent could be made to expose Docker registry credentials…
CVE-2026-1625 2026-01-29 MEDIUM 6.3 A vulnerability was detected in D-Link DWR-M961 1.1.47. The impacted element is the function sub_4250E0 of the file /boafrm/formSmsManage of the component SMS Message. Performing a manipulation of…
CVE-2026-1624 2026-01-29 MEDIUM 6.3 A security vulnerability has been detected in D-Link DWR-M961 1.1.47. The affected element is an unknown function of the file /boafrm/formLtefotaUpgradeFibocom. Such manipulation of the argument fota_url leads…
CVE-2026-1340 2026-01-29 CRITICAL 9.8 A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.
CVE-2025-69516 2026-01-29 HIGH 8.8 A Server-Side Template Injection (SSTI) vulnerability in the /reporting/templates/preview/ endpoint of Amidaware Tactical RMM, affecting versions equal to or earlier than v1.3.1, allows low-privileged users with Report Viewer…
CVE-2026-1623 2026-01-29 MEDIUM 6.3 A weakness has been identified in Totolink A7000R 4.1cu.4154. Impacted is the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument FileName causes command injection. The…
CVE-2025-15288 2026-01-29 LOW 3.1 Tanium addressed an improper access controls vulnerability in Interact.
CVE-2026-25068 2026-01-29 N/A 0.0 alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the…
CVE-2026-24687 2026-01-29 N/A 0.0 Umbraco Forms is a form builder that integrates with the Umbraco content management system. It's possible for an authenticated backoffice-user to enumerate and traverse paths/files on the systems…
CVE-2026-22806 2026-01-29 CRITICAL 9.1 vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10, when an access key is created…
CVE-2025-69929 2026-01-29 N/A 0.0 An issue in N3uron Web User Interface v.1.21.7-240207.1047 allows a remote attacker to escalate privileges via the password hashing on the client side using the MD5 algorithm over…
CVE-2025-69604 2026-01-29 N/A 0.0 An issue in Shirt Pocket's SuperDuper! 3.11 and earlier allows a local attacker to modify the default task template to install an arbitrary package that can run shell…
CVE-2025-63658 2026-01-29 N/A 0.0 A stack overflow in the mk_http_index_lookup function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to…
CVE-2025-63657 2026-01-29 N/A 0.0 An out-of-bounds read in the mk_mimetype_find function (mk_server/mk_mimetype.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to…
CVE-2025-63656 2026-01-29 N/A 0.0 An out-of-bounds read in the header_cmp function (mk_server/mk_http_parser.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to…
CVE-2025-63655 2026-01-29 N/A 0.0 A NULL pointer dereference in the mk_http_range_parse function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request…
CVE-2025-63653 2026-01-29 N/A 0.0 An out-of-bounds read in the mk_vhost_fdt_close function (mk_server/mk_vhost.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to…
CVE-2025-63652 2026-01-29 N/A 0.0 A use-after-free in the mk_http_request_end function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the…
CVE-2025-63651 2026-01-29 N/A 0.0 A use-after-free in the mk_string_char_search function (mk_core/mk_string.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the…
CVE-2025-63650 2026-01-29 N/A 0.0 An out-of-bounds read in the mk_ptr_to_buf in mk_core function (mk_memory.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP…