CVE Vulnerabilities

Below is the list of the latest vulnerabilities published by NIST:

CVE ID Published Severity CVSS Description
CVE-2025-25298 2025-10-16 N/A 0.0 Strapi is an open source headless CMS. The @strapi/core package before version 5.10.3 does not enforce a maximum password length when using bcryptjs for password hashing. Bcryptjs ignores…
CVE-2025-11854 2025-10-16 N/A 0.0 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2025-22381. Reason: This candidate is a reservation duplicate of CVE-2025-22381. Notes: All CVE users should reference…
CVE-2025-9559 2025-10-16 MEDIUM 6.5 Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by an Insecure Direct Object Reference issue in a user interface component that can only be used to read…
CVE-2025-62496 2025-10-16 N/A 0.0 A vulnerability exists in the QuickJS engine's BigInt string parsing logic (js_bigint_from_string) when attempting to create a BigInt from a string with an excessively large number of digits.…
CVE-2025-62495 2025-10-16 N/A 0.0 An integer overflow vulnerability exists in the QuickJS regular expression engine (libregexp) due to an inconsistent representation of the bytecode buffer size. * The regular expression bytecode is…
CVE-2025-62494 2025-10-16 N/A 0.0 A type confusion vulnerability exists in the handling of the string addition (+) operation within the QuickJS engine. * The code first checks if the left-hand operand is…
CVE-2025-62493 2025-10-16 N/A 0.0 A vulnerability exists in the QuickJS engine's BigInt string conversion logic (js_bigint_to_string1) due to an incorrect calculation of the required number of digits, which in turn leads to…
CVE-2025-62492 2025-10-16 N/A 0.0 A vulnerability stemming from floating-point arithmetic precision errors exists in the QuickJS engine's implementation of TypedArray.prototype.indexOf() when a negative fromIndex argument is supplied. * The fromIndex argument (read…
CVE-2025-62491 2025-10-16 N/A 0.0 A Use-After-Free (UAF) vulnerability exists in the QuickJS engine's standard library when iterating over the global list of unhandled rejected promises (ts->rejected_promise_list). * The function js_std_promise_rejection_check attempts to…
CVE-2025-62490 2025-10-16 N/A 0.0 In quickjs, in js_print_object, when printing an array, the function first fetches the array length and then loops over it. The issue is, printing a value is not side-effect…
CVE-2025-61540 2025-10-16 MEDIUM 6.5 SQL injection vulnerability in Ultimate PHP Board 2.2.7 via the username field in lostpassword.php.
CVE-2025-55035 2025-10-16 MEDIUM 6.1 Mattermost Desktop App versions
CVE-2025-61536 2025-10-16 HIGH 8.2 FelixRiddle dev-jobs-handlebars 1.0 uses absolute password-reset (magic) links using the untrusted `req.headers.host` header and forces the `http://` scheme. An attacker who can control the `Host` header (or exploit…
CVE-2025-11851 2025-10-16 LOW 3.5 A vulnerability has been found in Apeman ID71 EN75.8.53.20. The affected element is an unknown function of the file /set_alias.cgi. Such manipulation of the argument alias leads to…
CVE-2025-11842 2025-10-16 MEDIUM 6.3 A security vulnerability has been detected in Shazwazza Smidge up to 4.5.1. The impacted element is an unknown function of the component Bundle Handler. The manipulation of the…
CVE-2025-11840 2025-10-16 LOW 3.3 A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing manipulation can lead to out-of-bounds read. The…
CVE-2025-36002 2025-10-16 MEDIUM 5.5 IBM Sterling B2B Integrator 6.2.0.0 through 6.2.0.5, and 6.2.1.0 and IBM Sterling File Gateway 6.2.0.0 through 6.2.0.5, and 6.2.1.0 stores user credentials in configuration files which can be…
CVE-2025-22381 2025-10-16 HIGH 8.2 Aggie 2.6.1 has a Host Header injection vulnerability in the forgot password functionality, allowing an attacker to reset a user's password.
CVE-2024-56143 2025-10-16 HIGH 8.2 Strapi is an open-source headless content management system. In versions from 5.0.0 to before 5.5.2, the lookup operator provided by the document service does not properly sanitize query…
CVE-2025-41254 2025-10-16 MEDIUM 4.3 STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages. Affected Spring Products and VersionsSpring Framework: * 6.2.0 -…
CVE-2025-41253 2025-10-16 HIGH 7.5 The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers. An application should be…
CVE-2025-11839 2025-10-16 LOW 3.3 A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. Performing manipulation results in unchecked return value. The attack…
CVE-2025-9955 2025-10-16 MEDIUM 5.7 An improper access control vulnerability exists in WSO2 Enterprise Integrator product due to insufficient permission restrictions on internal SOAP admin services related to system logs and user-store configuration.…
CVE-2025-9804 2025-10-16 CRITICAL 9.6 An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user…
CVE-2025-9152 2025-10-16 CRITICAL 9.8 An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks in the keymanager-operations Dynamic Client Registration (DCR) endpoint. A malicious user…
CVE-2025-10611 2025-10-16 CRITICAL 9.8 Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without…
CVE-2025-3930 2025-10-16 N/A 0.0 Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker who has stolen or intercepted the…
CVE-2025-6338 2025-10-16 N/A 0.0 There is an incomplete cleanup vulnerability in Qt Network's Schannel support on Windows which can lead to a Denial of Service over a long period. This issue affects Qt…
CVE-2025-58426 2025-10-16 MEDIUM 4.3 desknet's NEO V4.0R1.0 to V9.0R2.0 contains a hard-coded cryptographic key, which allows an attacker to create malicious AppSuite applications.
CVE-2025-58079 2025-10-16 MEDIUM 4.3 Improper Protection of Alternate Path (CWE-424) in the AppSuite of desknet's NEO V4.0R1.0 to V9.0R2.0 allows an attacker to create malicious AppSuite applications.
CVE-2025-55072 2025-10-16 MEDIUM 5.4 Stored cross-site scripting (XSS) vulnerability in desknet's NEO V2.0R1.0 to V9.0R2.0 allows execution of arbitrary JavaScript in a user's web browser.
CVE-2025-54859 2025-10-16 MEDIUM 4.8 Stored cross-site scripting (XSS) vulnerability in desknet's NEO V9.0R2.0 and earlier allows execution of arbitrary JavaScript in a user's web browser.
CVE-2025-54760 2025-10-16 MEDIUM 5.4 Stored cross-site scripting (XSS) vulnerability in desknet's NEO V9.0R2.0 and earlier allows execution of arbitrary JavaScript in a user's web browser.
CVE-2025-52583 2025-10-16 MEDIUM 6.1 Reflected cross-site scripting (XSS) vulnerability in desknet's Web Server allows execution of arbitrary JavaScript in a user’s web browser.
CVE-2025-24833 2025-10-16 MEDIUM 5.4 Stored cross-site scripting (XSS) vulnerability in desknet's NEO versions V4.0R1.0–V9.0R2.0 allows execution of arbitrary JavaScript in a user's web browser.
CVE-2025-61581 2025-10-16 N/A 0.0 ** UNSUPPORTED WHEN ASSIGNED ** Inefficient Regular Expression Complexity vulnerability in Apache Traffic Control. This issue affects Apache Traffic Control: all versions. People with access to the management…
CVE-2025-58115 2025-10-16 MEDIUM 6.1 ChatLuck contains a cross-site scripting vulnerability in Guest User Sign-up. If exploited, an arbitrary script may be executed on the web browser of the user who is accessing…
CVE-2025-58075 2025-10-16 HIGH 8.1 Mattermost versions 10.11.x
CVE-2025-58073 2025-10-16 HIGH 8.1 Mattermost versions 10.11.x
CVE-2025-54539 2025-10-16 CRITICAL 9.8 A Deserialization of Untrusted Data vulnerability exists in the Apache ActiveMQ NMS AMQP Client. This issue affects all versions of Apache ActiveMQ NMS AMQP up to and including…
CVE-2025-54499 2025-10-16 LOW 3.1 Mattermost versions 10.5.x
CVE-2025-54461 2025-10-16 MEDIUM 5.3 ChatLuck contains an insufficient granularity of access control vulnerability in Invitation of Guest Users. If exploited, an uninvited guest user may register itself as a guest user.
CVE-2025-53858 2025-10-16 MEDIUM 5.4 ChatLuck contains a cross-site scripting vulnerability in Chat Rooms. If exploited, an arbitrary script may be executed on the web browser of the user who is accessing the…
CVE-2025-41410 2025-10-16 MEDIUM 5.4 Mattermost versions 10.10.x
CVE-2025-10545 2025-10-16 LOW 3.1 Mattermost versions 10.5.x
CVE-2025-0277 2025-10-16 MEDIUM 6.5 HCL BigFix Mobile 3.3 and earlier are vulnerable to certain insecure directives within the Content Security Policy (CSP). An attacker could trick users into performing actions by not…
CVE-2025-0276 2025-10-16 MEDIUM 6.5 HCL BigFix Modern Client Management (MCM) 3.3 and earlier are vulnerable to certain insecure directives within the Content Security Policy (CSP). An attacker could trick users into performing…
CVE-2025-55091 2025-10-16 N/A 0.0 In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_ip_packet_receive() function when received an…
CVE-2025-41443 2025-10-16 MEDIUM 4.3 Mattermost versions 10.5.x
CVE-2025-41021 2025-10-16 N/A 0.0 Stored Cross-Site Scripting (XSS) in Sergestec's Exito v8.0, consisting of a stored XSS due to a lack of proper validation of user input by sending a POST request…