Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

CVE ID	Publicado	Severidad	CVSS	Descripción
CVE-2026-4691	2026-03-24	CRITICAL	9.8	Use-after-free in the CSS Parsing and Computation component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird <…
CVE-2026-4690	2026-03-24	HIGH	8.6	Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird…
CVE-2026-4689	2026-03-24	N/A	0.0	Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird…
CVE-2026-4688	2026-03-24	CRITICAL	10.0	Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
CVE-2026-4687	2026-03-24	HIGH	8.6	Sandbox escape due to incorrect boundary conditions in the Telemetry component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149,…
CVE-2026-4686	2026-03-24	HIGH	7.5	Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird <…
CVE-2026-4685	2026-03-24	HIGH	7.5	Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird <…
CVE-2026-4684	2026-03-24	HIGH	7.5	Race condition, use-after-free in the Graphics: WebRender component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird <…
CVE-2026-32300	2026-03-23	HIGH	8.1	Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0,…
CVE-2026-32299	2026-03-23	HIGH	7.5	Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0,…
CVE-2026-32279	2026-03-23	MEDIUM	6.8	Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0,…
CVE-2026-32278	2026-03-23	HIGH	8.2	Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0,…
CVE-2026-33676	2026-03-24	MEDIUM	6.5	Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for…
CVE-2026-33554	2026-03-24	HIGH	7.5	ipmi-oem in FreeIPMI before 1.16.17 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It…
CVE-2026-30662	2026-03-24	MEDIUM	6.5	ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creating zip archives. It uses…
CVE-2026-29840	2026-03-24	MEDIUM	5.4	JiZhiCMS v2.5.6 and before contains a Stored Cross-Site Scripting (XSS) vulnerability in the release function within app/home/c/UserController.php. The application attempts to sanitize input by filtering tags but fails…
CVE-2026-30655	2026-03-24	MEDIUM	6.5	SQL injection in Solicitante::resetaSenha() in esiclivre/esiclivre v0.2.2 and earlier allows unauthenticated remote attackers to gain unauthorized access to sensitive information via the cpfcnpj parameter in /reset/index.php
CVE-2026-30653	2026-03-24	HIGH	7.5	An issue in Free5GC v.4.2.0 and before allows a remote attacker to cause a denial of service via the function HandleAuthenticationFailure of the component AMF
CVE-2026-32277	2026-03-23	HIGH	8.7	Connect-CMS is a content management system. In versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0, a DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view.…
CVE-2026-32276	2026-03-23	HIGH	8.8	Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0,…
CVE-2026-33241	2026-03-24	HIGH	7.5	Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations (`form_data()` method and `Extractible` macro) do not enforce payload size limits before reading…
CVE-2026-33242	2026-03-24	HIGH	7.5	Salvo is a Rust web framework. Versions 0.39.0 through 0.89.2 have a Path Traversal and Access Control Bypass vulnerability in the salvo-proxy component. The vulnerability allows an unauthenticated…
CVE-2026-33281	2026-03-24	MEDIUM	6.5	Ella Core is a 5G core designed for private networks. Versions prior to 1.6.0 panic when processing NGAP messages with invalid PDU Session IDs outside of 1-15. An…
CVE-2026-33282	2026-03-24	HIGH	7.5	Ella Core is a 5G core designed for private networks. Versions prior to 1.6.0 panic when processing a malformed NGAP LocationReport message with `ue-presence-in-area-of-interest` event type and omitting…
CVE-2026-33283	2026-03-24	MEDIUM	6.5	Ella Core is a 5G core designed for private networks. Versions prior to 1.6.0 panic when processing malformed UL NAS Transport NAS messages without a Request Type. An…
CVE-2026-33307	2026-03-24	HIGH	7.5	Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. In versions prior to 0.12.3 and 0.13.0, code for client certificate verification imported the certificate chain sent…
CVE-2026-33308	2026-03-24	MEDIUM	6.8	Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. Prior to version 0.13.0, code for client certificate verification did not check the key purpose as set…
CVE-2026-33316	2026-03-24	HIGH	8.1	Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts.…
CVE-2026-33315	2026-03-24	MEDIUM	4.3	Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the…
CVE-2026-33313	2026-03-24	MEDIUM	4.3	Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access…
CVE-2026-33497	2026-03-24	HIGH	7.5	Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.1, in the download_profile_picture function of the /profile_pictures/{folder_name}/{file_name} endpoint, the folder_name and file_name…
CVE-2026-33484	2026-03-24	HIGH	7.5	Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves image files without any authentication or ownership…
CVE-2026-33418	2026-03-24	HIGH	7.5	DiceBear is an avatar library for designers and developers. Prior to version 9.4.2, the `ensureSize()` function in `@dicebear/converter` used a regex-based approach to rewrite SVG `width`/`height` attributes, capping…
CVE-2026-33311	2026-03-24	MEDIUM	4.7	DiceBear is an avatar library for designers and developers. Starting in version 5.0.0 and prior to versions 5.4.4, 6.1.4, 7.1.4, 8.0.3, and 9.4.1, SVG attribute values derived from…
CVE-2026-33309	2026-03-24	CRITICAL	9.9	Langflow is a tool for building and deploying AI-powered agents and workflows. Versions 1.2.0 through 1.8.1 have a bypass of the patch for CVE-2025-68478 (External Control of File…
CVE-2026-33675	2026-03-24	MEDIUM	6.4	Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go` make arbitrary HTTP GET requests without any…
CVE-2026-30661	2026-03-24	MEDIUM	6.1	iCMS v8.0.0 contains a Cross-Site Scripting (XSS) vulnerability in the User Management component, specifically within the index.html file. This allows remote attackers to execute arbitrary web script or…
CVE-2026-23484	2026-03-23	MEDIUM	6.5	Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the fileName parameter is not filtered, allowing path traversal to write files anywhere on the…
CVE-2026-33475	2026-03-24	CRITICAL	9.1	Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repository…
CVE-2026-23481	2026-03-23	MEDIUM	6.5	Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an authenticated arbitrary file write vulnerability in saveAdditionalDevFile. This issue has been patched in version…
CVE-2026-23482	2026-03-23	HIGH	7.5	Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the file server endpoint does not perform permission checks on the temp/ path and does not filter…
CVE-2026-23483	2026-03-23	MEDIUM	5.3	Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the plugin file server endpoint uses join() to concatenate paths but does not verify if…
CVE-2026-23480	2026-03-23	HIGH	8.8	Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any…
CVE-2026-33340	2026-03-24	CRITICAL	9.1	LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in all…
CVE-2026-26809	2026-03-24	N/A	0.0	Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue.…
CVE-2026-29839	2026-03-24	HIGH	8.8	DedeCMS v5.7.118 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability in /sys_task_add.php.
CVE-2026-23485	2026-03-23	MEDIUM	5.3	Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the filePath parameter accepts path traversal sequences, allowing enumeration of file existence on the server via different…
CVE-2026-23486	2026-03-23	MEDIUM	5.3	Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, a publicly accessible endpoint exposes all user information, including usernames, roles, and account creation dates. This issue…
CVE-2026-23487	2026-03-23	MEDIUM	6.5	Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an IDOR vulnerability where user.detail Endpoint Leaks the Superadmin Token. This issue has been patched…
CVE-2026-23488	2026-03-23	MEDIUM	5.3	Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note (including…

« Anterior Página 38 de 4110 Siguiente »

Vulnerabilidades CVE

Vulnerabilidades CVE

Soluciones

Recursos

Legal y Soporte