Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2025-9522 2026-01-26 N/A 0.0 Blind Server-Side Request Forgery (SSRF) in Omada Controllers through webhook functionality, enabling crafted requests to internal services, which may lead to enumeration of information.
CVE-2025-9521 2026-01-26 N/A 0.0 Password Confirmation Bypass vulnerability in Omada Controllers, allowing an attacker with a valid session token to bypass secondary verification, and change the user’s password without proper confirmation, leading to…
CVE-2025-9520 2026-01-26 N/A 0.0 An IDOR vulnerability exists in Omada Controllers that allows an attacker with Administrator permissions to manipulate requests and potentially hijack the Owner account.
CVE-2025-14969 2026-01-26 MEDIUM 4.3 A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client can prematurely close the HTTP connection. This action…
CVE-2025-14525 2026-01-26 MEDIUM 6.4 A flaw was found in kubevirt. A user within a virtual machine (VM), if the guest agent is active, can exploit this by causing the agent to report…
CVE-2025-14459 2026-01-26 HIGH 8.5 A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data…
CVE-2025-11687 2026-01-26 MEDIUM 6.1 A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page — enabling DOM access, session cookie theft and other…
CVE-2025-11065 2026-01-26 MEDIUM 5.3 A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values…
CVE-2025-70368 2026-01-26 N/A 0.0 Worklenz version 2.1.5 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Project Updates feature. An attacker can submit a malicious payload in the Updates text field which…
CVE-2025-14756 2026-01-26 N/A 0.0 Command injection vulnerability was found in the admin interface component of TP-Link Archer MR600 v5 firmware, allowing authenticated attackers to execute system commands with a limited character length…
CVE-2026-24440 2026-01-26 N/A 0.0 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) allow account passwords to be changed through the maintenance interface without requiring verification of the existing password.…
CVE-2026-24439 2026-01-26 N/A 0.0 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) fail to include the X-Content-Type-Options: nosniff response header on web management interfaces. As a result, browsers that…
CVE-2026-24437 2026-01-26 N/A 0.0 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) serve sensitive administrative content without appropriate cache-control directives. As a result, browsers may store credential-bearing responses locally,…
CVE-2026-24436 2026-01-26 N/A 0.0 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) do not enforce rate limiting or account lockout mechanisms on authentication endpoints. This allows attackers to perform…
CVE-2026-24435 2026-01-26 N/A 0.0 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) implement an insecure Cross-Origin Resource Sharing (CORS) policy on authenticated administrative endpoints. The device sets Access-Control-Allow-Origin: *…
CVE-2026-24433 2026-01-26 N/A 0.0 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain a stored cross-site scripting vulnerability in the user creation functionality. Insufficient input validation allows attacker-controlled script…
CVE-2026-24432 2026-01-26 N/A 0.0 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) lack cross-site request forgery (CSRF) protections on administrative endpoints, including those used to change administrator account credentials.…
CVE-2026-24431 2026-01-26 N/A 0.0 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) display stored user account passwords in plaintext within the administrative web interface. Any user with access to…
CVE-2026-24430 2026-01-26 N/A 0.0 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) disclose sensitive account credentials in cleartext within HTTP responses generated by the maintenance interface. Because the management…
CVE-2026-24429 2026-01-26 N/A 0.0 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) ship with a predefined default password for a built-in authentication account that is not required to be…
CVE-2026-24428 2026-01-26 N/A 0.0 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain an authorization flaw in the user management API that allows a low-privileged authenticated user to change…
CVE-2026-1446 2026-01-26 MEDIUM 5.0 There is a Cross Site Scripting issue in Esri ArcGIS Pro versions 3.6.0 and earlier. A local attacker could supply malicious strings into ArcGIS Pro which may execute…
CVE-2026-1224 2026-01-26 MEDIUM 4.9 Tanium addressed an uncontrolled resource consumption vulnerability in Discover.
CVE-2026-0925 2026-01-26 LOW 2.7 Tanium addressed an improper input validation vulnerability in Discover.
CVE-2025-71178 2026-01-26 N/A 0.0 Crucial Storage Executive installer versions prior to 11.08.082025.00 contain a DLL preloading vulnerability. During installation, the installer runs with elevated privileges and loads Windows DLLs using an uncontrolled…
CVE-2025-57785 2026-01-26 MEDIUM 6.5 A Double Free in XSLT `show_index` has been identified in Hiawatha webserver version 11.7 which allows an unauthenticated attacker to corrupt data which may lead to arbitrary code…
CVE-2025-57784 2026-01-26 MEDIUM 4.0 Tomahawk auth timing attack due to usage of `strcmp` has been identified in Hiawatha webserver version 11.7 which allows a local attacker to access the management client.
CVE-2025-57783 2026-01-26 MEDIUM 5.3 Improper header parsing may lead to request smuggling has been identified in Hiawatha webserver version 11.7 which allows an unauthenticated attacker to access restricted resources managed by Hiawatha…
CVE-2020-36960 2026-01-26 MEDIUM 6.4 Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts…
CVE-2020-36959 2026-01-26 HIGH 7.8 IDT PC Audio 1.0.6499.0 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted…
CVE-2020-36958 2026-01-26 HIGH 7.8 Kite 1.2020.1119.0 contains an unquoted service path vulnerability in the KiteService Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path…
CVE-2020-36957 2026-01-26 HIGH 7.8 PDF Complete 3.5.310.2002 contains an unquoted service path vulnerability in its pdfsvc.exe service configuration. Attackers can exploit the unquoted path to inject and execute malicious code with elevated…
CVE-2020-36956 2026-01-26 MEDIUM 6.4 Openfire 4.6.0 contains a stored cross-site scripting vulnerability in the nodejs plugin that allows attackers to inject malicious scripts through the 'path' parameter. Attackers can craft a payload…
CVE-2020-36955 2026-01-26 MEDIUM 6.4 Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attackers can…
CVE-2020-36954 2026-01-26 MEDIUM 6.4 Xeroneit Library Management System 3.1 contains a stored cross-site scripting vulnerability in the Book Category feature that allows administrators to inject malicious scripts. Attackers can insert a payload…
CVE-2020-36953 2026-01-26 HIGH 7.8 MiniTool ShadowMaker 3.2 contains an unquoted service path vulnerability in the MTAgentService that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in…
CVE-2025-70982 2026-01-26 CRITICAL 9.9 Incorrect access control in the importUser function of SpringBlade v4.5.0 allows attackers with low-level privileges to arbitrarily import sensitive user data.
CVE-2025-67274 2026-01-26 HIGH 7.5 An issue in continuous.software aangine v.2025.2 allows a remote attacker to obtain sensitive information via the excel-integration-service template download module, integration-persistence-service job listing module, portfolio-item-service data retrieval module…
CVE-2025-50537 2026-01-26 MEDIUM 5.5 Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and…
CVE-2020-36952 2026-01-26 HIGH 7.8 IObit Uninstaller 10 Pro contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted service…
CVE-2025-59109 2026-01-26 N/A 0.0 The dormakaba registration units 9002 (PIN Pad Units) have an exposed UART header on the backside. The PIN pad is sending every button press to the UART interface.…
CVE-2026-24656 2026-01-26 LOW 3.7 Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter. The Decanter log socket collector exposes the port 4560, without authentication. If the collector exposes allowed classes property, this…
CVE-2025-27821 2026-01-26 HIGH 7.3 Out-of-bounds Write vulnerability in Apache Hadoop HDFS native client. This issue affects Apache Hadoop: from 3.2.0 before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes…
CVE-2016-15057 2026-01-26 CRITICAL 9.9 ** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Continuum. This issue affects Apache Continuum: all versions. Attackers…
CVE-2025-14973 2026-01-26 MEDIUM 6.8 The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to…
CVE-2025-14316 2026-01-26 HIGH 7.1 The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting…
CVE-2026-1284 2026-01-26 HIGH 7.8 An Out-Of-Bounds Write vulnerability affecting the EPRT file reading procedure in SOLIDWORKS eDrawings from Release SOLIDWORKS 2025 through Release SOLIDWORKS 2026 could allow an attacker to execute arbitrary…
CVE-2026-1283 2026-01-26 HIGH 7.8 A Heap-based Buffer Overflow vulnerability affecting the EPRT file reading procedure in SOLIDWORKS eDrawings from Release SOLIDWORKS 2025 through Release SOLIDWORKS 2026 could allow an attacker to execute…
CVE-2025-59108 2026-01-26 N/A 0.0 By default, the password for the Access Manager's web interface, is set to 'admin'. In the tested version changing the password was not enforced.
CVE-2025-59107 2026-01-26 N/A 0.0 Dormakaba provides the software FWServiceTool to update the firmware version of the Access Managers via the network. The firmware in some instances is provided in an encrypted ZIP…
« Anterior Página 385 de 4256 Siguiente »