Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2025-43826 2025-09-30 N/A 0.0 Stored cross-site scripting (XSS) vulnerabilities in Web Content translation in Liferay Portal 7.4.0 through 7.4.3.112, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10,…
CVE-2022-40285 2025-09-30 N/A 0.0 Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2024-13967. Reason: This record is a reservation duplicate of CVE-2024-13967. Notes: All CVE users should reference CVE-2024-13967 instead of…
CVE-2025-9232 2025-09-30 MEDIUM 5.9 Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host portion of…
CVE-2025-9231 2025-09-30 MEDIUM 6.5 Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms. Impact summary:…
CVE-2025-9230 2025-09-30 HIGH 7.5 Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write. Impact summary: This out-of-bounds read may trigger…
CVE-2025-56392 2025-09-30 N/A 0.0 An Insecure Direct Object Reference (IDOR) in the /dashboard/notes endpoint of Syaqui Collegetivity v1.0.0 allows attackers to impersonate other users and perform arbitrary operations via a crafted POST…
CVE-2025-56200 2025-09-30 MEDIUM 6.1 A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the…
CVE-2025-56018 2025-09-30 MEDIUM 6.1 SourceCodester Web-based Pharmacy Product Management System V1.0 is vulnerable to Cross Site Scripting (XSS) in Category Management via the category name field.
CVE-2025-52050 2025-09-30 MEDIUM 6.5 In Frappe ERPNext 15.57.5, the function get_loyalty_program_details_with_points() at erpnext/accounts/doctype/loyalty_program/loyalty_program.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL…
CVE-2025-52049 2025-09-30 MEDIUM 6.5 In Frappe ErpNext v15.57.5, the function get_timesheet_detail_rate() at erpnext/projects/doctype/timesheet/timesheet.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query…
CVE-2025-52047 2025-09-30 MEDIUM 6.5 In Frappe ErpNext v15.57.5, the function get_income_account() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL…
CVE-2025-52043 2025-09-30 MEDIUM 6.5 In Frappe ERPNext v15.57.5, the function import_coa() at erpnext/accounts/doctype/chart_of_accounts_importer/chart_of_accounts_importer.py is vulnerable to SQL injection, which allows an attacker to extract all information from databases by injecting a SQL…
CVE-2025-36262 2025-09-30 MEDIUM 4.9 IBM Planning Analytics Local 2.0.0 through 2.0.106 and 2.1.0 through 2.1.13 could allow a malicious privileged user to bypass the UI to gain unauthorized access to sensitive information…
CVE-2025-36132 2025-09-30 MEDIUM 5.4 IBM Planning Analytics Local 2.0.0 through 2.0.106 and 2.1.0 through 2.1.13 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in…
CVE-2025-28016 2025-09-30 MEDIUM 4.8 A Reflected Cross-Site Scripting (XSS) vulnerability was found in loginsystem/edit-profile.php of the PHPGurukul User Registration & Login and User Management System V3.3. This vulnerability allows remote attackers to…
CVE-2025-10659 2025-09-30 CRITICAL 9.8 The Telenium Online Web Application is vulnerable due to a PHP endpoint accessible to unauthenticated network users that improperly handles user-supplied input. This vulnerability occurs due to the…
CVE-2024-55017 2025-09-30 HIGH 7.5 Account Takeover in Corezoid 6.6.0 in the OAuth2 implementation via an open redirect in the redirect_uri parameter allows attackers to intercept authorization codes and gain unauthorized access to…
CVE-2025-56132 2025-09-30 N/A 0.0 LiquidFiles filetransfer server is vulnerable to a user enumeration issue in its password reset functionality. The application returns distinguishable responses for valid and invalid email addresses, allowing unauthenticated…
CVE-2025-43827 2025-09-30 N/A 0.0 Insecure Direct Object Reference (IDOR) vulnerability with audit events in Liferay Portal 7.4.0 through 7.4.3.117, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10,…
CVE-2025-11149 2025-09-30 HIGH 7.5 This affects all versions of the package node-static; all versions of the package @nubosoftware/node-static. The package fails to catch an exception when user input includes null bytes. This…
CVE-2025-11148 2025-09-30 CRITICAL 9.8 All versions of the package check-branches are vulnerable to Command Injection check-branches is a command-line tool that is interacted with locally, or via CI, to confirm no conflicts…
CVE-2025-57254 2025-09-30 N/A 0.0 An SQL injection vulnerability in user-login.php and index.php of Karthikg1908 Hospital Management System (HMS) 1.0 allows remote attackers to execute arbitrary SQL queries via the username and password…
CVE-2025-56675 2025-09-30 LOW 3.5 The EKEN video doorbell T6 BT60PLUS_MAIN_V1.0_GC1084_20230531 periodically sends debug logs to the EKEN cloud servers with sensitive information such as the Wi-Fi SSID and password.
CVE-2025-56513 2025-09-30 N/A 0.0 NiceHash QuickMiner 6.12.0 perform software updates over HTTP without validating digital signatures or hash checks. An attacker capable of intercepting or redirecting traffic to the update url and…
CVE-2025-54477 2025-09-30 MEDIUM 5.3 Improper handling of authentication requests lead to a user enumeration vector in the passkey authentication method.
CVE-2025-23293 2025-09-30 HIGH 8.7 NVIDIA Delegated Licensing Service for all appliance platforms contains a vulnerability where an User/Attacker may cause an authorized action. A successful exploit of this vulnerability may lead to…
CVE-2025-23292 2025-09-30 MEDIUM 4.6 NVIDIA Delegated Licensing Service for all appliance platforms contains a SQL injection vulnerability where an User/Attacker may cause an authorized action. A successful exploit of this vulnerability may…
CVE-2025-23291 2025-09-30 LOW 2.4 NVIDIA Delegated Licensing Service for all appliance platforms contains a vulnerability where an User/Attacker may cause an authorized action. A successful exploit of this vulnerability may lead to…
CVE-2025-11195 2025-09-30 LOW 3.3 Rapid7 AppSpider Pro versions below 7.5.021 suffer from a project name validation vulnerability, whereby an attacker can change the project name directly in the configuration file to a…
CVE-2025-56520 2025-09-30 N/A 0.0 Dify v1.6.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component controllers.console.remote_files.RemoteFileUploadApi. A different vulnerability than CVE-2025-29720.
CVE-2025-56207 2025-09-30 N/A 0.0 A security flaw in the '_transfer' function of a smart contract implementation for Money Making Opportunity (MMO), an Ethereum ERC721 Non-Fungible Token (NFT) project, allows users or attackers…
CVE-2025-54476 2025-09-30 N/A 0.0 Improper handling of input could lead to an XSS vector in the checkAttribute method of the input filter framework class.
CVE-2025-43400 2025-09-29 MEDIUM 6.3 An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in macOS Sonoma 14.8.1, macOS Tahoe 26.0.1, macOS Sequoia 15.7.1, visionOS 26.0.1, iOS 26.0.1…
CVE-2025-6034 2025-09-30 HIGH 7.8 There is a memory corruption vulnerability due to an out of bounds read in DefaultFontOptions() when using SymbolEditor in NI Circuit Design Suite.  This vulnerability may result in…
CVE-2025-6033 2025-09-30 HIGH 7.8 There is a memory corruption vulnerability due to an out of bounds write in XML_Serialize() when using SymbolEditor in NI Circuit Design Suite.  This vulnerability may result in…
CVE-2025-56676 2025-09-30 N/A 0.0 TitanSystems Zender v3.9.7 contains an account takeover vulnerability in its password reset functionality. A temporary password or reset token issued to one user can be used to log…
CVE-2025-56572 2025-09-30 N/A 0.0 An issue in finance.js v.4.1.0 allows a remote attacker to cause a denial of service via the seekZero() parameter.
CVE-2025-56571 2025-09-30 N/A 0.0 Finance.js v4.1.0 contains a Denial of Service (DoS) vulnerability via the IRR function’s depth parameter. Improper handling of the recursion/iteration limit can lead to excessive CPU usage, causing…
CVE-2025-55797 2025-09-30 N/A 0.0 An improper access control vulnerability in FormCms v0.5.4 in the /api/schemas/history/[schemaId] endpoint allows unauthenticated attackers to access historical schema data if a valid schemaId is known or guessed.
CVE-2025-34224 2025-09-29 N/A 0.0 Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA/SaaS deployments) expose a set of PHP scripts under the `console_release` directory without requiring…
CVE-2025-34221 2025-09-29 N/A 0.0 Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 25.2.1518 (VA/SaaS deployments) expose every internal Docker container to the network because firewall rules allow…
CVE-2025-34215 2025-09-29 N/A 0.0 Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1026 and Application prior to version 20.0.2702 (only VA deployments) expose an unauthenticated firmware-upload flow: a public page…
CVE-2025-7779 2025-09-30 HIGH 8.8 Local privilege escalation due to insecure XPC service configuration. The following products are affected: Acronis True Image (macOS) before build 42389, Acronis True Image for SanDisk (macOS) before…
CVE-2025-59956 2025-09-30 MEDIUM 6.5 AgentAPI is an HTTP API for Claude Code, Goose, Aider, Gemini, Amp, and Codex. Versions 0.3.3 and below are susceptible to a client-side DNS rebinding attack when hosted…
CVE-2025-61586 2025-09-30 N/A 0.0 FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below are vulnerable to directory enumeration by setting path in theme field, allowing attackers to gain additional information…
CVE-2025-59954 2025-09-30 N/A 0.0 Knowage is an open source analytics and business intelligence suite. Versions 8.1.26 and below are vulnerable to Remote Code Exection through using an unsafe org.apache.commons.jxpath.JXPathContext in MetaService.java service.…
CVE-2025-59950 2025-09-30 MEDIUM 6.7 FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.3 and below, due to a bypass of double clickjacking protection (confirmation dialog), it is possible to trick the…
CVE-2025-59937 2025-09-29 N/A 0.0 go-mail is a comprehensive library for sending mails with Go. In versions 0.7.0 and below, due to incorrect handling of the mail.Address values when a sender- or recipient…
CVE-2025-57769 2025-09-29 N/A 0.0 FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below contain a vulnerability where a specially crafted page can trick a user into executing arbitrary JS code…
CVE-2025-56301 2025-09-30 N/A 0.0 An issue was discovered in Chipsalliance Rocket-Chip commit f517abbf41abb65cea37421d3559f9739efd00a9 (2025-01-29) allowing attackers to corrupt exception handling and privilege state transitions via a flawed interaction between exception handling and…
« Anterior Página 414 de 3934 Siguiente »