Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2026-24408 2026-01-26 NONE 0.0 sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates…
CVE-2026-24400 2026-01-26 N/A 0.0 AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability…
CVE-2026-24123 2026-01-26 HIGH 7.4 BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to version 1.4.34, BentoML's `bentofile.yaml` configuration allows path traversal attacks…
CVE-2025-30248 2026-01-26 N/A 0.0 DLL hijacking in the WD Discovery Installer in Western Digital WD Discovery 5.2.730 on Windows allows a local attacker to execute arbitrary code via placement of a crafted…
CVE-2026-24131 2026-01-26 N/A 0.0 pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root.…
CVE-2026-24056 2026-01-26 N/A 0.0 pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining…
CVE-2026-24003 2026-01-26 MEDIUM 4.3 EVerest is an EV charging software stack. In versions up to and including 2025.12.1, it is possible to bypass the sequence state verification including authentication, and send requests…
CVE-2026-23890 2026-01-26 MEDIUM 6.5 pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside…
CVE-2026-23889 2026-01-26 MEDIUM 6.5 pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on…
CVE-2026-23888 2026-01-26 MEDIUM 6.5 pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory.…
CVE-2026-22709 2026-01-26 CRITICAL 9.8 vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` `Promise.prototype.catch` callback sanitization can be bypassed. This allows attackers to escape the sandbox…
CVE-2026-22696 2026-01-26 N/A 0.0 dcap-qvl implements the quote verification logic for DCAP (Data Center Attestation Primitives). A vulnerability present in versions prior to 0.3.9 involves a critical gap in the cryptographic verification…
CVE-2026-1445 2026-01-26 MEDIUM 4.7 A vulnerability was found in iJason-Liu Books_Manager up to 298ba736387ca37810466349af13a0fdf828e99c. This vulnerability affects unknown code of the file controllers/books_center/upload_bookCover.php. Performing a manipulation of the argument book_cover results in…
CVE-2026-1444 2026-01-26 LOW 2.4 A vulnerability has been found in iJason-Liu Books_Manager up to 298ba736387ca37810466349af13a0fdf828e99c. This affects an unknown part of the file controllers/books_center/add_book_check.php. Such manipulation of the argument mark leads to…
CVE-2026-23864 2026-01-26 HIGH 7.5 Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending specially crafted HTTP requests to…
CVE-2026-1443 2026-01-26 HIGH 7.3 A flaw has been found in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /Administrator/PHP/AdminDeleteUser.php. This manipulation of the argument…
CVE-2026-1190 2026-01-26 LOW 3.1 A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate…
CVE-2026-0810 2026-01-26 MEDIUM 6.8 A flaw was found in gix-date. The `gix_date::parse::TimeBuf::as_str` function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the `TimeBuf` component, leading…
CVE-2025-9820 2026-01-26 MEDIUM 4.0 A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the…
CVE-2025-9615 2026-01-26 LOW 3.3 A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network.…
CVE-2025-9522 2026-01-26 N/A 0.0 Blind Server-Side Request Forgery (SSRF) in Omada Controllers through webhook functionality, enabling crafted requests to internal services, which may lead to enumeration of information.
CVE-2025-9521 2026-01-26 N/A 0.0 Password Confirmation Bypass vulnerability in Omada Controllers, allowing an attacker with a valid session token to bypass secondary verification, and change the user’s password without proper confirmation, leading to…
CVE-2025-9520 2026-01-26 N/A 0.0 An IDOR vulnerability exists in Omada Controllers that allows an attacker with Administrator permissions to manipulate requests and potentially hijack the Owner account.
CVE-2025-14969 2026-01-26 MEDIUM 4.3 A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client can prematurely close the HTTP connection. This action…
CVE-2025-14525 2026-01-26 MEDIUM 6.4 A flaw was found in kubevirt. A user within a virtual machine (VM), if the guest agent is active, can exploit this by causing the agent to report…
CVE-2025-14459 2026-01-26 HIGH 8.5 A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data…
CVE-2025-11687 2026-01-26 MEDIUM 6.1 A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page — enabling DOM access, session cookie theft and other…
CVE-2025-11065 2026-01-26 MEDIUM 5.3 A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values…
CVE-2025-70368 2026-01-26 N/A 0.0 Worklenz version 2.1.5 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Project Updates feature. An attacker can submit a malicious payload in the Updates text field which…
CVE-2025-14756 2026-01-26 N/A 0.0 Command injection vulnerability was found in the admin interface component of TP-Link Archer MR600 v5 firmware, allowing authenticated attackers to execute system commands with a limited character length…
CVE-2026-24440 2026-01-26 N/A 0.0 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) allow account passwords to be changed through the maintenance interface without requiring verification of the existing password.…
CVE-2026-24439 2026-01-26 N/A 0.0 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) fail to include the X-Content-Type-Options: nosniff response header on web management interfaces. As a result, browsers that…
CVE-2026-24437 2026-01-26 N/A 0.0 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) serve sensitive administrative content without appropriate cache-control directives. As a result, browsers may store credential-bearing responses locally,…
CVE-2026-24436 2026-01-26 N/A 0.0 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) do not enforce rate limiting or account lockout mechanisms on authentication endpoints. This allows attackers to perform…
CVE-2026-24435 2026-01-26 N/A 0.0 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) implement an insecure Cross-Origin Resource Sharing (CORS) policy on authenticated administrative endpoints. The device sets Access-Control-Allow-Origin: *…
CVE-2026-24433 2026-01-26 N/A 0.0 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain a stored cross-site scripting vulnerability in the user creation functionality. Insufficient input validation allows attacker-controlled script…
CVE-2026-24432 2026-01-26 N/A 0.0 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) lack cross-site request forgery (CSRF) protections on administrative endpoints, including those used to change administrator account credentials.…
CVE-2026-24431 2026-01-26 N/A 0.0 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) display stored user account passwords in plaintext within the administrative web interface. Any user with access to…
CVE-2026-24430 2026-01-26 N/A 0.0 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) disclose sensitive account credentials in cleartext within HTTP responses generated by the maintenance interface. Because the management…
CVE-2026-24429 2026-01-26 N/A 0.0 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) ship with a predefined default password for a built-in authentication account that is not required to be…
CVE-2026-24428 2026-01-26 N/A 0.0 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain an authorization flaw in the user management API that allows a low-privileged authenticated user to change…
CVE-2026-1446 2026-01-26 MEDIUM 5.0 There is a Cross Site Scripting issue in Esri ArcGIS Pro versions 3.6.0 and earlier. A local attacker could supply malicious strings into ArcGIS Pro which may execute…
CVE-2026-1224 2026-01-26 MEDIUM 4.9 Tanium addressed an uncontrolled resource consumption vulnerability in Discover.
CVE-2026-0925 2026-01-26 LOW 2.7 Tanium addressed an improper input validation vulnerability in Discover.
CVE-2025-71178 2026-01-26 N/A 0.0 Crucial Storage Executive installer versions prior to 11.08.082025.00 contain a DLL preloading vulnerability. During installation, the installer runs with elevated privileges and loads Windows DLLs using an uncontrolled…
CVE-2025-57785 2026-01-26 MEDIUM 6.5 A Double Free in XSLT `show_index` has been identified in Hiawatha webserver version 11.7 which allows an unauthenticated attacker to corrupt data which may lead to arbitrary code…
CVE-2025-57784 2026-01-26 MEDIUM 4.0 Tomahawk auth timing attack due to usage of `strcmp` has been identified in Hiawatha webserver version 11.7 which allows a local attacker to access the management client.
CVE-2025-57783 2026-01-26 MEDIUM 5.3 Improper header parsing may lead to request smuggling has been identified in Hiawatha webserver version 11.7 which allows an unauthenticated attacker to access restricted resources managed by Hiawatha…
CVE-2020-36960 2026-01-26 MEDIUM 6.4 Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts…
CVE-2020-36959 2026-01-26 HIGH 7.8 IDT PC Audio 1.0.6499.0 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted…
« Anterior Página 45 de 3917 Siguiente »