CVE Vulnerabilities

Below is the list of the latest vulnerabilities published by NIST:

CVE ID Published Severity CVSS Description
CVE-2025-13215 2026-01-06 MEDIUM 5.3 The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.17.13 via the auxels_ajax_search due…
CVE-2025-15001 2026-01-06 CRITICAL 9.8 The FS Registration Password plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.1. This is due to the…
CVE-2025-14997 2026-01-06 HIGH 7.2 The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete_field' function in all versions…
CVE-2025-14996 2026-01-06 CRITICAL 9.8 The AS Password Field In Default Registration Form plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.0.0. This…
CVE-2025-14441 2026-01-06 MEDIUM 5.3 The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE `/subscribers` REST API endpoint in all versions up to,…
CVE-2025-14438 2026-01-06 MEDIUM 6.4 The Xagio SEO – AI Powered SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.1.0.30 via the 'pixabayDownloadImage' function.…
CVE-2025-14120 2026-01-06 MEDIUM 6.4 The URL Image Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.7 due to insufficient…
CVE-2026-21750 2026-01-06 N/A 0.0 Rejected reason: Not used
CVE-2026-21749 2026-01-06 N/A 0.0 Rejected reason: Not used
CVE-2026-21748 2026-01-06 N/A 0.0 Rejected reason: Not used
CVE-2026-21747 2026-01-06 N/A 0.0 Rejected reason: Not used
CVE-2026-21746 2026-01-06 N/A 0.0 Rejected reason: Not used
CVE-2026-21745 2026-01-06 N/A 0.0 Rejected reason: Not used
CVE-2026-21744 2026-01-06 N/A 0.0 Rejected reason: Not used
CVE-2026-21676 2026-01-06 HIGH 8.8 iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have a Heap-based Buffer Overflow in its CIccMBB::Validate function…
CVE-2026-21487 2026-01-06 MEDIUM 6.1 iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below have an Out-of-bounds Read, Use of Out-of-range Pointer Offset…
CVE-2026-21486 2026-01-06 HIGH 7.8 iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below contain Use After Free, Heap-based Buffer Overflow and Integer…
CVE-2026-0604 2026-01-06 MEDIUM 6.5 The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.7 via the 'dir_path' parameter…
CVE-2025-14153 2026-01-06 MEDIUM 6.5 The Page Expire Popup/Redirection for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' shortcode attribute in all versions up to, and including, 1.0…
CVE-2025-14034 2026-01-06 MEDIUM 5.3 The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'delete_single_ticket_callback' and…
CVE-2025-13746 2026-01-06 MEDIUM 6.4 The ForumWP – Forum & Discussion Board plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User's Display Name in all versions up to, and including,…
CVE-2025-13652 2026-01-06 MEDIUM 6.5 The CBX Bookmark & Favorite plugin for WordPress is vulnerable to generic SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 2.0.4 due to…
CVE-2025-13409 2026-01-06 MEDIUM 4.9 The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to SQL Injection via the 'params' parameter in all versions up to, and including, 1.4.13…
CVE-2025-11723 2026-01-06 MEDIUM 6.5 The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.5 via…
CVE-2025-11370 2026-01-06 MEDIUM 5.3 The Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable…
CVE-2026-21673 2026-01-06 HIGH 7.8 iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have overflows and underflows in CIccXmlArrayType::ParseTextCountNum(). This vulnerability affects…
CVE-2025-20802 2026-01-06 N/A 0.0 In geniezone, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained…
CVE-2025-15364 2026-01-06 HIGH 7.3 The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.40. This is due to the plugin…
CVE-2026-21507 2026-01-06 HIGH 7.5 iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have an infinite loop in the IccProfile.cpp function, CalcProfileID.…
CVE-2025-69197 2026-01-06 MEDIUM 6.5 Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled…
CVE-2025-68954 2026-01-06 N/A 0.0 Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance…
CVE-2025-69230 2026-01-06 N/A 0.0 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. If the…
CVE-2025-69229 2026-01-06 N/A 0.0 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when…
CVE-2025-69228 2026-01-06 N/A 0.0 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP…
CVE-2025-69227 2026-01-06 N/A 0.0 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting…
CVE-2025-69225 2026-01-06 N/A 0.0 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range…
CVE-2025-69226 2026-01-05 N/A 0.0 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the…
CVE-2025-69224 2026-01-05 N/A 0.0 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the…
CVE-2026-0625 2026-01-05 N/A 0.0 Multiple D-Link DSL gateway devices contain a command injection vulnerability in the dnscfg.cgi endpoint due to improper sanitization of user-supplied DNS configuration parameters. An unauthenticated remote attacker can…
CVE-2026-0621 2026-01-05 N/A 0.0 Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded…
CVE-2026-0605 2026-01-05 HIGH 7.3 A security vulnerability has been detected in code-projects Online Music Site 1.0. Affected by this vulnerability is an unknown functionality of the file /login.php. Such manipulation of the…
CVE-2026-0588 2026-01-05 LOW 3.5 A weakness has been identified in Xinhu Rainrock RockOA up to 2.7.1. Affected by this vulnerability is an unknown functionality of the file rockfun.php of the component API.…
CVE-2025-69223 2026-01-05 HIGH 7.5 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the…
CVE-2026-0587 2026-01-05 LOW 3.5 A security flaw has been discovered in Xinhu Rainrock RockOA up to 2.7.1. Affected is an unknown function of the file rock_page_gong.php of the component Cover Image Handler.…
CVE-2025-68953 2026-01-05 HIGH 7.5 Frappe is a full-stack web application framework. Versions 14.99.5 and below and 15.0.0 through 15.80.1 include requests that are vulnerable to path traversal attacks. Arbitrary files from the…
CVE-2025-68454 2026-01-05 N/A 0.0 Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For…
CVE-2025-68436 2026-01-05 N/A 0.0 Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets…
CVE-2025-68428 2026-01-05 N/A 0.0 jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows…
CVE-2025-67732 2026-01-05 N/A 0.0 Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and…
CVE-2025-66648 2026-01-05 HIGH 7.2 vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal…