Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2026-10735 2026-06-24 HIGH 7.5 Multiple Shapedsmart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 Pro smart-post-show-pro WordPress plugin before 4.0.2,…
CVE-2026-0864 2026-06-23 N/A 0.0 When using the "configparser" module to write configuration files containing multi-line text values with carriage return characters (\r) the resulting file could be injected with unexpected keys and…
CVE-2025-64105 2026-06-23 N/A 0.0 FOSSBilling is a billing and client management system that automates invoicing, payments, and communication for online service businesses. Versions 0.6.21 through 0.7.2 are vulnerable to IDOR through the…
CVE-2026-44791 2026-06-23 CRITICAL 9.9 n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could bypass the patch…
CVE-2026-45732 2026-06-23 HIGH 8.1 n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, the OAuth1 and OAuth2 credential reconnect endpoints authorized access using credential:read rather than credential:update.…
CVE-2026-44792 2026-06-23 CRITICAL 9.0 n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an attacker with write access to the git repository connected to an n8n Source…
CVE-2026-44790 2026-06-23 HIGH 8.8 n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could inject CLI flags…
CVE-2026-55450 2026-06-23 CRITICAL 9.3 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, unauthenticated users can upload any amount of data to the server without any…
CVE-2026-55447 2026-06-23 CRITICAL 9.6 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, by controlling a files that are digested into the RAG, an attacker can…
CVE-2026-55446 2026-06-23 HIGH 7.5 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.0.19, an attacker can send a /api/v1/files/upload/ request without any authentication token/cookies and abuse…
CVE-2026-55423 2026-06-23 MEDIUM 6.1 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.7.0, the logout button does not clear the session. The previous user stays logged…
CVE-2026-55255 2026-06-23 CRITICAL 9.9 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated…
CVE-2026-9724 2026-06-24 MEDIUM 4.3 The MotorDesk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation…
CVE-2026-9710 2026-06-24 HIGH 7.7 The Cornerstone WordPress plugin before 7.8.8 does not enforce capability checks on one of its CSS-preview request handlers, and exposes the nonce needed to call it to every…
CVE-2026-9709 2026-06-24 HIGH 7.7 The Cornerstone WordPress plugin before 7.8.9 does not enforce capability checks on one of its REST API routes, allowing any authenticated user to disclose the metadata of any…
CVE-2026-9619 2026-06-24 MEDIUM 4.3 The Reviews and Rating – Docplanner plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.4. This is due to the plugin…
CVE-2026-9612 2026-06-24 MEDIUM 5.3 The WhatsOrder – Instant Checkout for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.1 via the yapacdev_generate_order_pdf. This…
CVE-2026-56761 2026-06-24 MEDIUM 4.3 hono before 4.12.14 contains an html injection vulnerability in jsx server-side rendering that allows attackers to inject unintended html by using malformed attribute names. Attackers can craft specially…
CVE-2026-9178 2026-06-24 HIGH 7.5 The WP Forms Connector plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.8. The plugin registers the REST route wp/v3/user/list/ (callback…
CVE-2026-9172 2026-06-24 MEDIUM 5.3 The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to unauthorized modification/deletion of data due to a missing capability check on the delete_single_account()…
CVE-2026-8705 2026-06-24 HIGH 7.5 The ClearSale Total plugin for WordPress is vulnerable to SQL Injection via the `pagseguro[metodo]` POST parameter of the `clearsale_total_push` AJAX action in all versions up to, and including,…
CVE-2026-8688 2026-06-24 MEDIUM 4.3 The Advance Nav Menu Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.3. This is due to the plugin not…
CVE-2026-8614 2026-06-24 MEDIUM 4.3 The Assistio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce verification on the assistio_plugin_delete_assistio_settings() function in versions…
CVE-2026-6292 2026-06-24 MEDIUM 4.3 The MP Customize Login Page plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.0. This is due to a…
CVE-2026-9539 2026-06-24 MEDIUM 6.5 An out-of-bounds heap read and integer underflow in the TCP urgent data handling (sosendoob) in freedesktop.org libslirp version before v4.9.2 on hypervisor host environments (e.g., QEMU) allows a…
CVE-2026-56370 2026-06-24 LOW 3.3 ImageMagick before 7.1.2-19 contains an out-of-bounds access vulnerability in ConnectedComponentsImage() when processing connected-components artifacts with invalid indices. Attackers can trigger access violations by specifying malformed connected-components definitions via…
CVE-2026-56351 2026-06-24 HIGH 8.2 n8n before version 2.4.0 contains a sql injection vulnerability in MySQL, PostgreSQL, and Microsoft SQL nodes that allows authenticated users to inject arbitrary SQL through unescaped identifier values…
CVE-2026-56337 2026-06-24 MEDIUM 5.3 Capgo before 12.128.2 contains an information disclosure vulnerability in the public.exist_app_v2 RPC function that allows unauthenticated attackers to enumerate app_ids by calling POST /rest/v1/rpc/exist_app_v2 with arbitrary appid parameters.…
CVE-2026-56310 2026-06-24 MEDIUM 4.3 Cap-go before 12.128.2 contains an authorization bypass vulnerability in the GET /organization/members endpoint that allows org-limited API keys to bypass limited_to_orgs restrictions. Attackers with org-limited API keys can…
CVE-2026-56270 2026-06-24 HIGH 7.5 Flowise before 3.1.0 (versions 3.0.13 and earlier) contains a missing authentication vulnerability in the /api/v1/loginmethod endpoint that allows unauthenticated users to retrieve an organization's complete SSO configuration, including…
CVE-2026-56262 2026-06-24 MEDIUM 6.5 Crawl4AI before 0.8.7 contains an authentication bypass vulnerability in the monitor router endpoints that allows unauthenticated attackers to access destructive operations. Remote attackers can invoke the /monitor/actions/cleanup endpoint…
CVE-2026-56257 2026-06-24 HIGH 7.1 Capgo before 12.128.2 allows direct patching of public.apps.owner_org through PostgREST, bypassing the transfer_app() workflow and creating split-brain ownership. Attackers can directly update apps.owner_org while leaving app_versions.owner_org unchanged, enabling…
CVE-2026-56244 2026-06-24 HIGH 7.1 Capgo before 12.128.2 allows non-admin API keys to read webhook signing secrets via Supabase REST due to insufficient row-level security policies on the webhooks table. Attackers can retrieve…
CVE-2026-56232 2026-06-24 HIGH 8.8 Capgo before 12.128.2 fails to enforce limited_to_orgs and limited_to_apps constraints on subkeys provided via x-limited-key-id header in middlewareKey function. Attackers can bypass subkey scope restrictions by referencing their…
CVE-2026-56231 2026-06-24 HIGH 7.6 Capgo before 12.128.2 contains a broken object level authorization (BOLA) vulnerability in the POST /build/start/:jobId and POST /build/cancel/:jobId endpoints. The handlers authorize the request based only on the…
CVE-2026-56052 2026-06-24 HIGH 7.6 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FunnelKit Funnel Builder by FunnelKit allows Blind SQL Injection. This issue affects Funnel Builder…
CVE-2026-54588 2026-06-23 CRITICAL 9.6 Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 use the attacker-controlled `HTTP_HOST` request header as the authoritative source for building…
CVE-2026-54515 2026-06-23 MEDIUM 5.3 jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(),…
CVE-2026-53927 2026-06-23 N/A 0.0 NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-fetch endpoint (axiosRequestMake) accepted URLs whose path contained a permitted extension anywhere in the string, and…
CVE-2026-47384 2026-06-23 N/A 0.0 NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a…
CVE-2026-47380 2026-06-23 N/A 0.0 NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing…
CVE-2026-46554 2026-06-23 N/A 0.0 NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was…
CVE-2026-46548 2026-06-23 MEDIUM 4.3 NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the request-filtering-agent SSRF protection was non-functional in the four notification webhook plugins (Slack, Discord, Mattermost, Teams) because…
CVE-2026-54762 2026-06-23 N/A 0.0 Traefik is an HTTP reverse proxy and load balancer. From 3.7.0-ea.1 until 3.7.5, there is a medium severity vulnerability in Traefik's Kubernetes Ingress NGINX provider that causes affected…
CVE-2026-13140 2026-06-24 N/A 0.0 Stored Cross-Site Scripting in the exposed AWS API key store of Thinkst Applied Research Canarytokens. Anonymous exploitation requires knowledge of a random identifier. This issue affects Canarytokens: from Docker…
CVE-2026-13150 2026-06-24 N/A 0.0 Server-Side Request Forgery (SSRF) (CWE-918) in the PDF generation endpoint GET /api/reports/{id}/pdf (backend/main.py) in ccyl13 Pentestify 1.0.0 and lower allows remote attackers to make the server issue requests…
CVE-2026-11968 2026-06-24 MEDIUM 5.5 Argument Injection in TortoiseGitBlame via Malicious Git History Filenames Leads to Arbitrary File Write in TortoiseGit
CVE-2026-13006 2026-06-24 N/A 0.0 ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.34 in Java applications, allows an attacker to execute arbitrary code circumventing existing…
CVE-2026-12094 2026-06-24 MEDIUM 5.3 The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdb_ajax_delete_user() function…
CVE-2026-11820 2026-06-23 MEDIUM 6.5 Module: plugins/modules/nexmo.py CVSS 3.1: 6.5 MEDIUM — AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Issue: api_key and api_secret are declared no_log=True at the input level, but both credentials are immediately URL-encoded into a GET…
« Anterior Página 48 de 4522 Siguiente »