Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2025-66294 2025-12-01 N/A 0.0 Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary…
CVE-2025-66206 2025-12-01 MEDIUM 6.8 Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, certain requests were vulnerable to path traversal attacks, wherein some files from the server could be…
CVE-2025-66205 2025-12-01 HIGH 7.1 Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, a certain endpoint was vulnerable to error-based SQL injection due to lack of validation of parameters.…
CVE-2025-65840 2025-12-01 HIGH 8.8 PublicCMS V5.202506.b is vulnerable to Cross Site Request Forgery (CSRF) in the CkEditorAdminController.
CVE-2025-65621 2025-12-01 N/A 0.0 Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation.
CVE-2025-58044 2025-12-01 N/A 0.0 JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.19 and v4.10.5, The /core/i18n// endpoint uses the Referer header as…
CVE-2025-55749 2025-12-01 N/A 0.0 XWiki is an open-source wiki software platform. From 16.7.0 to 16.10.11, 17.4.4, or 17.7.0, in an instance which is using the XWiki Jetty package (XJetty), a context is…
CVE-2025-65838 2025-12-01 N/A 0.0 PublicCMS V5.202506.b is vulnerable to path traversal via the doUploadSitefile method.
CVE-2025-65836 2025-12-01 N/A 0.0 PublicCMS V5.202506.b is vulnerable to SSRF. in the chat interface of SimpleAiAdminController.
CVE-2025-63317 2025-12-01 MEDIUM 5.4 Todoist v8896 is vulnerable to Cross Site Scripting (XSS) in /api/v1/uploads. Uploaded SVG files have no sanitization applied, so embedded JavaScript executes when a user opens the attachment…
CVE-2025-51683 2025-12-01 N/A 0.0 A blind SQL Injection (SQLi) vulnerability in mJobtime v15.7.2 allows unauthenticated attackers to execute arbitrary SQL statements via a crafted POST request to the /Default.aspx/update_profile_Server endpoint .
CVE-2025-51682 2025-12-01 CRITICAL 9.8 mJobtime 15.7.2 handles authorization on the client side, which allows an attacker to modify the client-side code and gain access to administrative features. Additionally, they can craft requests…
CVE-2025-12756 2025-12-01 MEDIUM 4.3 Mattermost versions 11.0.x
CVE-2025-65407 2025-12-01 MEDIUM 6.5 A use-after-free in the MPEG1or2Demux::newElementaryStream() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG Program stream.
CVE-2025-63365 2025-12-01 HIGH 7.1 SoftSea EPUB File Reader 1.0.0.0 is vulnerable to Directory Traversal. The vulnerability resides in the EPUB file processing component, specifically in the functionality responsible for extracting and handling…
CVE-2025-34297 2025-12-01 N/A 0.0 KissFFT versions prior to the fix commit 1b083165 contain an integer overflow in kiss_fft_alloc() in kiss_fft.c on platforms where size_t is 32-bit. The nfft parameter is not validated…
CVE-2025-11772 2025-12-01 MEDIUM 6.6 A carefully crafted DLL, copied to C:\ProgramData\Synaptics folder, allows a local user to execute arbitrary code with elevated privileges during driver installation.
CVE-2025-13837 2025-12-01 N/A 0.0 When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues
CVE-2025-13836 2025-12-01 N/A 0.0 When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to…
CVE-2025-13835 2025-12-01 MEDIUM 6.5 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tyche Softwares Arconix Shortcodes allows Stored XSS.This issue affects Arconix Shortcodes: from n/a through 2.1.19.
CVE-2025-13653 2025-12-01 MEDIUM 4.3 In Search Guard FLX versions from 3.1.0 up to 4.0.0 with enterprise modules being disabled, there exists an issue which allows authenticated users to use specially crafted requests…
CVE-2024-51999 2025-12-01 N/A 0.0 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error and is not a valid vulnerability. Notes: All references and…
CVE-2025-13129 2025-12-01 MEDIUM 4.3 Improper Enforcement of Behavioral Workflow vulnerability in Seneka Software Hardware Information Technology Trade Contracting and Industry Ltd. Co. Onaylarım allows Functionality Misuse.This issue affects Onaylarım: from 25.09.26.01 through…
CVE-2025-63520 2025-12-01 MEDIUM 6.1 Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.1.1 via the id parameter of the User Update function (?r=user%2Fupdate).
CVE-2025-63522 2025-12-01 MEDIUM 4.6 Reverse Tabnabbing vulnerability in FeehiCMS 2.1.1 in the Comments Management function
CVE-2025-63523 2025-12-01 MEDIUM 6.5 FeehiCMS version 2.1.1 fails to enforce server-side immutability for parameters that are presented to clients as "read-only." An authenticated attacker can intercept and modify the parameter in transit…
CVE-2025-63525 2025-12-01 CRITICAL 9.6 An issue was discovered in Blood Bank Management System 1.0 allowing authenticated attackers to perform actions with escalated privileges via crafted request to delete.php.
CVE-2025-63526 2025-12-01 HIGH 8.5 A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System within the abs.php component. The application fails to properly sanitize or encode user-supplied input before rendering…
CVE-2025-63527 2025-12-01 HIGH 8.5 A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the updateprofile.php and hprofile.php components. The application fails to properly sanitize or encode user-supplied…
CVE-2025-63528 2025-12-01 HIGH 8.5 A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the blooddinfo.php component. The application fails to properly sanitize or encode user-supplied input before…
CVE-2025-63529 2025-12-01 MEDIUM 6.1 A session fixation vulnerability exists in Blood Bank Management System 1.0 in login.php that allows an attacker to set or predict a user's session identifier prior to authentication.…
CVE-2025-63531 2025-12-01 CRITICAL 10.0 A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the receiverLogin.php component. The application fails to properly sanitize user-supplied input in SQL queries, allowing…
CVE-2025-65408 2025-12-01 MEDIUM 6.5 A NULL pointer dereference in the ADTSAudioFileServerMediaSubsession::createNewRTPSink() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted ADTS file.
CVE-2025-65406 2025-12-01 MEDIUM 6.5 A heap overflow in the MatroskaFile::createRTPSinkForTrackNumber() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MKV file.
CVE-2025-65405 2025-12-01 MEDIUM 6.5 A use-after-free in the ADTSAudioFileSource::samplingFrequency() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted ADTS/AAC file.
CVE-2025-65404 2025-12-01 MEDIUM 6.5 A buffer overflow in the getSideInfo2() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via a crafted MP3 stream.
CVE-2025-65403 2025-12-01 MEDIUM 6.5 A buffer overflow in the g_cfg.MaxUsers component of LightFTP v2.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.
CVE-2025-64030 2025-12-01 MEDIUM 5.4 Eximbills Enterprise 4.1.5 (Built on 2020-10-30) is vulnerable to authenticated stored cross-site scripting (CWE-79) via the /EximBillWeb/servlets/WSTrxManager endpoint. Unsanitized user input in the TMPL_INFO parameter is stored server-side…
CVE-2025-63095 2025-12-01 MEDIUM 6.5 Improper input validation in the BitstreamWriter::write_bits() function of Tempus Ex hello-video-codec v0.1.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.
CVE-2025-61228 2025-12-01 HIGH 7.8 An issue in Shirt Pocket SuperDuper! V.3.10 and before allows a local attacker to execute arbitrary code via the software update mechanism
CVE-2025-57489 2025-12-01 HIGH 8.1 Incorrect access control in the SDAgent component of Shirt Pocket SuperDuper! v3.10 allows attackers to escalate privileges to root due to the improper use of a setuid binary.
CVE-2024-39148 2025-12-01 HIGH 8.1 The service wmp-agent of KerOS prior 5.12 does not properly validate so-called ‘magic URLs’ allowing an unauthenticated remote attacker to execute arbitrary OS commands as root when the…
CVE-2024-56089 2025-12-01 HIGH 7.5 An issue in Technitium through v13.2.2 enables attackers to conduct a DNS cache poisoning attack and inject fake responses by reviving the birthday attack.
CVE-2025-11131 2025-12-01 HIGH 7.5 In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed
CVE-2025-64775 2025-12-01 HIGH 7.5 Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0 through…
CVE-2025-63533 2025-12-01 HIGH 8.5 A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the updateprofile.php and rprofile.php components. The application fails to properly sanitize or encode user-supplied…
CVE-2025-63532 2025-12-01 CRITICAL 9.6 A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the cancel.php component. The application fails to properly sanitize user-supplied input in SQL queries, allowing…
CVE-2025-2879 2025-12-01 MEDIUM 5.1 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local…
CVE-2025-12106 2025-12-01 CRITICAL 9.1 Insufficient argument validation in OpenVPN 2.7_alpha1 through 2.7_rc1 allows an attacker to trigger a heap buffer over-read when parsing IP addresses
CVE-2025-11699 2025-12-01 HIGH 7.1 nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a a valid session cookie access…
« Anterior Página 620 de 4293 Siguiente »