Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2026-33897 2026-03-26 CRITICAL 9.9 Incus is a system container and virtual machine manager. Prior to version 6.23.0, instance template files can be used to cause arbitrary read or writes as root on…
CVE-2026-33542 2026-03-26 N/A 0.0 Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens…
CVE-2026-4900 2026-03-26 MEDIUM 5.3 A weakness has been identified in code-projects Online Food Ordering System 1.0. This affects an unknown part of the file /dbfood/localhost.sql. This manipulation causes files or directories accessible.…
CVE-2026-4899 2026-03-26 LOW 2.4 A security flaw has been discovered in code-projects Online Food Ordering System 1.0. Affected by this issue is some unknown functionality of the file /dbfood/food.php. The manipulation of…
CVE-2026-4898 2026-03-26 MEDIUM 4.3 A vulnerability was identified in code-projects Online Food Ordering System 1.0. Affected by this vulnerability is an unknown functionality of the file /dbfood/contact.php. The manipulation of the argument…
CVE-2026-4346 2026-03-26 N/A 0.0 The vulnerability affecting TL-WR850N v3 allows cleartext storage of administrative and Wi-Fi credentials in a region of the device’s flash memory while the serial interface remains enabled and…
CVE-2026-3650 2026-03-26 HIGH 7.5 A memory leak exists in the Grassroots DICOM library (GDCM). The bug occurs when parsing malformed DICOM files with non-standard VR types in file meta information. The vulnerability…
CVE-2026-33687 2026-03-26 HIGH 8.8 Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 contain a vulnerability in the file upload endpoint that allows authenticated users…
CVE-2026-33686 2026-03-26 HIGH 8.8 Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 have a path traversal vulnerability in the FileUtil class. The application fails…
CVE-2026-33682 2026-03-26 MEDIUM 4.7 Streamlit is a data oriented application development framework for python. Streamlit Open Source versions prior to 1.54.0 running on Windows hosts have an unauthenticated Server-Side Request Forgery (SSRF)…
CVE-2026-33674 2026-03-26 LOW 2.0 PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 improperly use the validation framework. Versions 8.2.5 and 9.1.0 contain a fix. No known…
CVE-2026-33673 2026-03-26 HIGH 7.6 PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulnerable to stored Cross-Site Scripting (stored XSS) vulnerabilities in the BO. An attacker…
CVE-2026-33672 2026-03-26 MEDIUM 5.3 Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object…
CVE-2026-33671 2026-03-26 HIGH 7.5 Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns.…
CVE-2026-33670 2026-03-26 CRITICAL 9.8 SiYuan is a personal knowledge management system. Prior to version 3.6.2, the /api/file/readDir interface was used to traverse and retrieve the file names of all documents under a…
CVE-2026-33669 2026-03-26 CRITICAL 9.8 SiYuan is a personal knowledge management system. Prior to version 3.6.2, document IDs were retrieved via the /api/file/readDir interface, and then the /api/block/getChildBlocks interface was used to view…
CVE-2026-33658 2026-03-26 N/A 0.0 Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 Active Storage's proxy controller does not limit the…
CVE-2026-33653 2026-03-26 MEDIUM 4.6 Ulloady is a file uploader script with multi-file upload support. A Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 3.1.2 due to improper sanitization of filenames…
CVE-2026-2271 2026-03-26 LOW 3.3 A flaw was found in GIMP's PSP (Paint Shop Pro) file parser. A remote attacker could exploit an integer overflow vulnerability in the read_creator_block() function by providing a…
CVE-2026-2239 2026-03-26 LOW 2.8 A flaw was found in GIMP. Heap-buffer-overflow vulnerability exists in the fread_pascal_string function when processing a specially crafted PSD (Photoshop Document) file. This occurs because the buffer allocated…
CVE-2026-2100 2026-03-26 MEDIUM 5.3 A flaw was found in p11-kit. A remote attacker could exploit this vulnerability by calling the C_DeriveKey function on a remote token with specific IBM kyber or IBM…
CVE-2026-1556 2026-03-26 N/A 0.0 Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose…
CVE-2026-0968 2026-03-26 LOW 3.1 A flaw was found in libssh in which a malicious SFTP (SSH File Transfer Protocol) server can exploit this by sending a malformed 'longname' field within an `SSH_FXP_NAME`…
CVE-2026-0967 2026-03-26 LOW 2.2 A flaw was found in libssh. A remote attacker, by controlling client configuration files or known_hosts files, could craft specific hostnames that when processed by the `match_pattern()` function…
CVE-2026-0966 2026-03-26 MEDIUM 6.5 The API function `ssh_get_hexa()` is vulnerable, when 0-lenght input is provided to this function. This function is used internally in `ssh_get_fingerprint_hash()` and `ssh_print_hexa()` (deprecated), which is vulnerable to…
CVE-2026-0964 2026-03-26 MEDIUM 5.0 A malicious SCP server can send unexpected paths that could make the client application override local files outside of working directory. This could be misused to create malicious…
CVE-2025-12805 2026-03-26 HIGH 8.1 A flaw was found in Red Hat OpenShift AI (RHOAI) llama-stack-operator. This vulnerability allows unauthorized access to Llama Stack services deployed in other namespaces via direct network requests,…
CVE-2026-4933 2026-03-26 N/A 0.0 Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing.This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0.
CVE-2026-4393 2026-03-26 N/A 0.0 Cross-Site Request Forgery (CSRF) vulnerability in Drupal Automated Logout allows Cross Site Request Forgery.This issue affects Automated Logout: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.2.
CVE-2026-3622 2026-03-26 N/A 0.0 The vulnerability exists in the UPnP component of TL-WR841N v14, where improper input validation leads to an out-of-bounds read, potentially causing a crash of the UPnP service. Successful…
CVE-2026-3573 2026-03-26 N/A 0.0 Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12.
CVE-2026-3531 2026-03-26 N/A 0.0 Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal OpenID Connect / OAuth client allows Authentication Bypass.This issue affects OpenID Connect / OAuth client: from 0.0.0…
CVE-2026-3530 2026-03-26 N/A 0.0 Server-Side Request Forgery (SSRF) vulnerability in Drupal OpenID Connect / OAuth client allows Server Side Request Forgery.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.
CVE-2026-33644 2026-03-26 N/A 0.0 Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (line 86-89)…
CVE-2026-33640 2026-03-26 N/A 0.0 Outline is a service that allows for collaborative documentation. Outline implements an Email OTP login flow for users not associated with an Identity Provider. Starting in version 0.86.0…
CVE-2026-33638 2026-03-26 MEDIUM 5.3 Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, `GET /api/allusers` is mounted as a public endpoint and returns user records without…
CVE-2026-33635 2026-03-26 MEDIUM 4.3 iCalendar is a Ruby library for dealing with iCalendar files in the iCalendar format defined by RFC-5545. Starting in version 2.0.0 and prior to version 2.12.2, .ics serialization…
CVE-2026-33622 2026-03-26 N/A 0.0 PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and…
CVE-2026-33620 2026-03-26 MEDIUM 4.3 PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.7.8` through `v0.8.3` accepted the API token from a `token` URL…
CVE-2026-33619 2026-03-26 MEDIUM 4.1 PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler's…
CVE-2026-33545 2026-03-26 MEDIUM 5.3 MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL…
CVE-2026-33541 2026-03-26 MEDIUM 6.5 TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw…
CVE-2026-33537 2026-03-26 N/A 0.0 Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and…
CVE-2026-2436 2026-03-26 MEDIUM 6.5 A flaw was found in libsoup's SoupServer. A remote attacker could exploit a use-after-free vulnerability where the `soup_server_disconnect()` function frees connection objects prematurely, even if a TLS handshake…
CVE-2026-0965 2026-03-26 LOW 3.3 A flaw was found in libssh where it can attempt to open arbitrary files during configuration parsing. A local attacker can exploit this by providing a malicious configuration…
CVE-2025-41368 2026-03-26 HIGH 8.1 Problem in the Small HTTP Server v3.06.36 service. An authenticated path traversal vulnerability in '/' allows remote users to bypass the intended restrictions of SecurityManager and display any…
CVE-2025-41359 2026-03-26 HIGH 7.8 Vulnerability related to an unquoted service path in Small HTTP Server 3.06.36, specifically affecting the executable located at 'C:\Program Files (x86)\shttps_mg\http.exe service'. This misconfiguration allows a local attacker…
CVE-2026-30892 2026-03-26 NONE 0.0 crun is an open source OCI Container Runtime fully written in C. In versions 1.19 through 1.26, the `crun exec` option `-u` (`--user`) is incorrectly parsed. The value…
CVE-2026-32748 2026-03-26 HIGH 7.5 Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable…
CVE-2026-33942 2026-03-26 CRITICAL 9.8 Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token…
« Anterior Página 66 de 4158 Siguiente »