Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2025-6950 2025-10-17 N/A 0.0 An Use of Hard-coded Credentials vulnerability has been identified in Moxa’s network security appliances and routers. The system employs a hard-coded secret key to sign JSON Web Tokens…
CVE-2025-6949 2025-10-17 N/A 0.0 An Execution with Unnecessary Privileges vulnerability has been identified in Moxa’s network security appliances and routers. A critical authorization flaw in the API allows an authenticated, low-privileged user…
CVE-2025-11900 2025-10-17 CRITICAL 9.8 The iSherlock developed by HGiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server.
CVE-2025-11899 2025-10-17 HIGH 8.1 Agentflow developed by Flowring has an Use of Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fixed key to generate verification information, thereby logging into…
CVE-2025-11898 2025-10-17 HIGH 7.5 Agentflow developed by Flowring has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files.
CVE-2025-6894 2025-10-17 N/A 0.0 An Execution with Unnecessary Privileges vulnerability has been identified in Moxa’s network security appliances and routers. A flaw in the API authorization logic of the affected device allows…
CVE-2025-6893 2025-10-17 N/A 0.0 An Execution with Unnecessary Privileges vulnerability has been identified in Moxa’s network security appliances and routers. A flaw in broken access control has been identified in the /api/v1/setting/data…
CVE-2025-6892 2025-10-17 N/A 0.0 An Incorrect Authorization vulnerability has been identified in Moxa’s network security appliances and routers. A flaw in the API authentication mechanism allows unauthorized access to protected API endpoints,…
CVE-2025-62506 2025-10-16 HIGH 8.1 MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted…
CVE-2025-62504 2025-10-16 MEDIUM 6.5 Envoy is an open source edge and service proxy. Envoy versions earlier than 1.36.2, 1.35.6, 1.34.10, and 1.33.12 contain a use-after-free vulnerability in the Lua filter. When a…
CVE-2025-11896 2025-10-16 N/A 0.0 In Xpdf 4.05 (and earlier), a PDF object loop in a CMap, via the "UseCMap" entry, leads to infinite recursion and a stack overflow.
CVE-2025-11864 2025-10-16 HIGH 7.3 A vulnerability was identified in NucleoidAI Nucleoid up to 0.7.10. The impacted element is the function extension.apply of the file /src/cluster.ts of the component Outbound Request Handler. Such…
CVE-2024-42192 2025-10-16 MEDIUM 5.5 HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a credential leakage which could allow an attacker to access other computers or applications.
CVE-2025-62412 2025-10-16 LOW 3.8 LibreNMS is a community-based GPL-licensed network monitoring system. The alert rule name in the Alerts > Alert Rules page is not properly sanitized, and can be used to…
CVE-2025-62411 2025-10-16 MEDIUM 5.5 LibreNMS is a community-based GPL-licensed network monitoring system. LibreNMS
CVE-2025-61514 2025-10-16 MEDIUM 6.5 An arbitrary file upload vulnerability in SageMath, Inc CoCalc before commit 0d2ff58 allows attackers to execute arbitrary code via uploading a crafted SVG file.
CVE-2025-62409 2025-10-16 N/A 0.0 Envoy is a cloud-native, open source edge and service proxy. Prior to 1.36.1, 1.35.5, 1.34.9, and 1.33.10, large requests and responses can potentially trigger TCP connection pool crashes…
CVE-2025-61539 2025-10-16 MEDIUM 6.1 Cross site scripting (XSS) vulnerability in Ultimate PHP Board 2.2.7 via the u_name parameter in lostpassword.php.
CVE-2025-60855 2025-10-16 MEDIUM 5.1 Reolink Video Doorbell WiFi DB_566128M5MP_W performs insufficient validation of firmware update signatures. This allows attackers to load malicious firmware images, resulting in arbitrary code execution with root privileges.
CVE-2025-61330 2025-10-16 MEDIUM 6.5 A hard-coded weak password vulnerability has been discovered in all Magic-branded devices from Chinese network equipment manufacturer H3C. The vulnerability stems from the use of a hard-coded weak…
CVE-2025-60641 2025-10-16 MEDIUM 6.5 The file mexcel.php in the Vfront 0.99.52 codebase contains a vulnerable call to unserialize(base64_decode($_POST['mexcel'])), where $_POST['mexcel'] is user-controlled input. This input is decoded from base64 and deserialized without…
CVE-2025-60639 2025-10-16 MEDIUM 6.5 Hardcoded credentials in gsigel14 ATLAS-EPIC commit f29312c (2025-05-26).
CVE-2025-56700 2025-10-16 MEDIUM 5.4 Boolean SQL injection vulnerability in the web app of Base Digitale Group spa product Centrax Open PSIM version 6.1 allows a low level priviliged user that has access…
CVE-2025-56699 2025-10-16 MEDIUM 5.4 SQL injection vulnerability in the cmd component of Base Digitale Group spa product Centrax Open PSIM version 6.1 allows an unauthenticated user to execute arbitrary SQL commands via…
CVE-2025-34513 2025-10-16 N/A 0.0 Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain an OS command injection vulnerability in mbus_build_from_csv.php that allows an unauthenticated attacker to execute arbitrary code. Ilevia has declined to service this…
CVE-2025-62425 2025-10-16 HIGH 8.3 MAS (Matrix Authentication Service) is a user management and authentication service for Matrix homeservers, written and maintained by Element. A logic flaw in matrix-authentication-service 0.20.0 through 1.4.0 allows…
CVE-2025-61543 2025-10-16 HIGH 7.1 A Host Header Injection vulnerability exists in the password reset functionality of CraftMyCMS 4.0.2.2. The system uses `$_SERVER['HTTP_HOST']` directly to construct password reset links sent via email. An…
CVE-2025-61541 2025-10-16 HIGH 7.1 Webmin 2.510 is vulnerable to a Host Header Injection in the password reset functionality (forgot_send.cgi). The reset link sent to users is constructed using the HTTP Host header…
CVE-2025-34255 2025-10-16 N/A 0.0 D-Link Nuclias Connect firmware versions
CVE-2025-34254 2025-10-16 N/A 0.0 D-Link Nuclias Connect firmware versions
CVE-2025-34253 2025-10-16 N/A 0.0 D-Link Nuclias Connect firmware versions
CVE-2025-11853 2025-10-16 MEDIUM 6.3 A vulnerability was determined in Sismics Teedy up to 1.11. This affects an unknown function of the file /api/file of the component API Endpoint. Executing manipulation can lead…
CVE-2025-11852 2025-10-16 MEDIUM 5.3 A vulnerability was found in Apeman ID71 218.53.203.117. The impacted element is an unknown function of the file /onvif/device_service of the component ONVIF Service. Performing manipulation results in…
CVE-2025-11493 2025-10-16 HIGH 8.8 The ConnectWise Automate Agent does not fully verify the authenticity of files downloaded from the server, such as updates, dependencies, and integrations. This creates a risk where an…
CVE-2025-11492 2025-10-16 CRITICAL 9.6 In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could…
CVE-2025-62586 2025-10-16 CRITICAL 9.8 OPEXUS FOIAXpress allows a remote, unauthenticated attacker to reset the administrator password. Fixed in FOIAXpress version 11.13.2.0.
CVE-2025-62413 2025-10-16 MEDIUM 6.1 MQTTX is an MQTT 5.0 desktop client and MQTT testing tool. A Cross-Site Scripting (XSS) vulnerability was introduced in MQTTX v1.12.0 due to improper handling of MQTT message…
CVE-2025-62407 2025-10-16 MEDIUM 6.1 Frappe is a full-stack web application framework. Prior to 14.98.0 and 15.83.0, an open redirect was possible through the redirect argument on the login page, if a specific…
CVE-2025-61924 2025-10-16 LOW 3.8 PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the Target PayPal merchant account hijacking from backoffice due…
CVE-2025-61923 2025-10-16 MEDIUM 4.1 PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the backoffice is missing validation on input resulting in…
CVE-2025-61909 2025-10-16 N/A 0.0 Icinga 2 is an open source monitoring system. From 2.10.0 to before 2.15.1, 2.14.7, and 2.13.13, the safe-reload script (also used during systemctl reload icinga2) and logrotate configuration…
CVE-2025-61908 2025-10-16 N/A 0.0 Icinga 2 is an open source monitoring system. From 2.10.0 to before 2.15.1, 2.14.7, and 2.13.13, when creating an invalid reference, such as a reference to null, dereferencing…
CVE-2025-61907 2025-10-16 N/A 0.0 Icinga 2 is an open source monitoring system. In Icinga 2 versions 2.4 through 2.15.0, filter expressions provided to the various /v1/objects endpoints could access variables or objects…
CVE-2025-34519 2025-10-16 N/A 0.0 Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain an insecure hashing algorithm vulnerability. The product stores passwords using the MD5 hash function without applying a per‑password salt. Because MD5 is…
CVE-2025-34518 2025-10-16 N/A 0.0 Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain a relative path traversal vulnerability in get_file_content.php that allows an attacker to read arbitrary files. Ilevia has declined to service this vulnerability, and recommends…
CVE-2025-34517 2025-10-16 N/A 0.0 Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain an absolute path traversal vulnerability in get_file_content.php that allows an attacker to read arbitrary files. Ilevia has declined to service this vulnerability, and recommends…
CVE-2025-34516 2025-10-16 N/A 0.0 Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain a use of default credentials vulnerability that allows an unauthenticated attacker to obtain remote access. Ilevia has declined to service this…
CVE-2025-34515 2025-10-16 N/A 0.0 Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain an execution with unnecessary privileges vulnerability in sync_project.sh that allows an attacker to escalate privileges to root. Ilevia has declined to service…
CVE-2025-34514 2025-10-16 N/A 0.0 Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain authenticated OS command injection vulnerabilities in multiple web-accessible PHP scripts that call exec() and allow an authenticated attacker to…
CVE-2025-34512 2025-10-16 N/A 0.0 Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain a reflected cross-site scripting (XSS) vulnerability in index.php that allows an unauthenticated attacker to execute arbitrary code. Ilevia has declined to…
« Anterior Página 735 de 4304 Siguiente »