CVE Vulnerabilities

Below is the list of the most recent vulnerabilities published by NIST:

CVE ID Published Severity CVSS Description
CVE-2025-10458 2025-09-19 HIGH 7.6 Parameters are not validated or sanitized, and are later used in various internal operations.
CVE-2025-10457 2025-09-19 MEDIUM 4.3 The function responsible for handling BLE connection responses does not verify whether a response is expected—that is, whether the device has initiated a connection request. Instead, it relies…
CVE-2025-10456 2025-09-19 HIGH 7.1 A vulnerability was identified in the handling of Bluetooth Low Energy (BLE) fixed channels (such as SMP or ATT). Specifically, an attacker could exploit a flaw that causes…
CVE-2025-5955 2025-09-19 HIGH 8.1 The Service Finder SMS System plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.0. This is due to the plugin not…
CVE-2025-10146 2025-09-19 MEDIUM 6.1 The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘user_ids’ parameter in all versions up to, and including, 3.3.23 due to insufficient input…
CVE-2025-8487 2025-09-19 MEDIUM 5.4 The Kubio AI Page Builder plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the kubio-image-hub-install-plugin AJAX action in all versions…
CVE-2025-59717 2025-09-19 MEDIUM 5.4 In the @digitalocean/do-markdownit package through 1.16.1 (in npm), the callout and fence_environment plugins perform .includes substring matching if allowedClasses or allowedEnvironments is a string (instead of an array).
CVE-2025-7937 2025-09-19 MEDIUM 6.6 There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X12STW. An attacker can update the system firmware with a specially crafted image.
CVE-2025-59715 2025-09-19 MEDIUM 4.8 SMSEagle before 6.11 allows reflected XSS via a username or contact phone number.
CVE-2025-59714 2025-09-19 MEDIUM 6.5 In Internet2 Grouper 5.17.1 before 5.20.5, group admins who are not Grouper sysadmins can configure loader jobs.
CVE-2025-59713 2025-09-19 MEDIUM 6.8 Snipe-IT before 8.1.18 allows unsafe deserialization.
CVE-2025-59712 2025-09-19 MEDIUM 6.4 Snipe-IT before 8.1.18 allows XSS.
CVE-2025-10690 2025-09-19 CRITICAL 9.8 The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to unauthorized arbitrary file uploads due to a missing capability check on the 'beplus_import_pack_install_plugin' function in…
CVE-2025-6198 2025-09-19 MEDIUM 6.4 There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X13SEM-F. An attacker can update the system firmware with a specially crafted image.
CVE-2025-30755 2025-09-19 MEDIUM 6.1 OpenGrok 1.14.1 has a reflected Cross-Site Scripting (XSS) issue when producing the cross reference page. This happens through improper handling of the revision parameter. The application reflects unsanitized…
CVE-2025-59692 2025-09-18 LOW 3.7 PureVPN client applications on Linux through September 2025 mishandle firewalling. They flush the system's existing iptables rules and apply default ACCEPT policies when connecting to a VPN server.…
CVE-2025-59691 2025-09-18 LOW 3.7 PureVPN client applications on Linux through September 2025 allow IPv6 traffic to leak outside the VPN tunnel upon network events such as Wi-Fi reconnect or system resume. In…
CVE-2025-59220 2025-09-18 HIGH 7.0 Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally.
CVE-2025-59216 2025-09-18 HIGH 7.0 Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally.
CVE-2025-59215 2025-09-18 HIGH 7.0 Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally.
CVE-2025-54860 2025-09-18 HIGH 7.7 Cognex In-Sight Explorer and In-Sight Camera Firmware expose a telnet-based service on port 23 in order to allow management operations on the device such as firmware upgrades and…
CVE-2025-54818 2025-09-18 HIGH 8.0 Cognex In-Sight Explorer and In-Sight Camera Firmware expose a proprietary protocol on TCP port 1069 to perform management operations such as modifying system properties. The user management functionality…
CVE-2025-54810 2025-09-18 HIGH 8.0 Cognex In-Sight Explorer and In-Sight Camera Firmware expose a proprietary protocol on TCP port 1069 to perform management operations such as modifying system properties. The user management functionality…
CVE-2025-54497 2025-09-18 HIGH 8.1 Cognex In-Sight Explorer and In-Sight Camera Firmware expose a telnet-based service on port 23 to allow management operations such as firmware upgrades and device reboots, which require authentication.…
CVE-2025-53969 2025-09-18 HIGH 8.8 Cognex In-Sight Explorer and In-Sight Camera Firmware expose a service implementing a proprietary protocol on TCP port 1069 to allow the client-side software, such as the In-Sight Explorer…
CVE-2025-52873 2025-09-18 HIGH 8.1 Cognex In-Sight Explorer and In-Sight Camera Firmware expose a telnet-based service on port 23 to allow management operations such as firmware upgrades and device reboots, which require authentication.…
CVE-2025-10035 2025-09-18 CRITICAL 10.0 A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly…
CVE-2025-57295 2025-09-18 HIGH 8.0 H3C devices running firmware version NX15V100R015 are vulnerable to unauthorized access due to insecure default credentials. The root user account has no password set, and the H3C user…
CVE-2025-57293 2025-09-18 HIGH 8.8 A command injection vulnerability in COMFAST CF-XR11 (firmware V2.7.2) exists in the multi_pppoe API, processed by the sub_423930 function in /usr/bin/webmgnt. The phy_interface parameter is not sanitized, allowing…
CVE-2025-55068 2025-09-18 HIGH 8.2 Dover Fueling Solutions ProGauge MagLink LX4 Devices fail to handle Unix time values beyond a certain point. An attacker can manually change the system time to exploit this…
CVE-2025-54807 2025-09-18 CRITICAL 9.8 The secret used for validating authentication tokens is hardcoded in device firmware for affected versions. An attacker who obtains the signing key can bypass authentication, gaining complete access…
CVE-2025-54754 2025-09-18 HIGH 8.0 An attacker with adjacent access, without authentication, can exploit this vulnerability to retrieve a hard-coded password embedded in publicly available software. This password can then be used to…
CVE-2025-53947 2025-09-18 HIGH 7.7 A local attacker with low privileges on the Windows system where the software is installed can exploit this vulnerability to corrupt sensitive data. A data folder is created…
CVE-2025-47698 2025-09-18 N/A 0.0 An adjacent attacker without authentication can exploit this vulnerability to retrieve a set of user-privileged credentials. These credentials are present during the firmware upgrade procedure.
CVE-2025-30519 2025-09-18 CRITICAL 9.8 Dover Fueling Solutions ProGauge MagLink LX4 Devices have default root credentials that cannot be changed through standard administrative means. An attacker with network access to the device can gain…
CVE-2025-10689 2025-09-18 MEDIUM 6.3 A vulnerability was identified in D-Link DIR-645 105B01. This issue affects the function soapcgi_main of the file /soap.cgi. Such manipulation of the argument service leads to command injection.…
CVE-2025-59424 2025-09-18 HIGH 7.3 LinkAce is a self-hosted archive to collect website links. Prior to 2.3.1, a Stored Cross-Site Scripting (XSS) vulnerability has been identified on the /system/audit page. The application fails…
CVE-2025-10688 2025-09-18 HIGH 7.3 A vulnerability was determined in SourceCodester Pet Grooming Management Software 1.0. This vulnerability affects unknown code of the file /admin/operation/paid.php. This manipulation of the argument insta_amt causes sql…
CVE-2025-47906 2025-09-18 MEDIUM 6.5 If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries…
CVE-2025-26503 2025-09-18 MEDIUM 6.7 A crafted system call argument can cause memory corruption.
CVE-2025-10650 2025-09-18 N/A 0.0 SoftIron HyperCloud 2.5.0 through 2.6.3 may incorrectly add user SSH keys to the administrator-level authorized keys under certain conditions, allowing unauthorized privilege escalation to admin via SSH.
CVE-2025-10687 2025-09-18 HIGH 7.3 A vulnerability was found in SourceCodester Responsive E-Learning System 1.0. This affects an unknown part of the file /admin/add_teacher.php. The manipulation of the argument Username results in sql…
CVE-2025-10676 2025-09-18 MEDIUM 4.3 A weakness has been identified in fuyang_lipengjun platform 1.0. Affected is the function BrandController of the file /brand/queryAll. Executing manipulation can lead to improper authorization. The attack can…
CVE-2025-59678 2025-09-19 N/A 0.0 Rejected reason: Not used
CVE-2025-59677 2025-09-19 N/A 0.0 Rejected reason: Not used
CVE-2025-59676 2025-09-19 N/A 0.0 Rejected reason: Not used
CVE-2025-59675 2025-09-19 N/A 0.0 Rejected reason: Not used
CVE-2025-59674 2025-09-19 N/A 0.0 Rejected reason: Not used
CVE-2025-59673 2025-09-19 N/A 0.0 Rejected reason: Not used
CVE-2025-59672 2025-09-19 N/A 0.0 Rejected reason: Not used