Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2026-23924 2026-03-24 N/A 0.0 Zabbix Agent 2 Docker plugin does not properly sanitize the 'docker.container_info' parameters when forwarding them to the Docker daemon. An attacker capable of invoking Agent 2 can read…
CVE-2026-23923 2026-03-24 N/A 0.0 An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time.
CVE-2026-23921 2026-03-24 N/A 0.0 A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query…
CVE-2026-23920 2026-03-24 N/A 0.0 Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode. If ^ and $ anchors are…
CVE-2026-23919 2026-03-24 N/A 0.0 For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript reprocessing, Webhooks). This can lead to confidentiality loss where a regular (non-super) Zabbix administrator…
CVE-2026-1995 2026-03-24 HIGH 7.8 IDrive’s id_service.exe process runs with elevated privileges and regularly reads from several files under the C:\ProgramData\IDrive\ directory. The UTF16-LE encoded contents of these files are used as arguments…
CVE-2026-33407 2026-03-24 N/A 0.0 Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts HTTP_PROXY and HTTPS_PROXY environment variables without validation, enabling SSRF via proxy hijacking. The…
CVE-2026-33401 2026-03-24 N/A 0.0 Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 (CVE-2026-30840) added SSRF protection to notification test endpoints but left…
CVE-2026-33400 2026-03-24 MEDIUM 5.4 Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, a stored cross-site scripting (XSS) vulnerability in the payment method rename endpoint allows any authenticated user…
CVE-2026-33399 2026-03-24 HIGH 7.7 Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validate_webhook_url_for_ssrf() protection…
CVE-2026-33162 2026-03-24 N/A 0.0 Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections…
CVE-2026-33161 2026-03-24 N/A 0.0 Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can…
CVE-2026-33160 2026-03-24 N/A 0.0 Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call…
CVE-2026-33159 2026-03-24 N/A 0.0 Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config…
CVE-2026-33158 2026-03-24 N/A 0.0 Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can…
CVE-2026-33157 2026-03-24 N/A 0.0 Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be…
CVE-2026-32854 2026-03-24 N/A 0.0 LibVNCServer versions 0.9.15 and prior (fixed in commit dc78dee) contain null pointer dereference vulnerabilities in the HTTP proxy handlers within httpProcessInput() in httpd.c that allow remote attackers to cause…
CVE-2026-32853 2026-03-24 N/A 0.0 LibVNCServer versions 0.9.15 and prior (fixed in commit 009008e) contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler that allows a malicious VNC server to cause information…
CVE-2026-26830 2026-03-25 CRITICAL 9.8 pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell…
CVE-2026-23514 2026-03-25 HIGH 8.8 Kiteworks is a private data network (PDN). Versions 9.2.0 and 9.2.1 of Kiteworks Core have an access control vulnerability that allows authenticated users to access unauthorized content. Upgrade…
CVE-2025-59707 2026-03-25 N/A 0.0 In N2W before 4.3.2 and 4.4.x before 4.4.1, there is potential remote code execution and account credentials theft because of a spoofing vulnerability.
CVE-2025-59706 2026-03-25 N/A 0.0 In N2W before 4.3.2 and 4.4.0 before 4.4.1, improper validation of API request parameters enables remote code execution.
CVE-2026-4816 2026-03-25 N/A 0.0 A Reflected Cross Site Scripting (XSS) vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by…
CVE-2026-4815 2026-03-25 N/A 0.0 A SQL Injection vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to retrieve, create, update and delete database via 'calls[0][message_ids][]' parameter in '/supportboard/include/ajax.php'…
CVE-2026-3591 2026-03-25 MEDIUM 5.4 A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an…
CVE-2026-3119 2026-03-25 MEDIUM 6.5 Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has…
CVE-2026-3104 2026-03-25 HIGH 7.5 A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0…
CVE-2026-28529 2026-03-25 N/A 0.0 cryptodev-linux version 1.14 and prior contain a page reference handling flaw in the get_userbuf function of the /dev/crypto device driver that allows local users to trigger use-after-free conditions.…
CVE-2026-1519 2026-03-25 HIGH 7.5 If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are…
CVE-2025-40842 2026-03-25 N/A 0.0 Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a Cross-Site Scripting (XSS) vulnerability which, if exploited, can lead to unauthorized disclosure and modification of certain information.
CVE-2025-40841 2026-03-25 N/A 0.0 Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a Cross-Site Request Forgery (CSRF) vulnerability which, if exploited, can lead to unauthorized modification of certain information.
CVE-2025-27260 2026-03-25 N/A 0.0 Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains an Improper Filtering of Special Elements vulnerability which, if exploited, can lead to unauthorized modification of certain information
CVE-2024-51346 2026-03-25 HIGH 7.7 An issue in Eufy Homebase 2 version 3.3.4.1h allows a local attacker to obtain sensitive information via the cryptographic scheme.
CVE-2026-31788 2026-03-25 N/A 0.0 In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: restrict usage in unprivileged domU The Xen privcmd driver allows to issue arbitrary hypercalls from user space…
CVE-2026-23395 2026-03-25 N/A 0.0 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ Currently the code attempts to accept requests regardless of the command identifier…
CVE-2026-23394 2026-03-25 N/A 0.0 In the Linux kernel, the following vulnerability has been resolved: af_unix: Give up GC if MSG_PEEK intervened. Igor Ushakov reported that GC purged the receive queue of an…
CVE-2026-23393 2026-03-25 N/A 0.0 In the Linux kernel, the following vulnerability has been resolved: bridge: cfm: Fix race condition in peer_mep deletion When a peer MEP is being deleted, cancel_delayed_work_sync() is called…
CVE-2026-23392 2026-03-25 N/A 0.0 In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release flowtable after rcu grace period on error Call synchronize_rcu() after unregistering the hooks from error…
CVE-2026-23391 2026-03-25 N/A 0.0 In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_CT: drop pending enqueued packets on template removal Templates refer to objects that can go away while…
CVE-2026-23390 2026-03-25 N/A 0.0 In the Linux kernel, the following vulnerability has been resolved: tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow The dma_map_sg tracepoint can trigger a perf buffer overflow…
CVE-2026-23389 2026-03-25 N/A 0.0 In the Linux kernel, the following vulnerability has been resolved: ice: Fix memory leak in ice_set_ringparam() In ice_set_ringparam, tx_rings and xdp_rings are allocated before rx_rings. If the allocation…
CVE-2026-23388 2026-03-25 N/A 0.0 In the Linux kernel, the following vulnerability has been resolved: Squashfs: check metadata block offset is within range Syzkaller reports a "general protection fault in squashfs_copy_data" This is…
CVE-2026-23387 2026-03-25 N/A 0.0 In the Linux kernel, the following vulnerability has been resolved: pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe() devm_add_action_or_reset() already invokes the action on failure, so the explicit put…
CVE-2026-23386 2026-03-25 N/A 0.0 In the Linux kernel, the following vulnerability has been resolved: gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL In DQ-QPL mode, gve_tx_clean_pending_packets() incorrectly uses the RDA buffer…
CVE-2026-23385 2026-03-25 N/A 0.0 In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: clone set on flush only Syzbot with fault injection triggered a failing memory allocation with GFP_KERNEL…
CVE-2026-23384 2026-03-25 N/A 0.0 In the Linux kernel, the following vulnerability has been resolved: RDMA/ionic: Fix kernel stack leak in ionic_create_cq() struct ionic_cq_resp resp { __u32 cqid[2]; // offset 0 - PARTIALLY…
CVE-2026-23383 2026-03-25 N/A 0.0 In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing struct bpf_plt contains a u64 target…
CVE-2026-23382 2026-03-25 N/A 0.0 In the Linux kernel, the following vulnerability has been resolved: HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them In commit 2ff5baa9b527 ("HID: appleir: Fix potential NULL dereference…
CVE-2026-23381 2026-03-25 N/A 0.0 In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl…
CVE-2026-23380 2026-03-25 N/A 0.0 In the Linux kernel, the following vulnerability has been resolved: tracing: Fix WARN_ON in tracing_buffers_mmap_close When a process forks, the child process copies the parent's VMAs but the…
« Anterior Página 84 de 4161 Siguiente »