Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2017-14451 An exploitable out-of-bounds read vulnerability exists in libevm (Ethereum Virtual Machine) of CPP-Ethereum. A specially crafted smart contract code can cause an out-of-bounds read which can subsequen... | 10.0 | CRITICAL | β | 0 |
| CVE-2022-41875 A remote code execution (RCE) vulnerability in Optica allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Specially crafted JSON payloads may lead to RCE (r... | 10.0 | CRITICAL | β | 0 |
| CVE-2019-7003 A SQL injection vulnerability in the reporting component of Avaya Control Manager could allow an unauthenticated attacker to execute arbitrary SQL commands and retrieve sensitive data related to other... | 10.0 | CRITICAL | β | 0 |
| CVE-2022-29822 Due to improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection | 10.0 | CRITICAL | β | 0 |
| CVE-2022-29823 Feather-Sequalize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application. | 10.0 | CRITICAL | β | 0 |
| CVE-2021-26730 A stack-based buffer overflow vulnerability in a subfunction of the Login_handler_func function of spx_restservice allows an attacker to execute arbitrary code with the same privileges as the server u... | 10.0 | CRITICAL | β | 0 |
| CVE-2023-3765 Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0. | 10.0 | CRITICAL | β | 0 |
| CVE-2018-3907 An exploitable vulnerability exists in the REST parser of video-core's HTTP server of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The video-core process incorrectly handles pip... | 10.0 | CRITICAL | β | 0 |
| CVE-2021-26727 Multiple command injections and stack-based buffer overflows vulnerabilities in the SubNet_handler_func function of spx_restservice allow an attacker to execute arbitrary code with the same privileges... | 10.0 | CRITICAL | β | 0 |
| CVE-2022-21941 All versions of iSTAR Ultra prior to version 6.8.9.CU01 are vulnerable to a command injection that could allow an unauthenticated user root access to the system. | 10.0 | CRITICAL | β | 0 |
| CVE-2022-33195 Four OS command injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A XCMD can lead to arbitrary command execution. ... | 10.0 | CRITICAL | β | 0 |
| CVE-2019-16932 A blind SSRF vulnerability exists in the Visualizer plugin before 3.3.1 for WordPress via wp-json/visualizer/v1/upload-data. | 10.0 | CRITICAL | β | 0 |
| CVE-2021-26729 Command injection and multiple stack-based buffer overflows vulnerabilities in the Login_handler_func function of spx_restservice allow an attacker to execute arbitrary code with the same privileges a... | 10.0 | CRITICAL | β | 0 |
| CVE-2022-33193 Four OS command injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A XCMD can lead to arbitrary command execution. ... | 10.0 | CRITICAL | β | 0 |
| CVE-2013-3542 Grandstream GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, GXV3500, and possibly other camera models with firmware 1.0.4.11, have a hardcoded a... | 10.0 | CRITICAL | β | 0 |
| CVE-2019-7290 An access issue was addressed with additional sandbox restrictions. This issue is fixed in Shortcuts 2.1.3 for iOS. A sandboxed process may be able to circumvent sandbox restrictions. | 10.0 | CRITICAL | β | 0 |
| CVE-2021-38397 Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to unrestricted file uploads, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service ... | 10.0 | CRITICAL | β | 0 |
| CVE-2020-6770 Deserialization of Untrusted Data in the BVMS Mobile Video Service (BVMS MVS) allows an unauthenticated remote attacker to execute arbitrary code on the system. This affects Bosch BVMS versions 10.0 <... | 10.0 | CRITICAL | β | 0 |
| CVE-2020-15188 SOY CMS 3.0.2.327 and earlier is affected by Unauthenticated Remote Code Execution (RCE). The allows remote attackers to execute any arbitrary code when the inquiry form feature is enabled by the serv... | 10.0 | CRITICAL | β | 0 |
| CVE-2021-21322 fastify-http-proxy is an npm package which is a fastify plugin for proxying your http requests to another server, with hooks. By crafting a specific URL, it is possible to escape the prefix of the pro... | 10.0 | CRITICAL | β | 0 |
| CVE-2016-20010 EWWW Image Optimizer before 2.8.5 allows remote command execution because it relies on a protection mechanism involving boolval, which is unavailable before PHP 5.5. | 10.0 | CRITICAL | β | 0 |
| CVE-2021-21777 An information disclosure vulnerability exists in the Ethernet/IP UDP handler functionality of EIP Stack Group OpENer 2.3 and development commit 8c73bf3. A specially crafted network request can lead t... | 10.0 | CRITICAL | β | 0 |
| CVE-2024-45519 The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute comman... | 10.0 | CRITICAL | KEV | 0 |
| CVE-2021-22893 Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect S... | 10.0 | CRITICAL | KEV | 0 |
| CVE-2026-32213 Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network. | 10.0 | CRITICAL | β | 0 |
| CVE-2026-34162 FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/app/httpTools/runTool) is exposed without any authentication. This endpoint acts... | 10.0 | CRITICAL | β | 0 |
| CVE-2026-26216 Crawl4AI versions prior to 0.8.0 contain a remote code execution vulnerability in the Docker API deployment. The /crawl endpoint accepts a hooks parameter containing Python code that is executed using... | 10.0 | CRITICAL | β | 0 |
| CVE-2023-1283 Code Injection in GitHub repository builderio/qwik prior to 0.21.0. | 10.0 | CRITICAL | β | 0 |
| CVE-2026-1633 The Synectix LAN 232 TRIO 3-Port serial to ethernet adapter exposes its web management interface without requiring authentication, allowing unauthenticated users to modify critical device settings or ... | 10.0 | CRITICAL | β | 0 |
| CVE-2022-31126 Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to code execution by sending a ... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-65091 XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL i... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-49060 Unrestricted Upload of File with Dangerous Type vulnerability in CMSSuperHeroes Wastia wastia allows Upload a Web Shell to a Web Server.This issue affects Wastia: from n/a through < 1.1.3. | 10.0 | CRITICAL | β | 0 |
| CVE-2023-34976 A SQL injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed ... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-65041 Improper authorization in Microsoft Partner Center allows an unauthorized attacker to elevate privileges over a network. | 10.0 | CRITICAL | β | 0 |
| CVE-2021-32494 Radare2 has a division by zero vulnerability in Mach-O parser's rebase_buffer function. This allow attackers to create malicious inputs that can cause denial of service. | 10.0 | CRITICAL | β | 0 |
| CVE-2024-32766 An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have ... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-54119 ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. In versions 5.22.9 and below, improper escaping of a query parameter may allow an attack... | 10.0 | CRITICAL | β | 0 |
| CVE-2023-38586 An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sonoma 14. A sandboxed process may be able to circumvent sandbox restrictions. | 10.0 | CRITICAL | β | 0 |
| CVE-2024-13152 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BSS Software Mobuy Online Machinery Monitoring Panel allows SQL Injection.This issue affects Mobuy... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-45854 /server/executeExec of JEHC-BPM 2.0.1 allows attackers to execute arbitrary code via execParams. | 10.0 | CRITICAL | β | 0 |
| CVE-2025-32975 Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains an ... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-41240 Three Bitnami Helm charts mount Kubernetes Secrets under a predictable path (/opt/bitnami/*/secrets) that is located within the web server document root. In affected versions, this can lead to unauthe... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-26701 An issue was discovered in Percona PMM Server (OVA) before 3.0.0-1.ova. The default service account credentials can lead to SSH access, use of Sudo to root, and sensitive data exposure. This is fixed ... | 10.0 | CRITICAL | β | 0 |
| CVE-2024-51568 CyberPanel (aka Cyber Panel) before 2.3.5 allows Command Injection via completePath in the ProcessUtilities.outputExecutioner() sink. There is /filemanager/upload (aka File Manager upload) unauthentic... | 10.0 | CRITICAL | β | 0 |
| CVE-2024-46506 NetAlertX 23.01.14 through 24.x before 24.10.12 allows unauthenticated command injection via settings update because function=savesettings lacks an authentication requirement, as exploited in the wild... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-32444 vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.6.5 and prior to 0.8.5, having vLLM integration with mooncake, are vulnerable to remote c... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-24522 KUNBUS Revolution Pi OS Bookworm 01/2025 is vulnerable because authentication is not configured by default for the Node-RED server. This can give an unauthenticated remote attacker full access to the ... | 10.0 | CRITICAL | β | 0 |
| CVE-2022-32845 This issue was addressed with improved checks. This issue is fixed in watchOS 8.7, iOS 15.6 and iPadOS 15.6, macOS Monterey 12.5. An app may be able to break out of its sandbox. | 10.0 | CRITICAL | β | 0 |
| CVE-2025-26853 DESCOR INFOCAD 3.5.1 and before and fixed in v.3.5.2.0 has a broken authorization schema. | 10.0 | CRITICAL | β | 0 |
| CVE-2017-8110 www.modified-shop.org modified eCommerce Shopsoftware 2.0.2.2 rev 10690 has XXE in api/it-recht-kanzlei/api-it-recht-kanzlei.php. | 10.0 | CRITICAL | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.