Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2024-50531 Unrestricted Upload of File with Dangerous Type vulnerability in David F. Carr RSVPMaker for Toastmasters allows Upload a Web Shell to a Web Server.This issue affects RSVPMaker for Toastmasters: from ... | 10.0 | CRITICAL | β | 0 |
| CVE-2024-52376 Unrestricted Upload of File with Dangerous Type vulnerability in cmsMinds Boat Rental Plugin for WordPress allows Upload a Web Shell to a Web Server.This issue affects Boat Rental Plugin for WordPress... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-22954 GetLateOrMissingIssues in C4/Serials.pm in Koha before 24.11.02 allows SQL Injection in /serials/lateissues-export.pl via the supplierid or serialid parameter. | 10.0 | CRITICAL | β | 0 |
| CVE-2024-39251 An issue in the component ControlCenter.sys/ControlCenter64.sys of ThundeRobot Control Center v2.0.0.10 allows attackers to access sensitive information, execute arbitrary code, or escalate privileges... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-47641 Unrestricted Upload of File with Dangerous Type vulnerability in printcart Printcart Web to Print Product Designer for WooCommerce allows Upload a Web Shell to a Web Server. This issue affects Printca... | 10.0 | CRITICAL | β | 0 |
| CVE-2023-22601 InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-330: Use of Insufficiently Random Values.Β TheyΒ d... | 10.0 | CRITICAL | β | 0 |
| CVE-2022-21941 All versions of iSTAR Ultra prior to version 6.8.9.CU01 are vulnerable to a command injection that could allow an unauthenticated user root access to the system. | 10.0 | CRITICAL | β | 0 |
| CVE-2022-23657 A remote authentication bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released up... | 10.0 | CRITICAL | β | 0 |
| CVE-2021-27470 A deserialization vulnerability exists in how the LogService.rem service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier verifies serialized data. This vulnerability may allow a remo... | 10.0 | CRITICAL | β | 0 |
| CVE-2022-20704 Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arb... | 10.0 | CRITICAL | β | 0 |
| CVE-2022-20706 Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arb... | 10.0 | CRITICAL | β | 0 |
| CVE-2021-40519 Airangel HSMX Gateway devices through 5.2.04 have Hard-coded Database Credentials. | 10.0 | CRITICAL | β | 0 |
| CVE-2021-27446 The Weintek cMT product line is vulnerable to code injection, which may allow an unauthenticated remote attacker to execute commands with root privileges on the operation system. | 10.0 | CRITICAL | β | 0 |
| CVE-2022-23658 A remote authentication bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released up... | 10.0 | CRITICAL | β | 0 |
| CVE-2021-27329 Friendica 2021.01 allows SSRF via parse_url?binurl= for DNS lookups or HTTP requests to arbitrary domain names. | 10.0 | CRITICAL | β | 0 |
| CVE-2021-32637 Authelia is a a single sign-on multi-factor portal for web apps. This affects uses who are using nginx ngx_http_auth_request_module with Authelia, it allows a malicious individual who crafts a malform... | 10.0 | CRITICAL | β | 0 |
| CVE-2022-20705 Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arb... | 10.0 | CRITICAL | β | 0 |
| CVE-2021-41163 Discourse is an open source platform for community discussion. In affected versions maliciously crafted requests could lead to remote code execution. This resulted from a lack of validation in subscri... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-5243 Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SMG Software Information Portal allows Code... | 10.0 | CRITICAL | β | 0 |
| CVE-2020-13753 The bubblewrap sandbox of WebKitGTK and WPE WebKit, prior to 2.28.3, failed to properly block access to CLONE_NEWUSER and the TIOCSTI ioctl. CLONE_NEWUSER could potentially be used to confuse xdg-desk... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-63224 The Itel DAB Encoder (IDEnc build 25aec8d) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authe... | 10.0 | CRITICAL | β | 0 |
| CVE-2020-15164 in Scratch Login (MediaWiki extension) before version 1.1, any account can be logged into by using the same username with leading, trailing, or repeated underscore(s), since those are treated as white... | 10.0 | CRITICAL | β | 0 |
| CVE-2019-8779 A logic issue applied the incorrect restrictions. This issue was addressed by updating the logic to apply the correct restrictions. This issue is fixed in iOS 13.1.1 and iPadOS 13.1.1. Third party app... | 10.0 | CRITICAL | β | 0 |
| CVE-2019-5617 Computing For Good's Basic Laboratory Information System (also known as C4G BLIS) version 3.4 and earlier suffers from an instance of CWE-284, "Improper Access Control." As a result, an unauthenticate... | 10.0 | CRITICAL | β | 0 |
| CVE-2019-7268 Linear eMerge 50P/5000P devices allow Unauthenticated File Upload. | 10.0 | CRITICAL | β | 0 |
| CVE-2018-16462 A command injection vulnerability in the apex-publish-static-files npm module version <2.0.1 which allows arbitrary shell command execution through a maliciously crafted argument. | 10.0 | CRITICAL | β | 0 |
| CVE-2018-6692 Stack-based Buffer Overflow vulnerability in libUPnPHndlr.so in Belkin Wemo Insight Smart Plug allows remote attackers to bypass local security protection via a crafted HTTP post packet. | 10.0 | CRITICAL | β | 0 |
| CVE-2024-49610 Unrestricted Upload of File with Dangerous Type vulnerability in Jack Zhu allows Upload a Web Shell to a Web Server.This issue affects photokit: from n/a through 1.0. | 10.0 | CRITICAL | β | 0 |
| CVE-2024-49216 Unrestricted Upload of File with Dangerous Type vulnerability in Joshua Clayton Feed Comments Number allows Upload a Web Shell to a Web Server.This issue affects Feed Comments Number: from n/a through... | 10.0 | CRITICAL | β | 0 |
| CVE-2024-25925 Unrestricted Upload of File with Dangerous Type vulnerability in SYSBASICS WooCommerce Easy Checkout Field Editor, Fees & Discounts.This issue affects WooCommerce Easy Checkout Field Editor, Fees & Di... | 10.0 | CRITICAL | β | 0 |
| CVE-2019-7609 Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt ... | 10.0 | CRITICAL | KEV | 0 |
| CVE-2024-3400 A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurat... | 10.0 | CRITICAL | KEV | 0 |
| CVE-2025-47812 In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitr... | 10.0 | CRITICAL | KEV | 0 |
| CVE-2025-20393 A vulnerability in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager could allow an unauthenticated, remote attacker to execut... | 10.0 | CRITICAL | KEV | 0 |
| CVE-2026-30302 The command auto-approval module in CodeRider-Kilo contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect us... | 10.0 | CRITICAL | β | 0 |
| CVE-2026-33478 WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker ... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-10035 A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, ... | 10.0 | CRITICAL | KEV | 0 |
| CVE-2021-41277 Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and ... | 10.0 | CRITICAL | KEV | 0 |
| CVE-2025-43300 An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS 15.8.5, iOS 16.7.12 and iPadOS 16.7.12. Processing a malicious image file may res... | 10.0 | CRITICAL | KEV | 0 |
| CVE-2025-20281 A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does... | 10.0 | CRITICAL | KEV | 0 |
| CVE-2022-27593 An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited, This could allow an attacker to modify system files. We have al... | 10.0 | CRITICAL | KEV | 0 |
| CVE-2025-24201 An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in visionOS 2.3.2, iOS 18.3.2 and iPadOS 18.3.2, macOS Sequoia 15.3.2, Safari 18.3.... | 10.0 | CRITICAL | KEV | 0 |
| CVE-2024-45032 A vulnerability has been identified in Industrial Edge Management Pro (All versions < V1.9.5), Industrial Edge Management Virtual (All versions < V2.3.1-1). Affected components do not properly validat... | 10.0 | CRITICAL | β | 0 |
| CVE-2022-22536 SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenati... | 10.0 | CRITICAL | KEV | 0 |
| CVE-2025-59818 This vulnerability allows authenticated attackers to execute arbitrary commands on the underlying system using the file name of an uploaded file. | 10.0 | CRITICAL | β | 0 |
| CVE-2025-60206 Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone alone allows Code Injection.This issue affects Alone: from n/a through <= 7.8.3. | 10.0 | CRITICAL | β | 0 |
| CVE-2022-2421 Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitra... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-40805 Affected devices do not properly enforce user authentication on specific API endpoints. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitima... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-64127 An OS command injection vulnerability exists due to insufficient sanitization of user-supplied input. The application accepts parameters that are later incorporated into OS commands without adequate... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-9574 Missing Authentication for Critical Function vulnerability in ABB ALS-mini-s4 IP, ABB ALS-mini-s8 IP.This issue affects .Β All firmware versions with the Serial Number from 2000 to 5166 | 10.0 | CRITICAL | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.