CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2025-26074 Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes. | 9.8 | CRITICAL | – | 0 |
| CVE-2025-45931 An issue in D-Link DIR-816-A2 DIR-816A2_FWv1.10CNB05_R1B011D88210 allows a remote attacker to execute arbitrary code via the system() function in the bin/goahead file. | 9.8 | CRITICAL | – | 0 |
| CVE-2025-53004 DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, there is a bypass vulnerability in Dataease's Redshift Data Source JDBC Connection Parameters. T... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-53005 DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, there is a bypass vulnerability in Dataease's PostgreSQL Data Source JDBC Connection Parameters.... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-6934 The Opal Estate Pro – Property Management and Submission plugin for WordPress, used by the FullHouse - Real Estate Responsive WordPress Theme, is vulnerable to privilege escalation via in all versions... | 9.8 | CRITICAL | – | 0 |
| CVE-2024-11403 There exists an out of bounds read/write in LibJXL versions prior to commit 9cc451b91b74ba470fd72bd48c121e9f33d24c99. The JPEG decoder used by the JPEG XL encoder when doing JPEG recompression (i.e. i... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-41648 An unauthenticated remote attacker can bypass the login to the web application of the affected devices, making it possible to access and change all available settings of the IndustrialPI. | 9.8 | CRITICAL | – | 0 |
| CVE-2021-28141 An issue was discovered in Progress Telerik UI for ASP.NET AJAX 2021.1.224. It allows unauthorized access to MicrosoftAjax.js through the Telerik.Web.UI.WebResource.axd file. This may allow the attack... | 9.8 | CRITICAL | – | 0 |
| CVE-2021-28967 The unofficial MATLAB extension before 2.0.1 for Visual Studio Code allows attackers to execute arbitrary code via a crafted workspace because of lint configuration settings. | 9.8 | CRITICAL | – | 0 |
| CVE-2025-29953 Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client. This issue affects Apache ActiveMQ NMS OpenWire Client before 2.1.1 when performing connections to untrusted se... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-37099 A remote code execution vulnerability exists in HPE Insight Remote Support (IRS) prior to v7.15.0.646. | 9.8 | CRITICAL | – | 0 |
| CVE-2024-41779 IBM Engineering Systems Design Rhapsody - Model Manager 7.0.2 and 7.0.3 could allow a remote attacker to bypass security restrictions, caused by a race condition. By sending a specially crafted reques... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-52101 linjiashop <=0.9 is vulnerable to Incorrect Access Control. When using the default-generated JWT authentication, attackers can bypass the authentication and retrieve the encrypted "password" and "salt... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-0668 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BOINC Server allows Stored XSS. This issue affects BOINC Server: before 1.4.5. | 9.8 | CRITICAL | – | 0 |
| CVE-2025-4689 The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion which leads to Remote Code Execution in all versions up to, and including, 4... | 9.8 | CRITICAL | – | 0 |
| CVE-2024-13786 The education theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.10 via deserialization of untrusted input in the 'themerex_callback_view_more_posts' f... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-53006 DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, in both PostgreSQL and Redshift, apart from parameters like "socketfactory" and "socketfactoryar... | 9.8 | CRITICAL | – | 0 |
| CVE-2024-55529 Z-BlogPHP 1.7.3 is vulnerable to arbitrary code execution via \zb_users\theme\shell\template. | 9.8 | CRITICAL | – | 0 |
| CVE-2023-43091 A flaw was found in GNOME Maps, which is vulnerable to a code injection attack via its service.json configuration file. If the configuration file is malicious, it may execute arbitrary code. | 9.8 | CRITICAL | – | 0 |
| CVE-2025-53890 pyload is an open-source Download Manager written in pure Python. An unsafe JavaScript evaluation vulnerability in pyLoad's CAPTCHA processing code allows unauthenticated remote attackers to execute a... | 9.8 | CRITICAL | – | 0 |
| CVE-2024-56518 Hazelcast Management Center through 6.0 allows remote code execution via a JndiLoginModule user.provider.url in a hazelcast-client XML document (aka a client configuration file), which can be uploaded... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-52376 An authentication bypass vulnerability in the /web/um_open_telnet.cgi endpoint in Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below, allowing an attacker to remotely enable the Telnet s... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-27690 Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.1.0, contains a use of default password vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability,... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-52688 Successful exploitation of the vulnerability could allow an attacker to inject commands with root privileges on the access point, potentially leading to the loss of confidentiality, integrity, availab... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-52689 Successful exploitation of the vulnerability could allow an unauthenticated attacker to obtain a valid session ID with administrator privileges by spoofing the login request, potentially allowing the ... | 9.8 | CRITICAL | – | 0 |
| CVE-2024-48887 An unverified password change vulnerability in Fortinet FortiSwitch GUI may allow a remote unauthenticated attacker to change admin passwords via a specially crafted request. | 9.8 | CRITICAL | – | 0 |
| CVE-2024-9342 In Eclipse GlassFish version 7.0.16 or earlier it is possible to perform Login Brute Force attacks as there is no limitation on the number of failed login attempts. | 9.8 | CRITICAL | – | 0 |
| CVE-2025-5396 The Bears Backup plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.0. This is due to the bbackup_ajax_handle() function not having a capability chec... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-51630 TOTOLINK N350RT V9.3.5u.6139_B20201216 was discovered to contain a buffer overflow via the ePort parameter in the function setIpPortFilterRules. | 9.8 | CRITICAL | – | 0 |
| CVE-2024-54092 A vulnerability has been identified in Industrial Edge Device Kit - arm64 V1.17 (All versions), Industrial Edge Device Kit - arm64 V1.18 (All versions), Industrial Edge Device Kit - arm64 V1.19 (All v... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-27520 BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been ident... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-6222 The WooCommerce Refund And Exchange with RMA - Warranty Management, Refund Policy, Manage User Wallet theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-6187 The bSecure plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its order_info REST endpoint in versions 1.3.7 through 1.7.9. The plugin registers the /webho... | 9.8 | CRITICAL | – | 0 |
| CVE-2022-44796 An issue was discovered in Object First Ootbi BETA build 1.0.7.712. The authorization service has a flow that allows getting access to the Web UI without knowing credentials. For signing, the JWT toke... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-26855 A SQL injection in Articles Calendar extension 1.0.0 - 1.0.1.0007 for Joomla allows attackers to execute arbitrary SQL commands. | 9.8 | CRITICAL | – | 0 |
| CVE-2024-48904 A command injection vulnerability in Trend Micro Cloud Edge could allow a remote attacker to execute arbitrary code on affected appliances. Please note: authentication is not required in order to ... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-7444 The LoginPress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.0.1. This is due to insufficient verification on the user being returned by the s... | 9.8 | CRITICAL | – | 0 |
| CVE-2024-56325 Authentication Bypass Issue If the path does not contain / and contain., authentication is not required. Expected Normal Request and Response Example curl -X POST -H "Content-Type: application/json... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-7696 The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.3 via deserializa... | 9.8 | CRITICAL | – | 0 |
| CVE-2022-40752 IBM InfoSphere DataStage 11.7 is vulnerable to a command injection vulnerability due to improper neutralization of special elements. IBM X-Force ID: 236687. | 9.8 | CRITICAL | – | 0 |
| CVE-2025-7697 The Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.1 via deseria... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-7916 WinMatrix3 developed by Simopro Technology has an Insecure Deserialization vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server by sending maliciously craft... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-7918 WinMatrix3 Web package developed by Simopro Technology has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete databas... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-7343 The SFT developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents. | 9.8 | CRITICAL | – | 0 |
| CVE-2022-39983 File upload vulnerability in Pro Gamma Instant Developer RD3 22.5 r23, r30, and possibly earlier versions, allows attackers to execute arbitrary code. | 9.8 | CRITICAL | – | 0 |
| CVE-2025-22398 Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. An unauthenticated attacker with remote ac... | 9.8 | CRITICAL | – | 0 |
| CVE-2023-24655 Simple Customer Relationship Management System v1.0 was discovered to contain a SQL injection vulnerability via the name parameter under the Profile Update function. | 9.8 | CRITICAL | – | 0 |
| CVE-2020-26799 A reflected cross-site scripting (XSS) vulnerability was discovered in index.php on Luxcal 4.5.2 which allows an unauthenticated attacker to steal other users' data. | 9.8 | CRITICAL | – | 0 |
| CVE-2024-48307 JeecgBoot v3.7.1 was discovered to contain a SQL injection vulnerability via the component /onlDragDatasetHead/getTotalData. | 9.8 | CRITICAL | – | 0 |
| CVE-2024-44097 According to the researcher: "The TLS connections are encrypted against tampering or eavesdropping. However, the application does not validate the server certificate properly while initializing the TL... | 9.8 | CRITICAL | – | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.