{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-24T11:20:41.532","vulnerabilities":[{"cve":{"id":"CVE-2026-33249","sourceIdentifier":"security-advisories@github.com","published":"2026-03-25T21:16:47.737","lastModified":"2026-03-26T16:20:55.100","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available."},{"lang":"es","value":"NATS-Server es un servidor de alto rendimiento para NATS.io, un sistema de mensajería nativo de la nube y del borde. A partir de la versión 2.11.0 y antes de las versiones 2.11.15 y 2.12.6, un cliente válido que utiliza encabezados de rastreo de mensajes puede indicar que los mensajes de rastreo pueden enviarse a un asunto válido arbitrario, incluidos aquellos para los que el cliente no tiene permiso de publicación. La carga útil es un mensaje de rastreo válido y no es elegido por el atacante. Las versiones 2.11.15 y 2.12.6 contienen una corrección. No hay soluciones alternativas conocidas disponibles."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-863"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*","versionStartIncluding":"2.11.0","versionEndExcluding":"2.11.15","matchCriteriaId":"04A14239-FB32-4FD3-8B45-BDE015A7F721"},{"vulnerable":true,"criteria":"cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*","versionStartIncluding":"2.12.0","versionEndExcluding":"2.12.6","matchCriteriaId":"4E347CFB-C56D-4FD8-8DD8-3D34C08D7154"}]}]}],"references":[{"url":"https://advisories.nats.io/CVE/secnote-2026-15.txt","source":"security-advisories@github.com","tags":["Vendor Advisory"]},{"url":"https://github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8j","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}