9262+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to …
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to …
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to …
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to …
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/guest-mode/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to …
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to …
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to …
A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to …
A CWE-259 "Use of Hard-coded Password" for the root account in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker …
The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'storeUploads' function in …
The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to arbitrary file uploads due to the plugin uploading and extracting .zip archives …
The WP Job Board Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to 2.3.16. This is due to the plugin …
The Real Estate 7 WordPress theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.1. This is due to …
The WPGateway Plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.5. This allows unauthenticated attackers to create arbitrary malicious …
Buffer overflow vulnerability in Digital China DCBI-Netlog-LAB Gateway 1.0 due to the lack of length verification, which is related to saving parental control configuration information. …
Logsign Unified SecOps Platform Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Logsign Unified SecOps Platform. Authentication is …
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in Privilege escalation. An attacker …
Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability
A Reliance on Untrusted Inputs in a Security Decision vulnerability has been identified in the Lexmark Print Management Client.
Concorde, formerly know as Nexkey, is a fork of the federated microblogging platform Misskey. Prior to version 12.25Q1.1, due to an improper implementation of the …
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker to achieve remote code execution.
OS command injection in the admin web console of Ivanti CSA before version 5.0.5 allows a remote authenticated attacker with admin privileges to achieve remote …
Code injection in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to …
PandasAI uses an interactive prompt function that is vulnerable to prompt injection and run arbitrary Python code that can lead to Remote Code Execution (RCE) …
The firmware of all Wattsense Bridge devices contain the same hard-coded user and root credentials. The user password can be easily recovered via password cracking …
The WP Foodbakery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.8. This is due …
The WP Foodbakery plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 4.7. This is due to the plugin …
School Affairs System from Quanxun has an Exposure of Sensitive Information, allowing unauthenticated attackers to view specific pages and obtain database information as well as …
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an …
The WP Foodbakery plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'upload_publisher_profile_image' function in versions up …
The WP Directorybox Manager plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.5. This is due to incorrect authentication …
An issue in trojan v.2.0.0 through v.2.15.3 allows a remote attacker to escalate privileges via the initialization interface /auth/register.
An issue in DataEase v1 allows an attacker to execute arbitrary code via the user account and password components.
Unverified password change vulnerability in Janto, versions prior to r12. This could allow an unauthenticated attacker to change another user's password without knowing their current …
Cross-Site Request Forgery (CSRF) vulnerability in sainwp OneStore Sites onestore-sites allows Cross Site Request Forgery.This issue affects OneStore Sites: from n/a through <= 0.1.1.
Cross-Site Request Forgery (CSRF) vulnerability in FancyWP Starter Templates by FancyWP starter-templates allows Cross Site Request Forgery.This issue affects Starter Templates by FancyWP: from n/a …
Cross-Site Request Forgery (CSRF) vulnerability in MetricThemes Munk Sites munk-sites allows Cross Site Request Forgery.This issue affects Munk Sites: from n/a through <= 1.0.7.
The Nextend Social Login Pro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.1.16. This is due to insufficient …
Multiple Elber products are affected by an authentication bypass vulnerability which allows unauthorized access to the password management functionality. Attackers can exploit this issue by …
WhoDB is an open source database management tool. While the application only displays Sqlite3 databases present in the directory `/db`, there is no path traversal …
A SQL Injection vulnerability exists in the /feed/insert.json endpoint of the Emoncms project >= 11.6.9. The vulnerability is caused by improper handling of user-supplied input …
MDC is a tool to take regular Markdown and write documents interacting deeply with a Vue component. In affected versions unsafe parsing logic of the …
Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h, and Forever KidsWatch Call Me 2 KW60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b have a Hardcoded password vulnerability.
Built-in SMS-configuration command in Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h and Forever KidsWatch Call Me 2 KW-60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b allows malicious users to change the device …
Forever KidsWatch Call Me KW-50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h and Forever KidsWatch Call Me KW-60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b allow a malicious user to gain information about the device by sending …
An SQL injection vulnerability in the pjActionGetUser function of PHPJabbers Cinema Booking System v2.0 allows attackers to manipulate database queries via the column parameter. Exploiting …
A stored cross-site scripting (XSS) vulnerability in PHPJabbers Cinema Booking System v2.0 exists due to unsanitized input in file upload fields (event_img, seat_maps) and seat …
A cross-site scripting (xss) vulnerability exists in the dataset upload functionality of ClearML Enterprise Server 3.22.5-1533. A specially crafted HTTP request can lead to an …
Tiny File Manager v2.4.7 and below is vulnerable to session fixation.
Sandbox escape in the JavaScript Task feature of Google Cloud Application Integration allows an actor to execute arbitrary unsandboxed code via crafted JavaScript code executed …
Free website and port scanning — find vulnerabilities before attackers do.