CVE Database

9262+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-10044
9.3 CRITICAL

A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in lm-sys/fastchat, as of commit e208d5677c6837d590b81cb03847c0b9de100765. This …

Dec 30, 2024
CVE-2024-47926
9.8 CRITICAL

Tecnick TCExam – CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Dec 30, 2024
CVE-2024-47919
9.8 CRITICAL

Tiki Wiki CMS – CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Dec 30, 2024
CVE-2024-50717
9.8 CRITICAL

SQL injection vulnerability in Smart Agent v.1.1.0 allows a remote attacker to execute arbitrary code via the client parameter in the /recuperaLog.php component.

Dec 27, 2024
CVE-2024-50716
9.8 CRITICAL

SQL injection vulnerability in Smart Agent v.1.1.0 allows a remote attacker to execute arbitrary code via the id parameter in the /sendPushManually.php component.

Dec 27, 2024
CVE-2024-50713
9.8 CRITICAL

SmartAgent v1.1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /tests/interface.php.

Dec 27, 2024
CVE-2024-54450
9.4 CRITICAL

An issue was discovered in Kurmi Provisioning Suite 7.9.0.33. If an X-Forwarded-For header is received during authentication, the Kurmi application will record the (possibly forged) …

Dec 27, 2024
CVE-2024-50944
9.8 CRITICAL

Integer overflow vulnerability exists in SimplCommerce at commit 230310c8d7a0408569b292c5a805c459d47a1d8f in the shopping cart functionality. The issue lies in the quantity parameter in the CartController's AddToCart …

Dec 27, 2024
CVE-2024-56521
9.8 CRITICAL

An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are set unsafely.

Dec 27, 2024
CVE-2024-56431
9.8 CRITICAL

oc_huff_tree_unpack in huffdec.c in libtheora in Theora through 1.0 7180717 has an invalid negative left shift. NOTE: this is disputed by third parties because there …

Dec 25, 2024
CVE-2024-8950
9.9 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Arne Informatics Piramit Automation allows Blind SQL Injection.This issue affects Piramit …

Dec 25, 2024
CVE-2024-52046
9.8 CRITICAL

The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. This vulnerability …

Dec 25, 2024
CVE-2024-11281
9.8 CRITICAL

The WooCommerce Point of Sale plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.1.0. This is due to …

Dec 25, 2024
CVE-2024-43441
9.8 CRITICAL

Authentication Bypass by Assumed-Immutable Data vulnerability in Apache HugeGraph-Server. This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.5.0. Users are recommended to upgrade to version …

Dec 24, 2024
CVE-2024-40896
9.1 CRITICAL

In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX …

Dec 23, 2024
CVE-2024-54148
9.8 CRITICAL

Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to …

Dec 23, 2024
CVE-2024-45387
9.9 CRITICAL

An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role "admin", "federation", "operations", "portal", …

Dec 23, 2024
CVE-2024-46873
9.8 CRITICAL

Multiple SHARP routers leave the hidden debug function enabled. An arbitrary OS command may be executed with the root privilege by a remote unauthenticated attacker.

Dec 23, 2024
CVE-2024-11349
9.8 CRITICAL

The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.6. This is due to the plugin not …

Dec 21, 2024
CVE-2024-55509
9.8 CRITICAL

SQL injection vulnerability in CodeAstro Complaint Management System v.1.0 allows a remote attacker to execute arbitrary code and escalate privileges via the id parameter of …

Dec 20, 2024
CVE-2024-56337
9.8 CRITICAL

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through …

Dec 20, 2024
CVE-2024-51466
9.0 CRITICAL

IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and 12.0.0 through 12.0.4 is vulnerable to an Expression Language (EL) Injection vulnerability. A remote attacker could exploit …

Dec 20, 2024
CVE-2024-12571
9.8 CRITICAL

The Store Locator for WordPress with Google Maps – LotsOfLocales plugin for WordPress is vulnerable to Local File Inclusion in version 3.98.9 via the 'sl_engine' …

Dec 20, 2024
CVE-2022-32203
9.8 CRITICAL

There is a command injection vulnerability in Huawei terminal printer product. Successful exploitation could result in the highest privileges of the printer. (Vulnerability ID: HWPSIRT-2022-51773) …

Dec 20, 2024
CVE-2024-56327
9.8 CRITICAL

pyrage is a set of Python bindings for the rage file encryption library (age in Rust). `pyrage` uses the Rust `age` crate for its underlying …

Dec 19, 2024
CVE-2024-54984
9.8 CRITICAL

An issue in Quectel BG96 BG96MAR02A08M1G allows attackers to bypass authentication via a crafted NAS message. NOTE: this is disputed by the supplier.

Dec 19, 2024
CVE-2024-54983
9.8 CRITICAL

An issue in Quectel BC95-CNV V100R001C00SPC051 allows attackers to bypass authentication via a crafted NAS message.

Dec 19, 2024
CVE-2024-12728
9.8 CRITICAL

A weak credentials vulnerability potentially allows privileged system access via SSH to Sophos Firewall older than version 20.0 MR3 (20.0.3).

Dec 19, 2024
CVE-2024-12727
9.8 CRITICAL

A pre-auth SQL injection vulnerability in the email protection feature of Sophos Firewall versions older than 21.0 MR1 (21.0.1) allows access to the reporting database …

Dec 19, 2024
CVE-2024-54150
9.1 CRITICAL

cjwt is a C JSON Web Token (JWT) Implementation. Algorithm confusion occurs when a system improperly verifies the type of signature used, allowing attackers to …

Dec 19, 2024
CVE-2024-55081
9.8 CRITICAL

An XML External Entity (XXE) injection vulnerability in the component /datagrip/upload of Chat2DB v0.3.5 allows attackers to execute arbitrary code via supplying a crafted XML …

Dec 19, 2024
CVE-2024-10244
9.8 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ISDO Software Web Software allows SQL Injection.This issue affects Web Software: …

Dec 19, 2024
CVE-2021-26102
9.8 CRITICAL

A relative path traversal vulnerability (CWE-23) in FortiWAN version 4.5.7 and below, 4.4 all versions may allow a remote non-authenticated attacker to delete files on …

Dec 19, 2024
CVE-2024-12626
9.6 CRITICAL

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the …

Dec 19, 2024
CVE-2023-4617
10.0 CRITICAL

Incorrect authorization vulnerability in HTTP POST method in Govee Home application on Android and iOS allows remote attacker to control devices owned by other users …

Dec 19, 2024
CVE-2024-55461
9.8 CRITICAL

SeaCMS <=13.0 is vulnerable to command execution in phome.php via the function Ebak_RepPathFiletext().

Dec 18, 2024
CVE-2024-56145
9.8 CRITICAL KEV

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability …

Dec 18, 2024
CVE-2024-52591
9.3 CRITICAL

Misskey is an open source, federated social media platform. In affected versions missing validation in `ApRequestService.signedGet` and `HttpRequestService.getActivityJson` allows an attacker to create fake user …

Dec 18, 2024
CVE-2024-56057
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS wplms_plugin allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from …

Dec 18, 2024
CVE-2024-56054
9.1 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS wplms_plugin allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from …

Dec 18, 2024
CVE-2024-56052
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS wplms_plugin allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from …

Dec 18, 2024
CVE-2024-56050
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS wplms_plugin allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from …

Dec 18, 2024
CVE-2024-54383
9.8 CRITICAL

Incorrect Privilege Assignment vulnerability in wpweb WooCommerce PDF Vouchers woocommerce-pdf-vouchers allows Privilege Escalation.This issue affects WooCommerce PDF Vouchers: from n/a through < 4.9.9.

Dec 18, 2024
CVE-2023-34990
9.8 CRITICAL

A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially …

Dec 18, 2024
CVE-2024-56059
9.8 CRITICAL

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in farinspace Partners partners allows Object Injection.This issue affects Partners: from n/a through <= 0.2.0.

Dec 18, 2024
CVE-2024-56058
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in denniskravetstns VRPConnector vrpconnector allows Object Injection.This issue affects VRPConnector: from n/a through <= 2.0.1.

Dec 18, 2024
CVE-2024-4996
9.8 CRITICAL

Use of a hard-coded password for a database administrator account created during Wapro ERP installation allows an attacker to retrieve embedded sensitive data stored in …

Dec 18, 2024
CVE-2024-4995
9.8 CRITICAL

Wapro ERP Desktop is vulnerable to MS SQL protocol downgrade request from a server side, what could lead to an unencrypted communication vulnerable to data …

Dec 18, 2024
CVE-2024-1610
9.8 CRITICAL

In OPPO Store APP, there's a possible escalation of privilege due to improper input validation.

Dec 18, 2024
CVE-2024-12287
9.8 CRITICAL

The Biagiotti Membership plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.0.2. This is due to the plugin …

Dec 18, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.