CVE Database

9279+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-54367
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in Ultimate Member ForumWP forumwp allows Object Injection.This issue affects ForumWP: from n/a through <= 2.1.0.

Dec 16, 2024
CVE-2024-54363
9.8 CRITICAL

Incorrect Privilege Assignment vulnerability in saiful.total Wp NssUser Register wp-nssuser-register allows Privilege Escalation.This issue affects Wp NssUser Register: from n/a through <= 1.0.0.

Dec 16, 2024
CVE-2024-54361
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in tenteeglobal Instant Appointment instant-appointment allows SQL Injection.This issue affects Instant Appointment: …

Dec 16, 2024
CVE-2024-49775
9.8 CRITICAL

A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2501.0001), Opcenter Intelligence (All versions < V2501.0001), Opcenter Quality (All versions < V2512), …

Dec 16, 2024
CVE-2024-12641
9.6 CRITICAL

TenderDocTransfer from Chunghwa Telecom has a Reflected Cross-site scripting vulnerability. The application sets up a simple local web server and provides APIs for communication with …

Dec 16, 2024
CVE-2024-55969
9.1 CRITICAL

DocIO in Syncfusion Essential Studio for ASP.NET MVC before 27.1.55 throws XMLException during the resaving of a DOCX document with an external reference XML, aka …

Dec 15, 2024
CVE-2023-29476
9.1 CRITICAL

In Menlo On-Premise Appliance before 2.88, web policy may not be consistently applied properly to intentionally malformed client requests. This is fixed in 2.88.2+, 2.89.1+, …

Dec 14, 2024
CVE-2024-55956
9.8 CRITICAL KEV

In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on …

Dec 13, 2024
CVE-2024-54297
9.8 CRITICAL

Authentication Bypass Using an Alternate Path or Channel vulnerability in extremeidea vBSSO-lite vbsso-lite allows Authentication Bypass.This issue affects vBSSO-lite: from n/a through <= 1.4.3.

Dec 13, 2024
CVE-2024-54296
9.8 CRITICAL

Authentication Bypass Using an Alternate Path or Channel vulnerability in Codexpert, Inc CoSchool LMS coschool allows Authentication Bypass.This issue affects CoSchool LMS: from n/a through …

Dec 13, 2024
CVE-2024-54295
9.8 CRITICAL

Authentication Bypass Using an Alternate Path or Channel vulnerability in FluxBuilder ListApp Mobile Manager listapp-mobile-manager allows Authentication Bypass.This issue affects ListApp Mobile Manager: from n/a …

Dec 13, 2024
CVE-2024-54294
9.8 CRITICAL

Authentication Bypass Using an Alternate Path or Channel vulnerability in Appgenix Infotech Firebase OTP Authentication authentication-via-otp-using-firebase allows Authentication Bypass.This issue affects Firebase OTP Authentication: from …

Dec 13, 2024
CVE-2024-54293
9.8 CRITICAL

Incorrect Privilege Assignment vulnerability in CE21 CE21 Suite ce21-suite allows Privilege Escalation.This issue affects CE21 Suite: from n/a through <= 2.2.0.

Dec 13, 2024
CVE-2024-54292
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in appsplate Appsplate appsplate allows SQL Injection.This issue affects Appsplate: from n/a …

Dec 13, 2024
CVE-2024-54273
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in PickPlugins Mail Picker mail-picker allows Object Injection.This issue affects Mail Picker: from n/a through <= 1.0.14.

Dec 13, 2024
CVE-2024-54262
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in sidngr Import Export For WooCommerce import-export-for-woocommerce allows Upload a Web Shell to a Web Server.This issue …

Dec 13, 2024
CVE-2024-54261
10.0 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in HK Digital Agency LLC TAX SERVICE Electronic HDM virtual-hdm-for-taxservice-am allows SQL …

Dec 13, 2024
CVE-2024-54239
9.8 CRITICAL

Missing Authorization vulnerability in dugudlabs Eyewear prescription form eyewear-prescription-form allows Privilege Escalation.This issue affects Eyewear prescription form: from n/a through <= 4.0.18.

Dec 13, 2024
CVE-2024-54234
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wp-buy Limit Login Attempts wp-limit-failed-login-attempts allows SQL Injection.This issue affects Limit …

Dec 13, 2024
CVE-2022-46838
9.1 CRITICAL

Missing Authorization vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This …

Dec 13, 2024
CVE-2024-11986
9.6 CRITICAL

Improper input handling in the 'Host Header' allows an unauthenticated attacker to store a payload in web application logs. When an Administrator views the logs …

Dec 13, 2024
CVE-2024-21577
10.0 CRITICAL

ComfyUI-Ace-Nodes is vulnerable to Code Injection. The ACE_ExpressionEval node contains an eval() in its entrypoint function that accepts arbitrary user-controlled data. A user can create …

Dec 13, 2024
CVE-2024-21576
10.0 CRITICAL

ComfyUI-Bmad-Nodes is vulnerable to Code Injection. The issue stems from a validation bypass in the BuildColorRangeHSVAdvanced, FilterContour and FindContour custom nodes. In the entrypoint function …

Dec 13, 2024
CVE-2024-52061
9.8 CRITICAL

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Core Libraries, Queuing Service, Recording Service, Routing Service) allows Overflow …

Dec 13, 2024
CVE-2024-9290
9.8 CRITICAL

The Super Backup & Clone - Migrate for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and …

Dec 13, 2024
CVE-2024-52057
9.8 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RTI Connext Professional (Queuing Service) allows SQL Injection.This issue affects Connext …

Dec 13, 2024
CVE-2024-11838
9.8 CRITICAL

External Control of File Name or Path vulnerability in PlexTrac allows Local Code Inclusion through use of an undocumented API endpoint.This issue affects PlexTrac: from …

Dec 13, 2024
CVE-2024-11837
9.8 CRITICAL

Improper Neutralization of Special Elements used in an N1QL Command ('N1QL Injection') vulnerability in PlexTrac allows N1QL Injection.This issue affects PlexTrac: from 1.61.3 before 2.8.1.

Dec 13, 2024
CVE-2024-11834
9.1 CRITICAL

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in PlexTrac allows arbitrary file writes.This issue affects PlexTrac: from 1.61.3 before 2.8.1.

Dec 13, 2024
CVE-2024-11833
9.1 CRITICAL

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in PlexTrac allows arbitrary file writes.This issue affects PlexTrac: from 1.61.3 before 2.8.1.

Dec 13, 2024
CVE-2024-12603
9.8 CRITICAL

A logic vulnerability in the the mobile application (com.transsion.applock) can lead to bypassing the application password.

Dec 13, 2024
CVE-2024-55879
9.1 CRITICAL

XWiki Platform is a generic wiki platform. Starting in version 2.3 and prior to versions 15.10.9, 16.3.0, any user with script rights can perform arbitrary …

Dec 12, 2024
CVE-2024-55877
9.9 CRITICAL

XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can …

Dec 12, 2024
CVE-2024-55875
9.8 CRITICAL

http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 5.41.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k …

Dec 12, 2024
CVE-2024-55663
9.8 CRITICAL

XWiki Platform is a generic wiki platform. Starting in version 6.3-milestone-2 and prior to versions 13.10.5 and 14.3-rc-1, in `getdocument.vm`; the ordering of the returned …

Dec 12, 2024
CVE-2024-54811
9.8 CRITICAL

A SQL injection vulnerability in /index.php in PHPGurukul Park Ticketing Management System v1.0 allows an attacker to execute arbitrary SQL commands via the "login" parameter.

Dec 12, 2024
CVE-2024-49147
9.3 CRITICAL

Deserialization of untrusted data in Microsoft Update Catalog allows an unauthorized attacker to elevate privileges on the website’s webserver.

Dec 12, 2024
CVE-2024-55662
9.9 CRITICAL

XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is …

Dec 12, 2024
CVE-2024-54810
9.8 CRITICAL

A SQL Injection vulnerability was found in /preschool/admin/password-recovery.php in PHPGurukul Pre-School Enrollment System Project v1.0, which allows remote attackers to execute arbitrary code via the …

Dec 12, 2024
CVE-2024-55099
9.8 CRITICAL

A SQL Injection vulnerability was found in /admin/index.php in phpgurukul Online Nurse Hiring System v1.0, which allows remote attackers to execute arbitrary SQL commands to …

Dec 12, 2024
CVE-2024-54842
9.8 CRITICAL

A SQL injection vulnerability was found in phpgurukul Online Nurse Hiring System v1.0 in /admin/password-recovery.php via the mobileno parameter.

Dec 12, 2024
CVE-2024-21574
10.0 CRITICAL

The issue stems from a missing validation of the pip field in a POST request sent to the /customnode/install endpoint used to install custom nodes …

Dec 12, 2024
CVE-2024-10124
9.8 CRITICAL

The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation due to a …

Dec 12, 2024
CVE-2024-11015
9.8 CRITICAL

The Sign In With Google plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.8.0. This is due to …

Dec 12, 2024
CVE-2024-55660
9.8 CRITICAL

SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's `/api/template/renderSprig` endpoint is vulnerable to Server-Side Template Injection (SSTI) through the Sprig template …

Dec 12, 2024
CVE-2024-54534
9.8 CRITICAL

The issue was addressed with improved memory handling. This issue is fixed in Safari 18.2, iOS 18.2 and iPadOS 18.2, iPadOS 17.7.6, macOS Sequoia 15.2, …

Dec 12, 2024
CVE-2024-54506
9.8 CRITICAL

An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in macOS Sequoia 15.2. An attacker may be able to cause …

Dec 12, 2024
CVE-2024-54465
9.8 CRITICAL

A logic issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.2. An app may be able to elevate privileges.

Dec 12, 2024
CVE-2024-44299
9.8 CRITICAL

The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.1 and iPadOS 18.1, macOS Sequoia 15.1. An attacker may be …

Dec 12, 2024
CVE-2024-44242
9.8 CRITICAL

The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.1 and iPadOS 18.1, macOS Sequoia 15.1. An attacker may be …

Dec 12, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.