CVE Database

9279+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-51367
9.8 CRITICAL

An arbitrary file upload vulnerability in the component \Users\username.BlackBoard of BlackBoard v2.0.0.2 allows attackers to execute arbitrary code via uploading a crafted .xml file.

Nov 21, 2024
CVE-2024-51366
9.8 CRITICAL

An arbitrary file upload vulnerability in the component \Roaming\Omega of OmegaT v6.0.1 allows attackers to execute arbitrary code via uploading a crafted .conf file.

Nov 21, 2024
CVE-2024-52289
9.8 CRITICAL

authentik is an open-source identity provider. Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison. When no Redirect URIs are configured …

Nov 21, 2024
CVE-2024-29224
9.8 CRITICAL

An OS command injection vulnerability exists in the NAT parameter of GoCast 1.1.3. A specially crafted HTTP request can lead to arbitrary command execution. An …

Nov 21, 2024
CVE-2024-28892
9.8 CRITICAL

An OS command injection vulnerability exists in the name parameter of GoCast 1.1.3. A specially crafted HTTP request can lead to arbitrary command execution. An …

Nov 21, 2024
CVE-2024-21855
9.8 CRITICAL

A lack of authentication vulnerability exists in the HTTP API functionality of GoCast 1.1.3. A specially crafted HTTP request can lead to arbitrary command execution. …

Nov 21, 2024
CVE-2024-30896
9.1 CRITICAL

InfluxDB OSS 2.x through 2.7.11 stores the administrative operator token under the default organization which allows authorized users with read access to the authorization resource …

Nov 21, 2024
CVE-2024-11320
9.8 CRITICAL

Arbitrary commands execution on the server by exploiting a command injection vulnerability in the LDAP authentication mechanism. This issue affects Pandora FMS: from 700 through …

Nov 21, 2024
CVE-2024-51151
9.8 CRITICAL

D-Link DI-8200 16.07.26A1 is vulnerable to remote command execution in the msp_info_htm function via the flag parameter and cmd parameter.

Nov 21, 2024
CVE-2024-52765
9.8 CRITICAL

H3C GR-1800AX MiniGRW1B0V100R007 is vulnerable to remote code execution (RCE) via the aspForm parameter.

Nov 20, 2024
CVE-2024-52677
9.8 CRITICAL

HkCms <= v2.3.2.240702 is vulnerable to file upload in the getFileName method in /app/common/library/Upload.php.

Nov 20, 2024
CVE-2024-48984
9.8 CRITICAL

An issue was discovered in MBed OS 6.16.0. When parsing hci reports, the hci parsing software dynamically determines the length of a list of reports …

Nov 20, 2024
CVE-2024-33439
9.1 CRITICAL

An issue in Kasda LinkSmart Router KW5515 v1.7 and before allows an authenticated remote attacker to execute arbitrary OS commands via cgi parameters.

Nov 20, 2024
CVE-2024-29292
9.1 CRITICAL

Multiple OS Command Injection vulnerabilities affecting Kasda LinkSmart Router KW6512 <= v1.3 enable an authenticated remote attacker to execute arbitrary OS commands via various cgi …

Nov 20, 2024
CVE-2018-9479
9.8 CRITICAL

In process_service_attr_req and process_service_search_attr_req of sdp_server.cc, there is an out of bounds write due to a missing bounds check. This could lead to remote code …

Nov 20, 2024
CVE-2018-9478
9.8 CRITICAL

In process_service_attr_req and process_service_search_attr_req of sdp_server.cc, there is an out of bounds write due to a missing bounds check. This could lead to remote code …

Nov 20, 2024
CVE-2024-52771
9.1 CRITICAL

DedeBIZ v6.3.0 was discovered to contain an arbitrary file deletion vulnerability via the component /admin/file_manage_view.

Nov 20, 2024
CVE-2024-52770
9.8 CRITICAL

An arbitrary file upload vulnerability in the component /admin/file_manage_control of DedeBIZ v6.3.0 allows attackers to execute arbitrary code via uploading a crafted file.

Nov 20, 2024
CVE-2024-10094
9.1 CRITICAL

Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code

Nov 20, 2024
CVE-2024-52443
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in masikonis Geolocator geolocator allows Object Injection.This issue affects Geolocator: from n/a through <= 1.1.

Nov 20, 2024
CVE-2024-52442
9.8 CRITICAL

Incorrect Privilege Assignment vulnerability in userplus UserPlus userplus allows Privilege Escalation.This issue affects UserPlus: from n/a through <= 2.0.

Nov 20, 2024
CVE-2024-52441
9.8 CRITICAL

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Rajesh Thanoch Quick Learn quick-learn allows Object Injection.This issue affects Quick Learn: from n/a …

Nov 20, 2024
CVE-2024-52440
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in xpresslane Xpresslane Fast Checkout xpresslane-integration-for-woocommerce allows Object Injection.This issue affects Xpresslane Fast Checkout: from n/a through <= 1.0.0.

Nov 20, 2024
CVE-2024-52439
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in Mark O'Donnell Team Rosters team-rosters allows Object Injection.This issue affects Team Rosters: from n/a through <= 4.8.2.

Nov 20, 2024
CVE-2024-10127
9.8 CRITICAL

Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user authentication without a password when …

Nov 20, 2024
CVE-2018-9467
9.8 CRITICAL

In the getHost() function of UriTest.java, there is the possibility of incorrect web origin determination. This could lead to incorrect security decisions with no additional …

Nov 20, 2024
CVE-2024-52759
9.8 CRITICAL

D-LINK DI-8003 v16.07.26A1 was discovered to contain a buffer overflow via the ip parameter in the ip_position_asp function.

Nov 19, 2024
CVE-2024-52714
9.8 CRITICAL

Tenda AC6 v2.0 v15.03.06.50 was discovered to contain a buffer overflow in the function 'fromSetSysTime.

Nov 19, 2024
CVE-2024-48694
9.8 CRITICAL

File Upload vulnerability in Xi'an Daxi Information technology OfficeWeb365 v.8.6.1.0 and v7.18.23.0 allows a remote attacker to execute arbitrary code via the pw/savedraw component.

Nov 19, 2024
CVE-2024-48072
9.8 CRITICAL

Weaver Ecology v9.* was discovered to contain a SQL injection vulnerability via the component /mobilemode/Action.jsp?invoker=com.weaver.formmodel.mobile.mec.servlet.MECAction&action=getFieldTriggerValue&searchField=*&fromTable=HrmResourceManager&whereClause=1%3d1&triggerCondition=1&expression=%3d&fieldValue=1.

Nov 19, 2024
CVE-2024-48070
9.8 CRITICAL

An issue in Weaver E-cology v. attackers construct special requests to insert remote malicious code and to trigger malicious code execution, and control server privileges

Nov 19, 2024
CVE-2024-48069
9.8 CRITICAL

A vulnerability was found in Weaver E-cology allows attackers use race conditions to bypass security mechanisms to upload malicious files and control server privileges

Nov 19, 2024
CVE-2024-42450
10.0 CRITICAL

The Versa Director uses PostgreSQL (Postgres) to store operational and configuration data. It is also needed for High Availability function of the Versa Director. The …

Nov 19, 2024
CVE-2024-52402
9.6 CRITICAL

Cross-Site Request Forgery (CSRF) vulnerability in gunghoinc Exclusive Content Password Protect exclusive-content-password-protect allows Upload a Web Shell to a Web Server.This issue affects Exclusive Content …

Nov 19, 2024
CVE-2024-52401
9.6 CRITICAL

Cross-Site Request Forgery (CSRF) vulnerability in HuangYe WuDeng Hacklog DownloadManager hacklog-downloadmanager allows Upload a Web Shell to a Web Server.This issue affects Hacklog DownloadManager: from …

Nov 19, 2024
CVE-2024-52675
9.8 CRITICAL

SourceCodester Sentiment Based Movie Rating System 1.0 is vulnerable to SQL Injection in /msrps/movies.php.

Nov 19, 2024
CVE-2024-51051
9.8 CRITICAL

AVSCMS v8.2.0 was discovered to contain weak default credentials for the Administrator account.

Nov 18, 2024
CVE-2024-51053
9.8 CRITICAL

An arbitrary file upload vulnerability in the component /main/fileupload.php of AVSCMS v8.2.0 allows attackers to execute arbitrary code via uploading a crafted file.

Nov 18, 2024
CVE-2024-50919
9.8 CRITICAL

Jpress until v5.1.1 has arbitrary file uploads on the windows platform, and the construction of non-standard file formats such as .jsp. can lead to arbitrary …

Nov 18, 2024
CVE-2024-47533
9.8 CRITICAL

Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior …

Nov 18, 2024
CVE-2024-44756
9.8 CRITICAL

NUS-M9 ERP Management Software v3.0.0 was discovered to contain a SQL injection vulnerability via the usercode parameter at /UserWH/checkLogin.

Nov 18, 2024
CVE-2024-0012
9.8 CRITICAL KEV

An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator …

Nov 18, 2024
CVE-2024-52434
9.1 CRITICAL

Deserialization of Untrusted Data vulnerability in supsystic Popup by Supsystic popup-by-supsystic allows Command Injection.This issue affects Popup by Supsystic: from n/a through <= 1.10.29.

Nov 18, 2024
CVE-2024-52433
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in Mindstien Technologies My Geo Posts Free my-geo-posts-free allows Object Injection.This issue affects My Geo Posts Free: from n/a through …

Nov 18, 2024
CVE-2024-52432
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in NIX Solutions Ltd NIX Anti-Spam Light nix-anti-spam-light allows Object Injection.This issue affects NIX Anti-Spam Light: from n/a through <= …

Nov 18, 2024
CVE-2024-52431
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pressaholic WordPress Video Robot - The Ultimate Video Importer allows SQL …

Nov 18, 2024
CVE-2024-52430
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in bublick Lis Video Gallery lis-video-gallery allows Object Injection.This issue affects Lis Video Gallery: from n/a through <= 0.2.1.

Nov 18, 2024
CVE-2024-52429
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in AntonHoelstad WP Quick Setup wp-quick-setup allows Upload a Web Shell to a Web Server.This issue affects …

Nov 18, 2024
CVE-2024-52427
9.9 CRITICAL

Deserialization of Untrusted Data vulnerability in Vollstart Event Tickets with Ticket Scanner event-tickets-with-ticket-scanner allows Server Side Include (SSI) Injection.This issue affects Event Tickets with Ticket …

Nov 18, 2024
CVE-2024-52316
9.8 CRITICAL

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an …

Nov 18, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.