CVE Database

9306+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2023-29119
9.6 CRITICAL

Waybox Enel X web management application could execute arbitrary requests on the internal database via /admin/dbstore.php.

Nov 5, 2024
CVE-2023-29118
9.6 CRITICAL

Waybox Enel X web management application could execute arbitrary requests on the internal database via /admin/versions.php.

Nov 5, 2024
CVE-2024-10687
9.8 CRITICAL

The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons plugin for WordPress is vulnerable to …

Nov 5, 2024
CVE-2024-48061
9.8 CRITICAL

langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) as any component provided the code functionality and the components run on the local machine rather …

Nov 4, 2024
CVE-2024-48050
9.8 CRITICAL

In agentscope <=v0.0.4, the file agentscope\web\workstation\workflow_utils.py has the function is_callable_expression. Within this function, the line result = eval(s) poses a security risk as it can …

Nov 4, 2024
CVE-2024-51327
9.8 CRITICAL

SQL Injection in loginform.php in ProjectWorld's Travel Management System v1.0 allows remote attackers to bypass authentication via SQL Injection in the 'username' and 'password' fields.

Nov 4, 2024
CVE-2024-51136
9.8 CRITICAL

An XML External Entity (XXE) vulnerability in Dmoz2CSV in openimaj v1.3.10 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted …

Nov 4, 2024
CVE-2024-50531
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in davidfcarr RSVPMaker for Toastmasters rsvpmaker-for-toastmasters allows Upload a Web Shell to a Web Server.This issue affects …

Nov 4, 2024
CVE-2024-50530
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Myriad Solutionz Stars SMTP Mailer stars-smtp-mailer allows Upload a Web Shell to a Web Server.This issue …

Nov 4, 2024
CVE-2024-50529
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in rudrainn Training – Courses training allows Upload a Web Shell to a Web Server.This issue affects …

Nov 4, 2024
CVE-2024-50527
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Stacks Stacks Mobile App Builder stacks-mobile-app-builder allows Upload a Web Shell to a Web Server.This issue …

Nov 4, 2024
CVE-2024-50526
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Lindeni Mahlalela Multi Purpose Mail Form multi-purpose-mail-form allows Upload a Web Shell to a Web Server.This …

Nov 4, 2024
CVE-2024-50525
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in helloprint Helloprint helloprint allows Upload a Web Shell to a Web Server.This issue affects Helloprint: from …

Nov 4, 2024
CVE-2024-50523
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in RainbowLink Inc. All Post Contact Form allpost-contactform allows Upload a Web Shell to a Web Server.This …

Nov 4, 2024
CVE-2024-51558
9.8 CRITICAL

This vulnerability exists in the Wave 2.0 due to missing restrictions for excessive failed authentication attempts on its API based login. A remote attacker could …

Nov 4, 2024
CVE-2024-10035
9.8 CRITICAL

Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Special Elements used in a Command ('Command Injection'), Improper Neutralization of Special Elements used …

Nov 4, 2024
CVE-2024-51661
9.1 CRITICAL

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in David Lingren Media LIbrary Assistant media-library-assistant allows Command Injection.This issue …

Nov 4, 2024
CVE-2024-23590
9.1 CRITICAL

Session Fixation vulnerability in Apache Kylin. This issue affects Apache Kylin: from 2.0.0 through 4.x. Users are recommended to upgrade to version 5.0.0 or above, …

Nov 4, 2024
CVE-2024-51252
9.8 CRITICAL

In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the restore function.

Nov 1, 2024
CVE-2024-51431
9.8 CRITICAL

LB-LINK BL-WR 1300H v.1.0.4 contains hardcoded credentials stored in /etc/shadow which are easily guessable.

Nov 1, 2024
CVE-2024-28265
9.1 CRITICAL

IBOS v4.5.5 has an arbitrary file deletion vulnerability via \system\modules\dashboard\controllers\LoginController.php.

Nov 1, 2024
CVE-2024-7456
9.8 CRITICAL

A SQL injection vulnerability exists in the `/api/v1/external-users` route of lunary-ai/lunary version v1.4.2. The `order by` clause of the SQL query uses `sql.unsafe` without prior …

Nov 1, 2024
CVE-2024-48359
9.8 CRITICAL

Qualitor v8.24 was discovered to contain a remote code execution (RCE) vulnerability via the gridValoresPopHidden parameter.

Oct 31, 2024
CVE-2024-51065
9.8 CRITICAL

Phpgurukul Beauty Parlour Management System v1.1 is vulnerable to SQL Injection in admin/index.php via the the username parameter.

Oct 31, 2024
CVE-2024-51064
9.8 CRITICAL

Phpgurukul Teachers Record Management System v2.1 is vulnerable to SQL Injection via the tid parameter to admin/queries.php.

Oct 31, 2024
CVE-2024-51063
9.1 CRITICAL

Phpgurukul Teachers Record Management System v2.1 is vulnerable to SQL Injection in add-teacher.php via the mobile number or email parameter.

Oct 31, 2024
CVE-2024-51060
9.1 CRITICAL

Projectworlds Online Admission System v1 is vulnerable to SQL Injection in index.php via the 'a_id' parameter.

Oct 31, 2024
CVE-2024-42515
9.9 CRITICAL

Glossarizer through 1.5.2 improperly tries to convert text into HTML. Even though the application itself escapes special characters (e.g., <>), the underlying library converts these …

Oct 31, 2024
CVE-2024-39332
9.8 CRITICAL

Webswing 23.2.2 allows remote attackers to modify client-side JavaScript code to achieve path traversal, likely leading to remote code execution via modification of shell scripts …

Oct 31, 2024
CVE-2023-52044
9.8 CRITICAL

Studio-42 eLfinder 2.1.62 is vulnerable to Remote Code Execution (RCE) as there is no restriction for uploading files with the .php8 extension.

Oct 31, 2024
CVE-2024-51482
9.9 CRITICAL

ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder v1.37.* <= 1.37.64 is vulnerable to boolean-based SQL Injection in function of web/ajax/event.php. This …

Oct 31, 2024
CVE-2024-51478
9.9 CRITICAL

YesWiki is a wiki system written in PHP. Prior to 4.4.5, the use of a weak cryptographic algorithm and a hard-coded salt to hash the …

Oct 31, 2024
CVE-2024-51260
9.8 CRITICAL

DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the acme_process function.

Oct 31, 2024
CVE-2024-51255
9.8 CRITICAL

DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the ruequest_certificate function.

Oct 31, 2024
CVE-2024-48910
9.1 CRITICAL

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.

Oct 31, 2024
CVE-2024-51259
9.8 CRITICAL

DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the setup_cacertificate function.

Oct 31, 2024
CVE-2024-42835
9.8 CRITICAL

langflow v1.0.12 was discovered to contain a remote code execution (RCE) vulnerability via the PythonCodeTool component.

Oct 31, 2024
CVE-2024-49674
9.6 CRITICAL

Cross-Site Request Forgery (CSRF) vulnerability in lukashuser EKC Tournament Manager ekc-tournament-manager allows Upload a Web Shell to a Web Server.This issue affects EKC Tournament Manager: …

Oct 31, 2024
CVE-2024-43984
9.6 CRITICAL

Cross-Site Request Forgery (CSRF) vulnerability in Podlove Podlove Podcast Publisher allows Code Injection.This issue affects Podlove Podcast Publisher: from n/a through 4.1.13.

Oct 31, 2024
CVE-2024-10392
9.8 CRITICAL

The AI Power: Complete AI Pack plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'handle_image_upload' function …

Oct 31, 2024
CVE-2024-48307
9.8 CRITICAL

JeecgBoot v3.7.1 was discovered to contain a SQL injection vulnerability via the component /onlDragDatasetHead/getTotalData.

Oct 31, 2024
CVE-2024-51427
9.8 CRITICAL

An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the …

Oct 30, 2024
CVE-2024-51424
9.8 CRITICAL

An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the …

Oct 30, 2024
CVE-2024-48112
9.8 CRITICAL

A deserialization vulnerability in the component \controller\Index.php of Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.

Oct 30, 2024
CVE-2024-48202
9.8 CRITICAL

icecms <=3.4.7 has a File Upload vulnerability in FileUtils.java,uploadFile.

Oct 30, 2024
CVE-2024-10456
9.8 CRITICAL

Delta Electronics InfraSuite Device Master versions prior to 1.0.12 are affected by a deserialization vulnerability that targets the Device-Gateway, which could allow deserialization of arbitrary …

Oct 30, 2024
CVE-2024-51298
9.8 CRITICAL

In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doGRETunnel function.

Oct 30, 2024
CVE-2024-33699
9.9 CRITICAL

The LevelOne WBR-6012 router's web application has a vulnerability in its firmware version R0.40e6, allowing attackers to change the administrator password and gain higher privileges …

Oct 30, 2024
CVE-2024-23309
9.0 CRITICAL

The LevelOne WBR-6012 router with firmware R0.40e6 has an authentication bypass vulnerability in its web application due to reliance on client IP addresses for authentication. …

Oct 30, 2024
CVE-2024-10525
9.8 CRITICAL

In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto …

Oct 30, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.