9215+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.
Unauthenticated SQL Injection in WP Data Access <= 5.5.70 versions.
Unauthenticated SQL Injection in GD Rating System <= 3.6.2 versions.
Unauthenticated SQL Injection in Order Delivery Date for WooCommerce <= 4.5.1 versions.
Unauthenticated SQL Injection in Funnel Builder by FunnelKit <= 3.15.0.1 versions.
Unauthenticated SQL Injection in wpForo Forum <= 3.0.4 versions.
Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions.
Unauthenticated SQL Injection in Contest Gallery <= 28.1.6 versions.
Subscriber Arbitrary File Upload in WP-BusinessDirectory <= 4.0.0 versions.
Unauthenticated Privilege Escalation in Datalogics Ecommerce Delivery <= 2.6.62 versions.
Unauthenticated SQL Injection in SpeakOut! Email Petitions <= 4.6.5 versions.
Unauthenticated SQL Injection in GeekyBot <= 1.2.0 versions.
Unauthenticated SQL Injection in GeoDirectory <= 2.8.152 versions.
Unauthenticated SQL Injection in WP Photo Album Plus <= 9.1.08.001 versions.
Unauthenticated SQL Injection in Form Maker by 10Web <= 1.15.38 versions.
Unauthenticated SQL Injection in Simply Schedule Appointments <= 1.6.9.27 versions.
Unauthenticated SQL Injection in WP Maps <= 4.9.1 versions.
Editor Remote Code Execution (RCE) in Responsive Slider by MetaSlider <= 3.106.0 versions.
Unauthenticated SQL Injection in Feed KuantoKusta for WooCommerce – Free <= 5.3 versions.
Unauthenticated Privilege Escalation in iControlWP <= 5.5.3 versions.
Unauthenticated PHP Object Injection in Broadcast Live Video < 7.1.3 versions.
Bernd Bestel grocy v4.6.0 was discovered to contain a SQL injection vulnerability in the product-group parameter at /stockreports/spendings. This vulnerability allows attackers to access sensitive …
A Server-Side Request Forgery (SSRF) in the automatic short URL title resolution component of shlink v5.0.1 allows attackers to scan internal resources via supplying a …
Incorrect access control in the webhook management component of Project Firefly III v6.5.9 allows attackers to scan internal resources via a crafted POST request.
An HTML injection vulnerability in the /src/highlight.rs component of matze wastebin v3.4.1 allows attackers to execute arbitrary scripts via a crafted payload.
An issue in the sendmail transport integration component of YouTransfer v1.0.6 allows attackers to execute arbitrary code via supplying a crafted request.
An arbitrary file upload vulnerability in the attachment handling component of flatnotes v5.5.4 allows attackers to execute arbitrary code via uploading a crafted HTML or …
An issue in the loopback request handling component of fossar selfoss v2.20-SNAPSHOT allows attackers to execute arbitrary commands and obtain sensitive information via supplying a …
An OS command injection vulnerability in the media archiving and export pipeline component of kanishka-linux Reminiscence v0.3.0 allows attackers to execute arbitrary commands via supplying …
An issue in the api/plugin.php component of Bludit v3.19.0 allows attackers to execute a directory traversal via supplying a crafted request.
Discuz! X5.0 releases 20260320 through 20260501 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to gain unauthorized access to database backup and restore …
Metacat is data repository software that helps researchers preserve, share, and discover data. Versions 2.0.0 and and above contain an unauthenticated SQL injection in the …
In OCaml-tar before 3.4.0, a crafted archive with ../ path segments in its name allows escaping the current working directory. This is not desired behavior, …
In OCaml-TLS before 2.1.0, the client implementation does insufficient checks of the certificate provided by the server, which allows impersonation with certificates that are not …
Datadog, Inc Vector v0.54.0 was discovered to contain a SQL injection vulnerability in the set_uri_query parameter in the KeyPartitioner::partition function. This vulnerability allows attackers to …
An issue in SNMP4J-Agent 3.8.3 allows a remote attacker to execute arbitrary code via the snmp4jCfgStoragePath component.
RuoYi v4.8.2 is vulnerable to SQL Injection via the /tool/gen/createTable endpoint. The issue affects the code generation module and may allow an authenticated attacker with …
Bludit CMS before version 3.18.4 allows Remote Code Execution (RCE) via the API Plugin. The POST /api/files/{key} endpoint in bl-plugins/api/plugin.php fails to perform authorization checks …
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_ims_on_with_apn via the ims_apn parameter.
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_dial_call via the dialNumber parameter.
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_radio_on_with_ia_apn via the ia parameter.
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_rat_mode via the ratMode parameter.
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_volume via the volume parameter.
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_unlock_sim via the pin parameter.
ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter …
remotion-dev remotion v4.0.409 was discovered to contain an arbitrary file write vulnerability.
remotion-dev remotion v4.0.409 was discovered to contain a remote code execution (RCE) vulnerability.
Fortra's Core Privileged Access Manager (BoKS) contains an OS command injection vulnerability in the boks_autoregisterd service. A remote attacker with network access to the service …
Improper Control of Generation of Code ('Code Injection') vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code Inclusion. This issue affects WooCommerce PDF …
WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php …
The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend …
Free website and port scanning — find vulnerabilities before attackers do.