CVE Database

9306+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-48779
9.8 CRITICAL

An issue in Wanxing Technology's Yitu project Management Software 3.2.2 allows a remote attacker to execute arbitrary code via the platformpluginpath parameter to specify that …

Oct 15, 2024
CVE-2024-48411
9.8 CRITICAL

itsourcecode Online Tours and Travels Management System v1.0 is vulnerable to SQL Injection (SQLI) via a crafted payload to the val-email parameter in forget_password.php.

Oct 15, 2024
CVE-2024-49195
9.8 CRITICAL

Mbed TLS 3.5.x through 3.6.x before 3.6.2 has a buffer underrun in pkwrite when writing an opaque key pair

Oct 15, 2024
CVE-2024-21216
9.8 CRITICAL

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability …

Oct 15, 2024
CVE-2024-21172
9.0 CRITICAL

Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hospitality Applications (component: Opera Servlet). Supported versions that are affected are 5.6.19.19, 5.6.25.8 and 5.6.26.4. …

Oct 15, 2024
CVE-2024-48914
9.1 CRITICAL

Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability in Vendure's asset server plugin allows an attacker to craft …

Oct 15, 2024
CVE-2024-48283
9.8 CRITICAL

Phpgurukul User Registration & Login and User Management System 3.2 is vulnerable to SQL Injection in /admin//search-result.php via the searchkey parameter.

Oct 15, 2024
CVE-2024-49388
9.1 CRITICAL

Sensitive information manipulation due to improper authorization. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 38690.

Oct 15, 2024
CVE-2024-45275
9.8 CRITICAL

The devices contain two hard coded user accounts with hardcoded passwords that allow an unauthenticated remote attacker for full control of the affected devices.

Oct 15, 2024
CVE-2024-45274
9.8 CRITICAL

An unauthenticated remote attacker can execute OS commands via UDP on the device due to missing authentication.

Oct 15, 2024
CVE-2024-47945
9.8 CRITICAL

The devices are vulnerable to session hijacking due to insufficient entropy in its session ID generation algorithm. The session IDs are predictable, with only 32,768 …

Oct 15, 2024
CVE-2024-9985
10.0 CRITICAL

Enterprise Cloud Database from Ragic does not properly validate the file type for uploads. Attackers with regular privileges can upload a webshell and use it …

Oct 15, 2024
CVE-2024-9984
9.8 CRITICAL

Enterprise Cloud Database from Ragic does not authenticate access to specific functionality, allowing unauthenticated remote attackers to use this functionality to obtain any user's session …

Oct 15, 2024
CVE-2024-9925
9.8 CRITICAL

SQL injection vulnerability in TAI Smart Factory's QPLANT SF version 1.0. Exploitation of this vulnerability could allow a remote attacker to retrieve all database information …

Oct 15, 2024
CVE-2024-47943
9.8 CRITICAL

The firmware upgrade function in the admin web interface of the Rittal IoT Interface & CMC III Processing Unit devices checks if the patch files …

Oct 15, 2024
CVE-2024-9982
9.8 CRITICAL

AIM LINE Marketing Platform from Esi Technology does not properly validate a specific query parameter. When the LINE Campaign Module is enabled, unauthenticated remote attackers …

Oct 15, 2024
CVE-2024-9972
9.8 CRITICAL

Property Management System from ChanGate has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database …

Oct 15, 2024
CVE-2024-48823
9.8 CRITICAL

Local file inclusion in Automatic Systems Maintenance SlimLane 29565_d74ecce0c1081d50546db573a499941b10799fb7 allows a remote attacker to escalate privileges via the PassageAutoServer.php page.

Oct 14, 2024
CVE-2023-48082
9.1 CRITICAL

Nagios XI before 2024R1 was discovered to improperly handle API keys generation (randomly-generated), allowing attackers to possibly generate the same set of API keys for …

Oct 14, 2024
CVE-2024-48168
9.8 CRITICAL

A stack overflow vulnerability exists in the sub_402280 function of the HNAP service of D-Link DCS-960L 1.09, allowing an attacker to execute arbitrary code.

Oct 14, 2024
CVE-2024-46535
9.8 CRITICAL

Jepaas v7.2.8 was discovered to contain a SQL injection vulnerability via the orderSQL parameter at /homePortal/loadUserMsg.

Oct 14, 2024
CVE-2024-48153
9.8 CRITICAL

DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the get_subconfig function.

Oct 14, 2024
CVE-2024-48150
9.8 CRITICAL

D-Link DIR-820L 1.05B03 has a stack overflow vulnerability in the sub_451208 function.

Oct 14, 2024
CVE-2024-48257
9.8 CRITICAL

Wavelog 1.8.5 allows Oqrs_model.php get_worked_modes station_id SQL injectioin.

Oct 14, 2024
CVE-2024-48251
9.8 CRITICAL

Wavelog 1.8.5 allows Activated_gridmap_model.php get_band_confirmed SQL injection via band, sat, propagation, or mode.

Oct 14, 2024
CVE-2024-48255
9.8 CRITICAL

Cloudlog 2.6.15 allows Oqrs.php get_station_info station_id SQL injection.

Oct 14, 2024
CVE-2024-48253
9.8 CRITICAL

Cloudlog 2.6.15 allows Oqrs.php delete_oqrs_line id SQL injection.

Oct 14, 2024
CVE-2024-9137
9.4 CRITICAL

The affected product lacks an authentication check when sending commands to the server via the Moxa service. This vulnerability allows an attacker to execute specified …

Oct 14, 2024
CVE-2024-9924
9.8 CRITICAL

The fix for CVE-2024-26261 was incomplete, and and the specific package for OAKlouds from Hgiga remains at risk. Unauthenticated remote attackers still can download arbitrary …

Oct 14, 2024
CVE-2024-9921
9.8 CRITICAL

The Team+ from TEAMPLUS TECHNOLOGY does not properly validate specific page parameter, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify and …

Oct 14, 2024
CVE-2024-7099
9.8 CRITICAL

netease-youdao/qanything version 1.4.1 contains a vulnerability where unsafe data obtained from user input is concatenated in SQL queries, leading to SQL injection. The affected functions …

Oct 13, 2024
CVE-2024-9047
9.8 CRITICAL

The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. This makes it …

Oct 12, 2024
CVE-2024-48772
9.1 CRITICAL

An issue in C-CHIP (com.cchip.cchipamaota) v.1.2.8 allows a remote attacker to obtain sensitive information via the firmware update process.

Oct 11, 2024
CVE-2024-48787
9.1 CRITICAL

An issue in Revic Optics Revic Ops (us.revic.revicops) 1.12.5 allows a remote attacker to obtain sensitive information via the firmware update process.

Oct 11, 2024
CVE-2024-48786
9.1 CRITICAL

An issue in SWITCHBOT INC SwitchBot (com.theswitchbot.switchbot) 5.0.4 allows a remote attacker to obtain sensitive information via the firmware update process.

Oct 11, 2024
CVE-2024-48784
9.8 CRITICAL

An Incorrect Access Control issue in SAMPMAX com.sampmax.homemax 2.1.2.7 allows a remote attacker to obtain sensitive information via the firmware update process.

Oct 11, 2024
CVE-2024-48778
9.1 CRITICAL

An issue in GIANT MANUFACTURING CO., LTD RideLink (tw.giant.ridelink) 2.0.7 allows a remote attacker to obtain sensitive information via the firmware update process.

Oct 11, 2024
CVE-2024-48769
9.1 CRITICAL

An issue in BURG-WCHTER KG de.burgwachter.keyapp.app 4.5.0 allows a remote attacker to obtain sensitve information via the firmware update process.

Oct 11, 2024
CVE-2024-48033
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in baptiste.gourdin Talkback talkback-secure-linkback-protocol allows Object Injection.This issue affects Talkback: from n/a through <= 1.0.

Oct 11, 2024
CVE-2024-47331
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ninja Team Multi Step for Contact Form cf7-multi-step allows SQL Injection.This …

Oct 11, 2024
CVE-2024-46532
9.8 CRITICAL

SQL Injection vulnerability in OpenHIS v.1.0 allows an attacker to execute arbitrary code via the refund function in the PayController.class.php component.

Oct 11, 2024
CVE-2024-46088
9.8 CRITICAL

An arbitrary file upload vulnerability in the ProductAction.entphone interface of Zhejiang University Entersoft Customer Resource Management System v2002 to v2024 allows attackers to execute arbitrary …

Oct 11, 2024
CVE-2024-44730
9.1 CRITICAL

Incorrect access control in the function handleDataChannelChat(dataMessage) of Mirotalk before commit c21d58 allows attackers to forge chat messages using an arbitrary sender name.

Oct 11, 2024
CVE-2024-42640
9.8 CRITICAL

angular-base64-upload prior to v0.1.21 is vulnerable to unauthenticated remote code execution via demo/server.php. Exploiting this vulnerability allows an attacker to upload arbitrary content to the …

Oct 11, 2024
CVE-2024-47875
10.0 CRITICAL

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 …

Oct 11, 2024
CVE-2024-47830
9.3 CRITICAL

Plane is an open-source project management tool. Plane uses the ** wildcard support to retrieve the image from any hostname as in /web/next.config.js. This may …

Oct 11, 2024
CVE-2024-47074
9.8 CRITICAL

DataEase is an open source data visualization analysis tool. In Dataease, the PostgreSQL data source in the data source function can customize the JDBC connection …

Oct 11, 2024
CVE-2024-9707
9.8 CRITICAL

The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in …

Oct 11, 2024
CVE-2024-9234
9.8 CRITICAL

The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a …

Oct 11, 2024
CVE-2024-9164
9.6 CRITICAL

An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from …

Oct 11, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.