CVE Database

9306+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-21534
9.8 CRITICAL

All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on …

Oct 11, 2024
CVE-2024-9822
9.8 CRITICAL

The Pedalo Connector plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.5. This is due to insufficient restriction on …

Oct 11, 2024
CVE-2024-47871
9.1 CRITICAL

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **insecure communication** between the FRP (Fast Reverse Proxy) client and server when …

Oct 10, 2024
CVE-2024-9487
9.1 CRITICAL

An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowed SAML SSO authentication to be bypassed resulting in unauthorized provisioning …

Oct 10, 2024
CVE-2024-47167
9.8 CRITICAL

Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to **Server-Side Request Forgery (SSRF)** in the `/queue/join` endpoint. Gradio’s `async_save_url_to_cache` function …

Oct 10, 2024
CVE-2024-47636
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in eyecix JobSearch wp-jobsearch allows Object Injection.This issue affects JobSearch: from n/a through <= 2.5.9.

Oct 10, 2024
CVE-2024-9201
9.4 CRITICAL

The SEUR plugin, in its versions prior to 2.5.11, is vulnerable to time-based SQL injection through the use of the ‘id_order’ parameter of the ‘/modules/seur/ajax/saveCodFee.php’ …

Oct 10, 2024
CVE-2024-45115
9.8 CRITICAL

Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could …

Oct 10, 2024
CVE-2024-9798
9.0 CRITICAL

The health endpoint is public so everybody can see a list of all services. It is potentially valuable information for attackers.

Oct 10, 2024
CVE-2024-9796
9.8 CRITICAL

The WP-Advanced-Search WordPress plugin before 3.3.9.2 does not sanitize and escape the t parameter before using it in a SQL statement, allowing unauthenticated users to …

Oct 10, 2024
CVE-2024-9518
9.8 CRITICAL

The UserPlus plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.0 due to insufficient restriction on the 'form_actions' and …

Oct 10, 2024
CVE-2024-48949
9.1 CRITICAL

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.

Oct 10, 2024
CVE-2024-47832
9.8 CRITICAL

ssoready is a single sign on provider implemented via docker. Affected versions are vulnerable to XML signature bypass attacks. An attacker can carry out signature …

Oct 9, 2024
CVE-2024-9465
9.1 CRITICAL KEV

An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, …

Oct 9, 2024
CVE-2024-45746
9.8 CRITICAL

An issue was discovered in Trusted Firmware-M through 2.1.0. User provided (and controlled) mailbox messages contain a pointer to a list of input arguments (in_vec) …

Oct 9, 2024
CVE-2024-25825
9.8 CRITICAL

FydeOS for PC 17.1 R114, FydeOS for VMware 17.0 R114, FydeOS for You 17.1 R114, and OpenFyde R114 were discovered to be configured with the …

Oct 9, 2024
CVE-2024-8015
9.1 CRITICAL

In Progress Telerik Report Server versions prior to 2024 Q3 (10.2.24.924), a remote code execution attack is possible through object injection via an insecure type …

Oct 9, 2024
CVE-2024-9680
9.8 CRITICAL KEV

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this …

Oct 9, 2024
CVE-2023-46586
9.1 CRITICAL

cgi.c in weborf .0.17, 0.18, 0.19, and 0.20 (before 1.0) lacks '\0' termination of the path for CGI scripts because strncpy is misused.

Oct 9, 2024
CVE-2024-45160
9.1 CRITICAL

Incorrect credential validation in LemonLDAP::NG 2.18.x and 2.19.x before 2.19.2 allows attackers to bypass OAuth2 client authentication via an empty client_password parameter (client secret).

Oct 9, 2024
CVE-2024-32608
9.8 CRITICAL

HDF5 library through 1.14.3 has memory corruption in H5A__close resulting in the corruption of the instruction pointer and causing denial of service or potential code …

Oct 9, 2024
CVE-2024-47823
9.8 CRITICAL

Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file …

Oct 8, 2024
CVE-2024-43468
9.8 CRITICAL KEV

Microsoft Configuration Manager Remote Code Execution Vulnerability

Oct 8, 2024
CVE-2024-38124
9.0 CRITICAL

Windows Netlogon Elevation of Privilege Vulnerability

Oct 8, 2024
CVE-2024-45918
9.8 CRITICAL

Fujian Kelixin Communication Command and Dispatch Platform <=7.6.6.4391 is vulnerable to SQL Injection via /client/get_gis_fence.php.

Oct 8, 2024
CVE-2024-44349
9.8 CRITICAL

A SQL injection vulnerability in login portal in AnteeoWMS before v4.7.34 allows unauthenticated attackers to execute arbitrary SQL commands via the username parameter and disclosure …

Oct 8, 2024
CVE-2024-3057
9.8 CRITICAL

A flaw exists whereby a user can make a specific call to a FlashArray endpoint allowing privilege escalation.

Oct 8, 2024
CVE-2024-8884
9.8 CRITICAL

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists that could cause exposure of credentials when attacker has access to application on network …

Oct 8, 2024
CVE-2024-8943
9.8 CRITICAL

The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. This is due to insufficient verification on the …

Oct 8, 2024
CVE-2024-8911
9.8 CRITICAL

The LatePoint plugin for WordPress is vulnerable to Arbitrary User Password Change via SQL Injection in versions up to, and including, 5.0.11. This is due …

Oct 8, 2024
CVE-2024-47553
9.9 CRITICAL

A vulnerability has been identified in SINEC Security Monitor (All versions < V4.9.0). The affected application does not properly validate user input to the ```ssmctl-client``` …

Oct 8, 2024
CVE-2024-41798
9.8 CRITICAL

A vulnerability has been identified in SENTRON 7KM PAC3200 (All versions). Affected devices only provide a 4-digit PIN to protect from administrative access via Modbus …

Oct 8, 2024
CVE-2024-45874
9.8 CRITICAL

A DLL hijacking vulnerability in VegaBird Vooki 5.2.9 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the …

Oct 7, 2024
CVE-2024-45873
9.8 CRITICAL

A DLL hijacking vulnerability in VegaBird Yaazhini 2.0.2 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the …

Oct 7, 2024
CVE-2024-46076
9.8 CRITICAL

RuoYi v4.7.9 and before has a security flaw that allows escaping from comments within the code generation feature, enabling the injection of malicious code.

Oct 7, 2024
CVE-2024-46446
9.8 CRITICAL

Mecha CMS 3.0.0 is vulnerable to Directory Traversal. An attacker can construct cookies and URIs that bypass user identity checks. Parameters can then be passed …

Oct 7, 2024
CVE-2024-9574
9.8 CRITICAL

SQL injection vulnerability in SOPlanning <1.45, via /soplanning/www/user_groupes.php in the by parameter, which could allow a remote user to submit a specially crafted query, allowing …

Oct 7, 2024
CVE-2024-33066
9.8 CRITICAL

Memory corruption while redirecting log file to any file location with any file name.

Oct 7, 2024
CVE-2024-20103
9.8 CRITICAL

In wlan firmware, there is a possible out of bounds write due to improper input validation. This could lead to remote code execution with no …

Oct 7, 2024
CVE-2024-20101
9.8 CRITICAL

In wlan driver, there is a possible out of bounds write due to improper input validation. This could lead to remote code execution with no …

Oct 7, 2024
CVE-2024-20100
9.8 CRITICAL

In wlan driver, there is a possible out of bounds write due to improper input validation. This could lead to remote code execution with no …

Oct 7, 2024
CVE-2024-47350
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YITHEMES YITH WooCommerce Ajax Search yith-woocommerce-ajax-search.This issue affects YITH WooCommerce Ajax …

Oct 6, 2024
CVE-2024-45252
9.8 CRITICAL

Elsight – CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Oct 6, 2024
CVE-2024-45251
9.8 CRITICAL

Elsight – CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Oct 6, 2024
CVE-2024-45249
9.8 CRITICAL

Cavok – CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Oct 6, 2024
CVE-2024-44014
9.6 CRITICAL

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Vmax Studio Vmax Project Manager vmax-project-manager allows PHP Local File Inclusion.This issue …

Oct 5, 2024
CVE-2024-47849
9.8 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows SQL Injection.This issue affects …

Oct 5, 2024
CVE-2024-43685
9.8 CRITICAL

Improper Authentication vulnerability in Microchip TimeProvider 4100 (login modules) allows Session Hijacking.This issue affects TimeProvider 4100: from 1.0 before 2.4.7.

Oct 4, 2024
CVE-2023-26770
9.8 CRITICAL

TaskCafe 0.3.2 lacks validation in the Cookie value. Any unauthenticated attacker who knows a registered UserID can change the password of that user.

Oct 4, 2024
CVE-2024-47656
9.8 CRITICAL

This vulnerability exists in Shilpi Client Dashboard due to missing restrictions for incorrect login attempts on its API based login. A remote attacker could exploit …

Oct 4, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.