CVE Database

9306+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-45367
9.1 CRITICAL

The web server for ONS-S8 - Spectra Aggregation Switch includes an incomplete authentication process, which can lead to an attacker authenticating without a password.

Oct 3, 2024
CVE-2024-43699
9.8 CRITICAL

Delta Electronics DIAEnergie is vulnerable to an SQL injection in the script AM_RegReport.aspx. An unauthenticated attacker may be able to exploit this issue to obtain …

Oct 3, 2024
CVE-2024-41925
9.8 CRITICAL

The web service for ONS-S8 - Spectra Aggregation Switch includes functions which do not properly validate user input, allowing an attacker to traverse directories, bypass …

Oct 3, 2024
CVE-2024-41593
9.8 CRITICAL

DrayTek Vigor310 devices through 4.3.2.6 allow a remote attacker to execute arbitrary code via the function ft_payload_dns(), because a byte sign-extension operation occurs for the …

Oct 3, 2024
CVE-2024-7826
9.8 CRITICAL

Improper Check for Unusual or Exceptional Conditions vulnerability in Webroot SecureAnywhere - Web Shield on Windows, ARM, 64 bit, 32 bit (wrURL.Dll modules) allows Functionality …

Oct 3, 2024
CVE-2024-7825
9.8 CRITICAL

Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in Webroot SecureAnywhere - Web Shield on Windows, ARM, 64 bit, 32 bit (wrUrl.Dll modules) allows …

Oct 3, 2024
CVE-2024-7824
9.8 CRITICAL

Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in Webroot SecureAnywhere - Web Shield on Windows, ARM, 64 bit, 32 bit (wrUrl.Dll modules) allows …

Oct 3, 2024
CVE-2024-45519
10.0 CRITICAL KEV

The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows …

Oct 2, 2024
CVE-2024-24117
9.8 CRITICAL

Insecure Permissions vulnerability in Ruijie RG-NBS2009G-P RGOS v.10.4(1)P2 Release (9736) allows a remote attacker to gain privileges via the login check state component.

Oct 2, 2024
CVE-2024-9441
9.8 CRITICAL

The Linear eMerge e3-Series through version 1.00-07 is vulnerable to an OS command injection vulnerability. A remote and unauthenticated attacker can execute arbitrary OS commands …

Oct 2, 2024
CVE-2024-24116
9.8 CRITICAL

An issue in Ruijie RG-NBS2009G-P RGOS v.10.4(1)P2 Release(9736) allows a remote attacker to gain privileges via the system/config_menu.htm.

Oct 2, 2024
CVE-2024-20432
9.9 CRITICAL

A vulnerability in the REST API and web UI of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, low-privileged, remote attacker to perform …

Oct 2, 2024
CVE-2024-6360
9.8 CRITICAL

Incorrect Permission Assignment for Critical Resource vulnerability in OpenText™ Vertica could allow Privilege Abuse and result in unauthorized access or privileges to Vertica agent apikey. …

Oct 2, 2024
CVE-2024-44097
9.8 CRITICAL

According to the researcher: "The TLS connections are encrypted against tampering or eavesdropping. However, the application does not validate the server certificate properly while initializing …

Oct 2, 2024
CVE-2024-35293
9.1 CRITICAL

An unauthenticated remote attacker may use a missing authentication for critical function vulnerability to reboot or erase the affected devices resulting in data loss and/or …

Oct 2, 2024
CVE-2024-45186
9.8 CRITICAL

FileSender before 2.49 allows server-side template injection (SSTI) for retrieving credentials.

Oct 2, 2024
CVE-2024-45999
9.8 CRITICAL

A SQL Injection vulnerability was discovered in Cloudlog 2.6.15, specifically within the get_station_info()function located in the file /application/models/Oqrs_model.php. The vulnerability is exploitable via the station_id …

Oct 1, 2024
CVE-2024-47608
9.8 CRITICAL

Logicytics is designed to harvest and collect data for forensic analysis. Logicytics has a basic vuln affecting compromised devices from shell injections. This vulnerability is …

Oct 1, 2024
CVE-2024-9402
9.8 CRITICAL

Memory safety bugs present in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2. Some of these bugs showed evidence of memory corruption and we presume …

Oct 1, 2024
CVE-2024-9401
9.8 CRITICAL

Memory safety bugs present in Firefox 130, Firefox ESR 115.15, Firefox ESR 128.2, and Thunderbird 128.2. Some of these bugs showed evidence of memory corruption …

Oct 1, 2024
CVE-2024-9392
9.8 CRITICAL

A compromised content process could have allowed for the arbitrary loading of cross-origin pages. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox …

Oct 1, 2024
CVE-2024-25660
9.0 CRITICAL

The WebDAV service in Infinera TNMS (Transcend Network Management System) 19.10.3 allows a low-privileged remote attacker to conduct unauthorized file operations, because of execution with …

Oct 1, 2024
CVE-2024-41276
9.8 CRITICAL

A vulnerability in Kaiten version 57.131.12 and earlier allows attackers to bypass the PIN code authentication mechanism. The application requires users to input a 6-digit …

Oct 1, 2024
CVE-2024-9289
9.8 CRITICAL

The WordPress & WooCommerce Affiliate Program plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 8.4.1. This is due …

Oct 1, 2024
CVE-2024-9265
9.8 CRITICAL

The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.4.6. This is due …

Oct 1, 2024
CVE-2024-9108
9.8 CRITICAL

The Wechat Social login plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'convert_remoteimage_to_local' function in versions …

Oct 1, 2024
CVE-2024-9106
9.8 CRITICAL

The Wechat Social login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.3.0. This is due to insufficient verification …

Oct 1, 2024
CVE-2024-9194
9.8 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Linux and Microsoft Windows Octopus Server on Windows, Linux allows SQL …

Sep 30, 2024
CVE-2024-42017
10.0 CRITICAL

An issue was discovered in Atos Eviden iCare 2.7.1 through 2.7.11. The application exposes a web interface locally. In the worst-case scenario, if the application …

Sep 30, 2024
CVE-2024-46293
9.8 CRITICAL

Sourcecodester Online Medicine Ordering System 1.0 is vulnerable to Incorrect Access Control. There is a lack of authorization checks for admin operations. Specifically, an attacker …

Sep 30, 2024
CVE-2024-8456
9.8 CRITICAL

Certain switch models from PLANET Technology lack proper access control in firmware upload and download functionality, allowing unauthenticated remote attackers to download and upload firmware …

Sep 30, 2024
CVE-2024-8353
9.8 CRITICAL

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1 …

Sep 28, 2024
CVE-2024-46256
9.8 CRITICAL

A Command injection vulnerability in requestLetsEncryptSsl in NginxProxyManager 2.11.3 allows an attacker to RCE via Add Let's Encrypt Certificate.

Sep 27, 2024
CVE-2024-8630
9.4 CRITICAL

Alisonic Sibylla devices are vulnerable to SQL injection attacks, which could allow complete access to the database.

Sep 27, 2024
CVE-2024-8310
9.8 CRITICAL

OPW Fuel Management Systems SiteSentinel could allow an attacker to bypass authentication to the server and obtain full admin privileges.

Sep 27, 2024
CVE-2024-6981
9.8 CRITICAL

OMNTEC Proteus Tank Monitoring OEL8000III Series could allow an attacker to perform administrative actions without proper authentication.

Sep 27, 2024
CVE-2024-46367
9.6 CRITICAL

A Stored Cross-Site Scripting (XSS) vulnerability in Webkul Krayin CRM 1.3.0 allows remote attackers to inject arbitrary JavaScript code by submitting a malicious payload within …

Sep 27, 2024
CVE-2024-47070
9.0 CRITICAL

authentik is an open-source identity provider. A vulnerability that exists in versions prior to 2024.8.3 and 2024.6.5 allows bypassing password login by adding X-Forwarded-For header …

Sep 27, 2024
CVE-2024-8643
9.8 CRITICAL

Session Fixation vulnerability in Oceanic Software ValeApp allows Brute Force, Session Hijacking.This issue affects ValeApp: before v2.0.0.

Sep 27, 2024
CVE-2024-8607
9.8 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Oceanic Software ValeApp allows SQL Injection.This issue affects ValeApp: before v2.0.0.

Sep 27, 2024
CVE-2024-46628
9.8 CRITICAL

Tenda G3 Router firmware v15.03.05.05 was discovered to contain a remote code execution (RCE) vulnerability via the usbPartitionName parameter in the formSetUSBPartitionUmount function.

Sep 26, 2024
CVE-2024-46627
9.1 CRITICAL

Incorrect access control in BECN DATAGERRY v2.2 allows attackers to execute arbitrary commands via crafted web requests.

Sep 26, 2024
CVE-2024-7108
9.8 CRITICAL

Incorrect Authorization vulnerability in National Keep Cyber Security Services CyberMath allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects CyberMath: before CYBM.240816253.

Sep 26, 2024
CVE-2024-0132
9.0 CRITICAL

NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain …

Sep 26, 2024
CVE-2024-7772
9.8 CRITICAL

The Jupiter X Core plugin for WordPress is vulnerable to arbitrary file uploads due to a mishandled file type validation in the 'validate' function in …

Sep 26, 2024
CVE-2024-6593
9.1 CRITICAL

Incorrect Authorization vulnerability in WatchGuard Authentication Gateway (aka Single Sign-On Agent) on Windows allows an attacker with network access to execute restricted management commands. This …

Sep 25, 2024
CVE-2024-6592
9.1 CRITICAL

Incorrect Authorization vulnerability in the protocol communication between the WatchGuard Authentication Gateway (aka Single Sign-On Agent) on Windows and the WatchGuard Single Sign-On Client on …

Sep 25, 2024
CVE-2024-8275
9.8 CRITICAL

The The Events Calendar plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'tribe_has_next_event' function in all versions up to, …

Sep 25, 2024
CVE-2024-8514
9.1 CRITICAL

The Prisna GWT – Google Website Translator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.11 via …

Sep 25, 2024
CVE-2024-7385
9.1 CRITICAL

The WordPress Simple HTML Sitemap plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 3.1 …

Sep 25, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.