CVE Database

9306+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-8621
9.9 CRITICAL

The Daily Prayer Time plugin for WordPress is vulnerable to SQL Injection via the 'max_word' attribute of the 'quran_verse' shortcode in all versions up to, …

Sep 25, 2024
CVE-2024-8485
9.8 CRITICAL

The REST API TO MiniProgram plugin for WordPress is vulnerable to privilege escalation via account takeovr in all versions up to, and including, 4.7.1 via …

Sep 25, 2024
CVE-2024-9148
9.6 CRITICAL

Flowise < 2.1.1 suffers from a Stored Cross-Site vulnerability due to a lack of input sanitization in Flowise Chat Embed < 2.0.0.

Sep 25, 2024
CVE-2024-9142
9.8 CRITICAL

External Control of File Name or Path, : Incorrect Permission Assignment for Critical Resource vulnerability in Olgu Computer Systems e-Belediye allows Manipulating Web Input to …

Sep 25, 2024
CVE-2024-8940
10.0 CRITICAL

Vulnerability in the Scriptcase application version 9.4.019, which involves the arbitrary upload of a file via /scriptcase/devel/lib/third/jquery_plugin/jQuery-File-Upload/server/php/ via a POST request. An attacker could upload …

Sep 25, 2024
CVE-2024-8878
9.8 CRITICAL

The password recovery mechanism for the forgotten password in Riello Netman 204 allows an attacker to reset the admin password and take over control of …

Sep 25, 2024
CVE-2024-8877
9.8 CRITICAL

Improper neutralization of special elements results in a SQL Injection vulnerability in Riello Netman 204. It is only limited to the SQLite database of measurement …

Sep 25, 2024
CVE-2024-8436
9.9 CRITICAL

The WP Easy Gallery – WordPress Gallery Plugin plugin for WordPress is vulnerable to SQL Injection via the 'edit_imageId' and 'edit_imageDelete' parameters in all versions …

Sep 25, 2024
CVE-2024-46957
9.8 CRITICAL

Mellium mellium.im/xmpp 0.0.1 through 0.21.4 allows response spoofing if the implementation uses predictable IDs because the stanza type is not checked. This is fixed in …

Sep 25, 2024
CVE-2024-46612
9.8 CRITICAL

IceCMS v3.4.7 and before was discovered to contain a hardcoded JWT key, allowing an attacker to forge JWT authentication information.

Sep 25, 2024
CVE-2024-45066
10.0 CRITICAL

A specially crafted POST request to the ProGauge MAGLINK LX CONSOLE IP sub-menu can allow a remote attacker to inject arbitrary commands.

Sep 25, 2024
CVE-2024-43693
10.0 CRITICAL

A specially crafted POST request to the ProGauge MAGLINK LX CONSOLE UTILITY sub-menu can allow a remote attacker to inject arbitrary commands.

Sep 25, 2024
CVE-2024-43692
9.8 CRITICAL

An attacker can directly request the ProGauge MAGLINK LX CONSOLE resource sub page with full privileges by requesting the URL directly.

Sep 25, 2024
CVE-2024-43423
9.8 CRITICAL

The web application for ProGauge MAGLINK LX4 CONSOLE contains an administrative-level user account with a password that cannot be changed.

Sep 25, 2024
CVE-2024-42797
9.8 CRITICAL

An Incorrect Access Control vulnerability was found in /music/ajax.php?action=delete_playlist in Kashipara Music Management System v1.0. This vulnerability allows an unauthenticated attacker to delete the valid …

Sep 25, 2024
CVE-2024-42507
9.8 CRITICAL

Command injection vulnerabilities in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's …

Sep 25, 2024
CVE-2024-42506
9.8 CRITICAL

Command injection vulnerabilities in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's …

Sep 25, 2024
CVE-2024-42505
9.8 CRITICAL

Command injection vulnerabilities in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's …

Sep 25, 2024
CVE-2023-26689
9.8 CRITICAL

An issue discovered in CS-Cart MultiVendor 4.16.1 allows attackers to alter arbitrary user account profiles via crafted post request.

Sep 25, 2024
CVE-2023-26686
9.8 CRITICAL

File Upload vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to run arbitrary code via the image upload feature when customizing a shop.

Sep 25, 2024
CVE-2024-8791
9.8 CRITICAL

The Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress plugin for WordPress is vulnerable to privilege escalation in all versions up …

Sep 24, 2024
CVE-2024-8671
9.1 CRITICAL

The WooEvents - Calendar and Event Booking plugin for WordPress is vulnerable to arbitrary file overwrite due to insufficient file path validation in the inc/barcode.php …

Sep 24, 2024
CVE-2024-8624
9.9 CRITICAL

The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to SQL Injection via the 'meta_key' attribute of the 'mdf_select_title' shortcode in …

Sep 24, 2024
CVE-2024-7024
9.6 CRITICAL

Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. …

Sep 23, 2024
CVE-2024-47222
9.8 CRITICAL

New Cloud MyOffice SDK Collaborative Editing Server 2.2.2 through 2.8 allows SSRF via manipulation of requests from external document storage via the MS-WOPI protocol.

Sep 23, 2024
CVE-2024-0005
9.1 CRITICAL

A condition exists in FlashArray and FlashBlade Purity whereby a malicious user could execute arbitrary commands remotely through a specifically crafted SNMP configuration.

Sep 23, 2024
CVE-2024-0004
9.1 CRITICAL

A condition exists in FlashArray Purity whereby an user with array admin role can execute arbitrary commands remotely to escalate privilege on the array.

Sep 23, 2024
CVE-2024-0003
9.1 CRITICAL

A condition exists in FlashArray Purity whereby a malicious user could use a remote administrative service to create an account on the array allowing privileged …

Sep 23, 2024
CVE-2024-0002
10.0 CRITICAL

A condition exists in FlashArray Purity whereby an attacker can employ a privileged account allowing remote access to the array.

Sep 23, 2024
CVE-2024-0001
10.0 CRITICAL

A condition exists in FlashArray Purity whereby a local account intended for initial array configuration remains active potentially allowing a malicious actor to gain elevated …

Sep 23, 2024
CVE-2024-9014
9.9 CRITICAL

pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially obtain the client ID …

Sep 23, 2024
CVE-2024-47066
9.0 CRITICAL

Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.19.13, server-side request forgery protection implemented in `src/app/api/proxy/route.ts` does not consider redirect and …

Sep 23, 2024
CVE-2024-46997
9.8 CRITICAL

DataEase is an open source data visualization analysis tool. Prior to version 2.10.1, an attacker can achieve remote command execution by adding a carefully constructed …

Sep 23, 2024
CVE-2024-34331
9.8 CRITICAL

A lack of code signature verification in Parallels Desktop for Mac v19.3.0 and below allows attackers to escalate privileges via a crafted macOS installer, because …

Sep 23, 2024
CVE-2024-47219
9.8 CRITICAL

An issue was discovered in vesoft NebulaGraph through 3.8.0. It allows shell command injection.

Sep 22, 2024
CVE-2024-47218
9.8 CRITICAL

An issue was discovered in vesoft NebulaGraph through 3.8.0. It allows bypassing authentication.

Sep 22, 2024
CVE-2024-46640
9.8 CRITICAL

SeaCMS 13.2 has a remote code execution vulnerability located in the file sql.class.chp. Although the system has a check function, the check function is not …

Sep 20, 2024
CVE-2024-46103
9.8 CRITICAL

SEMCMS 4.8 is vulnerable to SQL Injection via SEMCMS_Main.php.

Sep 20, 2024
CVE-2024-46101
9.8 CRITICAL

GDidees CMS <= v3.9.1 has a file upload vulnerability.

Sep 20, 2024
CVE-2024-45489
9.8 CRITICAL

Arc before 2024-08-26 allows remote code execution in JavaScript boosts. Boosts that run JavaScript cannot be shared by default; however (because of misconfigured Firebase ACLs), …

Sep 20, 2024
CVE-2024-46652
9.8 CRITICAL

Tenda AC8v4 V16.03.34.06 has a stack overflow vulnerability in the fromAdvSetMacMtuWan function.

Sep 20, 2024
CVE-2024-9043
9.8 CRITICAL

Secure Email Gateway from Cellopoint has Buffer Overflow Vulnerability in authentication process. Remote unauthenticated attackers can send crafted packets to crash the process, thereby bypassing …

Sep 20, 2024
CVE-2024-8853
9.8 CRITICAL

The Webo-facto plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.40 due to insufficient restriction on the 'doSsoAuthentification' function. …

Sep 20, 2024
CVE-2024-46983
9.8 CRITICAL

sofa-hessian is an internal improved version of Hessian3/4 powered by Ant Group CO., Ltd. The SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization …

Sep 19, 2024
CVE-2024-45410
9.8 CRITICAL

Traefik is a golang, Cloud Native Application Proxy. When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are …

Sep 19, 2024
CVE-2023-27584
9.8 CRITICAL

Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation (CNCF) as an Incubating …

Sep 19, 2024
CVE-2024-40125
9.8 CRITICAL

An arbitrary file upload vulnerability in the Media Manager function of Closed-Loop Technology CLESS Server v4.5.2 allows attackers to execute arbitrary code via uploading a …

Sep 19, 2024
CVE-2024-33109
9.9 CRITICAL

Directory Traversal in the web interface of the Tiptel IP 286 with firmware version 2.61.13.10 allows attackers to overwrite arbitrary files on the phone via …

Sep 19, 2024
CVE-2024-8963
9.4 CRITICAL KEV

Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.

Sep 19, 2024
CVE-2024-31570
9.8 CRITICAL

libfreeimage in FreeImage 3.4.0 through 3.18.0 has a stack-based buffer overflow in the PluginXPM.cpp Load function via an XPM file.

Sep 19, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.