CVE Database

9306+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-42559
9.8 CRITICAL

An issue in the login component (process_login.php) of Hotel Management System commit 79d688 allows attackers to authenticate without providing a valid password.

Aug 20, 2024
CVE-2024-42558
9.8 CRITICAL

Hotel Management System commit 91caab8 was discovered to contain a SQL injection vulnerability via the book_id parameter at admin_modify_room.php.

Aug 20, 2024
CVE-2024-42556
9.8 CRITICAL

Hotel Management System commit 91caab8 was discovered to contain a SQL injection vulnerability via the room_type parameter at admin_room_removed.php.

Aug 20, 2024
CVE-2024-43202
9.8 CRITICAL

Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.2. We recommend users to upgrade Apache DolphinScheduler to version 3.2.2, …

Aug 20, 2024
CVE-2024-6847
9.8 CRITICAL

The Chatbot with ChatGPT WordPress plugin before 2.4.5 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to …

Aug 20, 2024
CVE-2024-7777
9.0 CRITICAL

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable …

Aug 20, 2024
CVE-2024-5932
10.0 CRITICAL

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 …

Aug 20, 2024
CVE-2024-43354
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in Saad Iqbal myCred mycred.This issue affects myCred: from n/a through <= 2.7.2.

Aug 19, 2024
CVE-2024-43311
9.8 CRITICAL

Improper Privilege Management vulnerability in Geek Code Lab Login As Users allows Privilege Escalation.This issue affects Login As Users: from n/a through 1.4.2.

Aug 19, 2024
CVE-2024-42815
9.8 CRITICAL

In the TP-Link RE365 V1_180213, there is a buffer overflow vulnerability due to the lack of length verification for the USER_AGENT field in /usr/bin/httpd. Attackers …

Aug 19, 2024
CVE-2024-42813
9.8 CRITICAL

In TRENDnet TEW-752DRU FW1.03B01, there is a buffer overflow vulnerability due to the lack of length verification for the service field in gena.cgi. Attackers who …

Aug 19, 2024
CVE-2024-42812
9.8 CRITICAL

In D-Link DIR-860L v2.03, there is a buffer overflow vulnerability due to the lack of length verification for the SID field in gena.cgi. Attackers who …

Aug 19, 2024
CVE-2024-43261
9.6 CRITICAL

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Hamed Naderfar Compute Links allows PHP Remote File Inclusion.This …

Aug 19, 2024
CVE-2024-43252
9.0 CRITICAL

Deserialization of Untrusted Data vulnerability in Crew HRM Crew HRM hr-management.This issue affects Crew HRM: from n/a through <= 1.1.1.

Aug 19, 2024
CVE-2024-43249
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Bit Apps Bit Form Pro allows Command Injection.This issue affects Bit Form Pro: from n/a through …

Aug 19, 2024
CVE-2024-43245
9.8 CRITICAL

Improper Privilege Management vulnerability in eyecix JobSearch allows Privilege Escalation.This issue affects JobSearch: from n/a through 2.3.4.

Aug 19, 2024
CVE-2024-43242
9.0 CRITICAL

Deserialization of Untrusted Data vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro.This issue affects Ultimate Membership Pro: from n/a through <= 12.7.

Aug 19, 2024
CVE-2024-43401
9.0 CRITICAL

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user without script/programming right can trick a …

Aug 19, 2024
CVE-2024-43400
9.0 CRITICAL

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script …

Aug 19, 2024
CVE-2024-43240
9.4 CRITICAL

Improper Authentication vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro.This issue affects Ultimate Membership Pro: from n/a through <= 12.7.

Aug 19, 2024
CVE-2024-42658
9.8 CRITICAL

An issue in wishnet Nepstech Wifi Router NTPL-XPON1GFEVN v1.0 allows a remote attacker to obtain sensitive information via the cookie's parameter

Aug 19, 2024
CVE-2024-37099
10.0 CRITICAL

Deserialization of Untrusted Data vulnerability in Liquid Web GiveWP allows Object Injection.This issue affects GiveWP: from n/a through 3.14.1.

Aug 19, 2024
CVE-2024-6330
9.8 CRITICAL

The GEO my WP WordPress plugin before 4.5.0.2 does not prevent unauthenticated attackers from including arbitrary files in PHP's execution context, which leads to Remote …

Aug 19, 2024
CVE-2024-44076
9.8 CRITICAL

In Microcks before 1.10.0, the POST /api/import and POST /api/export endpoints allow non-administrator access.

Aug 19, 2024
CVE-2024-6459
9.8 CRITICAL

The News Element Elementor Blog Magazine WordPress plugin before 1.0.6 is vulnerable to Local File Inclusion via the template parameter. This makes it possible for …

Aug 17, 2024
CVE-2024-6500
10.0 CRITICAL

The InPost for WooCommerce plugin and InPost PL plugin for WordPress are vulnerable to unauthorized access and deletion of data due to a missing capability …

Aug 17, 2024
CVE-2024-43042
9.8 CRITICAL

Pluck CMS 4.7.18 does not restrict failed login attempts, allowing attackers to execute a brute force attack.

Aug 16, 2024
CVE-2024-42850
9.8 CRITICAL

An issue in the password change function of Silverpeas v6.4.2 and lower allows for the bypassing of password complexity requirements.

Aug 16, 2024
CVE-2024-42639
9.8 CRITICAL

H3C GR1100-P v100R009 was discovered to use a hardcoded password in /etc/shadow, which allows attackers to log in as root.

Aug 16, 2024
CVE-2024-42638
9.8 CRITICAL

H3C Magic B1ST v100R012 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root.

Aug 16, 2024
CVE-2024-42637
9.8 CRITICAL

H3C R3010 v100R002L02 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root.

Aug 16, 2024
CVE-2024-42634
9.8 CRITICAL

A Command Injection vulnerability exists in formWriteFacMac of the httpd binary in Tenda AC9 v15.03.06.42. As a result, attacker can execute OS commands with root …

Aug 16, 2024
CVE-2024-42466
9.8 CRITICAL

Improper Restriction of Excessive Authentication Attempts vulnerability in upKeeper Solutions product upKeeper Manager allows Authentication Abuse.This issue affects upKeeper Manager: through 5.1.9.

Aug 16, 2024
CVE-2024-42465
9.8 CRITICAL

Improper Restriction of Excessive Authentication Attempts vulnerability in upKeeper Solutions product upKeeper Manager allows Authentication Abuse.This issue affects upKeeper Manager: through 5.1.9.

Aug 16, 2024
CVE-2024-42462
9.8 CRITICAL

Improper Authentication vulnerability in upKeeper Solutions product upKeeper Manager allows Authentication Bypass.This issue affects upKeeper Manager: through 5.1.9.

Aug 16, 2024
CVE-2024-6460
9.8 CRITICAL

The Grow by Tradedoubler WordPress plugin through 2.0.21 is vulnerable to Local File Inclusion via the component parameter. This makes it possible for attackers to …

Aug 16, 2024
CVE-2024-42757
9.8 CRITICAL

Command injection vulnerability in Asus RT-N15U 3.0.0.4.376_3754 allows a remote attacker to execute arbitrary code via the netstat function page.

Aug 15, 2024
CVE-2024-42472
10.0 CRITICAL

Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious or compromised Flatpak app using persistent directories could …

Aug 15, 2024
CVE-2024-27730
9.8 CRITICAL

Insecure Permissions vulnerability in Friendica v.2023.12 allows a remote attacker to obtain sensitive information and execute arbitrary code via the cid parameter of the calendar …

Aug 15, 2024
CVE-2024-23168
9.8 CRITICAL

Vulnerability in Xiexe XSOverlay before build 647 allows non-local websites to send the malicious commands to the WebSocket API, resulting in the arbitrary code execution.

Aug 15, 2024
CVE-2024-42978
9.8 CRITICAL

An issue in the handler function in /goform/telnet of Tenda FH1206 v02.03.01.35 allows attackers to execute arbitrary commands via a crafted HTTP request.

Aug 15, 2024
CVE-2024-42967
9.8 CRITICAL

Incorrect access control in TOTOLINK LR350 V9.3.5u.6369_B20220309 allows attackers to obtain the apmib configuration file, which contains the username and the password, via a crafted …

Aug 15, 2024
CVE-2024-42966
9.8 CRITICAL

Incorrect access control in TOTOLINK N350RT V9.3.5u.6139_B20201216 allows attackers to obtain the apmib configuration file, which contains the username and the password, via a crafted …

Aug 15, 2024
CVE-2024-42947
9.8 CRITICAL

An issue in the handler function in /goform/telnet of Tenda FH1201 v1.2.0.14 (408) allows attackers to execute arbitrary commands via a crafted HTTP request.

Aug 15, 2024
CVE-2024-42843
9.8 CRITICAL

Projectworlds Online Examination System v1.0 is vulnerable to SQL Injection via the subject parameter in feed.php.

Aug 15, 2024
CVE-2024-42360
9.8 CRITICAL

SequenceServer lets you rapidly set up a BLAST+ server with an intuitive user interface for personal or group use. Several HTTP endpoints did not properly …

Aug 14, 2024
CVE-2024-5914
9.8 CRITICAL

A command injection issue in Palo Alto Networks Cortex XSOAR CommonScripts Pack allows an unauthenticated attacker to execute arbitrary commands within the context of an …

Aug 14, 2024
CVE-2024-39397
9.0 CRITICAL

Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in …

Aug 14, 2024
CVE-2024-7732
9.8 CRITICAL

Dr.ID Access Control System from SECOM does not properly validate a specific page parameter, allowing unauthenticated remote attackers to inject SQL commands to read, modify, …

Aug 14, 2024
CVE-2024-7731
9.8 CRITICAL

Dr.ID Access Control System from SECOM does not properly validate a specific page parameter, allowing unauthenticated remote attackers to inject SQL commands to read, modify, …

Aug 14, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.