9306+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.
Improper access control in Calibre 6.9.0 ~ 7.14.0 allow unauthenticated attackers to achieve remote code execution.
JFrog Artifactory versions below 7.90.6, 7.84.20, 7.77.14, 7.71.23, 7.68.22, 7.63.22, 7.59.23, 7.55.18 are vulnerable to Improper Input Validation that could potentially lead to cache poisoning.
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via …
A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a …
SQL Injection vulnerability in PuneethReddyHC Online Shopping sysstem advanced v.1.0 allows an attacker to execute arbitrary code via the register.php
Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. …
Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB. This issue affects Apache Airflow Providers FAB: 1.2.1 (when used with Apache Airflow 2.9.3) and FAB …
A Plaintext Storage of a Password vulnerability in ebooknote function in Hamastar MeetingHub Paperless Meetings 2021 allows remote attackers to obtain the other users’ credentials …
Multiple Pimax products accept WebSocket connections from unintended endpoints. If this vulnerability is exploited, arbitrary code may be executed by a remote unauthenticated attacker.
The YayExtra – WooCommerce Extra Product Options plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_upload_file …
An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to expand control over the operating …
FOG is a cloning/imaging/rescue suite/inventory management system. FOG Server 1.5.10.41.2 can leak AD username and password when registering a computer. This vulnerability is fixed in …
An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform SQL Injection due to …
An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform a Traffic Injection attack …
An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform a Drop Encryption Level …
An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform command line execution through …
anji-plus AJ-Report is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute …
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong. This issue affects Apache InLong: from 1.10.0 through 1.12.0, which could lead to …
In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.
server.c in Neat VNC (aka neatvnc) before 0.8.1 does not properly validate the security type, a related issue to CVE-2006-2369.
Use of insecure hashing algorithm in the Gravatar's service in Navidrome v0.52.3 allows attackers to manipulate a user's account information.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CridioStudio ListingPro listingpro-plugin allows PHP Local File Inclusion.This issue affects ListingPro: from …
Improper Privilege Management vulnerability in Revmakx Backup and Staging by WP Time Capsule allows Privilege Escalation, Authentication Bypass.This issue affects Backup and Staging by WP …
Elektra is an opinionated Openstack Dashboard for Operators and Consumers of Openstack Services. A code injection vulnerability was found in the live search functionality of …
A vulnerability was found in TOTOLINK CP450 4.1.0cu.747_B20191224. It has been classified as critical. This affects an unknown part of the file /web_cste/cgi-bin/product.ini of the …
Weak authentication in Microsoft Dynamics 365 allows an unauthenticated attacker to elevate privileges over a network.
slpd-lite is a unicast SLP UDP server. Any OpenBMC system that includes the slpd-lite package is impacted. Installing this package is the default when building …
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By creating a conflict when another user with …
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit right on any page …
A verbose error handling issue in the proxy service implemented in the GravityZone Update Server allows an attacker to cause a server-side request forgery. This …
it's possible for an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions. This is …
Prototype Pollution in alykoshin mini-deep-assign v0.0.8 allows an attacker to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via …
In D-Link DIR-860L REVA FIRMWARE PATCH 1.10..B04, the Telnet service contains hardcoded credentials, enabling attackers to log in remotely to the Telnet service and perform …
D-Link DIR-820LW REVB FIRMWARE PATCH 2.03.B01_TC contains hardcoded credentials in the Telnet service, enabling attackers to log in remotely to the Telnet service and perform …
ais-ltd strategyen v0.4.0 was discovered to contain a prototype pollution via the function mergeObjects. This vulnerability allows attackers to execute arbitrary code or cause a …
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the …
chase-moskal snapstate v0.0.9 was discovered to contain a prototype pollution via the function attemptNestedProperty. This vulnerability allows attackers to execute arbitrary code or cause a …
Prototype Pollution in 75lb deep-merge 1.1.1 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via merge …
Prototype Pollution in lukebond json-override 0.2.0 allows attackers to to execute arbitrary code or cause a Denial of Service (DoS) via the __proto__ property.
Prototype pollution in allpro form-manager 0.7.4 allows attackers to run arbitrary code and cause other impacts via the functions setDefaults, mergeBranch, and Object.setObjectValue.
Studio 42 elFinder 2.1.64 is vulnerable to Incorrect Access Control. Copying files with an unauthorized extension between server directories allows an arbitrary attacker to expose …
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mikafon Electronic Inc. Mikafon MA7 allows SQL Injection.This issue affects Mikafon …
SiberianCMS - CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Web Authentication vulnerability in Apache SeaTunnel. Since the jwt key is hardcoded in the application, an attacker can forge any token to log in any …
The CZ Loan Management WordPress plugin through 1.1 does not properly sanitise and escape a parameter before using it in a SQL statement via an …
The WpStickyBar WordPress plugin through 2.1.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action …
SQL Injection vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via the id parameter to php-lfis/admin/categories/manage_category.php.
An issue was discovered in Italtel i-MCS NFV 12.1.0-20211215. There is Incorrect Access Control.
Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.10, there is a Remote Code …
Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.9, there is an SQL Injection …
Free website and port scanning — find vulnerabilities before attackers do.