CVE Database

9306+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-6782
9.8 CRITICAL

Improper access control in Calibre 6.9.0 ~ 7.14.0 allow unauthenticated attackers to achieve remote code execution.

Aug 6, 2024
CVE-2024-6915
9.3 CRITICAL

JFrog Artifactory versions below 7.90.6, 7.84.20, 7.77.14, 7.71.23, 7.68.22, 7.63.22, 7.59.23, 7.55.18 are vulnerable to Improper Input Validation that could potentially lead to cache poisoning.

Aug 5, 2024
CVE-2024-42009
9.3 CRITICAL KEV

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via …

Aug 5, 2024
CVE-2024-42008
9.3 CRITICAL

A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a …

Aug 5, 2024
CVE-2024-40498
9.8 CRITICAL

SQL Injection vulnerability in PuneethReddyHC Online Shopping sysstem advanced v.1.0 allows an attacker to execute arbitrary code via the register.php

Aug 5, 2024
CVE-2024-38856
9.8 CRITICAL KEV

Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. …

Aug 5, 2024
CVE-2024-42447
9.8 CRITICAL

Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB. This issue affects Apache Airflow Providers FAB: 1.2.1 (when used with Apache Airflow 2.9.3) and FAB …

Aug 5, 2024
CVE-2024-6118
9.1 CRITICAL

A Plaintext Storage of a Password vulnerability in ebooknote function in Hamastar MeetingHub Paperless Meetings 2021 allows remote attackers to obtain the other users’ credentials …

Aug 5, 2024
CVE-2024-41889
9.8 CRITICAL

Multiple Pimax products accept WebSocket connections from unintended endpoints. If this vulnerability is exploited, arbitrary code may be executed by a remote unauthenticated attacker.

Aug 5, 2024
CVE-2024-7257
9.8 CRITICAL

The YayExtra – WooCommerce Extra Product Options plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_upload_file …

Aug 3, 2024
CVE-2024-38887
9.8 CRITICAL

An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to expand control over the operating …

Aug 2, 2024
CVE-2024-42348
9.3 CRITICAL

FOG is a cloning/imaging/rescue suite/inventory management system. FOG Server 1.5.10.41.2 can leak AD username and password when registering a computer. This vulnerability is fixed in …

Aug 2, 2024
CVE-2024-38889
9.8 CRITICAL

An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform SQL Injection due to …

Aug 2, 2024
CVE-2024-38886
9.8 CRITICAL

An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform a Traffic Injection attack …

Aug 2, 2024
CVE-2024-38883
9.1 CRITICAL

An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform a Drop Encryption Level …

Aug 2, 2024
CVE-2024-38882
9.8 CRITICAL

An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform command line execution through …

Aug 2, 2024
CVE-2024-7314
9.8 CRITICAL

anji-plus AJ-Report is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute …

Aug 2, 2024
CVE-2024-36268
9.8 CRITICAL

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong. This issue affects Apache InLong: from 1.10.0 through 1.12.0, which could lead to …

Aug 2, 2024
CVE-2024-42461
9.1 CRITICAL

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.

Aug 2, 2024
CVE-2024-42458
9.8 CRITICAL

server.c in Neat VNC (aka neatvnc) before 0.8.1 does not properly validate the security type, a related issue to CVE-2006-2369.

Aug 2, 2024
CVE-2024-41259
9.1 CRITICAL

Use of insecure hashing algorithm in the Gravatar's service in Navidrome v0.52.3 allows attackers to manipulate a user's account information.

Aug 1, 2024
CVE-2024-39619
9.0 CRITICAL

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CridioStudio ListingPro listingpro-plugin allows PHP Local File Inclusion.This issue affects ListingPro: from …

Aug 1, 2024
CVE-2024-38770
9.8 CRITICAL

Improper Privilege Management vulnerability in Revmakx Backup and Staging by WP Time Capsule allows Privilege Escalation, Authentication Bypass.This issue affects Backup and Staging by WP …

Aug 1, 2024
CVE-2024-41961
9.6 CRITICAL

Elektra is an opinionated Openstack Dashboard for Operators and Consumers of Openstack Services. A code injection vulnerability was found in the live search functionality of …

Aug 1, 2024
CVE-2024-7332
9.8 CRITICAL

A vulnerability was found in TOTOLINK CP450 4.1.0cu.747_B20191224. It has been classified as critical. This affects an unknown part of the file /web_cste/cgi-bin/product.ini of the …

Aug 1, 2024
CVE-2024-38182
9.0 CRITICAL

Weak authentication in Microsoft Dynamics 365 allows an unauthenticated attacker to elevate privileges over a network.

Jul 31, 2024
CVE-2024-41660
9.8 CRITICAL

slpd-lite is a unicast SLP UDP server. Any OpenBMC system that includes the slpd-lite package is impacted. Installing this package is the default when building …

Jul 31, 2024
CVE-2024-41947
9.0 CRITICAL

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By creating a conflict when another user with …

Jul 31, 2024
CVE-2024-37901
9.9 CRITICAL

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit right on any page …

Jul 31, 2024
CVE-2024-6980
9.8 CRITICAL

A verbose error handling issue in the proxy service implemented in the GravityZone Update Server allows an attacker to cause a server-side request forgery. This …

Jul 31, 2024
CVE-2024-6695
9.8 CRITICAL

it's possible for an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions. This is …

Jul 31, 2024
CVE-2024-38983
9.8 CRITICAL

Prototype Pollution in alykoshin mini-deep-assign v0.0.8 allows an attacker to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via …

Jul 30, 2024
CVE-2024-41611
9.8 CRITICAL

In D-Link DIR-860L REVA FIRMWARE PATCH 1.10..B04, the Telnet service contains hardcoded credentials, enabling attackers to log in remotely to the Telnet service and perform …

Jul 30, 2024
CVE-2024-41610
9.8 CRITICAL

D-Link DIR-820LW REVB FIRMWARE PATCH 2.03.B01_TC contains hardcoded credentials in the Telnet service, enabling attackers to log in remotely to the Telnet service and perform …

Jul 30, 2024
CVE-2024-39012
9.8 CRITICAL

ais-ltd strategyen v0.4.0 was discovered to contain a prototype pollution via the function mergeObjects. This vulnerability allows attackers to execute arbitrary code or cause a …

Jul 30, 2024
CVE-2024-39011
9.8 CRITICAL

Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the …

Jul 30, 2024
CVE-2024-39010
9.8 CRITICAL

chase-moskal snapstate v0.0.9 was discovered to contain a prototype pollution via the function attemptNestedProperty. This vulnerability allows attackers to execute arbitrary code or cause a …

Jul 30, 2024
CVE-2024-38986
9.8 CRITICAL

Prototype Pollution in 75lb deep-merge 1.1.1 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via merge …

Jul 30, 2024
CVE-2024-38984
9.8 CRITICAL

Prototype Pollution in lukebond json-override 0.2.0 allows attackers to to execute arbitrary code or cause a Denial of Service (DoS) via the __proto__ property.

Jul 30, 2024
CVE-2024-36572
9.8 CRITICAL

Prototype pollution in allpro form-manager 0.7.4 allows attackers to run arbitrary code and cause other impacts via the functions setDefaults, mergeBranch, and Object.setObjectValue.

Jul 30, 2024
CVE-2024-38909
9.8 CRITICAL

Studio 42 elFinder 2.1.64 is vulnerable to Incorrect Access Control. Copying files with an unauthorized extension between server directories allows an arbitrary attacker to expose …

Jul 30, 2024
CVE-2024-6699
9.8 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mikafon Electronic Inc. Mikafon MA7 allows SQL Injection.This issue affects Mikafon …

Jul 30, 2024
CVE-2024-41702
9.8 CRITICAL

SiberianCMS - CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Jul 30, 2024
CVE-2023-48396
9.1 CRITICAL

Web Authentication vulnerability in Apache SeaTunnel. Since the jwt key is hardcoded in the application, an attacker can forge any token to log in any …

Jul 30, 2024
CVE-2024-5975
9.1 CRITICAL

The CZ Loan Management WordPress plugin through 1.1 does not properly sanitise and escape a parameter before using it in a SQL statement via an …

Jul 30, 2024
CVE-2024-5765
9.8 CRITICAL

The WpStickyBar WordPress plugin through 2.1.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action …

Jul 30, 2024
CVE-2024-37858
9.8 CRITICAL

SQL Injection vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via the id parameter to php-lfis/admin/categories/manage_category.php.

Jul 29, 2024
CVE-2024-28805
9.1 CRITICAL

An issue was discovered in Italtel i-MCS NFV 12.1.0-20211215. There is Incorrect Access Control.

Jul 29, 2024
CVE-2024-38529
9.0 CRITICAL

Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.10, there is a Remote Code …

Jul 29, 2024
CVE-2024-37906
9.9 CRITICAL

Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.9, there is an SQL Injection …

Jul 29, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.