9306+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.
The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality …
The query functionality of WinMatrix3 Web package from Simopro Technology lacks proper validation of user input, allowing unauthenticated remote attackers to inject SQL commands to …
The login functionality of WinMatrix3 Web package from Simopro Technology lacks proper validation of user input, allowing unauthenticated remote attackers to inject SQL commands to …
The web services of Softnext's products, Mail SQR Expert and Mail Archiving Expert do not properly validate user input, allowing unauthenticated remote attackers to inject …
Heap-based Buffer Overflow vulnerability in Samsung Open Source Escargot JavaScript engine allows Overflow Buffers.This issue affects Escargot: 4.0.0.
TightVNC (Server for Windows) before 2.8.84 allows attackers to connect to the control pipe via a network connection.
streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `url` variable on line 63 of `pages/9_🔲_Vector_Data_Visualization.py` takes user input, which …
streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `vis_params` variable on line 80 in `8_🏜️_Raster_Data_Visualization.py` takes user input, which …
streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `vis_params` variable on line 115 in `pages/10_🌍_Earth_Engine_Datasets.py` takes user input, which …
streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `vis_params` variable on line 1254 in `pages/1_📷_Timelapse.py` takes user input, which …
streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `palette` variable on line 488 in `pages/1_📷_Timelapse.py` takes user input, which …
streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `palette` variable on line 430 in `pages/1_📷_Timelapse.py` takes user input, which …
streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `vis_params` variable on line 383 or line 390 in `pages/1_📷_Timelapse.py` takes …
streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the palette variable in `pages/1_📷_Timelapse.py` takes user input, which is later used …
Incorrect access control in Solar-Log 1000 before v2.8.2 and build 52- 23.04.2013 allows attackers to obtain Administrative privileges via connecting to the web administration server. …
An issue in Hangzhou Xiongwei Technology Development Co., Ltd. Restaurant Digital Comprehensive Management platform v1 allows an attacker to bypass authentication and perform arbitrary password …
In the System → Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API (UserSessionAjax.getSessionList.dwr) calls. While …
Tenda FH1201 v1.2.0.14 was discovered to contain a command injection vulnerability via the mac parameter at ip/goform/WriteFacMac
Tenda FH1201 v1.2.0.14 was discovered to contain a command injection vulnerability via the cmdinput parameter at /goform/exeCommand
Softaculous Webuzo contains an authentication bypass vulnerability through the password reset functionality. Remote, anonymous attackers can exploit this vulnerability to gain full server access as …
A boolean-based SQL injection issue in the Virtual Meeting Password (VMP) endpoint in R-HUB TurboMeeting through 8.x allows unauthenticated remote attackers to extract hashed passwords …
The password-reset mechanism in the Forgot Password functionality in R-HUB TurboMeeting through 8.x allows unauthenticated remote attackers to force the application into resetting the administrator's …
Positron Broadcast Signal Processor TRA7005 v1.20 is vulnerable to an authentication bypass exploit that could allow an attacker to have unauthorized access to protected areas …
Access control vulnerability in the security verification module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
In Spring Cloud Data Flow versions prior to 2.11.4, a malicious user who has access to the Skipper server api can use a crafted upload …
Tenda FH1201 v1.2.0.14 was discovered to contain a stack-based buffer overflow vulnerability via the list1 parameter at ip/goform/DhcpListClient.
Tenda FH1201 v1.2.0.14 was discovered to contain a stack-based buffer overflow vulnerability via the entrys parameter at ip/goform/RouteStatic.
Tenda FH1201 v1.2.0.14 was discovered to contain a stack-based buffer overflow vulnerability via the PPPOEPassword parameter at ip/goform/QuickIndex.
CampCodes Supplier Management System v1.0 is vulnerable to SQL injection via Supply_Management_System/admin/view_order_items.php?id= .
Insecure permissions in meshery v0.7.51 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.
Insecure permissions in volcano v1.8.2 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.
Insecure permissions in fabedge v0.8.1 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.
Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could …
Insecure permissions in external-secrets v0.9.16 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.
Insecure permissions in contour v1.28.3 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.
The snapshot_path parameter in the /api/get-browser-snapshot endpoint in stitionai devika v1 is susceptible to a path traversal attack. An attacker can manipulate the snapshot_path parameter …
In Progress® Telerik® Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability.
Remote command execution due to use of default passwords. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.0.1-61, Acronis Cyber Infrastructure (ACI) …
An improper access control vulnerability in GroupMe allows an a unauthenticated attacker to elevate privileges over a network by convincing a user to click on …
TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability via the cmd parameter in the webcmd function.
On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns "Authorization" as the front-end authentication …
Use of hard-coded MSSQL credentials in PerkinElmer ProcessPlus on Windows allows an attacker to login remove on all prone installations.This issue affects ProcessPlus: through 1.11.6507.0.
The NI VeriStand Gateway is missing authorization checks when an actor attempts to access Project resources. These missing checks may result in remote code execution. …
A deserialization of untrusted data vulnerability exists in NI VeriStand Waveform Streaming Server that may result in remote code execution. Successful exploitation requires an attacker …
A deserialization of untrusted data vulnerability exists in NI VeriStand DataLogging Server that may result in remote code execution. Successful exploitation requires an attacker to …
SQL injection vulnerability in Hospital Management System Project in ASP.Net MVC 1 allows aremote attacker to execute arbitrary code via the btn_login_b_Click function of the …
EfroTech Timetrax v8.3 was discovered to contain an unauthenticated SQL injection vulnerability via the q parameter in the search web interface.
An issue in Intelight X-1L Traffic controller Maxtime v.1.9.6 allows a remote attacker to execute arbitrary code via the /cgi-bin/generateForm.cgi?formID=142 component.
Directory Traversal vulnerability in Marimer LLC CSLA .Net before 8.0 allows a remote attacker to execute arbitrary code via a crafted script to the MobileFormatter …
Bert-VITS2 is the VITS2 Backbone with multilingual bert. User input supplied to the data_dir variable is used directly in a command executed with subprocess.run(cmd, shell=True) …
Free website and port scanning — find vulnerabilities before attackers do.