CVE Database

9306+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-6366
9.1 CRITICAL

The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality …

Jul 29, 2024
CVE-2024-7202
9.8 CRITICAL

The query functionality of WinMatrix3 Web package from Simopro Technology lacks proper validation of user input, allowing unauthenticated remote attackers to inject SQL commands to …

Jul 29, 2024
CVE-2024-7201
9.8 CRITICAL

The login functionality of WinMatrix3 Web package from Simopro Technology lacks proper validation of user input, allowing unauthenticated remote attackers to inject SQL commands to …

Jul 29, 2024
CVE-2024-5670
9.8 CRITICAL

The web services of Softnext's products, Mail SQR Expert and Mail Archiving Expert do not properly validate user input, allowing unauthenticated remote attackers to inject …

Jul 29, 2024
CVE-2024-32671
9.8 CRITICAL

Heap-based Buffer Overflow vulnerability in Samsung Open Source Escargot JavaScript engine allows Overflow Buffers.This issue affects Escargot: 4.0.0.

Jul 29, 2024
CVE-2024-42049
9.1 CRITICAL

TightVNC (Server for Windows) before 2.8.84 allows attackers to connect to the control pipe via a network connection.

Jul 28, 2024
CVE-2024-41120
9.8 CRITICAL

streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `url` variable on line 63 of `pages/9_🔲_Vector_Data_Visualization.py` takes user input, which …

Jul 26, 2024
CVE-2024-41119
9.8 CRITICAL

streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `vis_params` variable on line 80 in `8_🏜️_Raster_Data_Visualization.py` takes user input, which …

Jul 26, 2024
CVE-2024-41117
9.8 CRITICAL

streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `vis_params` variable on line 115 in `pages/10_🌍_Earth_Engine_Datasets.py` takes user input, which …

Jul 26, 2024
CVE-2024-41116
9.8 CRITICAL

streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `vis_params` variable on line 1254 in `pages/1_📷_Timelapse.py` takes user input, which …

Jul 26, 2024
CVE-2024-41115
9.8 CRITICAL

streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `palette` variable on line 488 in `pages/1_📷_Timelapse.py` takes user input, which …

Jul 26, 2024
CVE-2024-41114
9.8 CRITICAL

streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `palette` variable on line 430 in `pages/1_📷_Timelapse.py` takes user input, which …

Jul 26, 2024
CVE-2024-41113
9.8 CRITICAL

streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `vis_params` variable on line 383 or line 390 in `pages/1_📷_Timelapse.py` takes …

Jul 26, 2024
CVE-2024-41112
9.8 CRITICAL

streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the palette variable in `pages/1_📷_Timelapse.py` takes user input, which is later used …

Jul 26, 2024
CVE-2024-40117
9.8 CRITICAL

Incorrect access control in Solar-Log 1000 before v2.8.2 and build 52- 23.04.2013 allows attackers to obtain Administrative privileges via connecting to the web administration server. …

Jul 26, 2024
CVE-2024-26520
9.8 CRITICAL

An issue in Hangzhou Xiongwei Technology Development Co., Ltd. Restaurant Digital Comprehensive Management platform v1 allows an attacker to bypass authentication and perform arbitrary password …

Jul 26, 2024
CVE-2024-4447
9.9 CRITICAL

In the System → Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API (UserSessionAjax.getSessionList.dwr) calls. While …

Jul 26, 2024
CVE-2024-41473
9.8 CRITICAL

Tenda FH1201 v1.2.0.14 was discovered to contain a command injection vulnerability via the mac parameter at ip/goform/WriteFacMac

Jul 25, 2024
CVE-2024-41468
9.8 CRITICAL

Tenda FH1201 v1.2.0.14 was discovered to contain a command injection vulnerability via the cmdinput parameter at /goform/exeCommand

Jul 25, 2024
CVE-2024-24621
9.8 CRITICAL

Softaculous Webuzo contains an authentication bypass vulnerability through the password reset functionality. Remote, anonymous attackers can exploit this vulnerability to gain full server access as …

Jul 25, 2024
CVE-2024-38289
9.8 CRITICAL

A boolean-based SQL injection issue in the Virtual Meeting Password (VMP) endpoint in R-HUB TurboMeeting through 8.x allows unauthenticated remote attackers to extract hashed passwords …

Jul 25, 2024
CVE-2024-38287
9.8 CRITICAL

The password-reset mechanism in the Forgot Password functionality in R-HUB TurboMeeting through 8.x allows unauthenticated remote attackers to force the application into resetting the administrator's …

Jul 25, 2024
CVE-2024-7007
9.8 CRITICAL

Positron Broadcast Signal Processor TRA7005 v1.20 is vulnerable to an authentication bypass exploit that could allow an attacker to have unauthorized access to protected areas …

Jul 25, 2024
CVE-2024-39671
9.3 CRITICAL

Access control vulnerability in the security verification module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.

Jul 25, 2024
CVE-2024-37084
9.8 CRITICAL

In Spring Cloud Data Flow versions prior to 2.11.4, a malicious user who has access to the Skipper server api can use a crafted upload …

Jul 25, 2024
CVE-2024-41461
9.8 CRITICAL

Tenda FH1201 v1.2.0.14 was discovered to contain a stack-based buffer overflow vulnerability via the list1 parameter at ip/goform/DhcpListClient.

Jul 24, 2024
CVE-2024-41460
9.8 CRITICAL

Tenda FH1201 v1.2.0.14 was discovered to contain a stack-based buffer overflow vulnerability via the entrys parameter at ip/goform/RouteStatic.

Jul 24, 2024
CVE-2024-41459
9.8 CRITICAL

Tenda FH1201 v1.2.0.14 was discovered to contain a stack-based buffer overflow vulnerability via the PPPOEPassword parameter at ip/goform/QuickIndex.

Jul 24, 2024
CVE-2024-41551
9.8 CRITICAL

CampCodes Supplier Management System v1.0 is vulnerable to SQL injection via Supply_Management_System/admin/view_order_items.php?id= .

Jul 24, 2024
CVE-2024-36535
9.8 CRITICAL

Insecure permissions in meshery v0.7.51 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.

Jul 24, 2024
CVE-2024-36533
9.8 CRITICAL

Insecure permissions in volcano v1.8.2 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.

Jul 24, 2024
CVE-2024-36536
9.8 CRITICAL

Insecure permissions in fabedge v0.8.1 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.

Jul 24, 2024
CVE-2024-41110
9.9 CRITICAL

Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could …

Jul 24, 2024
CVE-2024-36540
9.8 CRITICAL

Insecure permissions in external-secrets v0.9.16 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.

Jul 24, 2024
CVE-2024-36539
9.8 CRITICAL

Insecure permissions in contour v1.28.3 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.

Jul 24, 2024
CVE-2024-40422
9.1 CRITICAL

The snapshot_path parameter in the /api/get-browser-snapshot endpoint in stitionai devika v1 is susceptible to a path traversal attack. An attacker can manipulate the snapshot_path parameter …

Jul 24, 2024
CVE-2024-6327
9.9 CRITICAL

In Progress® Telerik® Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability.

Jul 24, 2024
CVE-2023-45249
9.8 CRITICAL KEV

Remote command execution due to use of default passwords. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.0.1-61, Acronis Cyber Infrastructure (ACI) …

Jul 24, 2024
CVE-2024-38164
9.6 CRITICAL

An improper access control vulnerability in GroupMe allows an a unauthenticated attacker to elevate privileges over a network by convincing a user to click on …

Jul 23, 2024
CVE-2024-41319
9.8 CRITICAL

TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability via the cmd parameter in the webcmd function.

Jul 23, 2024
CVE-2024-29070
9.1 CRITICAL

On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns "Authorization" as the front-end authentication …

Jul 23, 2024
CVE-2024-6912
9.8 CRITICAL

Use of hard-coded MSSQL credentials in PerkinElmer ProcessPlus on Windows allows an attacker to login remove on all prone installations.This issue affects ProcessPlus: through 1.11.6507.0.

Jul 22, 2024
CVE-2024-6806
9.8 CRITICAL

The NI VeriStand Gateway is missing authorization checks when an actor attempts to access Project resources. These missing checks may result in remote code execution. …

Jul 22, 2024
CVE-2024-6794
9.8 CRITICAL

A deserialization of untrusted data vulnerability exists in NI VeriStand Waveform Streaming Server that may result in remote code execution. Successful exploitation requires an attacker …

Jul 22, 2024
CVE-2024-6793
9.8 CRITICAL

A deserialization of untrusted data vulnerability exists in NI VeriStand DataLogging Server that may result in remote code execution. Successful exploitation requires an attacker to …

Jul 22, 2024
CVE-2024-40502
9.8 CRITICAL

SQL injection vulnerability in Hospital Management System Project in ASP.Net MVC 1 allows aremote attacker to execute arbitrary code via the btn_login_b_Click function of the …

Jul 22, 2024
CVE-2024-39250
9.8 CRITICAL

EfroTech Timetrax v8.3 was discovered to contain an unauthenticated SQL injection vulnerability via the q parameter in the search web interface.

Jul 22, 2024
CVE-2024-38944
9.8 CRITICAL

An issue in Intelight X-1L Traffic controller Maxtime v.1.9.6 allows a remote attacker to execute arbitrary code via the /cgi-bin/generateForm.cgi?formID=142 component.

Jul 22, 2024
CVE-2024-28698
9.8 CRITICAL

Directory Traversal vulnerability in Marimer LLC CSLA .Net before 8.0 allows a remote attacker to execute arbitrary code via a crafted script to the MobileFormatter …

Jul 22, 2024
CVE-2024-39686
9.8 CRITICAL

Bert-VITS2 is the VITS2 Backbone with multilingual bert. User input supplied to the data_dir variable is used directly in a command executed with subprocess.run(cmd, shell=True) …

Jul 22, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.