CVE Database

9306+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-40394
9.8 CRITICAL

Simple Library Management System Project Using PHP/MySQL v1.0 was discovered to contain an arbitrary file upload vulnerability via the component ajax.php.

Jul 16, 2024
CVE-2024-40393
9.8 CRITICAL

Online Clinic Management System In PHP With Free Source code v1.0 was discovered to contain a SQL injection vulnerability via the user parameter at login.php.

Jul 16, 2024
CVE-2024-40392
9.8 CRITICAL

SourceCodester Pharmacy/Medical Store Point of Sale System Using PHP/MySQL and Bootstrap Framework with Source Code 1.0 was discovered to contain a SQL injection vulnerability via …

Jul 16, 2024
CVE-2024-40130
9.8 CRITICAL

open5gs v2.6.4 is vulnerable to Buffer Overflow. via /lib/core/abts.c.

Jul 16, 2024
CVE-2024-40129
9.8 CRITICAL

Open5GS v2.6.4 is vulnerable to Buffer Overflow. via /lib/pfcp/context.c.

Jul 16, 2024
CVE-2024-40425
9.8 CRITICAL

File Upload vulnerability in Nanjin Xingyuantu Technology Co Sparkshop (Spark Mall B2C Mall v.1.1.6 and before allows a remote attacker to execute arbitrary code via …

Jul 16, 2024
CVE-2024-39700
9.9 CRITICAL

JupyterLab extension template is a `copier` template for JupyterLab extensions. Repositories created using this template with `test` option include `update-integration-tests.yml` workflow which has an RCE …

Jul 16, 2024
CVE-2019-16639
9.8 CRITICAL

An issue was found on the Ruijie EG-2000 series gateway. There is a newcli.php API interface without access control, which can allow an attacker (who …

Jul 16, 2024
CVE-2024-35338
9.8 CRITICAL

Tenda i29V1.0 V1.0.0.5 was discovered to contain a hardcoded password for root.

Jul 16, 2024
CVE-2024-33182
9.8 CRITICAL

Tenda AC18 V15.03.3.10_EN was discovered to contain a stack-based buffer overflow vulnerability via the deviceId parameter at ip/goform/addWifiMacFilter.

Jul 16, 2024
CVE-2024-33180
9.8 CRITICAL

Tenda AC18 V15.03.3.10_EN was discovered to contain a stack-based buffer overflow vulnerability via the deviceId parameter at ip/goform/saveParentControlInfo.

Jul 16, 2024
CVE-2024-22442
9.8 CRITICAL

The vulnerability could be remotely exploited to bypass authentication.

Jul 16, 2024
CVE-2024-6457
9.8 CRITICAL

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the ‘woof_author’ parameter in all versions up …

Jul 16, 2024
CVE-2024-40524
9.8 CRITICAL

Directory Traversal vulnerability in xmind2testcase v.1.5 allows a remote attacker to execute arbitrary code via the webtool\application.py component.

Jul 15, 2024
CVE-2024-4143
9.8 CRITICAL

A potential security vulnerability has been identified in certain HP PC products using AMI BIOS, which might allow arbitrary code execution. AMI has released firmware …

Jul 15, 2024
CVE-2024-40624
9.8 CRITICAL

TorrentPier is an open source BitTorrent Public/Private tracker engine, written in php. In `torrentpier/library/includes/functions.php`, `get_tracks()` uses the unsafe native PHP serialization format to deserialize user-controlled …

Jul 15, 2024
CVE-2024-39915
9.9 CRITICAL

Thruk is a multibackend monitoring webinterface for Naemon, Nagios, Icinga and Shinken using the Livestatus API. This authenticated RCE in Thruk allows authorized users with …

Jul 15, 2024
CVE-2024-40416
9.8 CRITICAL

A vulnerability in /goform/SetVirtualServerCfg in the sub_6320C function in Tenda AX1806 1.0.0.1 firmware leads to stack-based buffer overflow.

Jul 15, 2024
CVE-2024-40415
9.8 CRITICAL

A vulnerability in /goform/SetStaticRouteCfg in the sub_519F4 function in Tenda AX1806 1.0.0.1 firmware leads to stack-based buffer overflow.

Jul 15, 2024
CVE-2024-40414
9.8 CRITICAL

A vulnerability in /goform/SetNetControlList in the sub_656BC function in Tenda AX1806 1.0.0.1 firmware leads to stack-based buffer overflow.

Jul 15, 2024
CVE-2024-6744
9.8 CRITICAL

The SMTP Listener of Secure Email Gateway from Cellopoint does not properly validate user input, leading to a Buffer Overflow vulnerability. An unauthenticated remote attacker …

Jul 15, 2024
CVE-2024-6743
9.8 CRITICAL

AguardNet's Space Management System does not properly validate user input, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database …

Jul 15, 2024
CVE-2024-5450
9.1 CRITICAL

The Bug Library WordPress plugin before 2.1.1 does not check the file type on user-submitted bug reports, allowing an unauthenticated user to upload PHP files

Jul 13, 2024
CVE-2024-40110
9.8 CRITICAL

Sourcecodester Poultry Farm Management System v1.0 contains an Unauthenticated Remote Code Execution (RCE) vulnerability via the productimage parameter at /farm/product.php.

Jul 12, 2024
CVE-2024-40542
9.8 CRITICAL

my-springsecurity-plus before v2024.07.03 was discovered to contain a SQL injection vulnerability via the dataScope parameter at /api/role?offset.

Jul 12, 2024
CVE-2024-40541
9.8 CRITICAL

my-springsecurity-plus before v2024.07.03 was discovered to contain a SQL injection vulnerability via the dataScope parameter at /api/dept/build.

Jul 12, 2024
CVE-2024-40540
9.8 CRITICAL

my-springsecurity-plus before v2024.07.03 was discovered to contain a SQL injection vulnerability via the dataScope parameter at /api/dept.

Jul 12, 2024
CVE-2024-40539
9.8 CRITICAL

my-springsecurity-plus before v2024.07.03 was discovered to contain a SQL injection vulnerability via the dataScope parameter at /api/user.

Jul 12, 2024
CVE-2024-38736
9.1 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Realtyna Realtyna Organic IDX plugin allows Code Injection.This issue affects Realtyna Organic IDX plugin: from n/a …

Jul 12, 2024
CVE-2024-38734
9.1 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in SpreadsheetConverter Import Spreadsheets from Microsoft Excel allows Code Injection.This issue affects Import Spreadsheets from Microsoft Excel: …

Jul 12, 2024
CVE-2024-39914
9.8 CRITICAL

FOG is a cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.34, packages/web/lib/fog/reportmaker.class.php in FOG was affected by a command injection via the filename parameter to /fog/management/export.php. …

Jul 12, 2024
CVE-2024-37933
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in anhvnit Woocommerce OpenPos.This issue affects Woocommerce OpenPos: from n/a through 6.4.4.

Jul 12, 2024
CVE-2024-37927
9.8 CRITICAL

Incorrect Privilege Assignment vulnerability in NooTheme Jobmonster noo-jobmonster allows Privilege Escalation.This issue affects Jobmonster: from n/a through <= 4.7.5.

Jul 12, 2024
CVE-2024-36522
9.8 CRITICAL

The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are …

Jul 12, 2024
CVE-2024-6328
9.8 CRITICAL

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in all versions up …

Jul 12, 2024
CVE-2024-6396
9.8 CRITICAL

A vulnerability in the `_backup_run` function in aimhubio/aim version 3.19.3 allows remote attackers to overwrite any file on the host server and exfiltrate arbitrary data. …

Jul 12, 2024
CVE-2024-36435
9.8 CRITICAL

An issue was discovered on Supermicro BMC firmware in select X11, X12, H12, B12, X13, H13, and B13 motherboards (and CMM6 modules). An unauthenticated user …

Jul 11, 2024
CVE-2024-6407
9.8 CRITICAL

CWE-200: Information Exposure vulnerability exists that could cause disclosure of credentials when a specially crafted message is sent to the device.

Jul 11, 2024
CVE-2024-6624
9.8 CRITICAL

The JSON API User plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.9.3. This is due to improper …

Jul 11, 2024
CVE-2024-6385
9.6 CRITICAL

An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from …

Jul 11, 2024
CVE-2024-6397
9.8 CRITICAL

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 0.1.0.44. …

Jul 11, 2024
CVE-2024-40618
9.6 CRITICAL

Whale browser before 3.26.244.21 allows an attacker to execute malicious JavaScript due to improper sanitization when processing a built-in extension.

Jul 11, 2024
CVE-2024-6037
9.1 CRITICAL

A vulnerability in gaizhenbiao/chuanhuchatgpt version 20240410 allows an attacker to create arbitrary folders at any location on the server, including the root directory (C: dir). …

Jul 10, 2024
CVE-2024-6036
9.1 CRITICAL

A vulnerability in gaizhenbiao/chuanhuchatgpt version 20240410 allows any user to restart the server at will by sending a specific request to the `/queue/join?` endpoint with …

Jul 10, 2024
CVE-2024-37310
9.0 CRITICAL

EVerest is an EV charging software stack. An integer overflow in the "v2g_incoming_v2gtp" function in the v2g_server.cpp implementation can allow a remote attacker to overflow …

Jul 10, 2024
CVE-2024-25077
9.8 CRITICAL

An issue was discovered on Renesas SmartBond DA14691, DA14695, DA14697, and DA14699 devices. The Nonce used for on-the-fly decryption of flash images is stored in …

Jul 10, 2024
CVE-2024-5910
9.8 CRITICAL KEV

Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to …

Jul 10, 2024
CVE-2024-37770
9.1 CRITICAL

14Finger v1.1 was discovered to contain a remote command execution (RCE) vulnerability in the fingerprint function. This vulnerability allows attackers to execute arbitrary commands via …

Jul 10, 2024
CVE-2024-37113
9.8 CRITICAL

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Membership Software WishList Member X.This issue affects WishList Member X: from n/a before 3.26.7.

Jul 10, 2024
CVE-2024-5217
9.8 CRITICAL KEV

ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an …

Jul 10, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.