CVE Database

9306+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-4879
9.8 CRITICAL KEV

ServiceNow has addressed an input validation vulnerability that was identified in Vancouver and Washington DC Now Platform releases. This vulnerability could enable an unauthenticated user …

Jul 10, 2024
CVE-2024-6422
9.8 CRITICAL

An unauthenticated remote attacker can manipulate the device via Telnet, stop processes, read, delete and change data.

Jul 10, 2024
CVE-2024-39071
9.8 CRITICAL

Fujian Kelixun <=7.6.6.4391 is vulnerable to SQL Injection in send_event.php.

Jul 9, 2024
CVE-2024-37873
9.8 CRITICAL

SQL injection vulnerability in view_payslip.php in Itsourcecode Payroll Management System Project In PHP With Source Code 1.0 allows remote attackers to execute arbitrary SQL commands …

Jul 9, 2024
CVE-2024-37870
9.8 CRITICAL

SQL injection vulnerability in processscore.php in Learning Management System Project In PHP With Source Code 1.0 allows attackers to execute arbitrary SQL commands via the …

Jul 9, 2024
CVE-2023-48194
9.8 CRITICAL

Vulnerability in Tenda AC8v4 .V16.03.34.09 due to sscanf and the last digit of s8 being overwritten with \x0. After executing set_client_qos, control over the gp …

Jul 9, 2024
CVE-2024-39171
9.8 CRITICAL

Directory Travel in PHPVibe v11.0.46 due to incomplete blacklist checksums and directory checks, which can lead to code execution via writing specific statements to .htaccess …

Jul 9, 2024
CVE-2024-38089
9.1 CRITICAL

Microsoft Defender for IoT Elevation of Privilege Vulnerability

Jul 9, 2024
CVE-2024-38077
9.8 CRITICAL

Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability

Jul 9, 2024
CVE-2024-38076
9.8 CRITICAL

Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability

Jul 9, 2024
CVE-2024-38074
9.8 CRITICAL

Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability

Jul 9, 2024
CVE-2024-36526
9.8 CRITICAL

ZKTeco ZKBio CVSecurity v6.1.1 was discovered to contain a hardcoded cryptographic key.

Jul 9, 2024
CVE-2024-6611
9.8 CRITICAL

A nested iframe, triggering a cross-site navigation, could send SameSite=Strict or Lax cookies. This vulnerability affects Firefox < 128 and Thunderbird < 128.

Jul 9, 2024
CVE-2024-6602
9.8 CRITICAL

A mismatch between allocator and deallocator could have led to memory corruption. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, …

Jul 9, 2024
CVE-2024-3596
9.0 CRITICAL

RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to …

Jul 9, 2024
CVE-2024-39872
9.6 CRITICAL

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application does not properly assign rights to temporary …

Jul 9, 2024
CVE-2024-37424
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Automattic Newspack Blocks allows Upload a Web Shell to a Web Server.This issue affects Newspack Blocks: …

Jul 9, 2024
CVE-2024-37420
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in WPZita Zita Elementor Site Library allows Upload a Web Shell to a Web Server.This issue affects …

Jul 9, 2024
CVE-2024-37418
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in andy_moyle Church Admin church-admin.This issue affects Church Admin: from n/a through <= 4.4.6.

Jul 9, 2024
CVE-2023-3287
9.9 CRITICAL

A BOLA vulnerability in POST /admins allows a low privileged user to create a high privileged user (admin) in the system. This results in privilege …

Jul 9, 2024
CVE-2023-38055
9.6 CRITICAL

A BOLA vulnerability in GET, PUT, DELETE /services/{serviceId} allows a low privileged user to fetch, modify or delete the services of any user (including admin). …

Jul 9, 2024
CVE-2023-38054
9.9 CRITICAL

A BOLA vulnerability in GET, PUT, DELETE /customers/{customerId} allows a low privileged user to fetch, modify or delete a low privileged user (customer). This results …

Jul 9, 2024
CVE-2023-38053
9.9 CRITICAL

A BOLA vulnerability in GET, PUT, DELETE /settings/{settingName} allows a low privileged user to fetch, modify or delete the settings of any user (including admin). …

Jul 9, 2024
CVE-2023-38052
9.9 CRITICAL

A BOLA vulnerability in GET, PUT, DELETE /admins/{adminId} allows a low privileged user to fetch, modify or delete a high privileged user (admin). This results …

Jul 9, 2024
CVE-2023-38051
9.9 CRITICAL

A BOLA vulnerability in GET, PUT, DELETE /secretaries/{secretaryId} allows a low privileged user to fetch, modify or delete a low privileged user (secretary). This results …

Jul 9, 2024
CVE-2023-38050
9.1 CRITICAL

A BOLA vulnerability in GET, PUT, DELETE /webhooks/{webhookId} allows a low privileged user to fetch, modify or delete a webhook of any user (including admin). …

Jul 9, 2024
CVE-2023-38049
9.9 CRITICAL

A BOLA vulnerability in GET, PUT, DELETE /appointments/{appointmentId} allows a low privileged user to fetch, modify or delete an appointment of any user (including admin). …

Jul 9, 2024
CVE-2023-38048
9.9 CRITICAL

A BOLA vulnerability in GET, PUT, DELETE /providers/{providerId} allows a low privileged user to fetch, modify or delete a privileged user (provider). This results in …

Jul 9, 2024
CVE-2024-3604
9.9 CRITICAL

The OSM – OpenStreetMap plugin for WordPress is vulnerable to SQL Injection via the 'tagged_filter' attribute of the 'osm_map_v3' shortcode in all versions up to, …

Jul 9, 2024
CVE-2024-37112
10.0 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Membership Software WishList Member X.This issue affects WishList Member X: from …

Jul 9, 2024
CVE-2024-6314
9.8 CRITICAL

The IQ Testimonials plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'process_image_upload' function in versions up …

Jul 9, 2024
CVE-2024-6313
9.8 CRITICAL

The Gutenberg Forms plugin for WordPress is vulnerable to arbitrary file uploads due to the users can specify the allowed file types in the 'upload' …

Jul 9, 2024
CVE-2024-37555
9.1 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in ZealousWeb Generate PDF using Contact Form 7 generate-pdf-using-contact-form-7.This issue affects Generate PDF using Contact Form 7: …

Jul 9, 2024
CVE-2024-28751
9.1 CRITICAL

An high privileged remote attacker can enable telnet access that accepts hardcoded credentials.

Jul 9, 2024
CVE-2024-28747
9.8 CRITICAL

An unauthenticated remote attacker can use the hard-coded credentials to access the SmartSPS devices with high privileges.

Jul 9, 2024
CVE-2024-5488
9.8 CRITICAL

The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow …

Jul 9, 2024
CVE-2024-6365
9.8 CRITICAL

The Product Table by WBW plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.1 via the 'saveCustomTitle' …

Jul 9, 2024
CVE-2024-1305
9.8 CRITICAL

tap-windows6 driver version 9.26 and earlier does not properly check the size data of incomming write operations which an attacker can use to overflow memory …

Jul 8, 2024
CVE-2023-46685
9.8 CRITICAL

A hard-coded password vulnerability exists in the telnetd functionality of LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623. A set of specially crafted network packets can lead to arbitrary command …

Jul 8, 2024
CVE-2024-27903
9.8 CRITICAL

OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which …

Jul 8, 2024
CVE-2024-40614
9.8 CRITICAL

EGroupware before 23.1.20240624 mishandles an ORDER BY clause. This leads to json.php?menuaction=EGroupware\Api\Etemplate\Widget\Nextmatch::ajax_get_rows sort.id SQL injection by authenticated users for Address Book or InfoLog sorting.

Jul 7, 2024
CVE-2024-27712
9.8 CRITICAL

An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via the User Account Mangemnt component …

Jul 5, 2024
CVE-2024-27710
9.8 CRITICAL

An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via the authentication mechanism.

Jul 5, 2024
CVE-2024-27709
9.8 CRITICAL

SQL Injection vulnerability in Eskooly Web Product v.3.0 allows a remote attacker to execute arbitrary code via the searchby parameter of the allstudents.php component and …

Jul 5, 2024
CVE-2024-37768
9.1 CRITICAL

14Finger v1.1 was discovered to contain an arbitrary user deletion vulnerability via the component /api/admin/user?id.

Jul 5, 2024
CVE-2024-29319
9.8 CRITICAL

Volmarg Personal Management System 1.4.64 is vulnerable to SSRF (Server Side Request Forgery) via uploading a SVG file. The server can make unintended HTTP and …

Jul 5, 2024
CVE-2024-23998
9.6 CRITICAL

goanother Another Redis Desktop Manager =<1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.vue.

Jul 5, 2024
CVE-2024-23997
9.6 CRITICAL

Lukas Bach yana =<1.0.16 is vulnerable to Cross Site Scripting (XSS) via src/electron-main.ts.

Jul 5, 2024
CVE-2024-39864
9.8 CRITICAL

The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via integration.api.port global setting) for internal …

Jul 5, 2024
CVE-2024-39028
9.8 CRITICAL

An issue was discovered in SeaCMS <=12.9 which allows remote attackers to execute arbitrary code via admin_ping.php.

Jul 5, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.