CVE Database

9306+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-38346
9.8 CRITICAL

The CloudStack cluster service runs on unauthenticated port (default 9090) that can be misused to run arbitrary commands on targeted hypervisors and CloudStack management server …

Jul 5, 2024
CVE-2024-6298
10.0 CRITICAL

Unauthorized file access in WEB Server in ABB ASPECT - Enterprise v3.08.01; NEXUS Series v3.08.01 ; MATRIX Series v3.08.01 allows Attacker to execute arbitrary code …

Jul 5, 2024
CVE-2024-6209
10.0 CRITICAL

Unauthorized file access in WEB Server in ABB ASPECT - Enterprise v3.08.01; NEXUS Series v3.08.01 ; MATRIX Series v3.08.01 allows Attacker to access files unauthorized

Jul 5, 2024
CVE-2024-39943
9.9 CRITICAL

rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have …

Jul 4, 2024
CVE-2024-39932
9.9 CRITICAL

Gogs through 0.13.0 allows argument injection during the previewing of changes.

Jul 4, 2024
CVE-2024-39931
9.9 CRITICAL

Gogs through 0.13.0 allows deletion of internal files.

Jul 4, 2024
CVE-2024-39930
9.9 CRITICAL

The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening …

Jul 4, 2024
CVE-2024-39165
9.8 CRITICAL

QR/demoapp/qr_image.php in Asial JpGraph Professional through 4.2.6-pro allows remote attackers to execute arbitrary code via a PHP payload in the data parameter in conjunction with …

Jul 4, 2024
CVE-2024-39844
9.8 CRITICAL

In ZNC before 1.9.1, remote code execution can occur in modtcl via a KICK.

Jul 3, 2024
CVE-2024-39223
9.8 CRITICAL

An authentication bypass in the SSH service of gost v2.11.5 allows attackers to intercept communications via setting the HostKeyCallback function to ssh.InsecureIgnoreHostKey

Jul 3, 2024
CVE-2024-37082
9.1 CRITICAL

When deploying Cloud Foundry together with the haproxy-boshrelease and using a non default configuration, it might be possible to craft HTTP requests that bypass mTLS …

Jul 3, 2024
CVE-2024-4708
9.8 CRITICAL

mySCADA myPRO uses a hard-coded password which could allow an attacker to remotely execute code on the affected device.

Jul 2, 2024
CVE-2023-24531
9.8 CRITICAL

Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as …

Jul 2, 2024
CVE-2024-36404
9.8 CRITICAL

GeoTools is an open source Java library that provides tools for geospatial data. Prior to versions 31.2, 30.4, and 29.6, Remote Code Execution (RCE) is …

Jul 2, 2024
CVE-2024-32755
9.1 CRITICAL

Under certain circumstances the web interface will accept characters unrelated to the expected input.

Jul 2, 2024
CVE-2023-41921
9.8 CRITICAL

A vulnerability allows attackers to download source code or an executable from a remote location and execute the code without sufficiently verifying the origin and …

Jul 2, 2024
CVE-2023-41920
9.8 CRITICAL

The vulnerability allows attackers access to the root account without having to authenticate. Specifically, if the device is configured with the IP address of 10.10.10.10, …

Jul 2, 2024
CVE-2023-41919
9.8 CRITICAL

Hardcoded credentials are discovered within the application's source code, creating a potential security risk for unauthorized access.

Jul 2, 2024
CVE-2023-41918
10.0 CRITICAL

A vulnerability allows unauthorized access to functionality inadequately constrained by ACLs. Attackers may exploit this to unauthenticated execute commands potentially leading to unauthorized data manipulation, …

Jul 2, 2024
CVE-2023-41917
10.0 CRITICAL

Inadequate input validation exposes the system to potential remote code execution (RCE) risks. Attackers can exploit this vulnerability by appending shell commands to the Speed-Measurement …

Jul 2, 2024
CVE-2024-6172
9.8 CRITICAL

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via …

Jul 2, 2024
CVE-2024-39309
9.8 CRITICAL

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 …

Jul 1, 2024
CVE-2024-37762
9.9 CRITICAL

MachForm up to version 21 is affected by an authenticated unrestricted file upload which leads to a remote code execution.

Jul 1, 2024
CVE-2024-5322
9.1 CRITICAL

The N-central server is vulnerable to session rebinding of already authenticated users when using Entra SSO, which can lead to authentication bypass. This vulnerability is …

Jul 1, 2024
CVE-2024-38368
9.3 CRITICAL

trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. A vulnerability affected older pods which migrated from the pre-2014 pull request workflow to trunk. …

Jul 1, 2024
CVE-2024-38366
10.0 CRITICAL

trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. The part of trunk which verifies whether a user has a real email address on …

Jul 1, 2024
CVE-2024-28200
9.1 CRITICAL

The N-central server is vulnerable to an authentication bypass of the user interface. This vulnerability is present in all deployments of N-central prior to 2024.2. …

Jul 1, 2024
CVE-2024-39251
10.0 CRITICAL

An issue in the component ControlCenter.sys/ControlCenter64.sys of ThundeRobot Control Center v2.0.0.10 allows attackers to access sensitive information, execute arbitrary code, or escalate privileges via sending …

Jul 1, 2024
CVE-2024-39236
9.8 CRITICAL

Gradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. This vulnerability is triggered via a crafted input. NOTE: the supplier …

Jul 1, 2024
CVE-2024-38513
10.0 CRITICAL

Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions …

Jul 1, 2024
CVE-2024-38476
9.8 CRITICAL

Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response …

Jul 1, 2024
CVE-2024-38475
9.1 CRITICAL KEV

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted …

Jul 1, 2024
CVE-2024-38474
9.8 CRITICAL

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not …

Jul 1, 2024
CVE-2024-36401
9.8 CRITICAL KEV

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC …

Jul 1, 2024
CVE-2024-6425
9.1 CRITICAL

Incorrect Provision of Specified Functionality vulnerability in MESbook 20221021.03 version. An unauthenticated remote attacker can register user accounts without being authenticated from the route "/account/Register/" …

Jul 1, 2024
CVE-2024-6424
9.3 CRITICAL

External server-side request vulnerability in MESbook 20221021.03 version, which could allow a remote, unauthenticated attacker to exploit the endpoint "/api/Proxy/Post?userName=&password=&uri=<FILE|INTERNAL URL|IP/HOST" or "/api/Proxy/Get?userName=&password=&uri=<ARCHIVO|URL INTERNA|IP/HOST" to …

Jul 1, 2024
CVE-2024-39017
9.8 CRITICAL

agreejs shared v0.0.1 was discovered to contain a prototype pollution via the function mergeInternalComponents. This vulnerability allows attackers to execute arbitrary code or cause a …

Jul 1, 2024
CVE-2024-39015
9.8 CRITICAL

cafebazaar hod v0.4.14 was discovered to contain a prototype pollution via the function request. This vulnerability allows attackers to execute arbitrary code or cause a …

Jul 1, 2024
CVE-2024-39014
9.8 CRITICAL

ahilfoley cahil/utils v2.3.2 was discovered to contain a prototype pollution via the function set. This vulnerability allows attackers to execute arbitrary code or cause a …

Jul 1, 2024
CVE-2024-39013
9.8 CRITICAL

2o3t-utility v0.1.2 was discovered to contain a prototype pollution via the function extend. This vulnerability allows attackers to execute arbitrary code or cause a Denial …

Jul 1, 2024
CVE-2024-39008
10.0 CRITICAL

robinweser fast-loops v1.1.3 was discovered to contain a prototype pollution via the function objectMergeDeep. This vulnerability allows attackers to execute arbitrary code or cause a …

Jul 1, 2024
CVE-2024-38999
10.0 CRITICAL

jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a …

Jul 1, 2024
CVE-2024-38996
9.8 CRITICAL

ag-grid-community v31.3.2 and ag-grid-enterprise v31.3.2 were discovered to contain a prototype pollution via the _.mergeDeep function. This vulnerability allows attackers to execute arbitrary code or …

Jul 1, 2024
CVE-2024-38993
9.8 CRITICAL

rjrodger jsonic-next v2.12.1 was discovered to contain a prototype pollution via the function empty. This vulnerability allows attackers to execute arbitrary code or cause a …

Jul 1, 2024
CVE-2024-20080
9.8 CRITICAL

In gnss service, there is a possible escalation of privilege due to improper certificate validation. This could lead to remote escalation of privilege with no …

Jul 1, 2024
CVE-2024-20078
9.8 CRITICAL

In venc, there is a possible out of bounds write due to type confusion. This could lead to local escalation of privilege with System execution …

Jul 1, 2024
CVE-2024-5926
9.1 CRITICAL

A path traversal vulnerability in the get-project-files functionality of stitionai/devika allows attackers to read arbitrary files from the filesystem and cause a Denial of Service …

Jun 30, 2024
CVE-2024-39848
9.1 CRITICAL

Internet2 Grouper before 5.6 allows authentication bypass when LDAP authentication is used in certain ways. This is related to internet2.middleware.grouper.ws.security.WsGrouperLdapAuthentication and the use of the …

Jun 29, 2024
CVE-2024-6265
9.8 CRITICAL

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress plugin for WordPress is vulnerable to time-based SQL Injection …

Jun 29, 2024
CVE-2019-25211
9.1 CRITICAL

parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is …

Jun 29, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.