CVE Database

9306+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-37371
9.1 CRITICAL

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with …

Jun 28, 2024
CVE-2024-5827
9.8 CRITICAL

Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and …

Jun 28, 2024
CVE-2024-29039
9.0 CRITICAL

tpm2 is the source repository for the Trusted Platform Module (TPM2.0) tools. This vulnerability allows attackers to manipulate tpm2_checkquote outputs by altering the TPML_PCR_SELECTION in …

Jun 28, 2024
CVE-2024-3816
9.8 CRITICAL

Sites managed in S@M CMS (Concept Intermedia) might be vulnerable to a blind SQL Injection executed using the search bar. Only a part of observed …

Jun 28, 2024
CVE-2024-39704
9.8 CRITICAL

Soft Circle French-Bread Melty Blood: Actress Again: Current Code through 1.07 Rev. 1.4.0 allows a remote attacker to execute arbitrary code on a client's machine …

Jun 28, 2024
CVE-2024-39349
9.8 CRITICAL

A vulnerability regarding buffer copy without checking size of input ('Classic Buffer Overflow') is found in the libjansson component and it does not affect the …

Jun 28, 2024
CVE-2024-6071
10.0 CRITICAL

PTC Creo Elements/Direct License Server exposes a web interface which can be used by unauthenticated remote attackers to execute arbitrary OS commands on the server.

Jun 27, 2024
CVE-2024-39705
9.8 CRITICAL

NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, …

Jun 27, 2024
CVE-2024-36059
9.4 CRITICAL

Directory Traversal vulnerability in Kalkitech ASE ASE61850 IEDSmart upto and including version 2.3.5 allows attackers to read/write arbitrary files via the IEC61850 File Transfer protocol.

Jun 27, 2024
CVE-2024-36072
9.8 CRITICAL

Netwrix CoSoSys Endpoint Protector through 5.9.3 and CoSoSys Unify through 7.0.6 contain a remote code execution vulnerability in the logging component of the Endpoint Protector …

Jun 27, 2024
CVE-2024-2973
10.0 CRITICAL

An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or conductor running with a redundant peer allows a …

Jun 27, 2024
CVE-2024-6127
9.8 CRITICAL

BC Security Empire before 5.9.3 is vulnerable to a path traversal issue that can lead to remote code execution. A remote, unauthenticated attacker can exploit …

Jun 27, 2024
CVE-2024-39208
9.8 CRITICAL

luci-app-lucky v2.8.3 was discovered to contain hardcoded credentials.

Jun 27, 2024
CVE-2024-5980
9.8 CRITICAL

A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path traversal when extracting tar.gz files. When the LightningApp is running …

Jun 27, 2024
CVE-2024-5826
9.8 CRITICAL

In the latest version of vanna-ai/vanna, the `vanna.ask` function is vulnerable to remote code execution due to prompt injection. The root cause is the lack …

Jun 27, 2024
CVE-2024-5822
9.8 CRITICAL

A Server-Side Request Forgery (SSRF) vulnerability exists in the upload processing interface of gaizhenbiao/ChuanhuChatGPT versions <= ChuanhuChatGPT-20240410-git.zip. This vulnerability allows attackers to send crafted requests …

Jun 27, 2024
CVE-2024-5751
9.8 CRITICAL

BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. The vulnerability exists in the `add_deployment` function, which decodes and decrypts …

Jun 27, 2024
CVE-2024-3330
9.9 CRITICAL

Vulnerability in Spotfire Spotfire Analyst, Spotfire Spotfire Server, Spotfire Spotfire for AWS Marketplace allows In the case of the installed Windows client: Successful execution of …

Jun 27, 2024
CVE-2024-39669
9.8 CRITICAL

In the Console in Soffid IAM before 3.5.39, necessary checks were not applied to some Java objects. A malicious agent could possibly execute arbitrary code …

Jun 27, 2024
CVE-2024-39376
9.8 CRITICAL

TELSAT marKoni FM Transmitters are vulnerable to users gaining unauthorized access to sensitive information or performing actions beyond their designated permissions.

Jun 27, 2024
CVE-2024-39375
9.8 CRITICAL

TELSAT marKoni FM Transmitters are vulnerable to an attacker bypassing authentication and gaining administrator privileges.

Jun 27, 2024
CVE-2024-39374
9.8 CRITICAL

TELSAT marKoni FM Transmitters are vulnerable to an attacker exploiting a hidden admin account that can be accessed through the use of hard-coded credentials.

Jun 27, 2024
CVE-2024-1107
9.8 CRITICAL

Authorization Bypass Through User-Controlled Key vulnerability in Talya Informatics Travel APPS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel APPS: before v17.0.68.

Jun 27, 2024
CVE-2024-5535
9.1 CRITICAL

Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent …

Jun 27, 2024
CVE-2024-0949
9.8 CRITICAL

Missing Authentication, Files or Directories Accessible to External Parties, Use of Hard-coded Credentials vulnerability in Talya Informatics Elektraweb allows Authentication Bypass.This issue affects Elektraweb: before …

Jun 27, 2024
CVE-2024-0947
9.8 CRITICAL

Reliance on Cookies without Validation and Integrity Checking vulnerability in Talya Informatics Elektraweb allows Session Credential Falsification through Manipulation, Accessing/Intercepting/Modifying HTTP Cookies, Manipulating Opaque Client-based …

Jun 27, 2024
CVE-2024-5655
9.6 CRITICAL

An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from …

Jun 27, 2024
CVE-2024-37734
9.8 CRITICAL

An issue in OpenEMR 7.0.2 allows a remote attacker to escalate privileges viaa crafted POST request using the noteid parameter.

Jun 26, 2024
CVE-2024-1839
10.0 CRITICAL

Intrado 911 Emergency Gateway login form is vulnerable to an unauthenticated blind time-based SQL injection, which may allow an unauthenticated remote attacker to execute malicious …

Jun 26, 2024
CVE-2024-39243
9.8 CRITICAL

An issue discovered in skycaiji 2.8 allows attackers to run arbitrary code via crafted POST request to /index.php?s=/admin/develop/editor_save.

Jun 26, 2024
CVE-2024-4228
9.8 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 200 - Exposure of Sensitive Information to an Unauthorized Actor, CWE …

Jun 26, 2024
CVE-2024-37252
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Icegram Email Subscribers & Newsletters allows SQL Injection.This issue affects Email …

Jun 26, 2024
CVE-2024-5181
9.8 CRITICAL

A command injection vulnerability exists in the mudler/localai version 2.14.0. The vulnerability arises from the application's handling of the backend parameter in the configuration file, …

Jun 26, 2024
CVE-2024-35527
9.8 CRITICAL

An arbitrary file upload vulnerability in /fileupload/upload.cfm in Daemon PTY Limited FarCry Core framework before 7.2.14 allows attackers to execute arbitrary code via uploading a …

Jun 25, 2024
CVE-2024-37843
9.8 CRITICAL

Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint.

Jun 25, 2024
CVE-2024-21741
9.8 CRITICAL

GigaDevice GD32E103C8T6 devices have Incorrect Access Control.

Jun 25, 2024
CVE-2024-5276
9.8 CRITICAL

A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data. Likely impacts include creation of administrative users and deletion or …

Jun 25, 2024
CVE-2024-4885
9.8 CRITICAL KEV

In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability in Progress WhatsUpGold. The WhatsUp.ExportUtilities.Export.GetFileWithoutZip allows execution of commands with iisapppool\nmconsole privileges.

Jun 25, 2024
CVE-2024-4884
9.8 CRITICAL

In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability in Progress WhatsUpGold. The Apm.UI.Areas.APM.Controllers.CommunityController allows execution of commands with iisapppool\nmconsole privileges.

Jun 25, 2024
CVE-2024-4883
9.8 CRITICAL

In WhatsUp Gold versions released before 2023.1.3, a Remote Code Execution issue exists in Progress WhatsUp Gold. This vulnerability allows an unauthenticated attacker to achieve …

Jun 25, 2024
CVE-2024-5989
9.8 CRITICAL

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke SQL injection into the program and cause a …

Jun 25, 2024
CVE-2024-5988
9.8 CRITICAL

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke a local or remote executable and cause a …

Jun 25, 2024
CVE-2024-5806
9.1 CRITICAL

Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before …

Jun 25, 2024
CVE-2024-5805
9.1 CRITICAL

Improper Authentication vulnerability in Progress MOVEit Gateway (SFTP modules) allows Authentication Bypass.This issue affects MOVEit Gateway: 2024.0.0.

Jun 25, 2024
CVE-2024-39462
9.8 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: clk: bcm: dvp: Assign ->num before accessing ->hws Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with …

Jun 25, 2024
CVE-2024-6303
9.9 CRITICAL

Missing authorization in Client-Server API in Conduit <=0.7.0, allowing for any alias to be removed and added to another room, which can be used for …

Jun 25, 2024
CVE-2024-5261
9.8 CRITICAL

Improper Certificate Validation vulnerability in LibreOffice "LibreOfficeKit" mode disables TLS certification verification LibreOfficeKit can be used for accessing LibreOffice functionality through C/C++. Typically this is …

Jun 25, 2024
CVE-2024-6028
9.8 CRITICAL

The Quiz Maker plugin for WordPress is vulnerable to time-based SQL Injection via the 'ays_questions' parameter in all versions up to, and including, 6.5.8.3 due …

Jun 25, 2024
CVE-2024-6297
10.0 CRITICAL

Several plugins for WordPress hosted on WordPress.org have been compromised and injected with malicious PHP scripts. A malicious threat actor compromised the source code of …

Jun 25, 2024
CVE-2024-4197
9.9 CRITICAL

An unrestricted file upload vulnerability in Avaya IP Office was discovered that could allow remote command or code execution via the One-X component. Affected versions …

Jun 25, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.