CVE Database

9306+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-4196
10.0 CRITICAL

An improper input validation vulnerability was discovered in Avaya IP Office that could allow remote command or code execution via a specially crafted web request …

Jun 25, 2024
CVE-2023-6198
9.3 CRITICAL

Use of Hard-coded Credentials vulnerability in Baicells Snap Router BaiCE_BMI on EP3011 (User Passwords modules) allows unauthorized access to the device.

Jun 25, 2024
CVE-2024-36681
9.8 CRITICAL

SQL Injection vulnerability in the module "Isotope" (pk_isotope) <=1.7.3 from Promokit.eu for PrestaShop allows attackers to obtain sensitive information and cause other impacts via `pk_isotope::saveData` …

Jun 24, 2024
CVE-2024-34988
9.8 CRITICAL

SQL injection vulnerability in the module "Complete for Create a Quote in Frontend + Backend Pro" (askforaquotemodul) <= 1.0.51 from Buy Addons for PrestaShop allows …

Jun 24, 2024
CVE-2023-50029
10.0 CRITICAL

PHP Injection vulnerability in the module "M4 PDF Extensions" (m4pdf) up to version 3.3.2 from PrestaAddons for PrestaShop allows attackers to run arbitrary code via …

Jun 24, 2024
CVE-2024-33898
9.8 CRITICAL

Axiros AXESS Auto Configuration Server (ACS) 4.x and 5.0.0 is affected by an Incorrect Access Control vulnerability. An authorization bypass allows remote attackers to achieve …

Jun 24, 2024
CVE-2024-38902
9.8 CRITICAL

H3C Magic R230 V100R002 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root.

Jun 24, 2024
CVE-2024-37759
9.8 CRITICAL

DataGear v5.0.0 and earlier was discovered to contain a SpEL (Spring Expression Language) expression injection vulnerability via the Data Viewing interface.

Jun 24, 2024
CVE-2024-34313
9.8 CRITICAL

An issue in VPL Jail System up to v4.0.2 allows attackers to execute a directory traversal via a crafted request to a public endpoint.

Jun 24, 2024
CVE-2024-38373
9.6 CRITICAL

FreeRTOS-Plus-TCP is a lightweight TCP/IP stack for FreeRTOS. FreeRTOS-Plus-TCP versions 4.0.0 through 4.1.0 contain a buffer over-read issue in the DNS Response Parser when parsing …

Jun 24, 2024
CVE-2024-38369
9.9 CRITICAL

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The content of a document included using `{{include …

Jun 24, 2024
CVE-2024-33879
9.8 CRITICAL

An issue was discovered in VirtoSoftware Virto Bulk File Download 5.5.44 for SharePoint 2019. The Virto.SharePoint.FileDownloader/Api/Download.ashx isCompleted method allows arbitrary file download and deletion via …

Jun 24, 2024
CVE-2024-33278
9.8 CRITICAL

Buffer Overflow vulnerability in ASUS router RT-AX88U with firmware versions v3.0.0.4.388_24198 allows a remote attacker to execute arbitrary code via the connection_state_machine due to improper …

Jun 24, 2024
CVE-2024-37228
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through <= 0.1.0.38.

Jun 24, 2024
CVE-2024-37109
9.9 CRITICAL

Improper Control of Generation of Code ('Code Injection') vulnerability in Membership Software WishList Member X allows Code Injection.This issue affects WishList Member X: from n/a …

Jun 24, 2024
CVE-2024-37091
9.9 CRITICAL

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in StylemixThemes Consulting Elementor Widgets, StylemixThemes Masterstudy Elementor Widgets allows OS Command Injection.This …

Jun 24, 2024
CVE-2024-37089
9.0 CRITICAL

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in StylemixThemes Consulting Elementor Widgets allows PHP Local File Inclusion.This issue affects Consulting …

Jun 24, 2024
CVE-2024-29868
9.1 CRITICAL

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. This allows an attacker to guess the …

Jun 24, 2024
CVE-2024-5683
9.8 CRITICAL

Improper Control of Generation of Code ('Code Injection') vulnerability in Next4Biz CRM & BPM Software Business Process Manangement (BPM) allows Remote Code Inclusion.This issue affects …

Jun 24, 2024
CVE-2024-36497
9.1 CRITICAL

The decrypted configuration file contains the password in cleartext which is used to configure WINSelect. It can be used to remove the existing restrictions and …

Jun 24, 2024
CVE-2024-39331
9.8 CRITICAL

In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org …

Jun 23, 2024
CVE-2024-5443
9.8 CRITICAL

CVE-2024-4320 describes a vulnerability in the parisneo/lollms software, specifically within the `ExtensionBuilder().build_extension()` function. The vulnerability arises from the `/mount_extension` endpoint, where a path traversal issue …

Jun 22, 2024
CVE-2024-36532
10.0 CRITICAL

Insecure permissions in kruise v1.6.2 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.

Jun 21, 2024
CVE-2024-34989
9.8 CRITICAL

In the module RSI PDF/HTML catalog evolution (prestapdf) <= 7.0.0 from RSI for PrestaShop, a guest can perform SQL injection via `PrestaPDFProductListModuleFrontController::queryDb().'

Jun 21, 2024
CVE-2014-5470
9.8 CRITICAL

Actual Analyzer through 2014-08-29 allows code execution via shell metacharacters because untrusted input is used for part of the input data passed to an eval …

Jun 21, 2024
CVE-2012-6664
9.1 CRITICAL

Multiple directory traversal vulnerabilities in the TFTP Server in Distinct Intranet Servers 3.10 and earlier allow remote attackers to read or write arbitrary files via …

Jun 21, 2024
CVE-2020-27352
9.3 CRITICAL

When generating the systemd service units for the docker snap (and other similar snaps), snapd does not specify Delegate=yes - as a result systemd will …

Jun 21, 2024
CVE-2024-35767
9.1 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Bogdan Bendziukov Squeeze allows Code Injection.This issue affects Squeeze: from n/a through 1.4.

Jun 21, 2024
CVE-2023-38389
9.8 CRITICAL

Incorrect Authorization vulnerability in Artbees JupiterX Core allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects JupiterX Core: from n/a through 3.3.8.

Jun 21, 2024
CVE-2023-45197
9.8 CRITICAL

The file upload plugin in Adminer and AdminerEvo allows an attacker to upload a file with a table name of “..” to the root of …

Jun 21, 2024
CVE-2024-38623
9.8 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Use variable length array instead of fixed size Should fix smatch warning: ntfs_set_label() error: …

Jun 21, 2024
CVE-2024-6027
9.8 CRITICAL

The Themify – WooCommerce Product Filter plugin for WordPress is vulnerable to time-based SQL Injection via the ‘conditions’ parameter in all versions up to, and …

Jun 21, 2024
CVE-2024-5756
9.8 CRITICAL

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via …

Jun 21, 2024
CVE-2024-37899
9.0 CRITICAL

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the …

Jun 20, 2024
CVE-2024-37699
9.8 CRITICAL

An issue in DataLife Engine v.17.1 and before is vulnerable to SQL Injection in dboption.

Jun 20, 2024
CVE-2022-48716
9.8 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd938x: fix incorrect used of portid Mixer controls have the channel id in …

Jun 20, 2024
CVE-2024-4098
9.8 CRITICAL

The Shariff Wrapper plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.6.13 via the shariff3uu_fetch_sharecounts function. This allows …

Jun 20, 2024
CVE-2024-5432
9.8 CRITICAL

The Lifeline Donation plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2.6. This is due to insufficient verification on …

Jun 20, 2024
CVE-2024-3605
10.0 CRITICAL

The WP Hotel Booking plugin for WordPress is vulnerable to SQL Injection via the 'room_type' parameter of the /wphb/v1/rooms/search-rooms REST API endpoint in all versions …

Jun 20, 2024
CVE-2024-5182
9.1 CRITICAL

A path traversal vulnerability exists in mudler/localai version 2.14.0, where an attacker can exploit the `model` parameter during the model deletion process to delete arbitrary …

Jun 20, 2024
CVE-2024-36684
9.8 CRITICAL

In the module "Custom links" (pk_customlinks) <= 2.3 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The script ajax.php have a sensitive SQL …

Jun 19, 2024
CVE-2024-36679
10.0 CRITICAL

In the module "Module Live Chat Pro (All in One Messaging)" (livechatpro) <=8.4.0, a guest can perform PHP Code injection. Due to a predictable token, …

Jun 19, 2024
CVE-2024-36678
9.8 CRITICAL

In the module "Theme settings" (pk_themesettings) <= 1.8.8 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The script ajax.php have a sensitive SQL …

Jun 19, 2024
CVE-2024-34994
9.8 CRITICAL

In the module "Channable" (channable) up to version 3.2.1 from Channable for PrestaShop, a guest can perform SQL injection via `ChannableFeedModuleFrontController::postProcess()`.

Jun 19, 2024
CVE-2024-34990
10.0 CRITICAL

In the module "Help Desk - Customer Support Management System" (helpdesk) up to version 2.4.0 from FME Modules for PrestaShop, a customer can upload .php …

Jun 19, 2024
CVE-2024-33836
9.8 CRITICAL

In the module "JA Marketplace" (jamarketplace) up to version 9.0.1 from JA Module for PrestaShop, a guest can upload files with extensions .php. In version …

Jun 19, 2024
CVE-2023-39312
9.1 CRITICAL

Missing Authorization vulnerability in ThemeFusion Avada.This issue affects Avada: from n/a through 7.11.1.

Jun 19, 2024
CVE-2024-38612
9.8 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix invalid unregister error path The error path of seg6_init() is wrong in …

Jun 19, 2024
CVE-2024-38541
9.8 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: of: module: add buffer overflow check in of_modalias() In of_modalias(), if the buffer happens to …

Jun 19, 2024
CVE-2024-37124
9.8 CRITICAL

Use of potentially dangerous function issue exists in Ricoh Streamline NX PC Client. If this vulnerability is exploited, an attacker may create an arbitrary file …

Jun 19, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.