CVE Database

9306+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-36480
9.8 CRITICAL

Use of hard-coded credentials issue exists in Ricoh Streamline NX PC Client ver.3.7.2 and earlier. If this vulnerability is exploited, an attacker may obtain LocalSystem …

Jun 19, 2024
CVE-2024-5853
9.9 CRITICAL

The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the …

Jun 19, 2024
CVE-2024-3229
9.8 CRITICAL

The Salon booking system plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the SLN_Action_Ajax_ImportAssistants function along with …

Jun 19, 2024
CVE-2024-5021
9.3 CRITICAL

The WordPress Picture / Portfolio / Media Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.0.1 …

Jun 19, 2024
CVE-2024-37080
9.8 CRITICAL

vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this …

Jun 18, 2024
CVE-2024-37079
9.8 CRITICAL KEV

vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this …

Jun 18, 2024
CVE-2024-34833
9.8 CRITICAL

Sourcecodester Payroll Management System v1.0 is vulnerable to File Upload. Users can upload images via the "save_settings" page. An unauthenticated attacker can leverage this functionality …

Jun 17, 2024
CVE-2023-37058
9.8 CRITICAL

Insecure Permissions vulnerability in JLINK Unionman Technology Co. Ltd Jlink AX1800 v.1.0 allows a remote attacker to escalate privileges via a crafted command.

Jun 17, 2024
CVE-2023-37057
9.8 CRITICAL

An issue in JLINK Unionman Technology Co. Ltd Jlink AX1800 v.1.0 allows a remote attacker to execute arbitrary code via the router's authentication mechanism.

Jun 17, 2024
CVE-2024-37902
10.0 CRITICAL

DeepJavaLibrary(DJL) is an Engine-Agnostic Deep Learning Framework in Java. DJL versions 0.1.0 through 0.27.0 do not prevent absolute path archived artifacts from inserting archived files …

Jun 17, 2024
CVE-2024-36543
9.8 CRITICAL

Incorrect access control in the Kafka Connect REST API in the STRIMZI Project 0.41.0 and earlier allows an attacker to deny the service for Kafka …

Jun 17, 2024
CVE-2024-36575
9.8 CRITICAL

A Prototype Pollution issue in getsetprop 1.1.0 allows an attacker to execute arbitrary code via global.accessor.

Jun 17, 2024
CVE-2024-36573
9.8 CRITICAL

almela obx before v.0.0.4 has a Prototype Pollution issue which allows arbitrary code execution via the obx/build/index.js:656), reduce (@almela/obx/build/index.js:470), Object.set (obx/build/index.js:269) component.

Jun 17, 2024
CVE-2024-36582
9.8 CRITICAL

alexbinary object-deep-assign 1.0.11 is vulnerable to Prototype Pollution via the extend() method of Module.deepAssign (/src/index.js)

Jun 17, 2024
CVE-2024-36580
9.8 CRITICAL

A Prototype Pollution issue in cdr0 sg 1.0.10 allows an attacker to execute arbitrary code.

Jun 17, 2024
CVE-2024-6057
9.8 CRITICAL

Improper authentication in the vault password feature in Devolutions Remote Desktop Manager 2024.1.31.0 and earlier allows an attacker that has compromised an access to an …

Jun 17, 2024
CVE-2024-6048
9.8 CRITICAL

Openfind's MailGates and MailAudit fail to properly filter user input when analyzing email attachments. An unauthenticated remote attacker can exploit this vulnerability to inject system …

Jun 17, 2024
CVE-2024-6047
9.8 CRITICAL KEV

Certain EOL GeoVision devices fail to properly filter user input for the specific functionality. Unauthenticated remote attackers can exploit this vulnerability to inject and execute …

Jun 17, 2024
CVE-2024-5163
9.8 CRITICAL

Improper permission settings for mobile applications (com.transsion.carlcare) may lead to user password and account security risks.

Jun 17, 2024
CVE-2024-34451
9.1 CRITICAL

Ghost through 5.85.1 allows remote attackers to bypass an authentication rate-limit protection mechanism by using many X-Forwarded-For headers with different values. NOTE: the vendor's position …

Jun 16, 2024
CVE-2024-38396
9.8 CRITICAL

An issue was discovered in iTerm2 3.5.x before 3.5.2. Unfiltered use of an escape sequence to report a window title, in combination with the built-in …

Jun 16, 2024
CVE-2024-38468
9.8 CRITICAL

Shenzhen Guoxin Synthesis image system before 8.3.0 allows unauthorized password resets via the resetPassword API.

Jun 16, 2024
CVE-2024-38466
9.8 CRITICAL

Shenzhen Guoxin Synthesis image system before 8.3.0 has a 123456Qw default password.

Jun 16, 2024
CVE-2024-38462
9.8 CRITICAL

iRODS before 4.3.2 provides an msiSendMail function with a problematic dependency on the mail binary, such as in the mailMS.cpp#L94-L106 reference.

Jun 16, 2024
CVE-2024-38448
9.1 CRITICAL

htags in GNU Global through 6.6.12 allows code execution in situations where dbpath (aka -d) is untrusted, because shell metacharacters may be used.

Jun 16, 2024
CVE-2024-38441
9.8 CRITICAL

Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[len] to '\0' in FPMapName in afp_mapname in etc/afpd/directory.c. 2.4.1 …

Jun 16, 2024
CVE-2024-38439
9.8 CRITICAL

Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[PASSWDLEN] to '\0' in FPLoginExt in login in etc/uams/uams_pam.c. 2.4.1 …

Jun 16, 2024
CVE-2024-38428
9.1 CRITICAL

url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data …

Jun 16, 2024
CVE-2024-38395
9.8 CRITICAL

In iTerm2 before 3.5.2, the "Terminal may report window title" setting is not honored, and thus remote code execution might occur but "is not trivially …

Jun 16, 2024
CVE-2024-4258
9.8 CRITICAL

The Video Gallery – YouTube Playlist, Channel Gallery by YotuWP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and …

Jun 15, 2024
CVE-2024-3105
9.9 CRITICAL

The Woody code snippets – Insert Header Footer Code, AdSense Ads plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, …

Jun 15, 2024
CVE-2024-5871
9.8 CRITICAL

The WooCommerce - Social Login plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.2 via deserialization of …

Jun 15, 2024
CVE-2024-37831
9.8 CRITICAL

Itsourcecode Payroll Management System 1.0 is vulnerable to SQL Injection in payroll_items.php via the ID parameter.

Jun 14, 2024
CVE-2024-37642
9.1 CRITICAL

TRENDnet TEW-814DAP v1_(FW1.01B01) was discovered to contain a command injection vulnerability via the ipv4_ping, ipv6_ping parameter at /formSystemCheck .

Jun 14, 2024
CVE-2024-34539
9.4 CRITICAL

Hardcoded credentials in TerraMaster TOS firmware through 5.1 allow a remote attacker to successfully login to the mail or webmail server. These credentials can also …

Jun 14, 2024
CVE-2024-33375
9.8 CRITICAL

LB-LINK BL-W1210M v2.0 was discovered to store user credentials in plaintext within the router's firmware.

Jun 14, 2024
CVE-2024-33374
9.8 CRITICAL

Incorrect access control in the UART/Serial interface on the LB-LINK BL-W1210M v2.0 router allows attackers to access the root terminal without authentication.

Jun 14, 2024
CVE-2024-5671
9.8 CRITICAL

Insecure Deserialization in some workflows of the IPS Manager allows unauthenticated remote attackers to perform arbitrary code execution and access to the vulnerable Trellix IPS …

Jun 14, 2024
CVE-2024-37637
9.8 CRITICAL

TOTOLINK A3700R V9.1.2u.6165_20211012 was discovered to contain a stack overflow via ssid5g in the function setWizardCfg.

Jun 14, 2024
CVE-2024-3912
9.8 CRITICAL

Certain models of ASUS routers have an arbitrary firmware upload vulnerability. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary system commands on …

Jun 14, 2024
CVE-2024-2472
9.1 CRITICAL

The LatePoint Plugin plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the …

Jun 14, 2024
CVE-2024-5577
9.8 CRITICAL

The Where I Was, Where I Will Be plugin for WordPress is vulnerable to Remote File Inclusion in version <= 1.1.1 via the WIW_HEADER parameter …

Jun 14, 2024
CVE-2024-4936
9.8 CRITICAL

The Canto plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 3.0.8 via the abspath parameter. This makes …

Jun 14, 2024
CVE-2024-27174
9.8 CRITICAL

Remote Command program allows an attacker to get Remote Code Execution. This vulnerability can be executed in combination with other vulnerabilities and difficult to execute …

Jun 14, 2024
CVE-2024-27173
9.8 CRITICAL

Remote Command program allows an attacker to get Remote Code Execution by overwriting existing Python files containing executable code. This vulnerability can be executed in …

Jun 14, 2024
CVE-2024-27172
9.8 CRITICAL

Remote Command program allows an attacker to get Remote Code Execution. As for the affected products/models/versions, see the reference URL.

Jun 14, 2024
CVE-2024-3080
9.8 CRITICAL

Certain ASUS router models have authentication bypass vulnerability, allowing unauthenticated remote attackers to log in the device.

Jun 14, 2024
CVE-2024-27145
9.8 CRITICAL

The Toshiba printers provide several ways to upload files using the admin web interface. An attacker can remotely compromise any Toshiba printer. An attacker can …

Jun 14, 2024
CVE-2024-27144
9.8 CRITICAL

The Toshiba printers provide several ways to upload files using the web interface without authentication. An attacker can overwrite any insecure files. And the Toshiba …

Jun 14, 2024
CVE-2024-27143
9.8 CRITICAL

Toshiba printers use SNMP for configuration. Using the private community, it is possible to remotely execute commands as root on the remote printer. Using this …

Jun 14, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.