CVE Database

9306+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-32167
9.1 CRITICAL

Sourcecodester Online Medicine Ordering System 1.0 is vulnerable to Arbitrary file deletion vulnerability as the backend settings have the function of deleting pictures to delete …

Jun 10, 2024
CVE-2024-36410
9.6 CRITICAL

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in …

Jun 10, 2024
CVE-2024-36409
9.6 CRITICAL

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in …

Jun 10, 2024
CVE-2024-36408
9.6 CRITICAL

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in …

Jun 10, 2024
CVE-2024-35746
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Asghar Hatampoor BuddyPress Cover allows Code Injection.This issue affects BuddyPress Cover: from n/a through 2.1.4.2.

Jun 10, 2024
CVE-2024-31611
9.1 CRITICAL

SeaCMS 12.9 has a file deletion vulnerability via admin_template.php.

Jun 10, 2024
CVE-2024-37051
9.3 CRITICAL

GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 …

Jun 10, 2024
CVE-2024-35677
9.0 CRITICAL

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in StylemixThemes MegaMenu allows PHP Local File Inclusion.This issue affects MegaMenu: from n/a …

Jun 10, 2024
CVE-2024-34762
9.9 CRITICAL

Vulnerability discovered by executing a planned security audit. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WPENGINE INC Advanced Custom …

Jun 10, 2024
CVE-2024-35307
9.8 CRITICAL

Argument Injection Leading to Remote Code Execution in Realtime Graph Extension, allowing unauthenticated attackers to execute arbitrary code on the server. This issue affects Pandora …

Jun 10, 2024
CVE-2024-35306
9.8 CRITICAL

OS Command injection in Ajax PHP files via HTTP Request, allows to execute system commands by exploiting variables. This issue affects Pandora FMS: from 700 …

Jun 10, 2024
CVE-2024-35305
9.8 CRITICAL

Unauth Time-Based SQL Injection in API allows to exploit HTTP request Authorization header. This issue affects Pandora FMS: from 700 through <777.

Jun 10, 2024
CVE-2024-35304
9.8 CRITICAL

System command injection through Netflow function due to improper input validation, allowing attackers to execute arbitrary system commands. This issue affects Pandora FMS: from 700 …

Jun 10, 2024
CVE-2024-3700
9.8 CRITICAL

Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among …

Jun 10, 2024
CVE-2024-3699
9.8 CRITICAL

Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among …

Jun 10, 2024
CVE-2024-1228
9.8 CRITICAL

Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among …

Jun 10, 2024
CVE-2024-4577
9.8 CRITICAL KEV

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up …

Jun 9, 2024
CVE-2024-33565
9.1 CRITICAL

Missing Authorization vulnerability in UkrSolution Barcode Scanner with Inventory & Order Manager.This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through 1.5.3.

Jun 9, 2024
CVE-2024-31244
9.8 CRITICAL

Missing Authorization vulnerability in Bricksforge.This issue affects Bricksforge: from n/a through 2.0.17.

Jun 9, 2024
CVE-2024-4146
9.8 CRITICAL

In lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have …

Jun 8, 2024
CVE-2024-37407
9.1 CRITICAL

Libarchive before 3.7.4 allows name out-of-bounds access when a ZIP archive has an empty-name file and mac-ext is enabled. This occurs in slurp_central_directory in archive_read_support_format_zip.c.

Jun 8, 2024
CVE-2024-37388
9.1 CRITICAL

An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of lxml before v4.9.1 allows attackers to access sensitive information or cause a Denial of …

Jun 7, 2024
CVE-2024-30163
9.8 CRITICAL

Invision Community before 4.7.16 allow SQL injection via the applications/nexus/modules/front/store/store.php IPS\nexus\modules\front\store\_store::_categoryView() method, where user input passed through the filter request parameter is not properly sanitized …

Jun 7, 2024
CVE-2024-36673
9.8 CRITICAL

Sourcecodester Pharmacy/Medical Store Point of Sale System 1.0 is vulnerable SQL Injection via login.php. This vulnerability stems from inadequate validation of user inputs for the …

Jun 7, 2024
CVE-2024-4620
9.8 CRITICAL

The ARForms - Premium WordPress Form Builder Plugin WordPress plugin before 6.6 allows unauthenticated users to modify uploaded files in such a way that PHP …

Jun 7, 2024
CVE-2024-3592
9.9 CRITICAL

The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'question_id' …

Jun 7, 2024
CVE-2024-37385
9.8 CRITICAL

Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete …

Jun 7, 2024
CVE-2024-24192
9.1 CRITICAL

robdns commit d76d2e6 was discovered to contain a heap overflow via the component block->filename at /src/zonefile-insertion.c.

Jun 6, 2024
CVE-2024-32752
9.1 CRITICAL

The iSTAR door controllers running firmware prior to version 6.6.B, does not support authenticated communications with ICU, which may allow an attacker to gain unauthorized …

Jun 6, 2024
CVE-2024-22074
9.8 CRITICAL

Dynamsoft Service 1.8.1025 through 1.8.2013, 1.7.0330 through 1.7.2531, 1.6.0428 through 1.6.1112, 1.5.0625 through 1.5.3116, 1.4.0618 through 1.4.1230, and 1.0.516 through 1.3.0115 has Incorrect Access Control. …

Jun 6, 2024
CVE-2024-5328
9.3 CRITICAL

A Server-Side Request Forgery (SSRF) vulnerability exists in the lunary-ai/lunary application, specifically within the endpoint '/auth/saml/tto/download-idp-xml'. The vulnerability arises due to the application's failure to …

Jun 6, 2024
CVE-2024-4320
9.8 CRITICAL

A remote code execution (RCE) vulnerability exists in the '/install_extension' endpoint of the parisneo/lollms-webui application, specifically within the `@router.post("/install_extension")` route handler. The vulnerability arises due …

Jun 6, 2024
CVE-2024-3429
9.8 CRITICAL

A path traversal vulnerability exists in the parisneo/lollms application, specifically within the `sanitize_path_from_endpoint` and `sanitize_path` functions in `lollms_core\lollms\security.py`. This vulnerability allows for arbitrary file reading …

Jun 6, 2024
CVE-2024-3408
9.8 CRITICAL

man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded …

Jun 6, 2024
CVE-2024-3322
9.8 CRITICAL

A path traversal vulnerability exists in the 'cyber_security/codeguard' native personality of the parisneo/lollms-webui, affecting versions up to 9.5. The vulnerability arises from the improper limitation …

Jun 6, 2024
CVE-2024-3234
9.8 CRITICAL

The gaizhenbiao/chuanhuchatgpt application is vulnerable to a path traversal attack due to its use of an outdated gradio component. The application is designed to restrict …

Jun 6, 2024
CVE-2024-3166
9.6 CRITICAL

A Cross-Site Scripting (XSS) vulnerability exists in mintplex-labs/anything-llm, affecting both the desktop application version 1.2.0 and the latest version of the web application. The vulnerability …

Jun 6, 2024
CVE-2024-2624
9.8 CRITICAL

A path traversal and arbitrary file upload vulnerability exists in the parisneo/lollms-webui application, specifically within the `@router.get("/switch_personal_path")` endpoint in `./lollms-webui/lollms_core/lollms/server/endpoints/lollms_user.py`. The vulnerability arises due to …

Jun 6, 2024
CVE-2024-2362
9.1 CRITICAL

A path traversal vulnerability exists in the parisneo/lollms-webui version 9.3 on the Windows platform. Due to improper validation of file paths between Windows and Linux …

Jun 6, 2024
CVE-2024-2360
9.8 CRITICAL

parisneo/lollms-webui is vulnerable to path traversal attacks that can lead to remote code execution due to insufficient sanitization of user-supplied input in the 'Database path' …

Jun 6, 2024
CVE-2024-2359
9.8 CRITICAL

A vulnerability in the parisneo/lollms-webui version 9.3 allows attackers to bypass intended access restrictions and execute arbitrary code. The issue arises from the application's handling …

Jun 6, 2024
CVE-2024-1881
9.8 CRITICAL

AutoGPT, a component of significant-gravitas/autogpt, is vulnerable to an improper neutralization of special elements used in an OS command ('OS Command Injection') due to a …

Jun 6, 2024
CVE-2024-1873
9.1 CRITICAL

parisneo/lollms-webui is vulnerable to path traversal and denial of service attacks due to an exposed `/select_database` endpoint in version a9d16b0. The endpoint improperly handles file …

Jun 6, 2024
CVE-2024-5482
9.8 CRITICAL

A Server-Side Request Forgery (SSRF) vulnerability exists in the 'add_webpage' endpoint of the parisneo/lollms-webui application, affecting the latest version. The vulnerability arises because the application …

Jun 6, 2024
CVE-2024-5452
9.8 CRITICAL

A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder …

Jun 6, 2024
CVE-2024-3104
9.8 CRITICAL

A remote code execution vulnerability exists in mintplex-labs/anything-llm due to improper handling of environment variables. Attackers can exploit this vulnerability by injecting arbitrary environment variables …

Jun 6, 2024
CVE-2024-3033
9.4 CRITICAL

An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. This flaw allows unauthenticated users to perform destructive …

Jun 6, 2024
CVE-2024-36736
9.8 CRITICAL

An issue in the oneflow.permute component of OneFlow-Inc. Oneflow v0.9.1 causes an incorrect calculation when the same dimension operation is performed.

Jun 6, 2024
CVE-2024-34832
9.8 CRITICAL

Directory Traversal vulnerability in CubeCart v.6.5.5 and before allows an attacker to execute arbitrary code via a crafted file uploaded to the _g and node …

Jun 6, 2024
CVE-2024-5675
10.0 CRITICAL

Untrusted data deserialization vulnerability has been found in Mentor - Employee Portal, affecting version 3.83.35. This vulnerability could allow an attacker to execute arbitrary code, …

Jun 6, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.