CVE Database

9306+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-36779
9.8 CRITICAL

Sourcecodester Stock Management System v1.0 is vulnerable to SQL Injection via editCategories.php.

Jun 6, 2024
CVE-2024-36394
9.1 CRITICAL

SysAid - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Jun 6, 2024
CVE-2024-36393
9.9 CRITICAL

SysAid - CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Jun 6, 2024
CVE-2024-5153
9.1 CRITICAL

The Startklar Elementor Addons plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.7.15 via the 'dropzone_hash' parameter. This …

Jun 6, 2024
CVE-2024-5171
9.8 CRITICAL

Integer overflow in libaom internal function img_alloc_helper can lead to heap buffer overflow. This function can be reached via 3 callers: * Calling aom_img_alloc() with …

Jun 5, 2024
CVE-2024-4009
9.2 CRITICAL

Replay Attack in ABB, Busch-Jaeger, FTS Display (version 1.00) and BCU (version 1.3.0.33) allows attacker to capture/replay KNX telegram to local KNX Bus-System

Jun 5, 2024
CVE-2024-4008
9.6 CRITICAL

FDSK Leak in ABB, Busch-Jaeger, FTS Display (version 1.00) and BCU (version 1.3.0.33) allows attacker to take control via access to local KNX Bus-System

Jun 5, 2024
CVE-2024-24790
9.8 CRITICAL

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in …

Jun 5, 2024
CVE-2024-4295
9.8 CRITICAL

The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘hash’ parameter in all versions up to, and including, …

Jun 5, 2024
CVE-2024-5262
9.8 CRITICAL

Files or Directories Accessible to External Parties vulnerability in smb server in ProjectDiscovery Interactsh allows remote attackers to read/write any files in the directory and …

Jun 5, 2024
CVE-2024-36675
9.1 CRITICAL

LyLme_spage v1.9.5 is vulnerable to Server-Side Request Forgery (SSRF) via the get_head function.

Jun 4, 2024
CVE-2024-37273
9.8 CRITICAL

An arbitrary file upload vulnerability in the /v1/app/appendFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted file.

Jun 4, 2024
CVE-2024-36858
9.8 CRITICAL

An arbitrary file upload vulnerability in the /v1/app/writeFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted file.

Jun 4, 2024
CVE-2024-36604
9.8 CRITICAL

Tenda O3V2 v1.0.0.12(3880) was discovered to contain a Blind Command Injection via stpEn parameter in the SetStp function. This vulnerability allows attackers to execute arbitrary …

Jun 4, 2024
CVE-2024-36400
9.4 CRITICAL

nano-id is a unique string ID generator for Rust. Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the …

Jun 4, 2024
CVE-2024-35700
9.8 CRITICAL

Incorrect Privilege Assignment vulnerability in DeluxeThemes Userpro userpro.This issue affects Userpro: from n/a through <= 5.1.8.

Jun 4, 2024
CVE-2024-35629
9.6 CRITICAL

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Wow-Company Easy Digital Downloads – Recent Purchases allows PHP …

Jun 4, 2024
CVE-2024-34792
9.1 CRITICAL

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in dexta Dextaz Ping allows Command Injection.This issue affects Dextaz Ping: from n/a …

Jun 4, 2024
CVE-2024-34551
9.0 CRITICAL

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Select-Themes Stockholm allows PHP Local File Inclusion.This issue affects Stockholm: from n/a …

Jun 4, 2024
CVE-2024-33560
9.0 CRITICAL

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in 8theme XStore allows PHP Local File Inclusion.This issue affects XStore: from n/a …

Jun 4, 2024
CVE-2024-25600
10.0 CRITICAL

Improper Control of Generation of Code ('Code Injection') vulnerability in Codeer Limited Bricks Builder allows Code Injection.This issue affects Bricks Builder: from n/a through 1.9.6.

Jun 4, 2024
CVE-2024-4253
9.1 CRITICAL

A command injection vulnerability exists in the gradio-app/gradio repository, specifically within the 'test-functional.yml' workflow. The vulnerability arises due to improper neutralization of special elements used …

Jun 4, 2024
CVE-2024-36104
9.1 CRITICAL

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14. Users are recommended …

Jun 4, 2024
CVE-2023-33930
9.1 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates) allows Code Injection.This issue affects Unlimited …

Jun 4, 2024
CVE-2024-4180
9.1 CRITICAL

The Events Calendar WordPress plugin before 6.4.0.1 does not properly sanitize user-submitted content when rendering some views via AJAX.

Jun 4, 2024
CVE-2024-4552
9.8 CRITICAL

The Social Login Lite For WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.6.0. This is due to …

Jun 4, 2024
CVE-2024-29974
9.8 CRITICAL

** UNSUPPORTED WHEN ASSIGNED ** The remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware …

Jun 4, 2024
CVE-2024-29973
9.8 CRITICAL

** UNSUPPORTED WHEN ASSIGNED ** The command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before …

Jun 4, 2024
CVE-2024-29972
9.8 CRITICAL

** UNSUPPORTED WHEN ASSIGNED ** The command injection vulnerability in the CGI program "remote_help-cgi" in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions …

Jun 4, 2024
CVE-2024-36782
9.8 CRITICAL

TOTOLINK CP300 V2.0.4-B20201102 was discovered to contain a hardcoded password vulnerability in /etc/shadow.sample, which allows attackers to log in as root.

Jun 3, 2024
CVE-2024-36783
9.8 CRITICAL

TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to contain a command injection via the host_time parameter in the NTPSyncWithHost function.

Jun 3, 2024
CVE-2024-34987
9.1 CRITICAL

A SQL Injection vulnerability exists in the `ofrs/admin/index.php` script of PHPGurukul Online Fire Reporting System 1.2. The vulnerability allows attackers to bypass authentication and gain …

Jun 3, 2024
CVE-2024-31682
9.8 CRITICAL

Incorrect access control in the fingerprint authentication mechanism of Phone Cleaner: Boost & Clean v2.2.0 allows attackers to bypass fingerprint authentication due to the use …

Jun 3, 2024
CVE-2023-51219
9.6 CRITICAL

A deep link validation issue in KakaoTalk 10.4.3 allowed a remote adversary to direct users to run any attacker-controlled JavaScript within a WebView. The impact …

Jun 3, 2024
CVE-2024-37019
9.8 CRITICAL

Northern.tech Mender Enterprise before 3.6.4 and 3.7.x before 3.7.4 has Weak Authentication.

Jun 3, 2024
CVE-2024-5197
9.1 CRITICAL

There exists interger overflows in libvpx in versions prior to 1.14.1. Calling vpx_img_alloc() with a large value of the d_w, d_h, or align parameter may …

Jun 3, 2024
CVE-2024-36568
9.8 CRITICAL

Sourcecodester Gas Agency Management System v1.0 is vulnerable to SQL Injection via /gasmark/editbrand.php?id=.

Jun 3, 2024
CVE-2024-3829
9.1 CRITICAL

qdrant/qdrant version 1.9.0-dev is vulnerable to arbitrary file read and write during the snapshot recovery process. Attackers can exploit this vulnerability by manipulating snapshot files …

Jun 3, 2024
CVE-2023-43556
9.3 CRITICAL

Memory corruption in Hypervisor when platform information mentioned is not aligned.

Jun 3, 2024
CVE-2023-43551
9.1 CRITICAL

Cryptographic issue while performing attach with a LTE network, a rogue base station can skip the authentication phase and immediately send the Security Mode Command.

Jun 3, 2024
CVE-2023-43538
9.3 CRITICAL

Memory corruption in TZ Secure OS while Tunnel Invoke Manager initialization.

Jun 3, 2024
CVE-2024-5404
9.8 CRITICAL

An unauthenticated remote attacker can change the admin password in a moneo appliance due to weak password recovery mechanism.

Jun 3, 2024
CVE-2024-5311
9.8 CRITICAL

DigiWin EasyFlow .NET lacks validation for certain input parameters. An unauthenticated remote attacker can inject arbitrary SQL commands to read, modify, and delete database records.

Jun 3, 2024
CVE-2024-36042
9.8 CRITICAL

Silverpeas before 6.3.5 allows authentication bypass by omitting the Password field to AuthenticationServlet, often providing an unauthenticated user with superadmin access.

Jun 3, 2024
CVE-2024-20067
9.8 CRITICAL

In modem, there is a possible out of bounds write due to improper input invalidation. This could lead to remote denial of service with no …

Jun 3, 2024
CVE-2024-36391
9.1 CRITICAL

MileSight DeviceHub - CWE-320: Key Management Errors may allow Authentication Bypass and Man-In-The-Middle Traffic

Jun 2, 2024
CVE-2024-36389
9.8 CRITICAL

MileSight DeviceHub - CWE-330 Use of Insufficiently Random Values may allow Authentication Bypass

Jun 2, 2024
CVE-2024-36388
10.0 CRITICAL

MileSight DeviceHub - CWE-305 Missing Authentication for Critical Function

Jun 2, 2024
CVE-2024-27776
9.8 CRITICAL

MileSight DeviceHub - CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') may allow Unauthenticated RCE

Jun 2, 2024
CVE-2024-3820
10.0 CRITICAL

The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to SQL Injection via the 'id_key' parameter of …

Jun 1, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.