CVE Database

9306+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-35374
9.8 CRITICAL

Mocodo Mocodo Online 4.2.6 and below does not properly sanitize the sql_case input field in /web/generate.php, allowing remote attackers to execute arbitrary commands and potentially …

May 24, 2024
CVE-2024-35373
9.8 CRITICAL

Mocodo Mocodo Online 4.2.6 and below is vulnerable to Remote Code Execution via /web/rewrite.php.

May 24, 2024
CVE-2024-35387
9.8 CRITICAL

TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to contain a stack overflow via the http_host parameter in the function loginAuth.

May 24, 2024
CVE-2024-35396
9.8 CRITICAL

TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to contain a hardcoded password for telnet in /web_cste/cgi-bin/product.ini, which allows attackers to log in as root.

May 24, 2024
CVE-2024-35339
9.8 CRITICAL

Tenda FH1206 V1.2.0.8(8155) was discovered to contain a command injection vulnerability via the mac parameter at ip/goform/WriteFacMac.

May 24, 2024
CVE-2024-31510
9.8 CRITICAL

An issue in Open Quantum Safe liboqs v.10.0 allows a remote attacker to escalate privileges via the crypto_sign_signature parameter in the /pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/sign.c component.

May 24, 2024
CVE-2021-47548
9.8 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port() The if statement: if …

May 24, 2024
CVE-2024-35592
9.6 CRITICAL

An arbitrary file upload vulnerability in the Upload function of Box-IM v2.0 allows attackers to execute arbitrary code via uploading a crafted PDF file.

May 24, 2024
CVE-2024-5315
9.1 CRITICAL

Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially …

May 24, 2024
CVE-2024-5314
9.1 CRITICAL

Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially …

May 24, 2024
CVE-2024-4544
9.8 CRITICAL

The Pie Register - Social Sites Login (Add on) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.7. This …

May 24, 2024
CVE-2024-5296
9.8 CRITICAL

D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of D-Link D-View. Authentication …

May 23, 2024
CVE-2024-35570
9.8 CRITICAL

An arbitrary file upload vulnerability in the component \controller\ImageUploadController.class of inxedu v2.0.6 allows attackers to execute arbitrary code via uploading a crafted jsp file.

May 23, 2024
CVE-2024-35375
9.8 CRITICAL

There is an arbitrary file upload vulnerability on the media add .php page in the backend of the website in version 5.7.114 of DedeCMS

May 23, 2024
CVE-2024-35080
9.8 CRITICAL

An arbitrary file upload vulnerability in the gok4 method of inxedu v2024.4 allows attackers to execute arbitrary code via uploading a crafted .jsp file.

May 23, 2024
CVE-2024-35079
9.8 CRITICAL

An arbitrary file upload vulnerability in the uploadAudio method of inxedu v2024.4 allows attackers to execute arbitrary code via uploading a crafted .jsp file.

May 23, 2024
CVE-2024-35091
9.8 CRITICAL

J2EEFAST v2.7.0 was discovered to contain a SQL injection vulnerability via the findPage function in SysTenantMapper.xml.

May 23, 2024
CVE-2024-35086
9.8 CRITICAL

J2EEFAST v2.7.0 was discovered to contain a SQL injection vulnerability via the findPage function in BpmTaskFromMapper.xml .

May 23, 2024
CVE-2024-35084
9.8 CRITICAL

J2EEFAST v2.7.0 was discovered to contain a SQL injection vulnerability via the findPage function in SysMsgPushMapper.xml.

May 23, 2024
CVE-2024-34935
9.8 CRITICAL

A SQL injection vulnerability in /view/conversation_history_admin.php in Campcodes Complete Web-Based School Management System 1.0 allows an attacker to execute arbitrary SQL commands via the conversation_id …

May 23, 2024
CVE-2024-34934
9.8 CRITICAL

A SQL injection vulnerability in /view/emarks_range_grade_update_form.php in Campcodes Complete Web-Based School Management System 1.0 allows an attacker to execute arbitrary SQL commands via the conversation_id …

May 23, 2024
CVE-2024-34932
9.8 CRITICAL

A SQL injection vulnerability in /model/update_exam.php in Campcodes Complete Web-Based School Management System 1.0 allows an attacker to execute arbitrary SQL commands via the name …

May 23, 2024
CVE-2024-34931
9.8 CRITICAL

A SQL injection vulnerability in /model/update_subject.php in Campcodes Complete Web-Based School Management System 1.0 allows an attacker to execute arbitrary SQL commands via the name …

May 23, 2024
CVE-2024-34929
9.8 CRITICAL

A SQL injection vulnerability in /view/find_friends.php in Campcodes Complete Web-Based School Management System 1.0 allows an attacker to execute arbitrary SQL commands via the my_index …

May 23, 2024
CVE-2024-34927
9.8 CRITICAL

A SQL injection vulnerability in /model/update_classroom.php in Campcodes Complete Web-Based School Management System 1.0 allows an attacker to execute arbitrary SQL commands via the name …

May 23, 2024
CVE-2024-5084
9.8 CRITICAL

The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in …

May 23, 2024
CVE-2024-5168
9.8 CRITICAL

Improper access control vulnerability in Prodys' Quantum Audio codec affecting versions 2.3.4t and below. This vulnerability could allow an unauthenticated user to bypass authentication entirely …

May 23, 2024
CVE-2024-4399
9.1 CRITICAL

The does not validate a parameter before making a request to it, which could allow unauthenticated users to perform SSRF attack

May 23, 2024
CVE-2024-29849
9.8 CRITICAL

Veeam Backup Enterprise Manager allows unauthenticated users to log in as any user to enterprise manager web interface.

May 22, 2024
CVE-2024-4267
9.8 CRITICAL

A remote code execution (RCE) vulnerability exists in the parisneo/lollms-webui, specifically within the 'open_file' module, version 9.5. The vulnerability arises due to improper neutralization of …

May 22, 2024
CVE-2023-51637
9.8 CRITICAL

Sante PACS Server PG Patient Query SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of …

May 22, 2024
CVE-2024-25738
9.1 CRITICAL

A Server-Side Request Forgery (SSRF) vulnerability in the /Upgrade/FixConfig route in Open Library Foundation VuFind 2.0 through 9.1 before 9.1.1 allows a remote attacker to …

May 22, 2024
CVE-2024-33226
9.9 CRITICAL

An issue in the component Access64.sys of Wistron Corporation TBT Force Power Control v1.0.0.0 allows attackers to escalate privileges and execute arbitrary code via sending …

May 22, 2024
CVE-2024-35409
9.8 CRITICAL

WeBid 1.1.2 is vulnerable to SQL Injection via admin/tax.php.

May 22, 2024
CVE-2024-3495
9.8 CRITICAL

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' parameters in versions up to, and …

May 22, 2024
CVE-2024-5147
9.8 CRITICAL

The WPZOOM Addons for Elementor (Templates, Widgets) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.37 via …

May 22, 2024
CVE-2024-4443
9.8 CRITICAL

The Business Directory Plugin – Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘listingfields’ parameter in all …

May 22, 2024
CVE-2024-31989
9.0 CRITICAL

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the …

May 21, 2024
CVE-2024-35056
9.8 CRITICAL

NASA AIT-Core v2.5.2 was discovered to contain multiple SQL injection vulnerabilities via the query_packets and insert functions.

May 21, 2024
CVE-2023-52832
9.1 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: don't return unset power in ieee80211_get_tx_power() We can get a UBSAN warning if …

May 21, 2024
CVE-2023-52801
9.1 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: iommufd: Fix missing update of domains_itree after splitting iopt_area In iopt_area_split(), if the original iopt_area …

May 21, 2024
CVE-2023-52735
9.1 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself sock_map proto callbacks should never call themselves by …

May 21, 2024
CVE-2021-47378
9.8 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: nvme-rdma: destroy cm id before destroy qp to avoid use after free We should always …

May 21, 2024
CVE-2021-47354
9.1 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: drm/sched: Avoid data corruptions Wait for all dependencies of a job to complete before killing …

May 21, 2024
CVE-2021-47348
9.1 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid HDCP over-read and corruption Instead of reading the desired 5 bytes of the …

May 21, 2024
CVE-2021-47274
9.8 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: tracing: Correct the length check which causes memory corruption We've suffered from severe kernel crashes …

May 21, 2024
CVE-2023-3943
10.0 CRITICAL

Stack-based Buffer Overflow vulnerability in ZkTeco-based OEM devices allows, in some cases, the execution of arbitrary code. Due to the lack of protection mechanisms such …

May 21, 2024
CVE-2024-35361
9.8 CRITICAL

MTab Bookmark v1.9.5 has an SQL injection vulnerability in /LinkStore/getIcon. An attacker can execute arbitrary SQL statements through this vulnerability without requiring any user rights.

May 21, 2024
CVE-2023-3941
10.0 CRITICAL

Relative Path Traversal vulnerability in ZkTeco-based OEM devices allows an attacker to write any file on the system with root privileges. This issue affects ZkTeco-based …

May 21, 2024
CVE-2023-3939
10.0 CRITICAL

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in ZkTeco-based OEM devices allows OS Command Injection. Since all the …

May 21, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.