CVE Database

9306+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-4826
9.8 CRITICAL

SQL injection vulnerability in Simple PHP Shopping Cart affecting version 0.9. This vulnerability could allow an attacker to retrieve all the information stored in the …

May 16, 2024
CVE-2024-4326
9.8 CRITICAL

A vulnerability in parisneo/lollms-webui versions up to 9.3 allows remote attackers to execute arbitrary code. The vulnerability stems from insufficient protection of the `/apply_settings` and …

May 16, 2024
CVE-2024-4223
9.8 CRITICAL

The Tutor LMS plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check …

May 16, 2024
CVE-2024-4078
9.8 CRITICAL

A vulnerability in the parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows for arbitrary code execution due to insufficient sanitization of user input. The issue arises …

May 16, 2024
CVE-2024-2366
9.0 CRITICAL

A remote code execution vulnerability exists in the parisneo/lollms-webui application, specifically within the reinstall_binding functionality in lollms_core/lollms/server/endpoints/lollms_binding_infos.py of the latest version. The vulnerability arises due …

May 16, 2024
CVE-2024-2361
9.6 CRITICAL

A vulnerability in the parisneo/lollms-webui allows for arbitrary file upload and read due to insufficient sanitization of user-supplied input. Specifically, the issue resides in the …

May 16, 2024
CVE-2024-2358
9.8 CRITICAL

A path traversal vulnerability in the '/apply_settings' endpoint of parisneo/lollms-webui allows attackers to execute arbitrary code. The vulnerability arises due to insufficient sanitization of user-supplied …

May 16, 2024
CVE-2024-4947
9.6 CRITICAL KEV

Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML …

May 15, 2024
CVE-2024-34025
9.8 CRITICAL

CyberPower PowerPanel business application code contains a hard-coded set of authentication credentials. This could result in an attacker bypassing authentication and gaining administrator privileges.

May 15, 2024
CVE-2024-33625
9.8 CRITICAL

CyberPower PowerPanel business application code contains a hard-coded JWT signing key. This could result in an attacker forging JWT tokens to bypass authentication.

May 15, 2024
CVE-2024-32053
9.8 CRITICAL

Hard-coded credentials are used by the CyberPower PowerPanel platform to authenticate to the database, other services, and the cloud. This could result in an attacker …

May 15, 2024
CVE-2024-32047
9.8 CRITICAL

Hard-coded credentials for the CyberPower PowerPanel test server can be found in the production code. This might result in an attacker gaining access to the …

May 15, 2024
CVE-2024-3319
9.1 CRITICAL

An issue was identified in the Identity Security Cloud (ISC) Transform preview and IdentityProfile preview API endpoints that allowed an authenticated administrator to execute user-defined …

May 15, 2024
CVE-2024-34955
9.8 CRITICAL

Code-projects Budget Management 1.0 is vulnerable to SQL Injection via the delete parameter.

May 15, 2024
CVE-2024-4893
9.8 CRITICAL

DigiWin EasyFlow .NET lacks validation for certain input parameters, allowing remote attackers to inject arbitrary SQL commands. This vulnerability enables unauthorized access to read, modify, …

May 15, 2024
CVE-2024-32888
10.0 CRITICAL

The Amazon JDBC Driver for Redshift is a Type 4 JDBC driver that provides database connectivity through the standard JDBC application program interfaces (APIs) available …

May 15, 2024
CVE-2024-31473
9.8 CRITICAL

There is a command injection vulnerability in the underlying deauthentication service that could lead to unauthenticated remote code execution by sending specially crafted packets destined …

May 14, 2024
CVE-2024-31472
9.8 CRITICAL

There are command injection vulnerabilities in the underlying Soft AP Daemon service that could lead to unauthenticated remote code execution by sending specially crafted packets …

May 14, 2024
CVE-2024-31471
9.8 CRITICAL

There is a command injection vulnerability in the underlying Central Communications service that could lead to unauthenticated remote code execution by sending specially crafted packets …

May 14, 2024
CVE-2024-31470
9.8 CRITICAL

There is a buffer overflow vulnerability in the underlying SAE (Simultaneous Authentication of Equals) service that could lead to unauthenticated remote code execution by sending …

May 14, 2024
CVE-2024-31469
9.8 CRITICAL

There are buffer overflow vulnerabilities in the underlying Central Communications service that could lead to unauthenticated remote code execution by sending specially crafted packets destined …

May 14, 2024
CVE-2024-31468
9.8 CRITICAL

There are buffer overflow vulnerabilities in the underlying Central Communications service that could lead to unauthenticated remote code execution by sending specially crafted packets destined …

May 14, 2024
CVE-2024-31467
9.8 CRITICAL

There are buffer overflow vulnerabilities in the underlying CLI service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to …

May 14, 2024
CVE-2024-31466
9.8 CRITICAL

There are buffer overflow vulnerabilities in the underlying CLI service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to …

May 14, 2024
CVE-2024-32002
9.0 CRITICAL

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a …

May 14, 2024
CVE-2024-4778
9.8 CRITICAL

Memory safety bugs present in Firefox 125. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of …

May 14, 2024
CVE-2024-4764
9.8 CRITICAL

Multiple WebRTC threads could have claimed a newly connected audio input leading to use-after-free. This vulnerability affects Firefox < 126.

May 14, 2024
CVE-2024-33485
9.8 CRITICAL

SQL Injection vulnerability in CASAP Automated Enrollment System using PHP/MySQLi with Source Code V1.0 allows a remote attacker to obtain sensitive information via a crafted …

May 14, 2024
CVE-2024-27107
9.6 CRITICAL

Weak account password in GE HealthCare EchoPAC products

May 14, 2024
CVE-2024-34716
9.6 CRITICAL

PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShops with customer-thread feature flag enabled is present starting …

May 14, 2024
CVE-2024-34256
9.8 CRITICAL

OFCMS V1.1.2 is vulnerable to SQL Injection via the new table function.

May 14, 2024
CVE-2024-33868
9.8 CRITICAL

An issue was discovered in linqi before 1.4.0.1 on Windows. There is LDAP injection.

May 14, 2024
CVE-2024-33863
9.8 CRITICAL

An issue was discovered in linqi before 1.4.0.1 on Windows. There is /api/Cdn/GetFile local file inclusion.

May 14, 2024
CVE-2024-33499
9.1 CRITICAL

A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC …

May 14, 2024
CVE-2024-33006
9.6 CRITICAL

An unauthenticated attacker can upload a malicious file to the server which when accessed by a victim can allow an attacker to completely compromise system.

May 14, 2024
CVE-2024-32741
10.0 CRITICAL

A vulnerability has been identified in SIMATIC CN 4100 (All versions < V3.0). The affected device contains hard coded password which is used for the …

May 14, 2024
CVE-2024-32740
9.8 CRITICAL

A vulnerability has been identified in SIMATIC CN 4100 (All versions < V3.0). The affected device contains undocumented users and credentials. An attacker could misuse …

May 14, 2024
CVE-2024-32353
9.8 CRITICAL

TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain a command injection vulnerability via the 'port' parameter in the setSSServer function at /cgi-bin/cstecgi.cgi.

May 14, 2024
CVE-2024-30209
9.6 CRITICAL

A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC …

May 14, 2024
CVE-2024-30207
10.0 CRITICAL

A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC …

May 14, 2024
CVE-2024-27939
9.8 CRITICAL

A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems allow the upload of arbitrary files of any unauthenticated user. …

May 14, 2024
CVE-2024-22267
9.3 CRITICAL

VMware Workstation and Fusion contain a use-after-free vulnerability in the vbluetooth device. A malicious actor with local administrative privileges on a virtual machine may exploit …

May 14, 2024
CVE-2024-4825
9.8 CRITICAL

A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in ‘/media/api’ parameter via post request. An attacker …

May 14, 2024
CVE-2024-4824
9.8 CRITICAL

Vulnerability in School ERP Pro+Responsive 1.0 that allows SQL injection through the '/SchoolERP/office_admin/' index in the parameters groups_id, examname, classes_id, es_voucherid, es_class, etc. This vulnerability …

May 14, 2024
CVE-2024-4701
9.9 CRITICAL

A path traversal issue potentially leading to remote code execution in Genie for all versions prior to 4.3.18

May 14, 2024
CVE-2024-4671
9.6 CRITICAL KEV

Use after free in Visuals in Google Chrome prior to 124.0.6367.201 allowed a remote attacker who had compromised the renderer process to potentially perform a …

May 14, 2024
CVE-2024-4560
9.8 CRITICAL

The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the chatbot_chatgpt_upload_file_to_assistant function in …

May 14, 2024
CVE-2024-4434
9.8 CRITICAL

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the ‘term_id’ parameter in versions up to, and including, …

May 14, 2024
CVE-2024-4413
9.8 CRITICAL

The Hotel Booking Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.11.1 via deserialization of untrusted …

May 14, 2024
CVE-2024-3806
9.8 CRITICAL

The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via the 'porto_ajax_posts' function. This makes …

May 14, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.