CVE Database

9306+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-4406
9.6 CRITICAL

Xiaomi Pro 13 GetApps integral-dialog-page Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Xiaomi …

May 2, 2024
CVE-2024-4405
9.6 CRITICAL

Xiaomi Pro 13 mimarket manual-upgrade Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Xiaomi …

May 2, 2024
CVE-2024-34144
9.8 CRITICAL

A sandbox bypass vulnerability involving crafted constructor bodies in Jenkins Script Security Plugin 1335.vf07d9ce377a_e and earlier allows attackers with permission to define and run sandboxed …

May 2, 2024
CVE-2024-33913
9.6 CRITICAL

Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary File Upload in Xserver Migrator.This issue affects Xserver Migrator: from n/a through 1.6.1.

May 2, 2024
CVE-2024-3955
9.8 CRITICAL

URL GET parameter "logtime" utilized within the "downloadlog" function from "cbpi/http_endpoints/http_system.py" is subsequently passed to the "os.system" function in "cbpi/controller/system_controller.py" without prior validation allowing to …

May 2, 2024
CVE-2024-32971
9.0 CRITICAL

Apollo Router is a configurable, graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. The affected versions of Apollo …

May 2, 2024
CVE-2024-32962
10.0 CRITICAL

xml-crypto is an xml digital signature and encryption library for Node.js. In affected versions the default configuration does not check authorization of the signer, it …

May 2, 2024
CVE-2024-4142
9.0 CRITICAL

An Improper input validation vulnerability that could potentially lead to privilege escalation was discovered in JFrog Artifactory. Due to this vulnerability, users with low privileges …

May 1, 2024
CVE-2023-46295
9.8 CRITICAL

An issue was discovered in Teledyne FLIR M300 2.00-19. Unauthenticated remote code execution can occur in the web server. An attacker can exploit this by …

May 1, 2024
CVE-2023-26793
9.8 CRITICAL

libmodbus v3.1.10 has a heap-based buffer overflow vulnerability in read_io_status function in src/modbus.c.

May 1, 2024
CVE-2024-33078
9.8 CRITICAL

Tencent Libpag v4.3 is vulnerable to Buffer Overflow. A user can send a crafted image to trigger a overflow leading to remote code execution.

May 1, 2024
CVE-2023-49606
9.8 CRITICAL

A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted HTTP header can trigger reuse of …

May 1, 2024
CVE-2023-47212
9.8 CRITICAL

A heap-based buffer overflow vulnerability exists in the comment functionality of stb _vorbis.c v1.22. A specially crafted .ogg file can lead to an out-of-bounds write. …

May 1, 2024
CVE-2024-33512
9.8 CRITICAL

There is a buffer overflow vulnerability in the underlying Local User Authentication Database service that could lead to unauthenticated remote code execution by sending specially …

May 1, 2024
CVE-2024-33511
9.8 CRITICAL

There is a buffer overflow vulnerability in the underlying Automatic Reporting service that could lead to unauthenticated remote code execution by sending specially crafted packets …

May 1, 2024
CVE-2024-26305
9.8 CRITICAL

There is a buffer overflow vulnerability in the underlying Utility daemon that could lead to unauthenticated remote code execution by sending specially crafted packets destined …

May 1, 2024
CVE-2024-26304
9.8 CRITICAL

There is a buffer overflow vulnerability in the underlying L2/L3 Management service that could lead to unauthenticated remote code execution by sending specially crafted packets …

May 1, 2024
CVE-2024-33775
9.8 CRITICAL

An issue with the Autodiscover component in Nagios XI 2024R1.01 allows a remote attacker to escalate privileges via a crafted Dashlet.

May 1, 2024
CVE-2024-27053
9.1 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: fix RCU usage in connect path With lockdep enabled, calls to the connect …

May 1, 2024
CVE-2024-33835
9.8 CRITICAL

Tenda AC18 V15.03.05.05 has a stack overflow vulnerability in the remoteIp parameter from formSetSafeWanWebMan function.

May 1, 2024
CVE-2024-32017
9.8 CRITICAL

RIOT is a real-time multi-threading operating system that supports a range of devices that are typically 8-bit, 16-bit and 32-bit microcontrollers. The size check in …

May 1, 2024
CVE-2024-33768
9.8 CRITICAL

lunasvg v2.3.9 was discovered to contain a segmentation violation via the component composition_solid_source_over.

May 1, 2024
CVE-2024-3411
9.1 CRITICAL

Implementations of IPMI Authenticated sessions does not provide enough randomness to protect from session hijacking, allowing an attacker to use either predictable IPMI Session ID …

Apr 30, 2024
CVE-2023-49473
9.8 CRITICAL

Shenzhen JF6000 Cloud Media Collaboration Processing Platform firmware version V1.2.0 and software version V2.0.0 build 6245 is vulnerable to Incorrect Access Control.

Apr 30, 2024
CVE-2019-19755
9.1 CRITICAL

ethOS through 1.3.3 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes …

Apr 30, 2024
CVE-2019-19753
9.1 CRITICAL

SimpleMiningOS through v1259 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes …

Apr 30, 2024
CVE-2019-19752
9.8 CRITICAL

nvOC through 3.2 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes …

Apr 30, 2024
CVE-2024-33308
9.1 CRITICAL

An issue in TVS Motor Company Limited TVS Connet Android v.4.5.1 and iOS v.5.0.0 allows a remote attacker to escalate privileges via the Emergency Contact …

Apr 30, 2024
CVE-2024-33275
9.8 CRITICAL

SQL injection vulnerability in Webbax supernewsletter v.1.4.21 and before allows a remote attacker to escalate privileges via the Super Newsletter module in the product_search.php components.

Apr 30, 2024
CVE-2024-33273
9.8 CRITICAL

SQL injection vulnerability in shipup before v.3.3.0 allows a remote attacker to escalate privileges via the getShopID function.

Apr 30, 2024
CVE-2024-33267
9.8 CRITICAL

SQL Injection vulnerability in Hero hfheropayment v.1.2.5 and before allows an attacker to escalate privileges via the HfHeropaymentGatewayBackModuleFrontController::initContent() function.

Apr 30, 2024
CVE-2024-34048
9.8 CRITICAL

O-RAN RIC I-Release e2mgr lacks array size checks in E2nodeConfigUpdateNotificationHandler.

Apr 30, 2024
CVE-2023-50434
9.8 CRITICAL

emdns_resolve_raw in emdns.c in emdns through fbd1eef calls strlen with an input that may not be '\0' terminated, leading to a stack-based buffer over-read. This …

Apr 29, 2024
CVE-2024-33350
9.8 CRITICAL

Directory Traversal vulnerability in TaoCMS v.3.0.2 allows a remote attacker to execute arbitrary code and obtain sensitive information via the include/model/file.php component.

Apr 29, 2024
CVE-2024-33435
9.8 CRITICAL

Insecure Permissions vulnerability in Guangzhou Yingshi Electronic Technology Co. Ncast Yingshi high-definition intelligent recording and playback system 2007-2017 allows a remote attacker to execute arbitrary …

Apr 29, 2024
CVE-2024-33276
9.8 CRITICAL

SQL Injection vulnerability in FME Modules preorderandnotication v.3.1.0 and before allows a remote attacker to run arbitrary SQL commands via the PreorderModel::getIdProductAttributesByIdAttributes() method.

Apr 29, 2024
CVE-2024-33269
9.8 CRITICAL

SQL Injection vulnerability in Prestaddons flashsales 1.9.7 and before allows an attacker to run arbitrary SQL commands via the FsModel::getFlashSales method.

Apr 29, 2024
CVE-2024-33268
9.8 CRITICAL

SQL Injection vulnerability in Digincube mdgiftproduct before 1.4.1 allows an attacker to run arbitrary SQL commands via the MdGiftRule::addGiftToCart method.

Apr 29, 2024
CVE-2024-33266
9.8 CRITICAL

SQL Injection vulnerability in Helloshop deliveryorderautoupdate v.2.8.1 and before allows an attacker to run arbitrary SQL commands via the DeliveryorderautoupdateOrdersModuleFrontController::initContent function.

Apr 29, 2024
CVE-2024-31822
9.8 CRITICAL

An issue in Ecommerce-CodeIgniter-Bootstrap commit v. d22b54e8915f167a135046ceb857caaf8479c4da allows a remote attacker to execute arbitrary code via the saveLanguageFiles method of the Languages.php component.

Apr 29, 2024
CVE-2024-31820
9.8 CRITICAL

An issue in Ecommerce-CodeIgniter-Bootstrap commit v. d22b54e8915f167a135046ceb857caaf8479c4da allows a remote attacker to execute arbitrary code via the getLangFolderForEdit method of the Languages.php component.

Apr 29, 2024
CVE-2024-31705
9.8 CRITICAL

An issue in Infotel Conseil GLPI v.10.X.X and after allows a remote attacker to execute arbitrary code via the insufficient validation of user-supplied input.

Apr 29, 2024
CVE-2024-33449
9.8 CRITICAL

An SSRF issue in the PDFMyURL service allows a remote attacker to obtain sensitive information and execute arbitrary code via a POST request in the …

Apr 29, 2024
CVE-2024-33445
9.8 CRITICAL

An issue in hisiphp v2.0.111 allows a remote attacker to execute arbitrary code via a crafted script to the SystemPlugins::mkInfo parameter in the SystemPlugins.php component.

Apr 29, 2024
CVE-2024-33444
9.8 CRITICAL

SQL injection vulnerability in onethink v.1.1 allows a remote attacker to escalate privileges via a crafted script to the ModelModel.class.php component.

Apr 29, 2024
CVE-2024-32491
9.8 CRITICAL

An issue was discovered in Znuny and Znuny LTS 6.0.31 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in user can upload a file …

Apr 29, 2024
CVE-2024-4306
9.9 CRITICAL

Critical unrestricted file upload vulnerability in HubBank affecting version 1.0.2. This vulnerability allows a registered user to upload malicious PHP files via upload document fields, …

Apr 29, 2024
CVE-2024-3375
9.4 CRITICAL

Incorrect Permission Assignment for Critical Resource vulnerability in Havelsan Inc. Dialogue allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Dialogue: from v1.83 before …

Apr 29, 2024
CVE-2024-33566
10.0 CRITICAL

Missing Authorization vulnerability in N-Media OrderConvo allows OS Command Injection.This issue affects OrderConvo: from n/a through 12.4.

Apr 29, 2024
CVE-2024-33553
9.0 CRITICAL

Deserialization of Untrusted Data vulnerability in 8theme XStore Core.This issue affects XStore Core: from n/a through 5.3.5.

Apr 29, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.