CVE Database

9306+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-29500
9.8 CRITICAL

An issue in the kiosk mode of Secure Lockdown Multi Application Edition v2.00.219 allows attackers to execute arbitrary code via running a ClickOnce application instance.

Apr 10, 2024
CVE-2024-3157
9.6 CRITICAL

Out of bounds memory access in Compositing in Google Chrome prior to 123.0.6312.122 allowed a remote attacker who had compromised the GPU process to potentially …

Apr 10, 2024
CVE-2024-31461
9.1 CRITICAL

Plane, an open-source project management tool, has a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 0.17-dev. This issue may allow an attacker to …

Apr 10, 2024
CVE-2024-31214
9.6 CRITICAL

Traccar is an open source GPS tracking system. Traccar versions 5.1 through 5.12 allow arbitrary files to be uploaded through the device image upload API. …

Apr 10, 2024
CVE-2024-3568
9.6 CRITICAL

The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_repo_checkpoint()` function of the `TFPreTrainedModel()` class. Attackers can execute …

Apr 10, 2024
CVE-2024-3098
9.8 CRITICAL

A vulnerability was identified in the `exec_utils` class of the `llama_index` package, specifically within the `safe_eval` function, allowing for prompt injection leading to arbitrary code …

Apr 10, 2024
CVE-2024-3025
9.9 CRITICAL

mintplex-labs/anything-llm is vulnerable to path traversal attacks due to insufficient validation of user-supplied input in the logo filename functionality. Attackers can exploit this vulnerability by …

Apr 10, 2024
CVE-2024-2952
9.8 CRITICAL

BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. The vulnerability arises from the `hf_chat_template` method processing the `chat_template` parameter from the …

Apr 10, 2024
CVE-2024-2221
9.8 CRITICAL

qdrant/qdrant is vulnerable to a path traversal and arbitrary file upload vulnerability via the `/collections/{COLLECTION}/snapshots/upload` endpoint, specifically through the `snapshot` parameter. This vulnerability allows attackers …

Apr 10, 2024
CVE-2024-2195
9.8 CRITICAL

A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the `/api/runs/search/run/` endpoint, affecting versions >= 3.0.0. The vulnerability resides …

Apr 10, 2024
CVE-2024-2029
9.8 CRITICAL

A command injection vulnerability exists in the `TranscriptEndpoint` of mudler/localai, specifically within the `audioToWav` function used for converting audio files to WAV format for transcription. …

Apr 10, 2024
CVE-2024-1741
9.1 CRITICAL

lunary-ai/lunary version 1.0.1 is vulnerable to improper authorization, allowing removed members to read, create, modify, and delete prompt templates using an old authorization token. Despite …

Apr 10, 2024
CVE-2024-1740
9.1 CRITICAL

In lunary-ai/lunary version 1.0.1, a vulnerability exists where a user removed from an organization can still read, create, modify, and delete logs by re-using an …

Apr 10, 2024
CVE-2024-1643
9.1 CRITICAL

By knowing an organization's ID, an attacker can join the organization without permission and gain the ability to read and modify all data within that …

Apr 10, 2024
CVE-2024-1600
9.3 CRITICAL

A Local File Inclusion (LFI) vulnerability exists in the parisneo/lollms-webui application, specifically within the `/personalities` route. An attacker can exploit this vulnerability by crafting a …

Apr 10, 2024
CVE-2024-1520
9.8 CRITICAL

An OS Command Injection vulnerability exists in the '/open_code_folder' endpoint of the parisneo/lollms-webui application, due to improper validation of user-supplied input in the 'discussion_id' parameter. …

Apr 10, 2024
CVE-2024-1511
9.8 CRITICAL

The parisneo/lollms-webui repository is susceptible to a path traversal vulnerability due to inadequate validation of user-supplied file paths. This flaw allows an unauthenticated attacker to …

Apr 10, 2024
CVE-2024-3566
9.8 CRITICAL

A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions …

Apr 10, 2024
CVE-2024-23080
9.1 CRITICAL

Joda Time v2.12.5 was discovered to contain a NullPointerException via the component org.joda.time.format.PeriodFormat::wordBased(Locale). NOTE: this is disputed by multiple third parties who believe there was …

Apr 10, 2024
CVE-2024-20758
9.0 CRITICAL

Adobe Commerce versions 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution on …

Apr 10, 2024
CVE-2024-3120
9.0 CRITICAL

A stack-buffer overflow vulnerability exists in all versions of sngrep since v1.4.1. The flaw is due to inadequate bounds checking when copying 'Content-Length' and 'Warning' …

Apr 10, 2024
CVE-2024-3119
9.0 CRITICAL

A buffer overflow vulnerability exists in all versions of sngrep since v0.4.2, due to improper handling of 'Call-ID' and 'X-Call-ID' SIP headers. The functions sip_get_callid …

Apr 10, 2024
CVE-2024-3136
9.8 CRITICAL

The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.3 via the 'template' parameter. This …

Apr 9, 2024
CVE-2024-2804
9.8 CRITICAL

The Network Summary plugin for WordPress is vulnerable to SQL Injection via the 'category' parameter in all versions up to, and including, 2.0.11 due to …

Apr 9, 2024
CVE-2024-1813
9.8 CRITICAL

The Simple Job Board plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.11.0 via deserialization of untrusted …

Apr 9, 2024
CVE-2024-24576
10.0 CRITICAL

Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape …

Apr 9, 2024
CVE-2024-29990
9.0 CRITICAL

Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability

Apr 9, 2024
CVE-2024-31866
9.8 CRITICAL

Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. The attackers can execute shell scripts or malicious code by overriding configuration like ZEPPELIN_INTP_CLASSPATH_OVERRIDES. This …

Apr 9, 2024
CVE-2024-31864
9.8 CRITICAL

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin. The attacker can inject sensitive configuration or malicious code when connecting MySQL database …

Apr 9, 2024
CVE-2023-45590
9.6 CRITICAL

An improper control of generation of code ('code injection') in Fortinet FortiClientLinux version 7.2.0, 7.0.6 through 7.0.10 and 7.0.3 through 7.0.4 allows attacker to execute …

Apr 9, 2024
CVE-2023-6320
9.1 CRITICAL

A command injection vulnerability exists in the com.webos.service.connectionmanager/tv/setVlanStaticAddress endpoint on webOS versions 5 and 6. A series of specially crafted requests can lead to command …

Apr 9, 2024
CVE-2023-6319
9.1 CRITICAL

A command injection vulnerability exists in the getAudioMetadata method from the com.webos.service.attachedstoragemanager service on webOS version 4 through 7. A series of specially crafted requests …

Apr 9, 2024
CVE-2023-6318
9.1 CRITICAL

A command injection vulnerability exists in the processAnalyticsReport method from the com.webos.service.cloudupload service on webOS version 5 through 7. A series of specially crafted requests …

Apr 9, 2024
CVE-2023-1083
9.8 CRITICAL

An unauthenticated remote attacker who is aware of a MQTT topic name can send and receive messages, including GET/SET configuration commands, reboot commands and firmware …

Apr 9, 2024
CVE-2024-22949
9.1 CRITICAL

JFreeChart v1.5.4 was discovered to contain a NullPointerException via the component /chart/annotations/CategoryLineAnnotation. NOTE: this is disputed by multiple third parties who believe there was not …

Apr 8, 2024
CVE-2024-23086
9.8 CRITICAL

Apfloat v1.10.1 was discovered to contain a stack overflow via the component org.apfloat.internal.DoubleModMath::modPow(double. NOTE: this is disputed by multiple third parties who believe there was …

Apr 8, 2024
CVE-2024-23078
9.1 CRITICAL

JGraphT Core v1.5.2 was discovered to contain a NullPointerException via the component org.jgrapht.alg.util.ToleranceDoubleComparator::compare(Double, Double). NOTE: this is disputed by multiple third parties who believe there …

Apr 8, 2024
CVE-2024-31224
9.8 CRITICAL

GPT Academic provides interactive interfaces for large language models. A vulnerability was found in gpt_academic versions 3.64 through 3.73. The server deserializes untrustworthy data from …

Apr 8, 2024
CVE-2024-31815
9.1 CRITICAL

In TOTOLINK EX200 V4.0.3c.7314_B20191204, an attacker can obtain the configuration file without authorization through /cgi-bin/ExportSettings.sh

Apr 8, 2024
CVE-2024-31807
9.8 CRITICAL

TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the hostTime parameter in the NTPSyncWithHost function.

Apr 8, 2024
CVE-2022-43216
9.1 CRITICAL

AbrhilSoft Employee's Portal before v5.6.2 was discovered to contain a SQL injection vulnerability in the login page.

Apr 8, 2024
CVE-2023-52538
9.1 CRITICAL

Vulnerability of package name verification being bypassed in the HwIms module. Impact: Successful exploitation of this vulnerability will affect availability.

Apr 8, 2024
CVE-2024-31022
9.8 CRITICAL

An issue was discovered in CandyCMS version 1.0.0, allows remote attackers to execute arbitrary code via the install.php component.

Apr 8, 2024
CVE-2024-27488
9.8 CRITICAL

Incorrect Access Control vulnerability in ZLMediaKit versions 1.0 through 8.0, allows remote attackers to escalate privileges and obtain sensitive information. The application system enables the …

Apr 8, 2024
CVE-2024-31345
9.1 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Sukhchain Singh Auto Poster.This issue affects Auto Poster: from n/a through 1.2.

Apr 7, 2024
CVE-2024-31286
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus.This issue affects WP Photo Album Plus: from n/a …

Apr 7, 2024
CVE-2024-31280
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in andy_moyle Church Admin church-admin.This issue affects Church Admin: from n/a through <= 4.1.5.

Apr 7, 2024
CVE-2024-30415
9.1 CRITICAL

Vulnerability of improper permission control in the window management module. Impact: Successful exploitation of this vulnerability will affect availability.

Apr 7, 2024
CVE-2024-25029
9.0 CRITICAL

IBM Personal Communications 14.0.6 through 15.0.1 includes a Windows service that is vulnerable to remote code execution (RCE) and local privilege escalation (LPE). The vulnerability …

Apr 6, 2024
CVE-2024-29756
9.8 CRITICAL

In afe_callback of q6afe.c, there is a possible out of bounds write due to a buffer overflow. This could lead to local escalation of privilege …

Apr 5, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.