CVE Database

9309+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-30415
9.1 CRITICAL

Vulnerability of improper permission control in the window management module. Impact: Successful exploitation of this vulnerability will affect availability.

Apr 7, 2024
CVE-2024-25029
9.0 CRITICAL

IBM Personal Communications 14.0.6 through 15.0.1 includes a Windows service that is vulnerable to remote code execution (RCE) and local privilege escalation (LPE). The vulnerability …

Apr 6, 2024
CVE-2024-29756
9.8 CRITICAL

In afe_callback of q6afe.c, there is a possible out of bounds write due to a buffer overflow. This could lead to local escalation of privilege …

Apr 5, 2024
CVE-2024-31849
9.8 CRITICAL

A path traversal vulnerability exists in the Java version of CData Connect < 23.4.8846 when running using the embedded Jetty server, which could allow an …

Apr 5, 2024
CVE-2024-31848
9.8 CRITICAL

A path traversal vulnerability exists in the Java version of CData API Server < 23.4.8844 when running using the embedded Jetty server, which could allow …

Apr 5, 2024
CVE-2024-22004
10.0 CRITICAL

Due to length check, an attacker with privilege access on a Linux Nonsecure operating system can trigger a vulnerability and leak the secure memory from …

Apr 5, 2024
CVE-2023-48426
10.0 CRITICAL

u-boot bug that allows for u-boot shell and interrupt over UART

Apr 5, 2024
CVE-2024-31218
9.8 CRITICAL

Webhood is a self-hosted URL scanner used analyzing phishing and malicious sites. Webhood's backend container images in versions 0.9.0 and earlier are subject to Missing …

Apr 5, 2024
CVE-2024-30849
9.8 CRITICAL

Arbitrary file upload vulnerability in Sourcecodester Complete E-Commerce Site v1.0, allows remote attackers to execute arbitrary code via filename parameter in admin/products_photo.php.

Apr 5, 2024
CVE-2024-27448
9.1 CRITICAL

MailDev 2 through 2.1.0 allows Remote Code Execution via a crafted Content-ID header for an e-mail attachment, leading to lib/mailserver.js writing arbitrary code into the …

Apr 5, 2024
CVE-2024-27981
9.8 CRITICAL

A Command Injection vulnerability found in a Self-Hosted UniFi Network Servers (Linux) with UniFi Network Application (Version 8.0.28 and earlier) allows a malicious actor with …

Apr 4, 2024
CVE-2024-21894
9.8 CRITICAL

A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially …

Apr 4, 2024
CVE-2024-25693
9.9 CRITICAL

There is a path traversal in Esri Portal for ArcGIS versions <= 11.2. Successful exploitation may allow a remote, authenticated attacker to traverse the file …

Apr 4, 2024
CVE-2023-36645
9.1 CRITICAL

SQL injection vulnerability in ITB-GmbH TradePro v9.5, allows remote attackers to run SQL queries via oordershow component in customer function.

Apr 4, 2024
CVE-2024-29006
9.8 CRITICAL

By default the CloudStack management server honours the x-forwarded-for HTTP header and logs it as the source IP of an API request. This could lead …

Apr 4, 2024
CVE-2024-29375
9.8 CRITICAL

CSV Injection vulnerability in Addactis IBNRS v.3.10.3.107 allows a remote attacker to execute arbitrary code via a crafted .ibnrs file to the Project Description, Identifiers, …

Apr 4, 2024
CVE-2024-2692
9.0 CRITICAL

SiYuan version 3.0.3 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to Server Side XSS.

Apr 4, 2024
CVE-2024-3272
9.8 CRITICAL KEV

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as very critical, has been found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to …

Apr 4, 2024
CVE-2023-44039
9.1 CRITICAL

In VeridiumID before 3.5.0, the WebAuthn API allows an internal unauthenticated attacker (who can pass enrollment verifications and is allowed to enroll a FIDO key) …

Apr 3, 2024
CVE-2024-30568
9.8 CRITICAL

Netgear R6850 1.1.0.88 was discovered to contain a command injection vulnerability via the c4-IPAddr parameter.

Apr 3, 2024
CVE-2024-25096
10.0 CRITICAL

Improper Control of Generation of Code ('Code Injection') vulnerability in Canto Inc. Canto allows Code Injection.This issue affects Canto: from n/a through 3.0.7.

Apr 3, 2024
CVE-2024-24707
9.9 CRITICAL

Improper Control of Generation of Code ('Code Injection') vulnerability in Cwicly Builder, SL. Cwicly allows Code Injection.This issue affects Cwicly: from n/a through 1.4.0.2.

Apr 3, 2024
CVE-2023-25699
9.0 CRITICAL

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in VideoWhisper.Com VideoWhisper Live Streaming Integration allows OS Command Injection.This issue …

Apr 3, 2024
CVE-2024-31390
9.9 CRITICAL

: Improper Control of Generation of Code ('Code Injection') vulnerability in Soflyy Breakdance allows : Code Injection.This issue affects Breakdance: from n/a through 1.7.2.

Apr 3, 2024
CVE-2024-31380
9.9 CRITICAL

Improper Control of Generation of Code ('Code Injection') vulnerability in Soflyy Oxygen Builder allows Code Injection. Vendor is ignoring report, refuses to patch the issue.This …

Apr 3, 2024
CVE-2024-27972
9.9 CRITICAL

Improper Control of Generation of Code ('Code Injection') vulnerability in Jack Arturo WP Fusion Lite wp-fusion-lite.This issue affects WP Fusion Lite: from n/a through <= …

Apr 3, 2024
CVE-2024-27951
9.1 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Themeisle Multiple Page Generator Plugin – MPG allows Upload a Web Shell to a Web Server.This …

Apr 3, 2024
CVE-2024-25918
9.9 CRITICAL

Improper Control of Generation of Code ('Code Injection') vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through <= 0.1.0.8.

Apr 3, 2024
CVE-2024-28515
9.8 CRITICAL

Buffer Overflow vulnerability in CSAPP_Lab CSAPP Lab3 15-213 Fall 20xx allows a remote attacker to execute arbitrary code via the lab3 of csapp,lab3/buflab-update.pl component.

Apr 3, 2024
CVE-2024-30998
9.8 CRITICAL

SQL Injection vulnerability in PHPGurukul Men Salon Management System v.2.0, allows remote attackers to execute arbitrary code and obtain sensitive information via the email parameter …

Apr 3, 2024
CVE-2021-27312
9.4 CRITICAL

Server Side Request Forgery (SSRF) vulnerability in Gleez Cms 1.2.0, allows remote attackers to execute arbitrary code and obtain sensitive information via modules/gleez/classes/request.php.

Apr 3, 2024
CVE-2024-31011
9.8 CRITICAL

Arbitrary file write vulnerability in beescms v.4.0, allows a remote attacker to execute arbitrary code via a file path that was not isolated and the …

Apr 3, 2024
CVE-2024-31012
9.8 CRITICAL

An issue was discovered in SEMCMS v.4.8, allows remote attackers to execute arbitrary code, escalate privileges, and obtain sensitive information via the upload.php file.

Apr 3, 2024
CVE-2024-2879
9.8 CRITICAL

The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the ls_get_popup_markup action in versions 7.9.11 and 7.10.0 due to insufficient escaping on the …

Apr 3, 2024
CVE-2024-30166
9.1 CRITICAL

In Mbed TLS 3.3.0 through 3.5.2 before 3.6.0, a malicious client can cause information disclosure or a denial of service because of a stack buffer …

Apr 3, 2024
CVE-2024-25864
9.1 CRITICAL

Server Side Request Forgery (SSRF) vulnerability in Friendica versions after v.2023.12, allows a remote attacker to execute arbitrary code and obtain sensitive information via the …

Apr 3, 2024
CVE-2024-24724
9.8 CRITICAL

Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Remote Code Execution because input is passed to the Twig template engine (messengerSettings.php) without …

Apr 3, 2024
CVE-2024-29432
9.8 CRITICAL

Alldata v0.4.6 was discovered to contain a SQL injection vulnerability via the tablename parameter at /data/masterdata/datas.

Apr 2, 2024
CVE-2024-27604
9.8 CRITICAL

Alldata V0.4.6 is vulnerable to Command execution vulnerability. System commands can be deserialized.

Apr 2, 2024
CVE-2024-27602
9.1 CRITICAL

Alldata V0.4.6 is vulnerable to Incorrect Access Control. A total of many modules interface documents have been leaked.For example, the /api/system/v2/api-docs module.

Apr 2, 2024
CVE-2024-30621
9.8 CRITICAL

Tenda AX1803 v1.0.0.1 contains a stack overflow via the serverName parameter in the function fromAdvSetMacMtuWan.

Apr 2, 2024
CVE-2024-30620
9.8 CRITICAL

Tenda AX1803 v1.0.0.1 contains a stack overflow via the serviceName parameter in the function fromAdvSetMacMtuWan.

Apr 2, 2024
CVE-2024-2389
10.0 CRITICAL

In Flowmon versions prior to 11.1.14 and 12.3.5, an operating system command injection vulnerability has been identified. An unauthenticated user can gain entry to the …

Apr 2, 2024
CVE-2024-31004
9.8 CRITICAL

An issue in Bento4 Bento v.1.6.0-641 allows a remote attacker to execute arbitrary code via the Ap4StsdAtom.cpp,AP4_StsdAtom::AP4_StsdAtom,mp4fragment.

Apr 2, 2024
CVE-2024-31002
9.8 CRITICAL

Buffer Overflow vulnerability in Bento4 Bento v.1.6.0-641 allows a remote attacker to execute arbitrary code via the AP4 BitReader::ReadCache() at Ap4Utils.cpp component.

Apr 2, 2024
CVE-2024-29276
9.8 CRITICAL

An issue was discovered in seeyonOA version 8, allows remote attackers to execute arbitrary code via the importProcess method in WorkFlowDesignerController.class component.

Apr 2, 2024
CVE-2024-1863
9.8 CRITICAL

Sante PACS Server Token Endpoint SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sante …

Apr 1, 2024
CVE-2023-51573
9.8 CRITICAL

Voltronic Power ViewPower Pro updateManagerPassword Exposed Dangerous Function Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Voltronic Power …

Apr 1, 2024
CVE-2023-51572
9.8 CRITICAL

Voltronic Power ViewPower Pro getMacAddressByIp Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic …

Apr 1, 2024
CVE-2023-51570
9.8 CRITICAL

Voltronic Power ViewPower Pro Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of …

Apr 1, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.