CVE Database

9309+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-2227
10.0 CRITICAL

This vulnerability allows access to arbitrary files in the application server file system due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented …

Mar 22, 2024
CVE-2024-2724
9.8 CRITICAL

SQL injection vulnerability in the CIGESv2 system, through /ajaxServiciosAtencion.php, in the 'idServicio' parameter. The exploitation of this vulnerability could allow a remote user to retrieve …

Mar 22, 2024
CVE-2024-2723
9.8 CRITICAL

SQL injection vulnerability in the CIGESv2 system, through /ajaxSubServicios.php, in the 'idServicio' parameter. The exploitation of this vulnerability could allow a remote user to retrieve …

Mar 22, 2024
CVE-2024-2722
9.8 CRITICAL

SQL injection vulnerability in the CIGESv2 system, through /ajaxConfigTotem.php, in the 'id' parameter. The exploitation of this vulnerability could allow a remote user to retrieve …

Mar 22, 2024
CVE-2024-29943
9.8 CRITICAL

An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination. This vulnerability affects Firefox …

Mar 22, 2024
CVE-2024-29275
9.8 CRITICAL

SQL injection vulnerability in SeaCMS version 12.9, allows remote unauthenticated attackers to execute arbitrary code and obtain sensitive information via the id parameter in class.php.

Mar 22, 2024
CVE-2024-28441
9.8 CRITICAL

File Upload vulnerability in magicflue v.7.0 and before allows a remote attacker to execute arbitrary code via a crafted request to the messageid parameter of …

Mar 22, 2024
CVE-2024-27956
9.9 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Automatic allows SQL Injection.This issue affects Automatic: from n/a through …

Mar 21, 2024
CVE-2024-29243
9.8 CRITICAL

Shenzhen Libituo Technology Co., Ltd LBT-T300-mini v1.2.9 was discovered to contain a buffer overflow via the vpn_client_ip parameter at /apply.cgi.

Mar 21, 2024
CVE-2024-29876
9.8 CRITICAL

SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/activitylogreport, 'sortby' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted …

Mar 21, 2024
CVE-2024-29875
9.8 CRITICAL

SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/exportactiveuserrpt, 'sort_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted …

Mar 21, 2024
CVE-2024-29874
9.8 CRITICAL

SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/activeuserrptpdf, 'sort_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted …

Mar 21, 2024
CVE-2024-29873
9.8 CRITICAL

SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/businessunits/format/html, 'bunitname' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted …

Mar 21, 2024
CVE-2024-29872
9.8 CRITICAL

SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/empscreening/add, 'agencyids' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted …

Mar 21, 2024
CVE-2024-29871
9.8 CRITICAL

SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/sentrifugo/index.php/index/updatecontactnumber, 'id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted …

Mar 21, 2024
CVE-2024-29870
9.8 CRITICAL

SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter./sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter. The exploitation of this vulnerability could allow a remote user to send a …

Mar 21, 2024
CVE-2024-29866
9.1 CRITICAL

Datalust Seq before 2023.4.11151 and 2024 before 2024.1.11146 has Incorrect Access Control because a Project Owner or Organization Owner can escalate to System privileges.

Mar 21, 2024
CVE-2024-29732
9.8 CRITICAL

A SQL Injection has been found on SCAN_VISIO eDocument Suite Web Viewer of Abast. This vulnerability allows an unauthenticated user to retrieve, update and delete …

Mar 21, 2024
CVE-2024-27438
9.8 CRITICAL

Download of Code Without Integrity Check vulnerability in Apache Doris. The jdbc driver files used for JDBC catalog is not checked and may resulting in …

Mar 21, 2024
CVE-2024-1148
9.8 CRITICAL

Weak access control in OpenText PVCS Version Manager allows potential bypassing of authentication and uploading of files.

Mar 21, 2024
CVE-2024-1147
9.8 CRITICAL

Weak access control in OpenText PVCS Version Manager allows potential bypassing of authentication and download of files.

Mar 21, 2024
CVE-2024-2161
9.8 CRITICAL

Use of Hard-coded Credentials in Kiloview NDI allows un-authenticated users to bypass authenticationThis issue affects Kiloview NDI N3, N3-s, N4, N20, N30, N40 and was …

Mar 21, 2024
CVE-2024-29864
9.8 CRITICAL

Distrobox before 1.7.0.1 allows attackers to execute arbitrary code via command injection into exported executables.

Mar 21, 2024
CVE-2024-29859
9.8 CRITICAL

In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload.

Mar 21, 2024
CVE-2024-29858
9.8 CRITICAL

In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload.

Mar 21, 2024
CVE-2023-48902
9.8 CRITICAL

An issue was discovered in tramyardg autoexpress version 1.3.0, allows unauthenticated remote attackers to escalate privileges, update car data, delete vehicles, and upload car images …

Mar 21, 2024
CVE-2023-48901
9.8 CRITICAL

A SQL injection vulnerability in tramyardg Autoexpress version 1.3.0, allows remote unauthenticated attackers to execute arbitrary SQL commands via the parameter "id" within the getPhotosByCarId …

Mar 21, 2024
CVE-2024-2054
9.8 CRITICAL

The Artica-Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the "www-data" user.

Mar 21, 2024
CVE-2024-27922
9.8 CRITICAL

TOMP Bare Server implements the TompHTTP bare server. A vulnerability in versions prior to 2.0.2 relates to insecure handling of HTTP requests by the @tomphttp/bare-server-node …

Mar 21, 2024
CVE-2024-25239
9.8 CRITICAL

SQL Injection vulnerability in Sourcecodester Employee Management System v1.0 allows attackers to run arbitrary SQL commands via crafted POST request to /emloyee_akpoly/Account/login.php.

Mar 21, 2024
CVE-2024-1202
9.8 CRITICAL

Authentication Bypass by Primary Weakness vulnerability in XPodas Octopod allows Authentication Bypass.This issue affects Octopod: before v1. NOTE: The vendor was contacted and it was …

Mar 21, 2024
CVE-2020-26942
9.1 CRITICAL

An issue discovered in Axigen Mail Server 10.3.x before 10.3.1.27 and 10.3.2.x before 10.3.3.1 allows unauthenticated attackers to submit a setAdminPassword operation request, subsequently setting …

Mar 21, 2024
CVE-2024-2443
9.1 CRITICAL

A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin …

Mar 20, 2024
CVE-2024-29037
9.1 CRITICAL

datahub-helm provides the Kubernetes Helm charts for deploying Datahub and its dependencies on a Kubernetes cluster. Starting in version 0.1.143 and prior to version 0.2.182, …

Mar 20, 2024
CVE-2024-25294
9.1 CRITICAL

An SSRF issue in REBUILD v.3.5 allows a remote attacker to obtain sensitive information and execute arbitrary code via the FileDownloader.java, proxyDownload,URL parameters.

Mar 20, 2024
CVE-2024-28231
9.6 CRITICAL

eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.14.0, 2.13.4, 2.12.3, 2.10.4, …

Mar 20, 2024
CVE-2024-28179
9.0 CRITICAL

Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and …

Mar 20, 2024
CVE-2024-28395
9.8 CRITICAL

SQL injection vulnerability in Best-Kit bestkit_popup v.1.7.2 and before allows a remote attacker to escalate privileges via the bestkit_popup.php component.

Mar 20, 2024
CVE-2024-28392
9.8 CRITICAL

SQL injection vulnerability in pscartabandonmentpro v.2.0.11 and before allows a remote attacker to escalate privileges via the pscartabandonmentproFrontCAPUnsubscribeJobModuleFrontController::setEmailVisualized() method.

Mar 20, 2024
CVE-2024-1811
9.8 CRITICAL

A potential vulnerability has been identified in OpenText ArcSight Platform. The vulnerability could be remotely exploited.

Mar 20, 2024
CVE-2024-1800
9.9 CRITICAL

In Progress® Telerik® Report Server versions prior to 2024 Q1 (10.0.24.130), a remote code execution attack is possible through an insecure deserialization vulnerability.

Mar 20, 2024
CVE-2024-1711
9.8 CRITICAL

The Create by Mediavine plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.9.4 due …

Mar 20, 2024
CVE-2024-22081
9.8 CRITICAL

An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. Unauthenticated memory corruption can occur in the HTTP header parsing mechanism.

Mar 20, 2024
CVE-2024-22080
9.8 CRITICAL

An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. Unauthenticated memory corruption can occur during XML body parsing.

Mar 20, 2024
CVE-2024-28389
9.8 CRITICAL

SQL injection vulnerability in KnowBand spinwheel v.3.0.3 and before allows a remote attacker to gain escalated privileges and obtain sensitive information via the SpinWheelFrameSpinWheelModuleFrontController::sendEmail() method.

Mar 19, 2024
CVE-2024-28595
9.8 CRITICAL

SQL Injection vulnerability in Employee Management System v1.0 allows attackers to run arbitrary SQL commands via the admin_id parameter in update-admin.php.

Mar 19, 2024
CVE-2024-28394
9.8 CRITICAL

An issue in Advanced Plugins reportsstatistics v1.3.20 and before allows a remote attacker to execute arbitrary code via the Sales Reports, Statistics, Custom Fields & …

Mar 19, 2024
CVE-2024-29027
9.0 CRITICAL

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling …

Mar 19, 2024
CVE-2024-28303
9.8 CRITICAL

Open Source Medicine Ordering System v1.0 was discovered to contain a SQL injection vulnerability via the date parameter at /admin/reports/index.php.

Mar 19, 2024
CVE-2024-29135
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Tourfic tourfic.This issue affects Tourfic: from n/a through <= 2.11.15.

Mar 19, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.