CVE Database

9309+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2023-51773
9.1 CRITICAL

BACnet Stack before 1.3.2 has a decode function APDU buffer over-read in bacapp_decode_application_data in bacapp.c.

Feb 29, 2024
CVE-2023-49931
9.8 CRITICAL

An issue was discovered in Couchbase Server before 7.2.4. SQL++ cURL calls to /diag/eval are not sufficiently restricted.

Feb 29, 2024
CVE-2023-49930
9.8 CRITICAL

An issue was discovered in Couchbase Server before 7.2.4. cURL calls to /diag/eval are not sufficiently restricted.

Feb 29, 2024
CVE-2022-34270
9.8 CRITICAL

An issue was discovered in RWS WorldServer before 11.7.3. Regular users can create users with the Administrator role via UserWSUserManager.

Feb 29, 2024
CVE-2024-25422
9.8 CRITICAL

SQL Injection vulnerability in SEMCMS v.4.8 allows a remote attacker to execute arbitrary code and obtain sensitive information via the SEMCMS_Menu.php component.

Feb 28, 2024
CVE-2024-25867
9.1 CRITICAL

A SQL Injection vulnerability in CodeAstro Membership Management System in PHP v.1.0 allows a remote attacker to execute arbitrary SQL commands via the membershipType and …

Feb 28, 2024
CVE-2024-25350
9.8 CRITICAL

SQL Injection vulnerability in /zms/admin/edit-ticket.php in PHPGurukul Zoo Management System 1.0 via tickettype and tprice parameters.

Feb 28, 2024
CVE-2024-25170
9.1 CRITICAL

An issue in Mezzanine v6.0.0 allows attackers to bypass access controls via manipulating the Host header.

Feb 28, 2024
CVE-2024-25169
9.8 CRITICAL

An issue in Mezzanine v6.0.0 allows attackers to bypass access control mechanisms in the admin panel via a crafted request.

Feb 28, 2024
CVE-2024-25927
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Joel Starnes postMash – custom post order.This issue affects postMash – …

Feb 28, 2024
CVE-2024-25910
9.8 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Skymoonlabs MoveTo.This issue affects MoveTo: from n/a through 6.2.

Feb 28, 2024
CVE-2024-1514
9.8 CRITICAL

The WP eCommerce plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'cart_contents' parameter in all versions up to, and including, 3.15.1 …

Feb 28, 2024
CVE-2023-50737
9.1 CRITICAL

The SE menu contains information used by Lexmark to diagnose device errors. A vulnerability in one of the SE menu routines can be leveraged by …

Feb 28, 2024
CVE-2023-50736
9.0 CRITICAL

A memory corruption vulnerability has been identified in PostScript interpreter in various Lexmark devices. The vulnerability can be leveraged by an attacker to execute arbitrary …

Feb 28, 2024
CVE-2023-50735
9.0 CRITICAL

A heap corruption vulnerability has been identified in PostScript interpreter in various Lexmark devices. The vulnerability can be leveraged by an attacker to execute arbitrary …

Feb 28, 2024
CVE-2023-50734
9.0 CRITICAL

A buffer overflow vulnerability has been identified in PostScript interpreter in various Lexmark devices. The vulnerability can be leveraged by an attacker to execute arbitrary …

Feb 28, 2024
CVE-2024-27099
9.8 CRITICAL

The uAMQP is a C library for AMQP 1.0 communication to Azure Cloud Services. When processing an incorrect `AMQP_VALUE` failed state, may cause a double …

Feb 27, 2024
CVE-2024-25846
9.1 CRITICAL

In the module "Product Catalog (CSV, Excel) Import" (simpleimportproduct) <= 6.7.0 from MyPrestaModules for PrestaShop, a guest can upload files with extensions .php.

Feb 27, 2024
CVE-2024-25843
9.8 CRITICAL

In the module "Import/Update Bulk Product from any Csv/Excel File Pro" (ba_importer) up to version 1.1.28 from Buy Addons for PrestaShop, a guest can perform …

Feb 27, 2024
CVE-2024-25400
9.8 CRITICAL

Subrion CMS 4.2.1 is vulnerable to SQL Injection via ia.core.mysqli.php. NOTE: this is disputed by multiple third parties because it refers to an HTTP request …

Feb 27, 2024
CVE-2024-1403
10.0 CRITICAL

In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been …

Feb 27, 2024
CVE-2024-27905
9.1 CRITICAL

** UNSUPPORTED WHEN ASSIGNED ** Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Aurora. An endpoint exposing internals to unauthenticated users can …

Feb 27, 2024
CVE-2023-51518
9.8 CRITICAL

Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data. Given a deserialisation gadjet, …

Feb 27, 2024
CVE-2024-1698
9.8 CRITICAL

The NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor plugin for WordPress is vulnerable to SQL Injection via …

Feb 27, 2024
CVE-2024-24095
9.8 CRITICAL

Code-projects Simple Stock System 1.0 is vulnerable to SQL Injection.

Feb 27, 2024
CVE-2023-41506
9.8 CRITICAL

An arbitrary file upload vulnerability in the Update/Edit Student's Profile Picture function of Student Enrollment In PHP v1.0 allows attackers to execute arbitrary code via …

Feb 27, 2024
CVE-2024-25247
9.8 CRITICAL

SQL Injection vulnerability in /app/api/controller/Store.php in Niushop B2B2C V5 allows attackers to run arbitrary SQL commands via latitude and longitude parameters.

Feb 26, 2024
CVE-2024-25751
9.8 CRITICAL

A Stack Based Buffer Overflow vulnerability in Tenda AC9 v.3.0 with firmware version v.15.03.06.42_multi allows a remote attacker to execute arbitrary code via the fromSetSysTime …

Feb 26, 2024
CVE-2024-25248
9.8 CRITICAL

SQL Injection vulnerability in the orderGoodsDelivery() function in Niushop B2B2C V5 allows attackers to run arbitrary SQL commands via the order_id parameter.

Feb 26, 2024
CVE-2024-24402
9.8 CRITICAL

An issue in Nagios XI 2024R1.01 allows a remote attacker to escalate privileges via a crafted script to the /usr/local/nagios/bin/npcd component.

Feb 26, 2024
CVE-2024-24401
9.8 CRITICAL

SQL Injection vulnerability in Nagios XI 2024R1.01 allows a remote attacker to execute arbitrary code via a crafted payload to the monitoringwizard.php component.

Feb 26, 2024
CVE-2024-27456
9.1 CRITICAL

rack-cors (aka Rack CORS Middleware) 2.0.1 has 0666 permissions for the .rb files.

Feb 26, 2024
CVE-2024-27455
9.1 CRITICAL

In the Bentley ALIM Web application, certain configuration settings can cause exposure of a user's ALIM session token when the user attempts to download files. …

Feb 26, 2024
CVE-2024-27447
9.8 CRITICAL

pretix before 2024.1.1 mishandles file validation.

Feb 26, 2024
CVE-2024-27444
9.8 CRITICAL

langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-44467 fix and execute arbitrary code via the __import__, __subclasses__, __builtins__, …

Feb 26, 2024
CVE-2024-25925
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in SYSBASICS WooCommerce Easy Checkout Field Editor, Fees & Discounts.This issue affects WooCommerce Easy Checkout Field Editor, …

Feb 26, 2024
CVE-2024-25913
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Skymoonlabs MoveTo.This issue affects MoveTo: from n/a through 6.2.

Feb 26, 2024
CVE-2024-25909
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in JoomUnited WP Media folder.This issue affects WP Media folder: from n/a through 5.7.2.

Feb 26, 2024
CVE-2024-1735
9.1 CRITICAL

A vulnerability has been identified in armeria-saml versions less than 1.27.2, allowing the use of malicious SAML messages to bypass authentication. All users who rely …

Feb 26, 2024
CVE-2023-49959
9.8 CRITICAL

In Indo-Sol PROFINET-INspektor NT through 2.4.0, a command injection vulnerability in the gedtupdater service of the firmware allows remote attackers to execute arbitrary system commands …

Feb 26, 2024
CVE-2024-24681
9.8 CRITICAL

An issue was discovered in Yealink Configuration Encrypt Tool (AES version) and Yealink Configuration Encrypt Tool (RSA version before 1.2). There is a single hardcoded …

Feb 23, 2024
CVE-2024-22988
9.8 CRITICAL

ZKteco ZKBio WDMS before 9.0.2 Build 20250526 allows an attacker to download a database backup via the /files/backup/ component because the filename is based on …

Feb 23, 2024
CVE-2024-25730
9.8 CRITICAL

Hitron CODA-4582 and CODA-4589 devices have default PSKs that are generated from 5-digit hex values concatenated with a "Hitron" substring, resulting in insufficient entropy (only …

Feb 23, 2024
CVE-2024-1783
9.8 CRITICAL

A vulnerability classified as critical has been found in Totolink LR1200GB 9.1.0u.6619_B20230130/9.3.5u.6698_B20230810. Affected is the function loginAuth of the file /cgi-bin/cstecgi.cgi of the component Web …

Feb 23, 2024
CVE-2024-25802
9.8 CRITICAL

SKINsoft S-Museum 7.02.3 allows Unrestricted File Upload via the Add Media function. Unlike in CVE-2024-25801, the attack payload is the file content.

Feb 22, 2024
CVE-2023-51653
9.8 CRITICAL

Hertzbeat is a real-time monitoring system. In the implementation of `JmxCollectImpl.java`, `JMXConnectorFactory.connect` is vulnerable to JNDI injection. The corresponding interface is `/api/monitor/detect`. If there is …

Feb 22, 2024
CVE-2023-51389
9.8 CRITICAL

Hertzbeat is a real-time monitoring system. At the interface of `/define/yml`, SnakeYAML is used as a parser to parse yml content, but no security configuration …

Feb 22, 2024
CVE-2023-51388
9.8 CRITICAL

Hertzbeat is a real-time monitoring system. In `CalculateAlarm.java`, `AviatorEvaluator` is used to directly execute the expression function, and no security policy is configured, resulting in …

Feb 22, 2024
CVE-2024-25850
9.8 CRITICAL

Netis WF2780 v2.1.40144 was discovered to contain a command injection vulnerability via the wps_ap_ssid5g parameter

Feb 22, 2024
CVE-2024-22393
9.1 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1. Pixel Flood Attack by uploading large pixel files …

Feb 22, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.