CVE Database

9309+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-24321
9.8 CRITICAL

An issue in Dlink DIR-816A2 v.1.10CNB05 allows a remote attacker to execute arbitrary code via the wizardstep4_ssid_2 parameter in the sub_42DA54 function.

Feb 8, 2024
CVE-2024-24213
9.8 CRITICAL

Supabase PostgreSQL v15.1 was discovered to contain a SQL injection vulnerability via the component /pg_meta/default/query. NOTE: the vendor's position is that this is an intended …

Feb 8, 2024
CVE-2023-50061
9.8 CRITICAL

PrestaShop Op'art Easy Redirect >= 1.3.8 and <= 1.3.12 is vulnerable to SQL Injection via Oparteasyredirect::hookActionDispatcher().

Feb 8, 2024
CVE-2024-25191
9.8 CRITICAL

php-jwt 1.0.0 uses strcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel.

Feb 8, 2024
CVE-2024-25190
9.8 CRITICAL

l8w8jwt 2.2.1 uses memcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel.

Feb 8, 2024
CVE-2024-25189
9.8 CRITICAL

libjwt 1.15.3 uses strcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel.

Feb 8, 2024
CVE-2023-42282
9.8 CRITICAL

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Feb 8, 2024
CVE-2024-1207
9.8 CRITICAL

The WP Booking Calendar plugin for WordPress is vulnerable to SQL Injection via the 'calendar_request_params[dates_ddmmyy_csv]' parameter in all versions up to, and including, 9.9 due …

Feb 8, 2024
CVE-2024-24216
9.8 CRITICAL

Zentao v18.0 to v18.10 was discovered to contain a remote code execution (RCE) vulnerability via the checkConnection method of /app/zentao/module/repo/model.php.

Feb 8, 2024
CVE-2024-24091
9.8 CRITICAL

Yealink Meeting Server before v26.0.0.66 was discovered to contain an OS command injection vulnerability via the file upload interface.

Feb 8, 2024
CVE-2024-24202
9.8 CRITICAL

An arbitrary file upload vulnerability in /upgrade/control.php of ZenTao Community Edition v18.10, ZenTao Biz v8.10, and ZenTao Max v4.10 allows attackers to execute arbitrary code …

Feb 8, 2024
CVE-2024-24021
9.8 CRITICAL

A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior. An attacker can pass specially crafted offset, limit, and sort parameters to perform SQL injection …

Feb 8, 2024
CVE-2024-24017
9.8 CRITICAL

A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection …

Feb 8, 2024
CVE-2024-24014
9.8 CRITICAL

A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection …

Feb 8, 2024
CVE-2024-24003
9.8 CRITICAL

jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findInOutMaterialCount() function of jshERP does not filter `column` and `order` parameters well enough, and an …

Feb 8, 2024
CVE-2024-22394
9.8 CRITICAL

An improper authentication vulnerability has been identified in SonicWall SonicOS SSL-VPN feature, which in specific conditions could allow a remote attacker to bypass authentication. This …

Feb 8, 2024
CVE-2024-24026
9.8 CRITICAL

An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions at com.java2nb.system.controller.SysUserController: uploadImg(). An attacker can pass in specially crafted filename parameter to …

Feb 8, 2024
CVE-2024-24025
9.8 CRITICAL

An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: upload(). An attacker can pass in specially crafted filename parameter to perform …

Feb 8, 2024
CVE-2024-24024
9.8 CRITICAL

An arbitrary File download vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: fileDownload(). An attacker can pass in specially crafted filePath and fieName parameters …

Feb 8, 2024
CVE-2024-24023
9.8 CRITICAL

A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior. An attacker can pass specially crafted offset, limit, and sort parameters to perform SQL injection …

Feb 8, 2024
CVE-2024-24018
9.8 CRITICAL

A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL …

Feb 8, 2024
CVE-2023-48974
9.6 CRITICAL

Cross Site Scripting vulnerability in Axigen WebMail prior to 10.3.3.61 allows a remote attacker to escalate privileges via a crafted script to the serverName_input parameter.

Feb 8, 2024
CVE-2023-38995
9.8 CRITICAL

An issue in SCHUHFRIED v.8.22.00 allows remote attacker to obtain the database password via crafted curl command.

Feb 7, 2024
CVE-2024-24563
9.8 CRITICAL

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. Arrays can be keyed by a signed integer, while they are defined for …

Feb 7, 2024
CVE-2024-20254
9.6 CRITICAL

Multiple vulnerabilities in Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) …

Feb 7, 2024
CVE-2024-20252
9.6 CRITICAL

Multiple vulnerabilities in Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) …

Feb 7, 2024
CVE-2024-25145
9.6 CRITICAL

Stored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay …

Feb 7, 2024
CVE-2024-24811
9.8 CRITICAL

SQLAlchemyDA is a generic database adapter for ZSQL methods. A vulnerability found in versions prior to 2.2 allows unauthenticated execution of arbitrary SQL statements on …

Feb 7, 2024
CVE-2024-24189
9.8 CRITICAL

Jsish v3.5.0 (commit 42c694c) was discovered to contain a use-after-free via the SplitChar at ./src/jsiUtils.c.

Feb 7, 2024
CVE-2024-24188
9.8 CRITICAL

Jsish v3.5.0 was discovered to contain a heap-buffer-overflow in ./src/jsiUtils.c.

Feb 7, 2024
CVE-2024-24186
9.8 CRITICAL

Jsish v3.5.0 (commit 42c694c) was discovered to contain a stack-overflow via the component IterGetKeysCallback at /jsish/src/jsiValue.c.

Feb 7, 2024
CVE-2024-24133
9.8 CRITICAL

Atmail v6.6.0 was discovered to contain a SQL injection vulnerability via the username parameter on the login page.

Feb 7, 2024
CVE-2024-24303
9.8 CRITICAL

SQL Injection vulnerability in HiPresta "Gift Wrapping Pro" (hiadvancedgiftwrapping) module for PrestaShop before version 1.4.1, allows remote attackers to escalate privileges and obtain sensitive information …

Feb 7, 2024
CVE-2023-46914
9.8 CRITICAL

SQL Injection vulnerability in RM bookingcalendar module for PrestaShop versions 2.7.9 and before, allows remote attackers to execute arbitrary code, escalate privileges, and obtain sensitive …

Feb 7, 2024
CVE-2024-24019
9.8 CRITICAL

A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL …

Feb 7, 2024
CVE-2024-24004
9.8 CRITICAL

jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findInOutDetail() function of jshERP does not filter `column` and `order` parameters well enough, and an …

Feb 7, 2024
CVE-2024-24002
9.8 CRITICAL

jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.MaterialController: com.jsh.erp.utils.BaseResponseInfo getListWithStock() function of jshERP does not filter `column` and `order` parameters well enough, and an …

Feb 7, 2024
CVE-2024-24001
9.8 CRITICAL

jshERP v3.3 is vulnerable to SQL Injection. via the com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findallocationDetail() function of jshERP which allows an attacker to construct malicious payload to bypass …

Feb 7, 2024
CVE-2024-1284
9.8 CRITICAL

Use after free in Mojo in Google Chrome prior to 121.0.6167.160 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. …

Feb 7, 2024
CVE-2024-1283
9.8 CRITICAL

Heap buffer overflow in Skia in Google Chrome prior to 121.0.6167.160 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. …

Feb 7, 2024
CVE-2024-24015
9.8 CRITICAL

A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL …

Feb 6, 2024
CVE-2024-24013
9.8 CRITICAL

A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection …

Feb 6, 2024
CVE-2024-24000
9.8 CRITICAL

jshERP v3.3 is vulnerable to Arbitrary File Upload. The jshERP-boot/systemConfig/upload interface does not check the uploaded file type, and the biz parameter can be spliced …

Feb 6, 2024
CVE-2024-24594
9.9 CRITICAL

A cross-site scripting (XSS) vulnerability in all versions of the web server component of Allegro AI’s ClearML platform allows a remote attacker to execute a …

Feb 6, 2024
CVE-2024-24593
9.6 CRITICAL

A cross-site request forgery (CSRF) vulnerability in all versions up to 1.14.1 of the api server component of Allegro AI’s ClearML platform allows a remote …

Feb 6, 2024
CVE-2024-24592
9.8 CRITICAL

Lack of authentication in all versions of the fileserver component of Allegro AI’s ClearML platform allows a remote attacker to arbitrarily access, create, modify and …

Feb 6, 2024
CVE-2024-23917
9.8 CRITICAL

In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible

Feb 6, 2024
CVE-2024-25140
9.8 CRITICAL

A default installation of RustDesk 1.2.3 on Windows places a WDKTestCert certificate under Trusted Root Certification Authorities with Enhanced Key Usage of Code Signing (1.3.6.1.5.5.7.3.3), …

Feb 6, 2024
CVE-2023-33072
9.3 CRITICAL

Memory corruption in Core while processing control functions.

Feb 6, 2024
CVE-2024-22853
9.8 CRITICAL

D-LINK Go-RT-AC750 GORTAC750_A1_FW_v101b03 has a hardcoded password for the Alphanetworks account, which allows remote attackers to obtain root access via a telnet session.

Feb 6, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.