CVE Database

9309+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-23619
9.8 CRITICAL

A hardcoded credential vulnerability exists in IBM Merge Healthcare eFilm Workstation. A remote, unauthenticated attacker can exploit this vulnerability to achieve information disclosure or remote …

Jan 26, 2024
CVE-2024-23618
9.6 CRITICAL

An arbitrary code execution vulnerability exists in Arris SURFboard SGB6950AC2 devices. An unauthenticated attacker can exploit this vulnerability to achieve code execution as root.

Jan 26, 2024
CVE-2024-23617
9.6 CRITICAL

A buffer overflow vulnerability exists in Symantec Data Loss Prevention version 14.0.2 and before. A remote, unauthenticated attacker can exploit this vulnerability by enticing a …

Jan 26, 2024
CVE-2024-23616
10.0 CRITICAL

A buffer overflow vulnerability exists in Symantec Server Management Suite version 7.9 and before. A remote, anonymous attacker can exploit this vulnerability to achieve remote …

Jan 26, 2024
CVE-2024-23615
10.0 CRITICAL

A buffer overflow vulnerability exists in Symantec Messaging Gateway versions 10.5 and before. A remote, anonymous attacker can exploit this vulnerability to achieve remote code …

Jan 26, 2024
CVE-2024-23614
10.0 CRITICAL

A buffer overflow vulnerability exists in Symantec Messaging Gateway versions 9.5 and before. A remote, anonymous attacker can exploit this vulnerability to achieve remote code …

Jan 26, 2024
CVE-2024-23613
10.0 CRITICAL

A buffer overflow vulnerability exists in Symantec Deployment Solution version 7.9 when parsing UpdateComputer tokens. A remote, anonymous attacker can exploit this vulnerability to achieve …

Jan 26, 2024
CVE-2024-22922
9.8 CRITICAL

An issue in Projectworlds Vistor Management Systemin PHP v.1.0 allows a remtoe attacker to escalate privileges via a crafted script to the login page in …

Jan 25, 2024
CVE-2024-22638
9.8 CRITICAL

liveSite v2019.1 was discovered to contain a remote code execution (RCE) vulenrabiity via the component /livesite/edit_designer_region.php or /livesite/add_email_campaign.php.

Jan 25, 2024
CVE-2023-7227
9.8 CRITICAL

SystemK NVR 504/508/516 versions 2.3.5SK.30084998 and prior are vulnerable to a command injection vulnerability in the dynamic domain name system (DDNS) settings that could allow …

Jan 25, 2024
CVE-2024-22529
9.8 CRITICAL

TOTOLINK X2000R_V2 V2.0.0-B20230727.10434 has a command injection vulnerability in the sub_449040 (handle function of formUploadFile) of /bin/boa.

Jan 25, 2024
CVE-2024-22729
9.8 CRITICAL

NETIS SYSTEMS MW5360 V1.0.1.3031 was discovered to contain a command injection vulnerability via the password parameter on the login page.

Jan 25, 2024
CVE-2023-33759
9.8 CRITICAL

SpliceCom Maximiser Soft PBX v1.5 and before does not restrict excessive authentication attempts, allowing attackers to bypass authentication via a brute force attack.

Jan 25, 2024
CVE-2024-22751
9.8 CRITICAL

D-Link DIR-882 DIR882A1_FW130B06 was discovered to contain a stack overflow via the sub_477AA0 function.

Jan 24, 2024
CVE-2021-42147
9.1 CRITICAL

Buffer over-read vulnerability in the dtls_sha256_update function in Contiki-NG tinyDTLS through master branch 53a0d97 allows remote attackers to cause a denial of service via crafted …

Jan 24, 2024
CVE-2024-23897
9.8 CRITICAL KEV

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by …

Jan 24, 2024
CVE-2023-52040
9.8 CRITICAL

An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the sub_41284C function.

Jan 24, 2024
CVE-2023-52039
9.8 CRITICAL

An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the sub_415AA4 function.

Jan 24, 2024
CVE-2023-52038
9.8 CRITICAL

An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the sub_415C80 function.

Jan 24, 2024
CVE-2023-51889
9.8 CRITICAL

Stack Overflow vulnerability in the validate() function in Mathtex v.1.05 and before allows a remote attacker to execute arbitrary code via crafted string in the …

Jan 24, 2024
CVE-2021-42144
9.8 CRITICAL

Buffer over-read vulnerability in Contiki-NG tinyDTLS through master branch 53a0d97 allows attackers obtain sensitive information via crafted input to dtls_ccm_decrypt_message().

Jan 24, 2024
CVE-2021-42143
9.1 CRITICAL

An issue was discovered in Contiki-NG tinyDTLS through master branch 53a0d97. An infinite loop bug exists during the handling of a ClientHello handshake message. This …

Jan 24, 2024
CVE-2023-51887
9.8 CRITICAL

Command Injection vulnerability in Mathtex v.1.05 and before allows a remote attacker to execute arbitrary code via crafted string in application URL.

Jan 24, 2024
CVE-2023-51885
9.8 CRITICAL

Buffer Overflow vulnerability in Mathtex v.1.05 and before allows a remote attacker to execute arbitrary code via the length of the LaTeX string component.

Jan 24, 2024
CVE-2024-22651
9.8 CRITICAL

There is a command injection vulnerability in the ssdpcgi_main function of cgibin binary in D-Link DIR-815 router firmware v1.04.

Jan 24, 2024
CVE-2023-52221
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in UkrSolution Barcode Scanner and Inventory manager.This issue affects Barcode Scanner and Inventory manager: from n/a through …

Jan 24, 2024
CVE-2024-0808
9.8 CRITICAL

Integer underflow in WebUI in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit heap corruption via a malicious file. (Chromium security …

Jan 24, 2024
CVE-2023-35837
9.8 CRITICAL

An issue was discovered in SolaX Pocket WiFi 3 through 3.001.02. Authentication for web interface is completed via an unauthenticated WiFi AP. The administrative password …

Jan 23, 2024
CVE-2023-35835
9.8 CRITICAL

An issue was discovered in SolaX Pocket WiFi 3 through 3.001.02. The device provides a WiFi access point for initial configuration. The WiFi network provided …

Jan 23, 2024
CVE-2023-36177
9.8 CRITICAL

An issue was discovered in badaix Snapcast version 0.27.0, allows remote attackers to execute arbitrary code and gain sensitive information via crafted request in JSON-RPC-API.

Jan 23, 2024
CVE-2023-31654
9.8 CRITICAL

Redis raft master-1b8bd86 to master-7b46079 was discovered to contain an ODR violation via the component hiredisAllocFns at /opt/fs/redisraft/deps/hiredis/alloc.c.

Jan 23, 2024
CVE-2021-42142
9.8 CRITICAL

An issue was discovered in Contiki-NG tinyDTLS through master branch 53a0d97. DTLS servers mishandle the early use of a large epoch number. This vulnerability allows …

Jan 23, 2024
CVE-2023-51210
9.8 CRITICAL

SQL injection vulnerability in Webkul Bundle Product 6.0.1 allows a remote attacker to execute arbitrary code via the id_product parameters in the UpdateProductQuantity function.

Jan 23, 2024
CVE-2024-23636
9.8 CRITICAL

SOFARPC is a Java RPC framework. SOFARPC defaults to using the SOFA Hessian protocol to deserialize received data, while the SOFA Hessian protocol uses a …

Jan 23, 2024
CVE-2024-22205
9.1 CRITICAL

Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior, the `window` endpoint does not sanitize user-supplied input from the `location` variable and …

Jan 23, 2024
CVE-2024-22203
9.1 CRITICAL

Whoogle Search is a self-hosted metasearch engine. In versions prior to 0.8.4, the `element` method in `app/routes.py` does not validate the user-controlled `src_type` and `element_url` …

Jan 23, 2024
CVE-2024-22663
9.8 CRITICAL

TOTOLINK_A3700R_V9.1.2u.6165_20211012has a command Injection vulnerability via setOpModeCfg

Jan 23, 2024
CVE-2024-22662
9.8 CRITICAL

TOTOLINK A3700R_V9.1.2u.6165_20211012 has a stack overflow vulnerability via setParentalRules

Jan 23, 2024
CVE-2024-22660
9.8 CRITICAL

TOTOLINK_A3700R_V9.1.2u.6165_20211012has a stack overflow vulnerability via setLanguageCfg

Jan 23, 2024
CVE-2023-49657
9.6 CRITICAL

A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a …

Jan 23, 2024
CVE-2024-22076
9.8 CRITICAL

MyQ Print Server before 8.2 patch 43 allows remote authenticated administrators to execute arbitrary code via PHP scripts that are reached through the administrative interface.

Jan 23, 2024
CVE-2021-42141
9.8 CRITICAL

An issue was discovered in Contiki-NG tinyDTLS through 2018-08-30. One incorrect handshake could complete with different epoch numbers in the packets Client_Hello, Client_key_exchange, and Change_cipher_spec, …

Jan 22, 2024
CVE-2023-48118
9.8 CRITICAL

SQL Injection vulnerability in Quest Analytics LLC IQCRM v.2023.9.5 allows a remote attacker to execute arbitrary code via a crafted request to the Common.svc WSDL …

Jan 22, 2024
CVE-2024-0204
9.8 CRITICAL

Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.

Jan 22, 2024
CVE-2017-20189
9.8 CRITICAL

In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server …

Jan 22, 2024
CVE-2024-23771
9.8 CRITICAL

darkhttpd before 1.15 uses strcmp (which is not constant time) to verify authentication, which makes it easier for remote attackers to bypass authentication via a …

Jan 22, 2024
CVE-2024-23752
9.8 CRITICAL

GenerateSDFPipeline in synthetic_dataframe in PandasAI (aka pandas-ai) through 1.5.17 allows attackers to trigger the generation of arbitrary Python code that is executed by SDFCodeExecutor. An …

Jan 22, 2024
CVE-2024-23751
9.8 CRITICAL

LlamaIndex (aka llama_index) through 0.9.34 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. For example, an attacker might be …

Jan 22, 2024
CVE-2024-23731
9.8 CRITICAL

The OpenAPI loader in Embedchain before 0.1.57 allows attackers to execute arbitrary code, related to the openapi.py yaml.load function argument.

Jan 21, 2024
CVE-2024-23730
9.8 CRITICAL

The OpenAPI and ChatGPT plugin loaders in LlamaHub (aka llama-hub) before 0.0.67 allow attackers to execute arbitrary code because safe_load is not used for YAML.

Jan 21, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.