CVE Database

9309+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2023-51925
9.8 CRITICAL

An arbitrary file upload vulnerability in the nccloud.web.arcp.taskmonitor.action.ArcpUploadAction.doAction() method of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file.

Jan 20, 2024
CVE-2023-51924
9.8 CRITICAL

An arbitrary file upload vulnerability in the uap.framework.rc.itf.IResourceManager interface of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file.

Jan 20, 2024
CVE-2023-51906
9.8 CRITICAL

An issue in yonyou YonBIP v3_23.05 allows a remote attacker to execute arbitrary code via a crafted script to the ServiceDispatcherServlet uap.framework.rc.itf.IResourceManager component.

Jan 20, 2024
CVE-2023-51928
9.8 CRITICAL

An arbitrary file upload vulnerability in the nccloud.web.arcp.taskmonitor.action.ArcpUploadAction.doAction() method of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file.

Jan 20, 2024
CVE-2023-51927
9.8 CRITICAL

YonBIP v3_23.05 was discovered to contain a SQL injection vulnerability via the com.yonyou.hrcloud.attend.web.AttendScriptController.runScript() method.

Jan 20, 2024
CVE-2023-51892
9.8 CRITICAL

An issue in weaver e-cology v.10.0.2310.01 allows a remote attacker to execute arbitrary code via a crafted script to the FrameworkShellController component.

Jan 20, 2024
CVE-2021-31314
9.8 CRITICAL

File upload vulnerability in ejinshan v8+ terminal security system allows attackers to upload arbitrary files to arbitrary locations on the server.

Jan 20, 2024
CVE-2024-23687
9.1 CRITICAL

Hard-coded credentials in FOLIO mod-data-export-spring versions before 1.5.4 and from 2.0.0 to 2.0.2 allows unauthenticated users to access critical APIs, modify user data, modify configurations …

Jan 19, 2024
CVE-2024-23679
9.8 CRITICAL

Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the …

Jan 19, 2024
CVE-2023-50694
9.8 CRITICAL

An issue in dom96 HTTPbeast v.0.4.1 and before allows a remote attacker to send a malicious crafted request due to insufficient parsing in the parser.nim …

Jan 19, 2024
CVE-2023-50693
9.8 CRITICAL

An issue in Jester v.0.6.0 and before allows a remote attacker to send a malicious crafted request.

Jan 19, 2024
CVE-2023-51947
9.1 CRITICAL

Improper access control on nasSvr.php in actidata actiNAS SL 2U-8 RDX 3.2.03-SP1 allows remote attackers to read and modify different types of data without authentication.

Jan 19, 2024
CVE-2023-50030
9.8 CRITICAL

In the module "Jms Setting" (jmssetting) from Joommasters for PrestaShop, a guest can perform SQL injection in versions <= 1.1.0. The method `JmsSetting::getSecondImgs()` has a …

Jan 19, 2024
CVE-2023-50028
9.8 CRITICAL

In the module "Sliding cart block" (blockslidingcart) up to version 2.3.8 from PrestashopModules.eu for PrestaShop, a guest can perform SQL injection.

Jan 19, 2024
CVE-2023-46351
9.8 CRITICAL

In the module mib < 1.6.1 from MyPresta.eu for PrestaShop, a guest can perform SQL injection. The methods `mib::getManufacturersByCategory()` has sensitive SQL calls that can …

Jan 19, 2024
CVE-2023-43985
9.8 CRITICAL

SunnyToo stblogsearch up to v1.0.0 was discovered to contain a SQL injection vulnerability via the StBlogSearchClass::prepareSearch component.

Jan 19, 2024
CVE-2023-27168
9.8 CRITICAL

An arbitrary file upload vulnerability in Xpand IT Write-back Manager v2.3.1 allows attackers to execute arbitrary code via a crafted jsp file.

Jan 19, 2024
CVE-2024-0705
9.8 CRITICAL

The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, …

Jan 19, 2024
CVE-2023-5716
9.8 CRITICAL

ASUS Armoury Crate has a vulnerability in arbitrary file write and allows remote attackers to access or modify arbitrary files by sending specific HTTP requests …

Jan 19, 2024
CVE-2024-22212
9.6 CRITICAL

Nextcloud Global Site Selector is a tool which allows you to run multiple small Nextcloud instances and redirect users to the right server. A problem …

Jan 18, 2024
CVE-2023-40051
9.1 CRITICAL

This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0. …

Jan 18, 2024
CVE-2024-22317
9.1 CRITICAL

IBM App Connect Enterprise 11.0.0.1 through 11.0.0.24 and 12.0.1.0 through 12.0.11.0 could allow a remote attacker to obtain sensitive information or cause a denial of …

Jan 18, 2024
CVE-2023-5806
9.8 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mergen Software Quality Management System allows SQL Injection.This issue affects Quality …

Jan 18, 2024
CVE-2023-6816
9.8 CRITICAL

A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be …

Jan 18, 2024
CVE-2024-22416
9.6 CRITICAL

pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. …

Jan 18, 2024
CVE-2023-44077
9.8 CRITICAL

Studio Network Solutions ShareBrowser before 7.0 on macOS mishandles signature verification, aka PMP-2636.

Jan 17, 2024
CVE-2024-0643
10.0 CRITICAL

Unrestricted upload of dangerous file types in the C21 Live Encoder and Live Mosaic product, version 5.3. This vulnerability allows a remote attacker to upload …

Jan 17, 2024
CVE-2024-0642
9.8 CRITICAL

Inadequate access control in the C21 Live Encoder and Live Mosaic product, version 5.3. This vulnerability allows a remote attacker to access the application as …

Jan 17, 2024
CVE-2021-4434
10.0 CRITICAL

The Social Warfare plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 3.5.2 via the 'swp_url' parameter. This allows …

Jan 17, 2024
CVE-2024-22406
9.3 CRITICAL

Shopware is an open headless commerce platform. The Shopware application API contains a search functionality which enables users to search through information stored within their …

Jan 16, 2024
CVE-2024-22916
9.8 CRITICAL

In D-LINK Go-RT-AC750 v101b03, the sprintf function in the sub_40E700 function within the cgibin is susceptible to stack overflow.

Jan 16, 2024
CVE-2023-52042
9.8 CRITICAL

An issue discovered in sub_4117F8 function in TOTOLINK X6000R V9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the 'lang' parameter.

Jan 16, 2024
CVE-2023-39691
9.8 CRITICAL

An issue discovered in kodbox through 1.43 allows attackers to arbitrarily add Administrator accounts via crafted GET request.

Jan 16, 2024
CVE-2023-52041
9.8 CRITICAL

An issue discovered in TOTOLINK X6000R V9.4.0cu.852_B20230719 allows attackers to run arbitrary code via the sub_410118 function of the shttpd program.

Jan 16, 2024
CVE-2023-49351
9.8 CRITICAL

A stack-based buffer overflow vulnerability in /bin/webs binary in Edimax BR6478AC V2 firmware veraion v1.23 allows attackers to overwrite other values located on the stack …

Jan 16, 2024
CVE-2023-3211
9.8 CRITICAL

The WordPress Database Administrator WordPress plugin through 1.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an …

Jan 16, 2024
CVE-2023-0224
9.8 CRITICAL

The GiveWP WordPress plugin before 2.24.1 does not properly escape user input before it reaches SQL queries, which could let unauthenticated attackers perform SQL Injection …

Jan 16, 2024
CVE-2022-1609
9.8 CRITICAL

The School Management WordPress plugin before 9.9.7 contains an obfuscated backdoor injected in it's license checking code that registers a REST API handler, allowing an …

Jan 16, 2024
CVE-2023-52103
9.8 CRITICAL

Buffer overflow vulnerability in the FLP module. Successful exploitation of this vulnerability may cause out-of-bounds read.

Jan 16, 2024
CVE-2023-52101
9.1 CRITICAL

Component exposure vulnerability in the Wi-Fi module. Successful exploitation of this vulnerability may affect service availability and integrity.

Jan 16, 2024
CVE-2023-34063
9.9 CRITICAL

Aria Automation contains a Missing Access Control vulnerability. An authenticated malicious actor may exploit this vulnerability leading to unauthorized access to remote organizations and workflows.

Jan 16, 2024
CVE-2023-22527
9.8 CRITICAL KEV

A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers …

Jan 16, 2024
CVE-2023-6623
9.8 CRITICAL

The Essential Blocks WordPress plugin before 4.4.3 does not prevent unauthenticated attackers from overwriting local variables when rendering templates over the REST API, which may …

Jan 15, 2024
CVE-2023-6049
9.8 CRITICAL

The Estatik Real Estate Plugin WordPress plugin before 4.1.1 unserializes user input via some of its cookies, which could allow unauthenticated users to perform PHP …

Jan 15, 2024
CVE-2023-46226
9.8 CRITICAL

Remote Code Execution vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 1.0.0 through 1.2.2. Users are recommended to upgrade to version 1.3.0, which fixes …

Jan 15, 2024
CVE-2020-36770
9.8 CRITICAL

pkg_postinst in the Gentoo ebuild for Slurm through 22.05.3 unnecessarily calls chown to assign root's ownership on files in the live root filesystem. This could …

Jan 15, 2024
CVE-2024-0552
9.8 CRITICAL

Intumit inc. SmartRobot's web framwork has a remote code execution vulnerability. An unauthorized remote attacker can exploit this vulnerability to execute arbitrary commands on the …

Jan 15, 2024
CVE-2023-46943
9.1 CRITICAL

An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.8. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC …

Jan 13, 2024
CVE-2023-51698
9.6 CRITICAL

Atril is a simple multi-page document viewer. Atril is vulnerable to a critical Command Injection Vulnerability. This vulnerability gives the attacker immediate access to the …

Jan 12, 2024
CVE-2024-22206
9.0 CRITICAL

Clerk helps developers build user management. Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in …

Jan 12, 2024

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.