37604+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.
A vulnerability was found in H3C GR-3000AX V100R007L50. It has been classified as critical. Affected is the function UpdateWanParamsMulti/UpdateIpv6Params of the file /routing/goform/aspForm. The manipulation …
A vulnerability was found in H3C GR-5400AX V100R009L50 and classified as critical. This issue affects the function UpdateWanparamsMulti/UpdateIpv6params of the file /routing/goform/aspForm. The manipulation of …
IBM Security Verify Directory Container 10.0.0.0 through 10.0.3.1 could allow a local user to execute commands as root due to execution with unnecessary privileges.
The Zagg - Electronics & Accessories WooCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, …
The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the …
The File Manager Pro – Filester plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up …
IBM Backup, Recovery and Media Services for i 7.4 and 7.5 could allow a user with the capability to compile or restore a program to …
An arbitrary free vulnerability exists in the cv_close functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault3 Plus prior to 6.2.26.36. A specially crafted …
A deserialization of untrusted input vulnerability exists in the cvhDecapsulateCmd functionality of Dell ControlVault3 prior to 5.15.10.14 and ControlVault3 Plus prior to 6.2.26.36. A specially …
An out-of-bounds write vulnerability exists in the cv_upgrade_sensor_firmware functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault 3 Plus prior to 6.2.26.36. A specially …
A stack-based buffer overflow vulnerability exists in the securebio_identify functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault3 Plus prior to 6.2.26.36. A specially …
An out-of-bounds read vulnerability exists in the cv_send_blockdata functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault3 Plus prior to 6.2.26.36. A specially crafted …
XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits …
XWiki is an open-source wiki software platform. Any XWiki user with edit right on at least one App Within Minutes application (the default for all …
XWiki is a generic wiki platform. In versions before 15.10.16, 16.0.0-rc-1 through 16.4.6, and 16.5.0-rc-1 through 16.10.1, when an attacker without script or programming right …
XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose …
XWiki is a generic wiki platform. When editing content that contains "dangerous" macros like malicious script macros that were authored by a user with fewer …
XWiki is a generic wiki platform. Any user with edit right on a page (could be the user's profile) can execute code (Groovy, Python, Velocity) …
XWiki is a generic wiki platform. From 8.2 and 7.4.5 until 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain …
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal etracker allows Cross-Site Scripting (XSS).This issue affects etracker: from 0.0.0 before 3.1.0.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Simple Klaro allows Cross-Site Scripting (XSS).This issue affects Simple Klaro: from 0.0.0 …
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).This issue affects COOKiES Consent Management: …
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).This issue affects COOKiES Consent Management: …
In Tenable Agent versions prior to 10.8.5 on a Windows host, it was found that a non-administrative user could arbitrarily delete local system files with …
In Tenable Agent versions prior to 10.8.5 on a Windows host, it was found that a non-administrative user could overwrite arbitrary local system files with …
An issue in the openc3-api/tables endpoint of OpenC3 COSMOS before 6.1.0 allows attackers to execute a directory traversal.
A credential leak in OpenC3 COSMOS before v6.0.2 allows attackers to access service credentials as environment variables stored in all containers.
Some Hikvision Wireless Access Point are vulnerable to authenticated remote command execution due to insufficient input validation. Attackers with valid credentials can exploit this flaw …
Arbitrary event injection on Salt Master. The master's "_minion_event" method can be used by and authorized minion to send arbitrary events onto the master's event …
Minion event bus authorization bypass. An attacker with access to a minion key can craft a message which may be able to execute a job …
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a …
Acer ControlCenter contains Remote Code Execution vulnerability. The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this …
Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an authorized attacker to execute code over a network.
Untrusted search path in .NET and Visual Studio allows an unauthorized attacker to execute code over a network.
An improper neutralization of wildcards vulnerability in the log collection feature of Palo Alto Networks GlobalProtect™ app on macOS allows a non administrative user to …
A command injection vulnerability in Palo Alto Networks PAN-OS® enables an authenticated administrative user to perform actions as the root user. The attacker must have …
Dell iDRAC Tools, version(s) prior to 11.3.0.0, contain(s) an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, …
Amazon Cloud Cam is a home security camera that was deprecated on December 2, 2022, is end of life, and is no longer actively supported. …
User names used to access the web management interface are limited to the device identifier, which is a numerical identifier no more than 10 digits. …
A username and password are required to authenticate to the central SinoTrack device management interface. The username for all devices is an identifier printed on …
AVEVA PI Data Archive products are vulnerable to an uncaught exception that, if exploited, could allow an authenticated user to shut down certain necessary PI …
vantage6 is an open-source infrastructure for privacy preserving analysis. The JWT secret key in the vantage6 server is auto-generated unless defined by the user. The …
There is a memory management vulnerability in Absolute Secure Access server versions 9.0 to 13.54. Attackers with network access to the server can cause a …
Improper input validation was discovered in UsbCoreDxe in Insyde InsydeH2O kernel 5.4 before 05.47.01, 5.5 before 05.55.01, 5.6 before 05.62.01, and 5.7 before 05.71.01. The …
Buffer Overflow vulnerability in Tenda AC6 v.15.03.05.16 allows a remote attacker to cause a denial of service via the oversized schedStartTime and schedEndTime parameters in …
Dell Smart Dock Firmware, versions prior to 01.00.08.01, contain an Insertion of Sensitive Information into Log File vulnerability. A user with local access could potentially …
The backup ZIPs are not signed by the application, leading to the possibility that an attacker can download a backup ZIP, modify and re-upload it. …
The server supports authentication methods in which credentials are sent in plaintext over unencrypted channels. If an attacker were to intercept traffic between a client …
A remote unauthorized attacker may gather sensitive information of the application, due to missing authorization of configuration settings of the product.
All communication with the REST API is unencrypted (HTTP), allowing an attacker to intercept traffic between an actor and the webserver. This leads to the …
Free website and port scanning — find vulnerabilities before attackers do.