37700+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Crocoblock JetWooBuilder jet-woo-builder allows PHP Local File Inclusion.This issue …
Missing Authorization vulnerability in Ads by WPQuads Ads by WPQuads quick-adsense-reloaded allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ads by WPQuads: from …
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Bastien Ho Accounting for WooCommerce accounting-for-woocommerce allows PHP Local …
Untrusted data deserialization vulnerability exists in a-blog cms. Processing a specially crafted request may store arbitrary files on the server where the product is running. …
Use of client-side authentication issue exists in CHOCO TEI WATCHER mini (IB-MCT001) all versions. If this issue is exploited, a remote attacker may obtain the …
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient …
The So-Called Air Quotes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.1. This is due to …
The SoJ SoundSlides plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the soj_soundslides_options_subpanel() function in all versions …
The Inline Image Upload for BBPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension validation in the file uploading …
In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints have a lack of sanitization for non-JSON responses.
A vulnerability was found in ESAFENET CDG 5.6.3.154.205. It has been classified as critical. Affected is an unknown function of the file /parameter/getFileTypeList.jsp. The manipulation …
A prototype pollution in the component Module.mergeObjects (redoc/bundles/redoc.lib.js:2) of redoc <= 2.2.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted …
Google gVisor's runsc component exhibited a local privilege escalation vulnerability due to incorrect handling of file access permissions, which allowed unprivileged users to access restricted …
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can …
authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage (which is …
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Global Payments GlobalPayments WooCommerce global-payments-woocommerce allows Reflected XSS.This issue affects GlobalPayments WooCommerce: from …
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in extendyourweb SUPER RESPONSIVE SLIDER super-slider allows Reflected XSS.This issue affects SUPER RESPONSIVE SLIDER: …
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in extendyourweb ULTIMATE VIDEO GALLERY ultimate-gallery allows Reflected XSS.This issue affects ULTIMATE VIDEO GALLERY: …
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Improve My City Improve My City improve-my-city allows Reflected XSS.This issue …
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in promact WP Azure offload wp-azure-offload allows Reflected XSS.This issue affects WP Azure offload: …
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Stencies Stencies stencies allows Reflected XSS.This issue affects Stencies: from n/a through <= …
Path Traversal: '.../...//' vulnerability in boggibill GetShop ecommerce getshop-ecommerce allows Path Traversal.This issue affects GetShop ecommerce: from n/a through <= 1.3.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in labs64 PluginPass pluginpass-pro-plugintheme-licensing allows Manipulating Web Input to File System Calls.This issue …
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jajapagamentos Já-Já Pagamentos for WooCommerce wc-ja-ja-pagamentos-multicaixa-express allows Reflected XSS.This issue affects Já-Já Pagamentos …
Null Pointer Dereference vulnerability in libarchive 3.7.6 and earlier when running program bsdtar in function header_pax_extension at rchive_read_support_format_tar.c:1844:8.
Cross-site request forgery (CSRF) vulnerability in the web application of saTECH BCU firmware version 2.1.3, which could allow an unauthenticated local attacker to exploit active …
SaTECH BCU, in its firmware version 2.1.3, performs weak password encryption. This allows an attacker with access to the device's system or website to obtain …
SaTECH BCU in its firmware version 2.1.3 uses the HTTP protocol. The use of the HTTP protocol for web browsing has the problem that information …
Privilege escalation vulnerability in the saTECH BCU firmware version 2.1.3. An attacker with access to the CLI of the device could make use of the …
Tenda W6_S v1.0.0.4_510 has a Buffer Overflow vulnerability in the set_local_time function, which allows remote attackers to cause web server crash via parameter time passed …
Tenda W6_S v1.0.0.4_510 has a Buffer Overflow vulnerability in the setcfm function, which allows remote attackers to cause web server crash via parameter funcpara1 passed …
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Falcon Solutions Duplicate Page and Post duplicate-post-and-page allows Blind SQL Injection.This …
Cross-Site Request Forgery (CSRF) vulnerability in danielmuldernl OmniLeads Scripts and Tags Manager omnileads-scripts-and-tags-manager allows Stored XSS.This issue affects OmniLeads Scripts and Tags Manager: from n/a …
Cross-Site Request Forgery (CSRF) vulnerability in PasqualePuzio Login Alert login-alert allows Stored XSS.This issue affects Login Alert: from n/a through <= 0.2.1.
Cross-Site Request Forgery (CSRF) vulnerability in forsgren Video Embedder video-embedder allows Stored XSS.This issue affects Video Embedder: from n/a through <= 1.7.1.
Cross-Site Request Forgery (CSRF) vulnerability in EricH The Visitor Counter the-visitor-counter allows Stored XSS.This issue affects The Visitor Counter: from n/a through <= 1.4.3.
Cross-Site Request Forgery (CSRF) vulnerability in youtag ShowTime Slideshow showtime-slideshow allows Stored XSS.This issue affects ShowTime Slideshow: from n/a through <= 1.6.
Cross-Site Request Forgery (CSRF) vulnerability in Krzysztof Furtak KK I Like It kk-i-like-it allows Stored XSS.This issue affects KK I Like It: from n/a through …
Cross-Site Request Forgery (CSRF) vulnerability in Strategy11 Team Terms of Use terms-of-use-2 allows Stored XSS.This issue affects Terms of Use: from n/a through <= 2.0.
Cross-Site Request Forgery (CSRF) vulnerability in Efficient Scripts Microblog Poster microblog-poster allows Stored XSS.This issue affects Microblog Poster: from n/a through <= 2.1.6.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Chop Chop Pop-Up Chop Chop pop-up allows PHP Local …
The Administrator Z plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check …
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Hostel hostel allows Reflected XSS.This issue affects Hostel: from n/a through <= …
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bestweblayout Slider by BestWebSoft slider-bws allows SQL Injection.This issue affects Slider …
Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in the file deletion process of the USB storage file-sharing function of …
Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in the file upload process of the USB storage file-sharing function of …
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, …
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path …
Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged …
Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged …
Free website and port scanning — find vulnerabilities before attackers do.