111255+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.
The LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress is vulnerable to privilege escalation via account takeover in …
The Campay Woocommerce Payment Gateway plugin for WordPress is vulnerable to Unauthenticated Payment Bypass in all versions up to, and including, 1.2.2. This is due …
The Accept Stripe Payments Using Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'failure_message' parameter in versions up to, …
The Better Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Slider widget in all versions up to, and including, 1.5.5 …
The Player Leaderboard plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.2 via the 'player_leaderboard' shortcode. This …
The Premmerce Brands for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveBrandsSettings function …
The Simple post listing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_name' parameter in the postlist shortcode in all versions up …
The LT Unleashed plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.1 via the 'template' parameter in …
The LJUsers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the 'ljuser' shortcode in all versions up to, and …
The High Level Synthesis Compiler i++ command for Windows is vulnerable to a DLL planting vulnerability
Uncontrolled Search Path Element vulnerability in Altera High Level Synthesis Compiler on Windows allows Search Order Hijacking.This issue affects High Level Synthesis Compiler: from 19.1 …
The System Console Utility for Windows is vulnerable to a DLL planting vulnerability
When a user configures the NAS to retrieve UPS status or control the UPS, a non-enforced TLS certificate verification can allow an attacker able to …
When the user set the Notification's sender to send emails to the SMTP server via msmtp, an improper validated TLS/SSL certificates allows an attacker who …
Unchecked output buffer may allowed arbitrary code execution in SMM and potentially result in SMM memory corruption.
It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a …
SpaceX Starlink Dish devices with firmware 2024.12.04.mr46620 (e.g., on Mini1_prod2) allow administrative actions via unauthenticated LAN gRPC requests, aka MARMALADE 2. The cross-origin policy can …
LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, there is no handler for JSON parsing errors; SyntaxError from express.json() includes …
LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when creating prompts, JSON requests are sent to define and modify the …
LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when a user posts a question, the iconURL parameter of the POST …
MaxKB is an open-source AI assistant for enterprise. Versions 2.3.1 and below have improper file permissions which allow attackers to overwrite the built-in dynamic linker …
MaxKB is an open-source AI assistant for enterprise. In versions 2.3.1 and below, the tool module allows an attacker to escape the sandbox environment and …
Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. In versions 1.16.6 and below, the SYSTEM-level service SbieSvc.exe exposes SbieIniServer::RC4Crypt …
WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. Attackers can craft a specially …
KodExplorer 4.52 contains an open redirect vulnerability in the user login page that allows attackers to manipulate the 'link' parameter. Attackers can craft malicious URLs …
AnyDesk 7.0.15 and 9.0.1 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated SYSTEM privileges. Attackers can …
A potential security vulnerability in Quartus® Prime Pro Edition Design Software may allow escalation of privilege.
xbtitFM 4.1.18 contains an insecure file upload vulnerability that allows authenticated attackers with administrative privileges to upload and execute arbitrary PHP code through the file_hosting …
xbtitFM 4.1.18 contains a path traversal vulnerability that allows unauthenticated attackers to access sensitive system files by manipulating URL parameters. Attackers can exploit directory traversal …
APC Network Management Card 4 contains a path traversal vulnerability that allows unauthenticated attackers to access sensitive system files by manipulating URL parameters. Attackers can …
xbtitFM 4.1.18 contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries by injecting malicious SQL code through the msgid parameter. …
Quick.CMS 6.7 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating the login form. Attackers can inject specific SQL …
CSZCMS 1.3.0 contains an authenticated SQL injection vulnerability in the members view functionality that allows authenticated attackers to manipulate database queries. Attackers can inject malicious …
minaliC 2.0.0 contains a denial of service vulnerability that allows remote attackers to crash the web server by sending oversized GET requests. Attackers can send …
SPA-CART CMS 1.9.0.3 contains a stored cross-site scripting vulnerability in the product description parameter that allows authenticated administrators to inject malicious scripts. Attackers can submit …
FoF Pretty Mail 1.1.2 contains a server-side template injection vulnerability that allows administrative users to inject malicious code into email templates. Attackers can execute system …
FoF Pretty Mail 1.1.2 contains a local file inclusion vulnerability that allows administrative users to include arbitrary server files in email templates. Attackers can exploit …
Purei CMS 1.0 contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through unfiltered user input parameters. Attackers can exploit …
Siklu MultiHaul TG series devices before version 2.0.0 contain an unauthenticated vulnerability that allows remote attackers to retrieve randomly generated credentials via a network request. …
Compuware iStrobe Web 20.13 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to upload malicious JSP files through a path traversal in …
PyroCMS v3.0.1 contains a stored cross-site scripting vulnerability in the admin redirects configuration that allows attackers to inject malicious scripts. Attackers can insert a payload …
CE Phoenix v3.0.1 contains a stored cross-site scripting vulnerability in the currencies administration panel that allows attackers to inject malicious scripts. Attackers can insert XSS …
ElkArte Forum 1.1.9 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the theme installation process. Attackers can …
FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid session credentials to execute arbitrary commands. Attackers …
Akaunting 3.1.8 contains a server-side template injection vulnerability that allows authenticated administrators to execute template expressions in multiple form input fields. Attackers can inject template …
XMB Forum 1.9.12.06 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript into templates and front page settings. Attackers can …
Flatboard 3.2 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts in forum information fields. Attackers can insert JavaScript payloads …
Xhibiter NFT Marketplace 1.10.2 contains a SQL injection vulnerability in the collections endpoint that allows attackers to manipulate database queries through the 'id' parameter. Attackers …
Microweber 2.0.15 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into user profile fields. Attackers can input script payloads …
Genexus Protection Server 9.7.2.10 contains an unquoted service path vulnerability in the protsrvservice Windows service configuration. Attackers can exploit the unquoted binary path to execute …
Free website and port scanning — find vulnerabilities before attackers do.