47191+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.
Versions of the package fastapi-sso before 0.19.0 are vulnerable to Cross-site Request Forgery (CSRF) due to the improper validation of the OAuth state parameter during …
A vulnerability was found in code-projects Online Appointment Booking System 1.0. Impacted is an unknown function of the file /admin/deletemanager.php. The manipulation of the argument …
The Deployment Infrastructure in Mintlify Platform before 2025-11-15 allows remote attackers to bypass security patches and execute downgrade attacks via predictable deployment identifiers on the …
A Directory Traversal vulnerability in the Static Asset Proxy Endpoint in Mintlify Platform before 2025-11-15 allows remote attackers to inject arbitrary web script or HTML …
The GitHub Integration API in Mintlify Platform before 2025-11-15 allows remote attackers to obtain sensitive repository metadata via the repository owner and name fields. It …
The Static Asset API in Mintlify Platform before 2025-11-15 allows remote attackers to inject arbitrary web script or HTML via the subdomain parameter because any …
A vulnerability was detected in Edimax BR-6208AC 1.02. This impacts the function handle_retr of the component FTP Daemon Service. The manipulation results in path traversal. …
A weakness has been identified in JeecgBoot up to 3.9.0. The impacted element is the function SysUserOnlineController of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysUserOnlineController.java. Executing manipulation can lead …
A security flaw has been discovered in JeecgBoot up to 3.9.0. The affected element is an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysTenantController.java of the component …
A security vulnerability has been detected in CodeAstro Real Estate Management System 1.0. Affected is an unknown function of the file /admin/userdelete.php of the component …
A weakness has been identified in CodeAstro Real Estate Management System 1.0. This impacts an unknown function of the file /admin/stateadd.php of the component Administrator …
A security flaw has been discovered in CodeAstro Real Estate Management System 1.0. This affects an unknown function of the file /admin/userbuilderdelete.php of the component …
A vulnerability was identified in CodeAstro Real Estate Management System 1.0. The impacted element is an unknown function of the file /admin/useragentdelete.php of the component …
Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP …
Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of …
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and …
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be …
Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even …
Allocation of resources without limits or throttling (CWE-770) allows an unauthenticated remote attacker to cause excessive allocation (CAPEC-130) of memory and CPU via the integration …
Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) causing a persistent denial …
Improper Validation of Specified Index, Position, or Offset in Input (CWE-1285) in Filebeat Syslog parser and the Libbeat Dissect processor can allow a user to …
Out-of-bounds read (CWE-125) allows an unauthenticated remote attacker to perform a buffer overflow (CAPEC-100) via the NFS protocol dissector, leading to a denial-of-service (DoS) through …
Improper Bounds Check (CWE-787) in Packetbeat can allow a remote unauthenticated attacker to exploit a Buffer Overflow (CAPEC-100) and reliably crash the application or cause …
The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName …
Advantech WebAccess/SCADA is vulnerable to directory traversal, which may allow an attacker to determine the existence of arbitrary files.
A Reflected Cross-Site Scripting (XSS) vulnerability in yohanawi Hotel Management System (commit 87e004a) allows a remote attacker to execute arbitrary web script via the 'error' …
A SQL Injection vulnerability exists in phpMsAdmin version 2.2 in the database_mode.php file. An attacker can execute arbitrary SQL commands via the dbname parameter, potentially …
A Reflected Cross-Site Scripting (XSS) vulnerability exists in phpMsAdmin version 2.2 in the database_mode.php file. An attacker can execute arbitrary web script or HTML via …
BullWall Ransomware Containment considers the number of files modified to trigger detection. An authenticated attacker could encrypt a single (possibly large) file without triggering detection …
Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the …
Advantech WebAccess/SCADA is vulnerable to SQL injection, which may allow an attacker to execute arbitrary SQL commands.
Advantech WebAccess/SCADA is vulnerable to absolute directory traversal, which may allow an attacker to determine the existence of arbitrary files.
The vulnerability affects Ignition SCADA applications where Python scripting is utilized for automation purposes. The vulnerability arises from the absence of proper security controls that …
A stored cross-site scripting (XSS) vulnerability in Simple Machines Forum v2.1.6 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload …
Control Panel provides an API for pre-registering into an enrollment and organization prior to a user's first login. The API for creating users checks that …
A security flaw has been discovered in Campcodes Advanced Voting Management System 1.0. The impacted element is an unknown function of the file /admin/voters_edit.php of …
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Checkbox form component. This allows malicious scripts to execute …
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious code into shipping options configuration. This could lead to potential theft of …
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via form validation rule configuration. Attackers can exploit this vulnerability to …
An information disclosure vulnerability in Kentico Xperience allows public users to access sensitive administration interface hostname details during authentication. Attackers can retrieve confidential hostname configuration …
A reflected cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Pages dashboard widget configuration dialog. Attackers can exploit this …
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the rich text editor component for page and form builders. …
A cookie security configuration vulnerability in Kentico Xperience allows attackers to bypass SSL requirements when setting administration cookies via web.config. The vulnerability affects .NET Framework …
EasyPHP Webserver 14.1 contains a path traversal vulnerability that allows remote users with low privileges to access files outside the document root by bypassing SecurityManager …
GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that allows attackers to validate email addresses. Attackers can systematically test email …
TinyWebGallery v2.5 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the folder name parameter. Attackers can edit album …
RockMongo 1.1.7 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through multiple unencoded input parameters. Attackers can exploit the vulnerability …
Cameleon CMS 2.7.4 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts into post titles. Attackers can create posts with …
WBiz Desk 1.2 contains a SQL injection vulnerability that allows non-admin users to manipulate database queries through the 'tk' parameter in ticket.php. Attackers can inject …
A reflected cross-site scripting vulnerability in Kentico Xperience allows authenticated users to inject malicious scripts via page preview URLs. Attackers can exploit this vulnerability to …
Free website and port scanning — find vulnerabilities before attackers do.