Lucene search
K

3533 matches found

Nuclei
Nuclei
added yesterday103 views

Zoho ManageEngine - Internal Hostname Disclosure

Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone. The internal hostname can be discovered by reading HTTP redirect responses. id: CVE-2022-23779 info: name: Zoho ManageEngine - Internal Hostname Disclosure author: cckuailong severity: medium...

5.3CVSS6.2AI score0.1514EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday181 views

ManageEngine OpManager - Directory Traversal

A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability. id: CVE-2023-47211 info: name: ManageEngine...

9.1CVSS7.1AI score0.47024EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday27 views

Zoho ManageEngine ADSelfService Plus 6121 - Username Enumeration

Zoho ManageEngine ADSelfService Plus 6121 is vulnerable to username enumeration CVE-2022-28987. The Forgot Password functionality responds differently for existing and non-existing users, allowing attackers to enumerate valid usernames. id: CVE-2022-28987 info: name: Zoho ManageEngine ADSelfServi...

5.3CVSS6.2AI score0.0991EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday62 views

Zoho ManageEngine ADSelfService Plus <=6103 - Cross-Site Scripting

Zoho ManageEngine ADSelfService Plus 6103 and prior contains a reflected cross-site scripting vulnerability on the loadframe page. id: CVE-2021-37416 info: name: Zoho ManageEngine ADSelfService Plus 6103 to mitigate this vulnerability. reference: -...

6.1CVSS6.4AI score0.02934EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday76 views

Zoho ManageEngine OpManager - SQL Injection

Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL...

7.5CVSS7AI score0.66347EPSS
Exploits1References2
Nuclei
Nuclei
added 2 days ago37 views

Zoho ManageEngine - Access Control Bypass

Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents. and Synchronize via the ../RestAPI...

9.8CVSS7.1AI score0.83321EPSS
Exploits1References3
NVD
NVD
added 4 days ago9 views

CVE-2025-5017

The Catalyst Connect Zoho CRM Client Portal plugin for WordPress is vulnerable to time-based SQL Injection via the ‘uid’ parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query...

4.9CVSS0.00258EPSS
Exploits0References3
EUVD
EUVD
added 4 days ago8 views

EUVD-2025-210456

The Catalyst Connect Zoho CRM Client Portal plugin for WordPress is vulnerable to time-based SQL Injection via the ‘uid’ parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query...

4.9CVSS6.1AI score0.00258EPSS
Exploits0References3
CVE
CVE
added 4 days ago17 views

CVE-2025-5017

Summary: The Catalyst Connect Zoho CRM Client Portal WordPress plugin (≤ 2.2.0) is vulnerable to time-based SQL Injection via the uid parameter. The root cause is insufficient escaping of user input and lack of proper query parameterization, enabling authenticated attackers with Administrator-lev...

4.9CVSS6.1AI score0.00258EPSS
Exploits0References3
Cvelist
Cvelist
added 4 days ago41 views

CVE-2025-5017 Catalyst Connect Zoho CRM Client Portal <= 2.2.0 - Authenticated (Administrator+) SQL Injection via uid Parameter

The Catalyst Connect Zoho CRM Client Portal plugin for WordPress is vulnerable to time-based SQL Injection via the ‘uid’ parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query...

4.9CVSS0.00258EPSS
Exploits0References3
Nuclei
Nuclei
added 4 days ago99 views

ZOHO WebNMS Framework <5.2 SP1 - Local File Inclusion

ZOHO WebNMS Framework before version 5.2 SP1 is vulnerable local file inclusion which allows an attacker to read arbitrary files via a .. dot dot in the fileName parameter to servlets/FetchFile. id: CVE-2016-6601 info: name: ZOHO WebNMS Framework 5.2 SP1 - Local File Inclusion author: 0xAkoko...

7.5CVSS7AI score0.97415EPSS
Exploits11References5
Nuclei
Nuclei
added 2026/07/07 4:50 p.m.37 views

Zoho manageengine - Cross-Site Scripting

Zoho manageengine is vulnerable to reflected cross-site scripting. This impacts Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 via the...

6.1CVSS6.1AI score0.98463EPSS
Exploits3References4
Nuclei
Nuclei
added 2026/07/07 3:1 a.m.37 views

Zoho ManageEngine ServiceDesk Plus - Authentication Bypass

Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication. id: CVE-2021-37415 info: name: Zoho ManageEngine ServiceDesk Plus - Authentication Bypass author: daffainfo,jjcho severity: critical description: | Zoho...

9.8CVSS7.2AI score0.99854EPSS
Exploits0References2
The Hacker News
The Hacker News
added 2026/06/29 3:3 p.m.20 views

Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks

The China-aligned espionage group Mustang Panda is running two campaigns against the Indian government and hydropower targets, deploying new malware and turning a legitimate cloud service into its command channel. Acronis Threat Research Unit found active compromises inside Indian government...

5.9AI score
Exploits0
Nuclei
Nuclei
added 2026/06/28 3:8 p.m.63 views

Zoho ManageEngine OpManger - Arbitrary File Read

Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a specially crafted request. id: CVE-2020-12116 info: name: Zoho ManageEngine OpManger - Arbitrary File Read author:...

7.5CVSS7.2AI score0.97418EPSS
Exploits1References5
Nuclei
Nuclei
added 2026/06/26 6:13 p.m.80 views

Zoho ManageEngine ADSelfService Plus v6113 - Unauthenticated Remote Command Execution

Zoho ManageEngine ADSelfService Plus version 6113 and prior are vulnerable to a REST API authentication bypass vulnerability that can lead to remote code execution. id: CVE-2021-40539 info: name: Zoho ManageEngine ADSelfService Plus v6113 - Unauthenticated Remote Command Execution author:...

9.8CVSS7.9AI score0.9896EPSS
Exploits8References5
Nuclei
Nuclei
added 2026/06/25 1:31 a.m.61 views

Zoho ManageEngine Desktop Central - Remote Code Execution

Zoho ManageEngine Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server. id: CVE-2021-44515 info: name: Zoho ManageEngine Desktop Central - Remote Code Execution author: Adam Crosser severity:...

10CVSS7.9AI score0.99867EPSS
Exploits2References5
Nuclei
Nuclei
added 2026/06/23 5:8 a.m.70 views

Zoho ManageEngine ADAudit Plus <7600 - XML Entity Injection/Remote Code Execution

Zoho ManageEngine ADAudit Plus before version 7060 is vulnerable to an unauthenticated XML entity injection attack that can lead to remote code execution. id: CVE-2022-28219 info: name: Zoho ManageEngine ADAudit Plus 7600 - XML Entity Injection/Remote Code Execution author: dwisiswant0 severity:...

9.8CVSS7.6AI score0.97011EPSS
Exploits6References5
The Hacker News
The Hacker News
added 2026/06/20 9:56 a.m.17 views

Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that's installed on about 100,000 sites. The vulnerability, tracked as CVE-2026-4020 CVSS score: 5.3, is a medium-severity information disclosure flaw that can allow unauthenticated attackers ...

7.5CVSS5.9AI score0.39704EPSS
Exploits2
Nuclei
Nuclei
added 2026/06/19 11:10 a.m.130 views

Zoho ManageEngine - Remote Code Execution

Zoho ManageEngine Password Manager Pro, PAM 360, and Access Manager Plus are susceptible to unauthenticated remote code execution via XML-RPC. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary...

9.8CVSS8.1AI score0.9994EPSS
Exploits5References5
Rows per page
Query Builder