Lucene search
K

278370 matches found

Nuclei
Nuclei
added 13 hours ago80 views

WordPress Easy Digital Downloads <= 3.2.12 - SQL Injection

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Easy Digital Downloads allows SQL Injection.This issue affects Easy Digital Downloads: from n/a through 3.2.12. id: CVE-2024-5057 info: name: WordPress Easy Digital Downloads = 3.2.12 - SQL Injecti...

9.8CVSS6.1AI score0.02588EPSS
Exploits0References3
Nuclei
Nuclei
added 13 hours ago13 views

IBM BigFix Platform - Information Disclosure

IBM BigFix Platform 9.2 and 9.5 contains an information disclosure vulnerability caused by not enabling authenticated access in relay, letting remote attackers query and gather update and fixlet information, exploit requires no authentication. id: CVE-2019-4061 info: name: IBM BigFix Platform -...

5.3CVSS6.2AI score0.22547EPSS
Exploits2References3
Nuclei
Nuclei
added 13 hours ago33 views

osCommerce 2.3.4.1 - Remote Code Execution

osCommerce Online Merchant 2.3.4.1 contains a remote code execution caused by insecure default configuration and missing authentication in the installer workflow, letting unauthenticated attackers execute arbitrary PHP code via install4.php, exploit requires accessible /install/ directory after...

9.3CVSS6.6AI score0.0282EPSS
Exploits0References4
Nuclei
Nuclei
added 13 hours ago11 views

OpenCATS - Command Injection

OpenCATS prior to commit 3002a29 contains a command injection caused by injection of PHP statements into the installer AJAX endpoint's databaseConnectivity action parameter, letting unauthenticated attackers execute arbitrary code, exploit requires incomplete installation wizard. id: CVE-2026-277...

9.2CVSS6.3AI score0.22189EPSS
Exploits0References4
Nuclei
Nuclei
added 13 hours ago11 views

RClone RC - Command Injection

Rclone = 1.48.0 and = 1.48.0 and 1.73.5 contains an unauthenticated local command execution caused by unauthenticated access to the RC endpoint operations/fsinfo with attacker-controlled fs input, letting unauthenticated attackers execute local commands, exploit requires reachable RC deployment...

9.8CVSS6.2AI score0.09199EPSS
Exploits2References2
Nuclei
Nuclei
added 13 hours ago112 views

OpenCode < 1.0.216 - Unauthenticated Remote Code Execution

OpenCode versions prior to 1.0.216 contain an unauthenticated remote code execution vulnerability. The application exposes session and shell execution endpoints without proper authentication, allowing remote attackers to create sessions and execute arbitrary shell commands on the underlying serve...

8.8CVSS7.5AI score0.16955EPSS
Exploits7References2
Nuclei
Nuclei
added 13 hours ago14 views

CRM Perks Forms <= 1.1.4 - SQL Injection

CRM Perks CRM Perks Forms affected versions 1.1.4 and earlier contains a SQL injection caused by improper neutralization of special elements used in an SQL command, letting attackers execute arbitrary SQL commands, exploit requires user interaction. id: CVE-2024-30498 info: name: CRM Perks Forms ...

10CVSS7.2AI score0.02267EPSS
Exploits0References3
Nuclei
Nuclei
added 13 hours ago63 views

MCPJam Inspector - Remote Code Execution

MCPJam inspector is the local-first development platform for MCP servers. The Latest version 1.4.2 and earlier are vulnerable to a remote code execution RCE vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. id:...

9.8CVSS6.6AI score0.43671EPSS
Exploits34References3
Nuclei
Nuclei
added 13 hours ago33 views

ICTBroadcast - Command Injection

The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie that get executed on the server. This results in unauthenticated remote code execution in the session handling. Versions 7.4 and below are know...

9.3CVSS7.3AI score0.0604EPSS
Exploits3References2
Nuclei
Nuclei
added 13 hours ago25 views

Grandstream UCM6200 - SQL Injection

Grandstream UCM6200 series contains an unauthenticated remote SQL injection caused by crafted HTTP requests, letting attackers execute shell commands as root on versions before 1.0.19.20 or inject HTML in emails before 1.0.20.17. id: CVE-2020-5722 info: name: Grandstream UCM6200 - SQL Injection...

10CVSS7.1AI score0.83926EPSS
Exploits8References2
Nuclei
Nuclei
added 13 hours ago12 views

MajorDoMo - Cross-Site Scripting

MajorDoMo contains a reflected XSS caused by unsanitized $qry parameter in command.php, letting attackers inject arbitrary JavaScript via crafted URLs, exploit requires victim to visit malicious URL. id: CVE-2026-27176 info: name: MajorDoMo - Cross-Site Scripting author: DhiyaneshDk severity:...

6.1CVSS6.2AI score0.00449EPSS
Exploits1References1
Nuclei
Nuclei
added 13 hours ago33 views

MLflow Job API - Authentication Bypass

MLflow latest version contains an authentication bypass caused by unprotected FastAPI job endpoints under /ajax-api/3.0/jobs/ when basic-auth is enabled, letting unauthenticated network clients submit and manage jobs, exploit requires job execution enabled and allowlisted job functions. id:...

9.8CVSS7.1AI score0.04392EPSS
Exploits1References3
Nuclei
Nuclei
added 13 hours ago11 views

Starlette - Improper Validation of Unsafe Equivalence in Input

A flaw was found in Starlette, a lightweight ASGI Asynchronous Server Gateway Interface framework. A remote attacker could exploit this vulnerability by sending a specially crafted HTTP Host request header. This malformed header could cause the request.url to be incorrectly reconstructed, leading...

6.5CVSS6.6AI score0.01438EPSS
Exploits2References2
Nuclei
Nuclei
added 13 hours ago19 views

Gotenberg - Command Injection

Gotenberg 8.31.0 contains a command injection caused by lack of validation on JSON metadata keys in /forms/pdfengines/metadata/write endpoint, letting unauthenticated attackers execute OS commands, exploit requires crafted HTTP request. id: CVE-2026-42589 info: name: Gotenberg - Command Injection...

9.8CVSS6.1AI score0.0295EPSS
Exploits2References3
Nuclei
Nuclei
added 13 hours ago21 views

OpenAM <= 16.0.5 - Pre-Auth RCE via jato.clientSession Deserialization

Open Access Management OpenAM is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution RCE via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream...

10CVSS7.2AI score0.99999EPSS
Exploits10References2
Nuclei
Nuclei
added 13 hours ago15 views

AstrBot <= 4.22.1 - Command Injection

AstrBot versions up to and including 4.22.1 contain a command injection vulnerability in the MCP server configuration endpoint. The /api/tools/mcp/add endpoint accepts arbitrary command and args fields that are passed directly to subprocess execution during the connection test, without any...

6.5CVSS6.9AI score0.02304EPSS
Exploits0References2
Nuclei
Nuclei
added 13 hours ago9 views

Lodash Template - Server-Side Template Injection (RCE)

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. id: CVE-2021-23337 info: name: Lodash Template - Server-Side Template Injection RCE author: DhiyaneshDk severity: high description: | Lodash versions prior to 4.17.21 are vulnerable to Command Injectio...

7.2CVSS6.8AI score0.2241EPSS
Exploits3References4
Nuclei
Nuclei
added 13 hours ago7 views

WP Travel Engine <= 5.7.9 - SQL Injection

WP Travel Engine 5.7.9 and earlier contains a SQL injection caused by improper neutralization of special elements used in an SQL command, letting attackers execute arbitrary SQL queries, exploit requires user interaction. id: CVE-2024-30502 info: name: WP Travel Engine = 5.7.9 - SQL Injection...

9.8CVSS7.2AI score0.02267EPSS
Exploits0References4
Nuclei
Nuclei
added 13 hours ago14 views

Group-Office < 26.0.5 - Remote Code Execution

Group-Office before versions 6.8.150, 25.0.82, and 26.0.5 is vulnerable to remote code execution via OS command injection. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmpfile into an exec call. By injecting shell metacharacters into...

9.4CVSS6.7AI score0.18536EPSS
Exploits2References4
Nuclei
Nuclei
added 13 hours ago21 views

FlipperCode Custom CSS, JS & PHP <= 2.0.7 - Remote Code Execution

Custom css-js-php WordPress plugin through 2.0.7 contains a command injection caused by unsanitized user input used in SQL query and passed to eval, letting unauthenticated attackers execute arbitrary PHP code on the server. id: CVE-2026-6433 info: name: FlipperCode Custom CSS, JS & PHP = 2.0.7 -...

7.3CVSS6.4AI score0.00753EPSS
Exploits2References4
Rows per page
Query Builder