CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

87967 matches found

Gitea < 1.4.3 - Open Redirect

Gitea before version 1.4.3 is affected by URL Redirection to Untrusted Site 'Open Redirect' via internal URLs. The vulnerability exists in the redirectto parameter used on the login page /user/login. Due to improper validation of the redirect URL, an attacker can craft a malicious link that...

6.1CVSS6.5AI score0.00973EPSS

Exploits0References2

Nuclei•added 17 hours ago•6 views

Lodash Template - Server-Side Template Injection (RCE)

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. id: CVE-2021-23337 info: name: Lodash Template - Server-Side Template Injection RCE author: DhiyaneshDk severity: high description: | Lodash versions prior to 4.17.21 are vulnerable to Command Injectio...

7.2CVSS6.8AI score0.2241EPSS

Exploits2References4

Nuclei•added 17 hours ago•26 views

Home Assistant HACS - Local File Inclusion

Home Assistant before 2021.1.3 lacks a protection layer against directory-traversal attacks in custom integrations, letting attackers access arbitrary files, exploit requires attacker to deploy malicious custom integration. id: CVE-2021-3152 info: name: Home Assistant HACS - Local File Inclusion...

5.3CVSS6.2AI score0.02231EPSS

Exploits0References4

Nuclei•added 17 hours ago•11 views

Registrations for The Events Calendar < 2.7.5 - Authenticated Reflected Cross-Site Scripting

The Registrations for the Events Calendar WordPress plugin before 2.7.5 does not escape the v parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting id: CVE-2021-24876 info: name: Registrations for The Events Calendar 2.7.5 - Authenticated Reflected...

6.1CVSS6.3AI score0.01165EPSS

Exploits2References2

Nuclei•added 17 hours ago•12 views

IPeakCMS 3.5 - SQL Injection

ipeak Infosystems ibexwebCMS 3.5 contains an unauthenticated Boolean-based SQL injection caused by unsanitized 'id' parameter in /cms/print.php, letting attackers execute arbitrary SQL commands, exploit requires no authentication. id: CVE-2021-3018 info: name: IPeakCMS 3.5 - SQL Injection author:...

9.8CVSS7.6AI score0.19506EPSS

Exploits3References3

Nuclei•added 17 hours ago•20 views

The Plus Addons for Elementor Page Builder < 4.1.7 - Authentication Bypass

The Plus Addons for Elementor plugin before version 4.1.7 allowed attackers to bypass authentication, gain admin access, and create accounts with elevated roles, even when registration was disabled and the Login widget was inactive. id: CVE-2021-24175 info: name: The Plus Addons for Elementor Pag...

9.8CVSS7.3AI score0.14462EPSS

Exploits3References2

Nuclei•added 17 hours ago•17 views

ImpressCMS < 1.4.3 - SQL Injection

ImpressCMS before 1.4.3 is vulnerable to SQL injection via the groups parameter in include/findusers.php, allowing unauthenticated attackers to execute arbitrary SQL queries. id: CVE-2021-26599 info: name: ImpressCMS 1.4.3 - SQL Injection author: ritikchaddha severity: high description: |...

9.8CVSS7.6AI score0.19419EPSS

Exploits6References3

Nuclei•added 17 hours ago•17 views

Chamilo model.ajax.php - SQL Injection

main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 parameter. id: CVE-2021-34187 info: name: Chamilo model.ajax.php - SQL Injection author: DhiyaneshDK severity: critical description: | main/inc/ajax/model.ajax.php in Chamilo...

9.8CVSS7.4AI score0.15576EPSS

Exploits1References2

Nuclei•added 17 hours ago•15 views

KodExplorer - Cross-Site Scripting

KodExplorer is susceptible to a reflected cross-site scripting XSS vulnerability in the file view functionality.The vulnerability exists in app/template/api/view.html where user-supplied input in the 'path' parameter is directly echoed without proper sanitization.This allows attackers to inject...

6.1CVSS6.3AI score0.00705EPSS

Exploits0References2

Nuclei•added 17 hours ago•9 views

Hospital Management System 1.0 - Cross-Site Scripting

Hospital Management System 1.0 contains a cross-site scripting vulnerability via the searchdata parameter in doctor/search.php and patient-search.php. id: CVE-2021-39411 info: name: Hospital Management System 1.0 - Cross-Site Scripting author: arafatansari severity: high description: | Hospital...

6.1CVSS6.2AI score0.0089EPSS

Exploits0References2

Nuclei•added 17 hours ago•8 views

Gnuboard 5 - Cross-Site Scripting

Gnuboard 5 contains a cross-site scripting vulnerability via the $GET'LGDOID' parameter. id: CVE-2021-3831 info: name: Gnuboard 5 - Cross-Site Scripting author: arafatansari severity: medium description: | Gnuboard 5 contains a cross-site scripting vulnerability via the $GET'LGDOID' parameter...

7.1CVSS6.6AI score0.01812EPSS

Exploits1References3

Nuclei•added 17 hours ago•9 views

KevinLAB BEMS 1.0 - SQL Injection

KevinLAB BEMS 1.0 contains a SQL injection vulnerability. Input passed through inputid POST parameter in /http/index.php is not properly sanitized before being returned to the user or used in SQL queries. An attacker can possibly obtain sensitive information from a database, modify data, and...

9.8CVSS7.4AI score0.07707EPSS

Exploits2References4

Nuclei•added 17 hours ago•16 views

Moodle 3.8-3.10.3 - Reflected XSS & Open Redirect

Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 contain a reflected XSS and open redirect caused by insufficient sanitization of the redirect URI in the LTI authorization endpoint, letting attackers execute scripts or redirect users maliciously, exploit requires crafted URL with...

6.1CVSS6.8AI score0.01157EPSS

Exploits0References3

Nuclei•added 17 hours ago•17 views

SupportCandy < 2.2.7 - Reflected Cross-Site Scripting

The SupportCandy WordPress plugin before 2.2.7 does not sanitise and escape the query string before outputting it back in pages with the wpsccreateticket shortcode embed, leading to a Reflected Cross-Site Scripting issue id: CVE-2021-24878 info: name: SupportCandy 2.2.7 - Reflected Cross-Site...

6.1CVSS6.3AI score0.01195EPSS

Exploits2References3

Nuclei•added 17 hours ago•9 views

WordPress Popup Builder < 4.0.7 - Remote Code Execution

Popup Builder WordPress plugin before 4.0.7 contains a local file inclusion caused by unsanitized 'sgpbtype' parameter in require statement, letting attackers include arbitrary local files or execute code via wrappers like PHAR, exploit requires attacker to control 'sgpbtype' parameter. id:...

8.8CVSS7.5AI score0.05365EPSS

Exploits2References2

Nuclei•added 17 hours ago•20 views

ZoomSounds Plugin - Unauthenticated Arbitrary File Upload

ZoomSounds plugin for WordPress contains a file upload vulnerability in savepng.php id: CVE-2021-4449 info: name: ZoomSounds Plugin - Unauthenticated Arbitrary File Upload author: 0xnemian severity: critical description: | ZoomSounds plugin for WordPress contains a file upload vulnerability in...

9.8CVSS7.3AI score0.05288EPSS

Exploits2References5

Nuclei•added 17 hours ago•24 views

Jenzabar 9.2x-9.2.2 - Cross-Site Scripting

Jenzabar 9.2.x through 9.2.2 contains a cross-site scripting vulnerability. It allows /ics?tool=search&query. id: CVE-2021-26723 info: name: Jenzabar 9.2x-9.2.2 - Cross-Site Scripting author: pikpikcu severity: medium description: Jenzabar 9.2.x through 9.2.2 contains a cross-site scripting...

6.1CVSS6.7AI score0.10949EPSS

Exploits3References5

Nuclei•added 17 hours ago•18 views

Redwood Report2Web 4.3.4.5 & 4.5.3 - Cross-Site Scripting

Redwood Report2Web 4.3.4.5 and 4.5.3 contains a cross-site scripting vulnerability in the login panel which allows remote attackers to inject JavaScript via the signIn.do urll parameter. id: CVE-2021-26710 info: name: Redwood Report2Web 4.3.4.5 & 4.5.3 - Cross-Site Scripting author: pikpikcu...

6.1CVSS6.3AI score0.06513EPSS

Exploits1References5

Nuclei•added 17 hours ago•34 views

Knowage Suite 7.3 - Cross-Site Scripting

Knowage Suite 7.3 contains an unauthenticated reflected cross-site scripting vulnerability. An attacker can inject arbitrary web script in '/servlet/AdapterHTTP' via the 'targetService' parameter. id: CVE-2021-30213 info: name: Knowage Suite 7.3 - Cross-Site Scripting author: alph4byt3 severity:...

6.1CVSS6.4AI score0.02721EPSS

Exploits1References5

Nuclei•added 17 hours ago•19 views

Opensis-Classic 8.0 - Cross-Site Scripting

Opensis-Classic Version 8.0 is affected by cross-site scripting. An unauthenticated user can inject and execute JavaScript code through the linkurl parameter in Ajaxurlencode.php. id: CVE-2021-40542 info: name: Opensis-Classic 8.0 - Cross-Site Scripting author: alph4byt3 severity: medium...

6.1CVSS6AI score0.02998EPSS

Exploits1References4

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by