Lucene search
K

2466879 matches found

Nuclei
Nuclei
added 3 days ago25 views

PHP-Fusion 9.03.50 - Remote Code Execution

PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user not admin to send a crafted request to the server and perform remote command execution. id: CVE-2020-24949 info: name: PHP-Fusion 9.03.50 - Remote Code Execution author: geeknik severity: high description: PHP-Fusion 9.03.50...

9CVSS7.4AI score0.67289EPSS
Exploits4References5
Nuclei
Nuclei
added 3 days ago33 views

Citrix ADC and Citrix NetScaler Gateway - Remote Code Injection

Citrix ADC and NetScaler Gateway are susceptible to remote code injection. An attacker can potentially execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. Affected versions are before 13.0-58.30,...

6.5CVSS7AI score0.10695EPSS
Exploits0References5
Nuclei
Nuclei
added 3 days ago16 views

Fortinet FortiWeb - SQL Injection

An improper neutralization of special elements used in an SQL command 'SQL Injection' vulnerability CWE-89 in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests. id: CVE-2025-25257 info: name: Fortinet FortiWeb - SQL...

9.8CVSS7.8AI score0.9671EPSS
Exploits18References2
Nuclei
Nuclei
added 3 days ago48 views

XStream <1.4.15 - Server-Side Request Forgery

XStream before 1.4.15 is susceptible to server-side request forgery. An attacker can request data from internal resources that are not publicly available by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorize...

7.7CVSS6.9AI score0.82238EPSS
Exploits4References5
Nuclei
Nuclei
added 3 days ago44 views

Mitel MiCollab AWV 8.1.2.4 and 9.1.3 - Directory Traversal

A Directory Traversal vulnerability in the web conference component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an attacker to access arbitrary files from restricted directories of the server via a crafted URL, due to insufficient access validation. A successful exploit...

5.3CVSS6.2AI score0.45241EPSS
Exploits3References5
Nuclei
Nuclei
added 3 days ago16 views

Dell UnityVSA < 5.5 - Remote Command Injection

Dell Unity, versions 5.5 and prior, contains an Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' vulnerability. id: CVE-2025-36604 info: name: Dell UnityVSA 5.5 - Remote Command Injection author: DhiyaneshDK,watchtowr severity: critical description: | Dell...

9.8CVSS6.1AI score0.61923EPSS
Exploits1References3
Nuclei
Nuclei
added 3 days ago20 views

Ingress-Nginx Controller - Configuration Injection via Unsanitized `auth-tls-match-cn` Annotation

A security issue was discovered in ingress-nginx https-//github.com/kubernetes/ingress-nginx where the auth-tls-match-cn Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of...

8.8CVSS7.2AI score0.34677EPSS
Exploits7References3
Nuclei
Nuclei
added 3 days ago1406 views

Pterodactyl Panel - Remote Code Execution

Pterodactyl is a free, open-source game server management panel. Using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. id: CVE-2025-49132 info: name: Pterodactyl Panel - Remote Code Execution...

10CVSS7.6AI score0.13105EPSS
Exploits28References3
Nuclei
Nuclei
added 3 days ago18 views

SysAid On-Prem <= 23.3.40 - XML External Entity

SysAid On-Prem versions = 23.3.40 are vulnerable to an unauthenticated XML External Entity XXE vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives. id: CVE-2025-2775 info: name: SysAid On-Prem = 23.3.40 - XML External Entity...

9.3CVSS7.6AI score0.55177EPSS
Exploits1References2
Nuclei
Nuclei
added 3 days ago6 views

WordPress Madara Theme < 2.2.2.1 - Local File Inclusion

Madara WordPress theme = 2.2.2 contains a local file inclusion vulnerability caused by improper sanitization of the 'template' parameter, letting unauthenticated attackers execute arbitrary files on the server, exploit requires crafted request. id: CVE-2025-4524 info: name: WordPress Madara Theme...

9.8CVSS7.5AI score0.09094EPSS
Exploits5References4
Nuclei
Nuclei
added 3 days ago46 views

Vipshop Saturn Console <= 3.5.1 - SQL Injection via ClusterKey Component

SQL injection vulnerability in vipshop Saturn v.3.5.1 and before allows a remote attacker to execute arbitrary code via /console/dashboard/executorCount?zkClusterKey component. id: CVE-2025-29085 info: name: Vipshop Saturn Console = 3.5.1 - SQL Injection via ClusterKey Component author:...

9.8CVSS6.2AI score0.29125EPSS
Exploits0References2
Nuclei
Nuclei
added 3 days ago19 views

CLink Office 2.0 - Cross-Site Scripting

CLink Office 2.0 is vulnerable to cross-site scripting in the index page of the management console and allows remote attackers to inject arbitrary web script or HTML via the lang parameter. id: CVE-2020-6171 info: name: CLink Office 2.0 - Cross-Site Scripting author: pikpikcu severity: medium...

6.1CVSS6.4AI score0.04798EPSS
Exploits1References4
Nuclei
Nuclei
added 3 days ago12 views

RosarioSIS 6.7.2 - Cross-Site Scripting

RosarioSIS version 6.7.2 and earlier contains a reflected cross-site scripting XSS vulnerability in the Preferences module. The 'tab' parameter in Modules.php is not properly sanitized, allowing an attacker to inject arbitrary JavaScript code via a crafted URL. id: CVE-2020-15718 info: name:...

6.1CVSS6.4AI score0.06325EPSS
Exploits2
Nuclei
Nuclei
added 3 days ago49 views

74cms - ajax_street.php 'key' SQL Injection

SQL Injection in 74cms 3.2.0 via the key parameter to plus/ajaxstreet.php. id: CVE-2020-22211 info: name: 74cms - ajaxstreet.php 'key' SQL Injection author: ritikchaddha severity: critical description: | SQL Injection in 74cms 3.2.0 via the key parameter to plus/ajaxstreet.php. impact: | Successf...

9.8CVSS7AI score0.0794EPSS
Exploits1References3
Nuclei
Nuclei
added 3 days ago33 views

Apache Spark - Authentication Bypass

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication spark.authenticate via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even...

9.8CVSS6.9AI score0.29157EPSS
Exploits0References2
Nuclei
Nuclei
added 3 days ago28 views

PRTG Network Monitor <20.1.57.1745 - Information Disclosure

PRTG Network Monitor before 20.1.57.1745 is susceptible to information disclosure. An attacker can obtain information about probes running or the server itself via an HTTP request, thus potentially being able to modify data and/or execute unauthorized administrative operations in the context of t...

5.3CVSS6.1AI score0.52059EPSS
Exploits0References5
Nuclei
Nuclei
added 3 days ago7 views

WhoDB < 0.45.0 - Path Traversal

WhoDB contains a path traversal caused by lack of validation when opening database files, letting unauthenticated attackers access arbitrary Sqlite3 databases on the host system, exploit requires attacker to manipulate database filename input. id: CVE-2025-24786 info: name: WhoDB 0.45.0 - Path...

10CVSS7.2AI score0.0268EPSS
Exploits1References3
Nuclei
Nuclei
added 3 days ago23 views

WP Hotel Booking < 1.10.4 - PHP Object Injection

The wp-hotel-booking plugin through 1.10.2 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the thimpresshotelbooking1 cookie in load in includes/class-wphb-sessions.php. id: CVE-2020-29047 info: name: WP Hotel Booking 1.10.4 - PHP Object...

9.8CVSS7.7AI score0.14269EPSS
Exploits2References3
Nuclei
Nuclei
added 3 days ago55 views

HashiCorp Consul/Consul Enterprise <=1.9.4 - Cross-Site Scripting

HashiCorp Consul and Consul Enterprise up to version 1.9.4 are vulnerable to cross-site scripting via the key-value KV raw mode. id: CVE-2020-25864 info: name: HashiCorp Consul/Consul Enterprise =1.9.4 - Cross-Site Scripting author: c-sh0 severity: medium description: | HashiCorp Consul and Consu...

6.1CVSS6.4AI score0.06095EPSS
Exploits0References5
Nuclei
Nuclei
added 3 days ago79 views

Palo Alto Networks PAN-OS Web Interface - Cross Site-Scripting

PAN-OS management web interface is vulnerable to reflected cross-site scripting. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute...

8.8CVSS7.2AI score0.2389EPSS
Exploits0References5
Rows per page
Query Builder