Lucene search
K

459656 matches found

Nuclei
Nuclei
added 10 hours ago53 views

FormLift for Infusionsoft Web Forms <= 7.5.17 - SQL Injection

The FormLift for Infusionsoft Web Forms plugin for WordPress is vulnerable to SQL Injection via the 'formid' parameter in versions up to, and including, 7.5.17 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

9.8CVSS6AI score0.02004EPSS
Exploits0References4
Nuclei
Nuclei
added 10 hours ago48 views

Download Monitor < 4.4.5 - SQL Injection

The Download Monitor plugin for WordPress is vulnerable to SQL injection via the 'orderby' parameter in versions before 4.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attacker...

7.2CVSS7.1AI score0.17484EPSS
Exploits5References3
Nuclei
Nuclei
added 10 hours ago144 views

MasterStudy LMS WordPress Plugin <= 3.2.5 - SQL Injection

The MasterStudy LMS WordPress Plugin for Online Courses and Education plugin for WordPress is vulnerable to union based SQL Injection via the 'user' parameter of the /lms/stm-lms/order/items REST route in all versions up to, and including, 3.2.5 due to insufficient escaping on the user supplied...

9.8CVSS7.2AI score0.77729EPSS
Exploits1References4
Nuclei
Nuclei
added 10 hours ago136 views

Buffalo WSR-2533DHPL2 - Configuration File Injection

The web interfaces of Buffalo WSR-2533DHPL2 firmware version = 1.02 and WSR-2533DHP3 firmware version = 1.24 does not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially leading to remote code execution. id:...

9.8CVSS7.5AI score0.99983EPSS
Exploits5References5
Nuclei
Nuclei
added 10 hours ago146 views

Lexmark Printers - Command Injection

Certain Lexmark devices through 2023-02-19 mishandle Input Validation issue 1 of 4. id: CVE-2023-26067 info: name: Lexmark Printers - Command Injection author: DhiyaneshDK severity: high description: | Certain Lexmark devices through 2023-02-19 mishandle Input Validation issue 1 of 4. impact: |...

8.1CVSS7.1AI score0.37835EPSS
Exploits4References5
Nuclei
Nuclei
added 10 hours ago25 views

Django RasterField - SQL Injection

Django 6.0.2, 5.2.11, and 4.2.28 contains a SQL injection caused by improper sanitization of the band index parameter in RasterField on PostGIS, letting remote attackers inject SQL, exploit requires crafted input. id: CVE-2026-1207 info: name: Django RasterField - SQL Injection author: omarkurt...

8.3CVSS7AI score0.09436EPSS
Exploits1References3
Nuclei
Nuclei
added 10 hours ago156 views

Jms Blog - SQL Injection

The module Jms Blog jmsblog from Joommasters contains a Time Based SQL injection vulnerability. This module is for the PrestaShop e-commerce platform and mainly provided with joommasters PrestaShop themes id: CVE-2023-27034 info: name: Jms Blog - SQL Injection author: MaStErChO severity: critical...

9.8CVSS7.2AI score0.58743EPSS
Exploits0References5
Nuclei
Nuclei
added 10 hours ago77 views

IPeakCMS 3.5 - SQL Injection

ipeak Infosystems ibexwebCMS 3.5 contains an unauthenticated Boolean-based SQL injection caused by unsanitized 'id' parameter in /cms/print.php, letting attackers execute arbitrary SQL commands, exploit requires no authentication. id: CVE-2021-3018 info: name: IPeakCMS 3.5 - SQL Injection author:...

9.8CVSS7.4AI score0.19506EPSS
Exploits3References3
Nuclei
Nuclei
added 10 hours ago121 views

TOTOLink - Unauthenticated Command Injection

TOTOLINK X5000R V9.1.0u.6118B20201102 and V9.1.0u.6369B20230113 contain a command insertion vulnerability in setting/setTracerouteCfg. This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter. id: CVE-2023-30013 info: name: TOTOLink - Unauthenticated...

9.8CVSS7.4AI score0.25889EPSS
Exploits4References4
Nuclei
Nuclei
added 10 hours ago86 views

ASIS - SQL Injection Authentication Bypass

ASIS aka Aplikasi Sistem Sekolah using CodeIgniter 3 3.0.0 through 3.2.0 allows index.php username SQL injection for Authentication Bypass. id: CVE-2024-45622 info: name: ASIS - SQL Injection Authentication Bypass author: s4e-io severity: critical description: | ASIS aka Aplikasi Sistem Sekolah...

9.8CVSS7.2AI score0.36297EPSS
Exploits3References3
Nuclei
Nuclei
added 10 hours ago79 views

WordPress Easy Digital Downloads <= 3.2.12 - SQL Injection

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Easy Digital Downloads allows SQL Injection.This issue affects Easy Digital Downloads: from n/a through 3.2.12. id: CVE-2024-5057 info: name: WordPress Easy Digital Downloads = 3.2.12 - SQL Injecti...

9.8CVSS6AI score0.02588EPSS
Exploits0References3
Nuclei
Nuclei
added 10 hours ago167 views

Zyxel Firewall - OS Command Injection

An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100W firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1...

10CVSS7.5AI score0.99938EPSS
Exploits27References5
Nuclei
Nuclei
added 10 hours ago61 views

Thinfinity Iframe Injection

A vulnerability exists in Thinfinity VirtualUI in a function located in /lab.html reachable which by default could allow IFRAME injection via the "vpath" parameter. id: CVE-2021-45092 info: name: Thinfinity Iframe Injection author: danielmofer severity: critical description: A vulnerability exist...

9.8CVSS6.8AI score0.39973EPSS
Exploits7References5
Nuclei
Nuclei
added 10 hours ago25 views

CentOS Web Panel - OS Command Injection

The unprivileged user portal part of CentOS Web Panel is affected by a Command Injection vulnerability leading to root Remote Code Execution. id: CVE-2021-31324 info: name: CentOS Web Panel - OS Command Injection author: ritikchaddha severity: critical description: | The unprivileged user portal...

10CVSS7.3AI score0.34062EPSS
Exploits1References2
Nuclei
Nuclei
added 10 hours ago19 views

KodExplorer - Cross-Site Scripting

KodExplorer is susceptible to a reflected cross-site scripting XSS vulnerability in the file view functionality.The vulnerability exists in app/template/api/view.html where user-supplied input in the 'path' parameter is directly echoed without proper sanitization.This allows attackers to inject...

6.1CVSS6.3AI score0.00705EPSS
Exploits0References2
Nuclei
Nuclei
added 10 hours ago140 views

Cachet <=2.3.18 - SQL Injection

Cachet is an open source status page. With Cachet prior to and including 2.3.18, there is a SQL injection which is in the SearchableTraitscopeSearch. Attackers without authentication can utilize this vulnerability to exfiltrate sensitive data from the database such as administrator's password and...

8.1CVSS6.9AI score0.09752EPSS
Exploits2References5
Nuclei
Nuclei
added 10 hours ago28 views

Control Web Panel (CWP) - File Inclusion

In CWP Control Web Panel, previously CentOS Web Panel before version 0.9.8.1107, an unauthenticated attacker can abuse null byte %00 injection with the "scripts" parameter in the /user/loader.php or /user/login.php endpoints to register arbitrary API keys or access sensitive files. This can be...

9.8CVSS7.7AI score0.70947EPSS
Exploits1References2
Nuclei
Nuclei
added 10 hours ago67 views

PuneethReddyHC Online Shopping System homeaction.php SQL Injection

An unauthenticated SQL injection vulnerability exists in PuneethReddyHC Online Shopping System through the /homeaction.php catid parameter. Using a post request does not sanitize the user input. id: CVE-2021-41649 info: name: PuneethReddyHC Online Shopping System homeaction.php SQL Injection...

9.8CVSS7.3AI score0.5177EPSS
Exploits2References5
Nuclei
Nuclei
added 10 hours ago51 views

Pie Register < 3.7.1.6 - SQL Injection

The Registration Forms User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.7.1.6 does not properly escape user data before using it in a SQL statement in the wp-json/pie/v1/login REST API endpoint, leading to an SQL injection. id:...

9.8CVSS7.2AI score0.07542EPSS
Exploits2References3
Nuclei
Nuclei
added 10 hours ago82 views

Doctor Appointment System 1.0 - SQL Injection

Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via firstname parameter. id: CVE-2021-27320 info: name: Doctor Appointment System 1.0 - SQL Injection author: theamanrawat severity: high description: | Blind S...

7.5CVSS7.1AI score0.09299EPSS
Exploits3References3
Rows per page
Query Builder