368431 matches found

added 2024/12/27 2:11 p.m. | 2528 views

CVE-2024-56531

CVE-2024-56531: In the Linux kernel, ALSA: caiaq had a vulnerability where the USB disconnect callback could block USB ioctls due to using snd_card_free() (waiting for all fds to close). The fix replaces snd_card_free() with snd_card_free_when_closed(), enabling asynchronous resource release and...

CVSS 5.5 | AI score 6.8 | EPSS 0.0021
Exploits 0 | References 11 | Affected Software 1

added 2023/09/15 7:15 p.m. | 2528 views

CVE-2023-38507

CVE-2023-38507 affects Strapi up to version 4.12.0 (prior to 4.12.1) and describes an improper rate-limiting mechanism on the admin login that could be circumvented, enabling brute-force login attempts. Multiple connected documents corroborate that the vulnerability stems from a login-rate-limit ...

CVSS 9.8 | AI score 8.3 | EPSS 0.00761
Exploits 1 | References 3 | Affected Software 1

added 2023/09/07 7:18 a.m. | 2528 views

CVE-2023-39239

The CVE-2023-39239 entry concerns an authenticated/remote (sources vary on privilege) format string vulnerability in the General function API (apply.cgi) of ASUS RT-AX56U V2. The flaw arises from lack of input validation for a specific value in apply.cgi, enabling remote code execution or disrupt...

CVSS 7.2 | AI score 7.3 | EPSS 0.01158
Exploits 0 | References 1 | Affected Software 1

added 2023/07/06 10:8 p.m. | 2528 views

CVE-2023-36829

Sentry CORS misconfiguration (CVE-2023-36829): in versions 23.6.0 through

CVSS 6.8 | AI score 5.8 | EPSS 0.00543
Exploits 0 | References 4 | Affected Software 1

added 2023/07/17 8:57 p.m. | 2527 views

CVE-2023-37266

CasaOS suffers an authentication bypass via crafted JWTs in versions before 0.4.4. Unauthenticated attackers can exploit weak/random JWT handling to access features that require authentication and potentially execute commands as root on affected instances. The underlying issue is tied to inadequa...

CVSS 9.8 | AI score 9.8 | EPSS 0.05871
Exploits 1 | References 3 | Affected Software 1

added 2023/09/20 1:12 a.m. | 2526 views

CVE-2023-31015

CVE-2023-31015 affects NVIDIA DGX H100 BMC REST service. The root cause is an improper authentication flaw in the REST interface, which may allow a host user to escalate privileges, disclose information, execute code, or cause a denial of service. Affected products/versions are the DGX H100 BMC f...

CVSS 7.8 | AI score 8.3 | EPSS 0.0018
Exploits 0 | References 1 | Affected Software 1

added 2023/08/24 9:23 p.m. | 2526 views

CVE-2023-32077

Netmaker Vulnerability: Hardcoded DNS secret key allows unauthenticated users to interact with DNS API endpoints. Affects Netmaker builds prior to 0.17.1 and 0.18.6. Remediation per sources: upgrade to v0.17.1 (patched) or v0.18.6+ (fixed). If on 0.17.1, run docker pull gravitl/netmaker:v0.17.1 a...

CVSS 7.5 | AI score 7.3 | EPSS 0.03147
Exploits 0 | References 4 | Affected Software 1

added 2023/08/02 2:40 p.m. | 2526 views

CVE-2023-23476

CVE-2023-23476 affects IBM Robotic Process Automation versions 21.0.0–21.0.7.latest. The vulnerability stems from insufficient authorization validation on certain API routes, enabling unauthorized data access. Public details confirm impact as data disclosure and outline that upgraded versions 23....

CVSS 6.5 | AI score 4.9 | EPSS 0.00417
Exploits 0 | References 2 | Affected Software 2

added 2023/07/10 12:40 p.m. | 2526 views

CVE-2023-3077

CVE-2023-3077 affects the MStore API WordPress plugin prior to version 3.9.8. The vulnerability is a Blind SQL injection in which the product_id parameter is not sanitized/escaped before being used in a SQL statement, and it is exploitable by unauthenticated users. Public details indicate exploit...

CVSS 9.8 | AI score 9.8 | EPSS 0.05304
Exploits 2 | References 1 | Affected Software 1

added 2024/05/03 2:13 a.m. | 2525 views

CVE-2023-42118

CVE-2023-42118 affects Exim libspf2. The vulnerability arises in the SPF macro parser, where unvalidated user-supplied data can trigger an integer underflow before memory write, enabling remote code execution with the service account context. Exploitation appears feasible by network-adjacent atta...

CVSS 8.8 | AI score 8 | EPSS 0.51474
Exploits 0 | References 2 | Affected Software 1

added 2023/09/26 9:16 p.m. | 2524 views

CVE-2023-41321

GLPI (Gestionnaire Libre de Parc Informatique) prior to version 10.0.10 contains an API issue where an API user with read access can enumerate sensitive field values on resources. The vulnerability affects confidentiality (C) but has no impact on integrity/availability according to the provided d...

CVSS 6.5 | AI score 5.6 | EPSS 0.00738
Exploits 0 | References 1 | Affected Software 1

added 2023/08/18 4:0 p.m. | 2524 views

CVE-2023-4415

Summary: CVE-2023-4415 affects Ruijie RG-EW1200G (version 07161417 r483). The issue resides in the /api/sys/login endpoint, causing improper authentication with remote access risk. Multiple connected sources confirm a login bypass/RCE scenario and public disclosure of the exploit (VDB-237518). Ex...

CVSS 8.8 | AI score 7.9 | EPSS 0.56147
Exploits 5 | References 3 | Affected Software 1

added 2023/08/16 9:39 p.m. | 2524 views

CVE-2023-20232

Cisco Unified Contact Center Express (Unified CCX) is affected by CVE-2023-20232 due to improper input validation in the Tomcat-based web proxy component exposed via the Finesse Portal. The issue allows an unauthenticated, remote attacker to perform a web cache poisoning attack by sending crafted...

CVSS 5.3 | AI score 5.3 | EPSS 0.00423
Exploits 0 | References 1 | Affected Software 1

added 2023/07/27 3:30 p.m. | 2524 views

CVE-2023-38491

Summary: CVE-2023-38491 affects Kirby CMS prior to versions 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. The vulnerability arises from Kirby’s MIME type handling in Response::file(), which could fail to determine the correct MIME for uploaded files, causing the browser to treat a file as t...

CVSS 5.7 | AI score 5.4 | EPSS 0.00552
Exploits 0 | References 7 | Affected Software 1

added 2023/07/19 7:45 p.m. | 2524 views

CVE-2023-37899

CVE-2023-37899 concerns Feathersjs: the socket handler fails to catch invalid string conversion errors (e.g., a crafted toString object), causing Node.js to crash on unexpected Socket.io messages. A fix is available in Feathers versions 5.0.8 and 4.5.18; users should upgrade. There is no known wo...

CVSS 7.5 | AI score 7.5 | EPSS 0.00963
Exploits 1 | References 5 | Affected Software 1

added 2024/07/10 6:39 p.m. | 2523 views

CVE-2024-5910

CVE-2024-5910 affects Palo Alto Networks Expedition (versions prior to 1.2.92). The issue is missing authentication for a critical function, enabling an attacker with network access to potentially take over an Expedition admin account and exfiltrate configuration secrets and credentials. Public so...

CVSS 9.8 | AI score 6.8 | EPSS 0.91783
In wild | Exploits 9 | References 3 | Affected Software 1

added 2022/03/14 10:15 a.m. | 2522 views

CVE-2022-22721

CVE-2022-22721 concerns the Apache HTTP Server. On 32-bit systems, if LimitXMLRequestBody is set to allow request bodies larger than 350 MB (default 1 MB), an integer overflow can occur, leading to out-of-bounds writes. Affected product: Apache HTTP Server 2.4.52 and earlier. Impact per sources: ...

CVSS 9.1 | AI score 9.4 | EPSS 0.41861
Exploits 0 | References 16 | Affected Software 1

added 2025/01/20 1:48 p.m. | 2521 views

CVE-2025-21655

CVE-2025-21655 affects the Linux kernel io_uring/eventfd path. The root cause is that io_eventfd_do_signal() frees an io_ev_fd immediately when the refcount drops to zero, instead of deferring to a subsequent RCU grace period. The fix defers freeing by calling io_eventfd_put() (replacing the inli...

CVSS 4.7 | AI score 6.6 | EPSS 0.00219
Exploits 2 | References 6 | Affected Software 1

added 2023/09/26 10:37 p.m. | 2521 views

CVE-2023-41324

GLPI (Gestionnaire Libre de Parc Informatique) vulnerability CVE-2023-41324 is evidenced in connected records as a SQL injection flaw in GLPI’s search functionality. Affected are GLPI versions prior to 10.0.13 (per PT Security entries); authenticated users can exploit the flaw to access or extrac...

CVSS 8.8 | AI score 8.2 | EPSS 0.00737
Exploits 0 | References 1 | Affected Software 1

added 2023/09/19 9:32 a.m. | 2521 views

CVE-2023-32186

CVE-2023-32186 affects SUSE RKE2. A resource allocation without limits/throttling vulnerability allows an unauthenticated attacker with network access to the RKE2 supervisor/API port to cause a DoS on the cluster. Affected RKE2 versions include 1.24.0–1.24.16, 1.25.0–1.25.12, 1.26.0–1.26.7, 1.27...

CVSS 7.5 | AI score 7.4 | EPSS 0.00578
Exploits 0 | References 2 | Affected Software 1

added 2023/07/07 8:17 p.m. | 2521 views

CVE-2023-37261

OpenComputers is affected by CVE-2023-37261. The issue affects OpenComputers versions 1.2.0 through 1.8.3 in default configurations where the Internet Card is enabled. The root cause is that metadata-service endpoints used by cloud providers (e.g., AWS, GCP, Azure) are not properly blocked, enabl...

CVSS 9.6 | AI score 9.1 | EPSS 0.00641
Exploits 0 | References 7 | Affected Software 1

added 2023/08/03 12:0 a.m. | 2520 views

CVE-2023-33371

CVE-2023-33371 affects Control ID IDSecure 4.7.26.0 and earlier. The vulnerability arises from a hardcoded cryptographic key used to sign and verify JWT session tokens, enabling an attacker to forge tokens and bypass authentication. Exploitation details are not provided in these documents, but th...

CVSS 9.8 | AI score 9.3 | EPSS 0.0085
Exploits 0 | References 2 | Affected Software 1

added 2023/07/25 12:0 a.m. | 2520 views

CVE-2022-46898

CVE-2022-46898 concerns Vocera Report Server/Voice Server v5.x–5.8. A path-traversal flaw in the “restore SQL data” ZIP import workflow lets an attacker craft a ZIP with a SQL file that escapes the restoration directory. The Vocera Report Console’s websocket interface for restoration can process ...

CVSS 9.8 | AI score 9.4 | EPSS 0.00683
Exploits 0 | References 2 | Affected Software 2

added 2023/09/20 9:9 a.m. | 2519 views

CVE-2023-34047

CVE-2023-34047 affects Spring GraphQL: vulnerable batches occur when registering batch loader functions with a DataLoaderOptions instance in versions 1.1.0–1.1.5 and 1.2.0–1.2.2. Root cause: a batch loader may be exposed to the GraphQL context with values from a different session, including secur...

CVSS 4.3 | AI score 4.2 | EPSS 0.0036
Exploits 0 | References 1 | Affected Software 1

added 2023/09/07 7:31 p.m. | 2519 views

CVE-2023-20194

Cisco ISE ERS API vulnerability (CVE-2023-20194) allows an authenticated Administrator to read arbitrary OS files due to improper privilege management in the ERS API. Exploitation requires valid admin privileges and a crafted ERS API request; impact is information disclosure and potential privile...

CVSS 4.9 | AI score 5 | EPSS 0.00535
Exploits 0 | References 1 | Affected Software 1

added 2023/08/15 4:23 p.m. | 2519 views

CVE-2023-39438

CLA-assistant’s API suffers from a missing authorization check that allows any authenticated user to perform certain operations, including reading CLA data (and signer details) and updating or deleting CLA configurations for repositories or organizations. Stored GitHub tokens are not exposed in A...

CVSS 8.1 | AI score 8 | EPSS 0.00392
Exploits 0 | References 1 | Affected Software 1

added 2023/08/10 5:46 p.m. | 2519 views

CVE-2023-39966

1Panel CVE-2023-39966 affects v1.4.3; the api/v1/file.go SaveContent function accepts user POST JSON without proper parameter filtering, enabling arbitrary file writes and potential full server control. 1.5.0 patches this issue. Related advisories cite an arbitrary file write vulnerability wi...

CVSS 9.8 | AI score 8.6 | EPSS 0.00698
Exploits 1 | References 2 | Affected Software 1

added 2023/07/14 12:0 a.m. | 2519 views

CVE-2023-38337

CVE-2023-38337 concerns rswag (Ruby gem) before 2.10.1. The issue arises because rswag-api can expose a file that is not the project’s OpenAPI/Swagger specification, enabling directory traversal and allowing remote attackers to read arbitrary JSON and YAML files. Affected software is rswag

CVSS 7.5 | AI score 7.4 | EPSS 0.00958
Exploits 0 | References 2 | Affected Software 1

added 2023/01/17 7:12 p.m. | 2519 views

CVE-2022-37436

CVE-2022-37436 affects Apache HTTP Server in versions prior to 2.4.55. The issue allows a malicious backend to truncate response headers early, causing some headers to be incorporated into the response body and preventing the later headers from being interpreted by the client. Affected products i...

CVSS 5.3 | AI score 7.3 | EPSS 0.57941
Exploits 0 | References 2 | Affected Software 1

added 2023/09/01 7:59 p.m. | 2518 views

CVE-2023-41046

CVE-2023-41046 describes a velocity code execution flaw in XWiki Platform where VelocityCode/VelocityWiki properties can run Velocity without script rights. The code executes with the correct context author, but cannot access privileged APIs; however, it may access data/APIs that enable further p...

CVSS 6.3 | AI score 6.4 | EPSS 0.00445
Exploits 0 | References 4 | Affected Software 1

added 2023/08/25 12:18 a.m. | 2518 views

CVE-2023-40570

Summary: CVE-2023-40570 affects Datasette 1.0 alpha to 1.0a3 with authentication enabled. The /-/api API explorer endpoint could disclose the names of databases and tables to unauthenticated users, without exposing contents. The issue is mitigated in Datasette 1.0a4, which blocks the API explorer...

CVSS 5.3 | AI score 5.2 | EPSS 0.00464
Exploits 0 | References 2 | Affected Software 1

added 2023/09/27 6:31 p.m. | 2517 views

CVE-2023-43652

CVE-2023-43652 affects JumpServer (open source bastion host). An unauthenticated user can authenticate to the core API using a username and an SSH public key without a password or private key, enabling access to the current user’s information and authorized actions. The vulnerability stems from a...

CVSS 9.1 | AI score 9 | EPSS 0.00675
Exploits 1 | References 2 | Affected Software 1

added 2023/09/20 3:32 p.m. | 2517 views

CVE-2023-5074

CVE-2023-5074 affects D-Link D-View 8, specifically version 2.0.1.28, where a static key protects the JWT used for user authentication. This design enables an authentication bypass risk by forging or manipulating tokens, effectively allowing unauthorized access to D-View 8 systems. The relevant c...

CVSS 9.8 | AI score 9.7 | EPSS 0.67914
In wild | Exploits 1 | References 1 | Affected Software 1

added 2023/09/20 12:0 a.m. | 2517 views

CVE-2023-38888

CVE-2023-38888 is a Cross Site Scripting vulnerability affecting Dolibarr ERP/CRM (v17.0.1 and earlier) exposed via the REST API module. The issue is tied to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject, enabling a remote attacker to obtain sensitive information and execute arb...

CVSS 9.6 | AI score 9 | EPSS 0.01174
Exploits 1 | References 2 | Affected Software 1

added 2023/09/04 10:42 a.m. | 2517 views

CVE-2023-4616

CVE-2023-4616 concerns a path traversal in LG LED Assistant’s /api/thumbnail endpoint. The vulnerability stems from insufficient validation of a user-supplied path before performing file operations, enabling an unauthenticated attacker to read sensitive information in the context of the current u...

CVSS 7.5 | AI score 7.3 | EPSS 0.01251
Exploits 0 | References 2 | Affected Software 1

added 2022/03/28 6:53 p.m. | 2517 views

CVE-2021-4191

The CVE-2021-4191 issue in GitLab CE/EE (affected versions: 13.0–14.6.5, 14.7–14.7.4, 14.8–14.8.2) enables user enumeration via the GraphQL API for unauthenticated users on privately signed-up instances. Root cause: missing authentication checks in specific GraphQL queries, allowing an attacker t...

CVSS 5.3 | AI score 5.2 | EPSS 0.80004
In wild | Exploits 4 | References 3 | Affected Software 1

added 2023/09/27 5:20 p.m. | 2516 views

CVE-2023-20223

CVE-2023-20223 affects Cisco DNA Center. Affected component: Cisco DNA Center API with insufficient access control, enabling an unauthenticated remote attacker to read/modify data in an internal service repository via crafted API requests. Impact: data exposure and modification on the device; no ...

CVSS 8.6 | AI score 8 | EPSS 0.00483
Exploits 0 | References 1 | Affected Software 1

added 2023/09/06 12:53 p.m. | 2515 views

CVE-2023-36388

CVE-2023-36388 concerns Apache Superset. The issue is an improper REST API permission configuration that allows an authenticated, low-privilege user to initiate network connections, enabling possible SSRF. The vulnerability affects Superset up to version 2.1.0 (and older per disclosures), with th...

CVSS 5.4 | AI score 5.2 | EPSS 0.00806
Exploits 0 | References 1 | Affected Software 1

added 2023/08/15 5:45 p.m. | 2515 views

CVE-2023-40027

Keystone (Node.js) vulnerability CVE-2023-40027: When ui.isAccessAllowed is undefined, the adminMeta GraphQL query is publicly accessible without a session, potentially exposing admin metadata. Affected users are those relying on a session strategy to restrict access; developers using @keystone-6...

CVSS 5.3 | AI score 4.7 | EPSS 0.00469
Exploits 0 | References 3 | Affected Software 1

added 2023/07/19 11:35 p.m. | 2515 views

CVE-2023-3300

HashiCorp Nomad and Nomad Enterprise expose a vulnerability (CVE-2023-3300) where the HTTP search API can reveal names of available CSI plugins to unauthenticated users or those without the plugin:read policy. Affected versions are Nomad/Nomad Enterprise 0.11.0 through 1.5.6 and 1.4.1. The issue ...

CVSS 5.3 | AI score 5.2 | EPSS 0.0047
Exploits 0 | References 1 | Affected Software 1

added 2024/12/28 9:46 a.m. | 2514 views

CVE-2024-56690

CVE-2024-56690: Linux kernel crypto: pcrypt fix for -EBUSY/-EAGAIN. After commit 8f4f68e7, padata_do_parallel() may return -EAGAIN for pcrypt encrypt/decrypt when CPUs go online/offline, triggering a WARN/panic under panic_on_warn. The remediation is to call the crypto layer directly (no paralle...

CVSS 5.5 | AI score 6.6 | EPSS 0.00185
Exploits 0 | References 11 | Affected Software 1

added 2023/08/09 3:36 a.m. | 2514 views

CVE-2023-4243

CVE-2023-4243 affects the FULL – Customer WordPress plugin. Root cause: improper authorization in the /install-plugin REST route allows authenticated users with subscriber-level or higher to install plugins from arbitrary remote locations, enabling potential code execution. Affected: FULL – Custo...

CVSS 8.8 | AI score 8.7 | EPSS 0.00765
Exploits 0 | References 4 | Affected Software 1

added 2023/08/04 3:12 p.m. | 2514 views

CVE-2023-37470

Metabase versions prior to 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4 are affected by a remote code execution vulnerability stemming from the embedded H2 database. The issue allows a user-supplied connection string to contain code that is subsequently execu...

CVSS 10 | AI score 9.8 | EPSS 0.01124
Exploits 0 | References 1 | Affected Software 1

added 2023/07/21 8:15 p.m. | 2514 views

CVE-2023-37916

CVE-2023-37916: KubePi (github.com/KubeOperator/kubepi) had a leak in /kubepi/api/v1/users/search?pageNum=1&&pageSize=10 that exposed password hashes for any user (including admin). The root cause is a leaking endpoint returning password hashes; no workaround is documented. The issue has been fix...

CVSS 7.5 | AI score 6.8 | EPSS 0.00681
Exploits 1 | References 1 | Affected Software 1

added 2023/09/25 12:8 p.m. | 2513 views

CVE-2023-41301

CVE-2023-41301 describes a vulnerability in the PMS module enabling unauthorized API access, with exploitation potentially causing features to behave abnormally. The NVD entry lists a CVSS v3.1 base score of 7.5 (HIGH), with network attack vector, no privileges required, no user interaction, and ...

CVSS 7.5 | AI score 7.4 | EPSS 0.0035
Exploits 0 | References 2 | Affected Software 2

added 2023/09/20 1:5 a.m. | 2513 views

CVE-2023-31012

CVE-2023-31012 affects NVIDIA DGX H100 BMC: the REST service suffers from improper input validation in the BMC REST interface, enabling potential privilege escalation and information disclosure. CVSSv3.1 base score 8.8 (HIGH) per NVD; Red Hat, NVD and NVIDIA bulletins corroborate issues tied to t...

CVSS 8.8 | AI score 8.8 | EPSS 0.00522
Exploits 0 | References 1 | Affected Software 1

added 2023/09/20 1:3 a.m. | 2513 views

CVE-2023-31011

CVE-2023-31011 affects NVIDIA DGX H100 BMC REST service due to improper input validation in the REST interface. The Red Hat advisory and NVIDIA security bulletin confirm the root cause is input validation weaknesses, enabling an attacker to escalate privileges and disclose information. The issue ...

CVSS 8.8 | AI score 8.8 | EPSS 0.00464
Exploits 0 | References 1 | Affected Software 1

added 2023/09/14 11:36 a.m. | 2513 views

CVE-2023-2848

Movim prior to version 0.22 is affected by a Cross‑Site WebSocket Hijacking vulnerability due to missing header validation. This is documented across multiple sources (NVD entry confirms the issue and impact; connected references point to Movim commits related to the vulnerability). Affected comp...

CVSS 8.8 | AI score 8.6 | EPSS 0.00309
Exploits 0 | References 3 | Affected Software 1

added 2023/08/14 4:5 a.m. | 2513 views

CVE-2023-3264

CVE-2023-3264 affects CyberPower PowerPanel Enterprise DCIM (and is listed with a CVSS 3.1 vector of 6.7). The vulnerability is described as Use of Hard-coded Credentials, enabling authentication bypass in the CyberPower PowerPanel Enterprise component. The Trellix/TRELLIX blog and related Red Ha...

CVSS 9.8 | AI score 9.6 | EPSS 0.00469
Exploits 0 | References 1 | Affected Software 1

added 2023/07/27 6:57 p.m. | 2513 views

CVE-2023-38510

Tolgee CVE-2023-38510 affects Tolgee versions 3.14.0 through 3.23.1. The issue is that API-key requests bypass permission scope checks, effectively bypassing authorization for some endpoints. This vulnerability can enable unauthorized access if API keys are exposed on the internet; cases where ke...

CVSS 8.1 | AI score 7.8 | EPSS 0.00486
Exploits 0 | References 4 | Affected Software 1

Total number of security vulnerabilities: 5000