CVE: Most viewed

367607 matches found

added 2019/08/15 9:2 p.m., 1866 views

CVE-2019-10081

CVE-2019-10081 affects Apache httpd's HTTP/2 implementation (mod_http2) where very early pushes can overwrite memory in the pushing request’s pool, causing crashes. The vulnerable facet is the handling of push headers (not client data) and memory being copied from the configured push link header ...

7.5 CVSS, 8.1 AI score, 0.14563 EPSS
Exploits 1, References 21, Affected Software 1

added 2022/05/04 12:8 a.m., 1865 views

CVE-2021-43162

The CVE-2021-43162 entry concerns Ruijie Networks RG-EW Series Routers (ReyeeOS up to 1.55.1915 / EW_3.0(1)B11P55) and a flaw in the runPackDiagnose function exposed via /cgi-bin/luci/api/diagnose. The issue enables Remote Code Execution (RCE). Affected component/file: runPackDiagnose in the LUCI...

8.8 CVSS, 8.8 AI score, 0.01814 EPSS
Exploits 0, References 2, Affected Software 1

added 2017/06/30 1:0 p.m., 1865 views

CVE-2015-9103

Synology Note Station 1.1-0212 and earlier are affected by cross-site scripting (XSS) via (1) note title or (2) attachment file name. Remote authenticated attackers can inject script; impact is browser-execution of arbitrary HTML/code. A patch exists: update to Note Station 1.1-0214 or later per ...

5.4 CVSS, 5.1 AI score, 0.0082 EPSS
Exploits 0, References 3, Affected Software 1

added 2021/03/02 11:55 p.m., 1863 views

CVE-2021-26858

CVE-2021-26858 (Microsoft Exchange Server) is discussed in connected material as a post-authentication issue enabling manipulation of voicemail header files. The AVLEONOV writeup explains a crafted header can be parsed to deserialize a malicious ContactInfo object, using a TypedBinaryFormatter wi...

7.8 CVSS, 9.3 AI score, 0.89509 EPSS
In wild, Exploits 3, References 2, Affected Software 1

added 2023/06/23 12:0 a.m., 1857 views

CVE-2023-32373

CVE-2023-32373 is a use-after-free in WebKitGTK/WebKit related to processing malicious web content. Connected advisories confirm this vulnerability affects WebKitGTK/WebKit components and note exploitation activity. The issue is fixed in WebKitGTK/WebKit updates (e.g., webkitgtk4 packages) across...

8.8 CVSS, 8.6 AI score, 0.1227 EPSS
In wild, Exploits 0, References 8, Affected Software 6

added 2024/07/09 2:25 p.m., 1853 views

CVE-2024-6604

CVE-2024-6604: Memory safety bugs in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12 could lead to memory corruption and potential arbitrary code execution. Affected: Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, Thunderbird

7.5 CVSS, 8.8 AI score, 0.0054 EPSS
Exploits 0, References 5, Affected Software 2

added 2024/12/27 2:50 p.m., 1849 views

CVE-2024-56583

CVE-2024-56583 maps to a Linux kernel issue in the SCSI/HISI SAS path. The Tencent advisory TSSA-2025:0215 lists this CVE with a fix described as adding cond_resched() for the no-forced-preemption model, to prevent watchdog-like stalls under heavy migrate/paging scenarios. The connected doc confi...

5.5 CVSS, 6.5 AI score, 0.00225 EPSS
Exploits 0, References 3, Affected Software 1

added 2026/02/11 11:33 a.m., 1846 views

CVE-2026-1080

GitLab EE multiple versions affected (16.7 before 18.6.6, 18.7 before 18.7.4, 18.8 before 18.8.4). Under certain conditions, an authenticated user could access iteration data for private descendant groups by querying the iterations API endpoint. The issue has been remediated in a patch release: 1...

4.3 CVSS, 5.5 AI score, 0.00195 EPSS
Exploits 0, References 3, Affected Software 1

added 2025/04/01 7:53 a.m., 1840 views

CVE-2025-30065

CVE-2025-30065: In Apache Parquet, the parquet-avro module (affecting Parquet 1.15.0 and earlier) allows arbitrary code execution due to schema parsing issues. Upgrading to Parquet 1.15.1 fixes the issue. The vulnerability arises from deserialization of untrusted data during schema translation f...

10 CVSS, 7.8 AI score, 0.3884 EPSS
Exploits 9, References 8, Affected Software 1

added 2022/04/18 12:0 a.m., 1836 views

CVE-2022-29464

CVE-2022-29464 is an unauthenticated, pre-auth arbitrary file upload in WSO2 products that enables remote code execution via a crafted POST to /fileupload. The vulnerability arises from directory traversal during upload, allowing JSPs to be placed under the webroot (e.g., repository/deployment/se...

10 CVSS, 9.6 AI score, 0.99999 EPSS
In wild, Exploits 22, References 5, Affected Software 8

added 2023/09/14 7:40 a.m., 1829 views

CVE-2023-38205

CVE-2023-38205 affects Adobe ColdFusion: versions 2018u18 and earlier, 2021u8 and earlier, and 2023u2 and earlier are vulnerable to an Improper Access Control flaw that enables an unauthenticated attacker to bypass security and access the administration CFM/CFC endpoints without user interaction....

7.5 CVSS, 7.5 AI score, 0.99732 EPSS
In wild, Exploits 0, References 2, Affected Software 1

added 2022/06/08 10:0 a.m., 1829 views

CVE-2022-26377

CVE-2022-26377 is a real HTTP Request Smuggling vulnerability in the mod_proxy_ajp module of Apache HTTP Server. Affected: Apache httpd 2.4.53 and earlier. Description across sources confirms that an attacker can smuggle requests to the AJP server to which httpd forwards traffic. Patches/updates ...

7.5 CVSS, 8.9 AI score, 0.19008 EPSS
Exploits 1, References 6, Affected Software 1

added 2022/05/06 12:50 a.m., 1829 views

CVE-2021-25745

The connected records confirm CVE-2021-25745 affects ingress-nginx in Kubernetes. A user who can create/update Ingress objects can abuse spec.rules[].http.paths[].path (in networking.k8s.io or extensions) to obtain the credentials of the ingress-nginx controller. In the default configuration, tha...

8.1 CVSS, 7.6 AI score, 0.01109 EPSS
Exploits 0, References 3, Affected Software 1

added 2019/06/05 12:0 a.m., 1825 views

CVE-2019-10149

CVE-2019-10149 affects Exim 4.87–4.91 (MTA). Improper validation in deliver_message() can permit unauthenticated remote command execution. Public reports and advisories document exploitation in the wild (Sandworm) and prompt patching to newer Exim versions (4.92+) or applying fixes. Connected...

10 CVSS, 9.6 AI score, 0.99961 EPSS
In wild, Exploits 27, References 21, Affected Software 1

added 2024/07/01 6:15 p.m., 1821 views

CVE-2024-38475

CVE-2024-38475 affects Apache HTTP Server 2.4.59 and earlier, where improper escaping of output in mod_rewrite can map URLs to filesystem locations that are served but not directly reachable, enabling remote code execution or source code disclosure. The issue also involves substitutions in server...

9.1 CVSS, 9.7 AI score, 0.99957 EPSS
In wild, Exploits 1, References 7, Affected Software 1

added 2023/06/23 12:0 a.m., 1819 views

CVE-2023-28204

CVE-2023-28204 is an out-of-bounds read in WebKit caused by improper input handling while processing web content. It affects WebKit-based components and was fixed in multiple vendor advisories: Apple updates (watchOS/macOS/iOS/iPadOS/Safari) and WebKitGTK/WPE WebKit packages (e.g., webkitgtk4 2.3...

6.5 CVSS, 6.6 AI score, 0.14406 EPSS
In wild, Exploits 0, References 8, Affected Software 6

added 2019/12/10 6:45 p.m., 1819 views

CVE-2012-1577

CVE-2012-1577 affects the OpenBSD C library (lib/libc/stdlib/random.c). The issue is that the RNG returns 0 when seeded with 0, indicating a flawed seed handling/root-of-failure in random() implementation. The available records identify the affected component and the seeding behavior as the vulne...

9.8 CVSS, 9.4 AI score, 0.0155 EPSS
Exploits 0, References 4, Affected Software 2

added 2018/11/30 8:0 p.m., 1818 views

CVE-2018-15715

CVE-2018-15715 affects Zoom Client for Meetings on Windows, macOS, and Linux (before specific builds). The vulnerability stems from Zoom’s internal messaging pump sending both UDP (untrusted) and TCP (trusted) messages to the same handler, enabling a remote, unauthenticated attacker to craft UDP ...

9.8 CVSS, 9.1 AI score, 0.03487 EPSS
Exploits 1, References 1, Affected Software 1

added 2019/07/19 10:56 p.m., 1812 views

CVE-2019-12815

Summary: CVE-2019-12815 is a vulnerability in ProFTPD’s mod_copy that allowed unauthenticated remote access to copy arbitrary files due to incomplete CPFR/CPTO permission checks, enabling remote code execution and information disclosure. Affected software: ProFTPD up to 1.3.5b (and related 1.3.5 ...

9.8 CVSS, 9.5 AI score, 0.57606 EPSS
Exploits 1, References 15, Affected Software 1

added 2021/04/01 6:0 p.m., 1811 views

CVE-2021-26718

CVE-2021-26718 concerns Kaspersky Internet Security (KIS) for macOS where AV bypass could occur via an XPC service. Public details describe an improper client verification in the system extension’s XPC communication (IPCService) that allowed a normal user to interact with the XPC service, inject ...

5.5 CVSS, 5.3 AI score, 0.00217 EPSS
Exploits 0, References 1, Affected Software 1

added 2018/04/18 5:0 p.m., 1808 views

CVE-2018-8831

Kodi 17.6 and earlier web interface are vulnerable to a persistent XSS via playlists, allowing arbitrary HTML/script execution in the victim’s browser. Affected: Kodi/XBMC playlist handling in the web interface. Root cause: Persistent XSS in playlist processing. Impact: arbitrary script execution...

6.1 CVSS, 6 AI score, 0.53883 EPSS
Exploits 5, References 3, Affected Software 1

added 2021/02/02 8:54 p.m., 1806 views

CVE-2020-29662

CVE-2020-29662 affects Harbor 2.0 before 2.0.5 and 2.1.x before 2.1.2, where the catalog’s registry API is exposed on an unauthenticated path (e.g., GET /v2/_catalog). This can allow information disclosure via an unauthenticated call. Patches are available: upgrade to Harbor v2.0.5 or v2.1.2. If ...

5.3 CVSS, 5.3 AI score, 0.00722 EPSS
Exploits 0, References 1, Affected Software 1

added 2022/08/23 12:53 a.m., 1805 views

CVE-2019-25075

Gravitee API Management contains a path traversal + HTML injection vulnerability (CVE-2019-25075). Before version 1.25.3, anonymous users could read arbitrary files via /management/users/register due to the HTML injection path traversal flaw in the Email service. CVSS:3.1 base 6.1 (NETWORK, LOW a...

6.1 CVSS, 6.4 AI score, 0.00616 EPSS
Exploits 0, References 2, Affected Software 1

added 2024/12/27 2:11 p.m., 1804 views

CVE-2024-56532

CVE-2024-56532 affects the Linux kernel’s ALSA us122l code path. The USB disconnect callback previously waited for all fds to close due to snd_card_free(), which could block upper-layer USB ioctls and trigger a soft lockup. The cited fixes switch to snd_card_free_when_closed(), enabling asynchron...

5.5 CVSS, 6.7 AI score, 0.0021 EPSS
Exploits 0, References 11, Affected Software 1

added 2025/12/23 12:0 a.m., 1802 views

CVE-2025-67435

CVE-2025-67435 is a Zip Slip RCE vulnerability in PluckCMS (Module Management) that allows an authenticated admin to upload a ZIP archive which, if crafted with path traversal, leads to arbitrary file writes and remote code execution. The exploit report documents the vulnerability in PluckCMS 4.7...

Exploits 2

added 2021/04/08 10:6 p.m., 1802 views

CVE-2021-3448

CVE-2021-3448 concerns dnsmasq versions prior to 2.85. When configured to use a specific upstream server for an interface, dnsmasq forwards queries from a fixed port, enabling an attacker on the same network to observe the outgoing port and forge a reply by guessing the transmission ID, thereby f...

4.3 CVSS, 4.1 AI score, 0.01988 EPSS
Exploits 1, References 6, Affected Software 1

added 2022/05/31 11:27 p.m., 1801 views

CVE-2021-43512

The CVE-2021-43512 entry concerns FlightRadar24 for Android versions 8.9.0, 8.10.0, 8.10.2, 8.10.3, and 8.10.4. The underlying issue is that an attacker could decompile a local application and extract its API keys, leading to unspecified consequences. The linked sources confirm the affected produ...

5.5 CVSS, 5.4 AI score, 0.00243 EPSS
Exploits 0, References 3, Affected Software 1

added 2017/03/27 1:55 a.m., 1801 views

CVE-2017-7269

CVE-2017-7269 is a remote-code-execution vulnerability in the IIS 6.0 WebDAV service (ScStoragePathFromUrl) on Windows Server 2003 R2. It can be triggered by a crafted long header in a PROPFIND request beginning with "If:

10 CVSS, 8.9 AI score, 0.99823 EPSS
In wild, Exploits 39, References 11, Affected Software 1

added 2022/04/04 12:0 a.m., 1800 views

CVE-2022-24785

CVE-2022-24785 concerns Moment.js where a path traversal vulnerability could be triggered in npm/server contexts when a user-supplied locale string is directly used to switch locales. Affected versions are Moment.js up to 2.29.1 (inclusive); the issue is patched in 2.29.2. The fixed version shoul...

7.5 CVSS, 8 AI score, 0.05664 EPSS
In wild, Exploits 0, References 8, Affected Software 1

added 2017/07/27 9:0 p.m., 1797 views

CVE-2016-0736

CVE-2016-0736 affects Apache HTTP Server’s mod_session_crypto (2.4.0–2.4.23). It used CBC/ECB modes (AES256-CBC by default) without authenticated encryption, enabling padding oracle-style attacks. The fix is to upgrade to Apache HTTPD 2.4.25 (or later) where mod_session_crypto is updated to authe...

7.5 CVSS, 7.5 AI score, 0.49024 EPSS
Exploits 4, References 27, Affected Software 1

added 2022/05/04 12:8 a.m., 1795 views

CVE-2021-43163

CVE-2021-43163 concerns a Remote Code Execution in Ruijie RG-EW Series Routers running ReyeeOS up to 1.55.1915 / EW_3.0(1)B11P55. The vulnerability originates from the checkNet function in /cgi-bin/luci/api/auth, allowing an attacker to execute arbitrary code on affected devices. Connected source...

9.8 CVSS, 9.5 AI score, 0.02169 EPSS
In wild, Exploits 0, References 2, Affected Software 1

added 2022/07/06 9:15 a.m., 1793 views

CVE-2021-45721

CVE-2021-45721 affects JFrog Artifactory. Vulnerable through Reflected XSS in a Users REST API XHR parameter due to insufficient input validation. Affected versions: before 7.29.8 and before 6.23.38. Impact: potential client-side JavaScript execution. Remediation (as documented): upgrade to 7.29....

6.1 CVSS, 5.9 AI score, 0.00488 EPSS
Exploits 0, References 2, Affected Software 1

added 2021/06/10 7:10 a.m., 1791 views

CVE-2019-17567

CVE-2019-17567 affects Apache HTTP Server 2.4.x where mod_proxy_wstunnel on a URL not guaranteed to be upgraded by the origin server tunnels the entire connection, allowing subsequent requests on the same TCP connection to bypass HTTP validation, authentication, or authorization. Public reference...

5.3 CVSS, 7 AI score, 0.60266 EPSS
Exploits 0, References 11, Affected Software 1

added 2020/02/11 9:22 p.m., 1791 views

CVE-2020-0618

CVE-2020-0618 affects Microsoft SQL Server Reporting Services (SSRS) and is a remote code execution vulnerability caused by improper handling of page requests, with deserialization of viewstate cited in some sources. The vulnerability can allow code execution on the Report Server service account,...

9.8 CVSS, 8.5 AI score, 0.99046 EPSS
In wild, Exploits 14, References 4, Affected Software 1

added 2018/08/29 1:0 p.m., 1788 views

CVE-2018-12829

Adobe Creative Cloud Desktop Application prior to version 4.6.1 contains an improper certificate validation vulnerability that could lead to privilege escalation. Affected product: Adobe Creative Cloud Desktop Application (Windows/macOS) with 4.6.0 and earlier. Root cause: improper certificate va...

9.8 CVSS, 9.3 AI score, 0.0507 EPSS
Exploits 0, References 3, Affected Software 1

added 2020/12/09 12:0 a.m., 1787 views

CVE-2020-27614

AnyDesk for macOS (versions 6.0.2 and older) is affected by a local privilege escalation in the XPC interface where client requests are not properly validated. Root cause is improper validation within the XPC communication path, allowing a local user to escalate privileges. The CVE entry cites th...

7.8 CVSS, 7.3 AI score, 0.00349 EPSS
Exploits 0, References 2, Affected Software 1

added 2018/08/22 1:0 p.m., 1781 views

CVE-2018-11776

The CVE-2018-11776 issue affects Apache Struts 2.x versions 2.3–2.3.34 and 2.5–2.5.16. The underlying condition is when alwaysSelectFullNamespace is true and a result or url tag lacks a namespace/value, and the upper namespace/action configuration also has no or a wildcard namespace, allowing rem...

9.3 CVSS, 8.4 AI score, 0.99993 EPSS
In wild, Exploits 41, References 20, Affected Software 1

added 2021/11/10 12:47 a.m., 1776 views

CVE-2021-42321

CVE-2021-42321 (Microsoft Exchange Server RCE) is a post-authentication deserialization vulnerability in Exchange that can lead to RCE via a crafted SOAP request. Public writeups describe exploiting the chained binder deserialization path: TypedBinaryFormatter.DeserializeObject → ExchangeBinaryFo...

8.8 CVSS, 9 AI score, 0.90388 EPSS
In wild, Exploits 9, References 4, Affected Software 1

added 2014/03/18 1:0 a.m., 1774 views

CVE-2013-6438

The vulnerability CVE-2013-6438 affects the Apache HTTP Server mod_dav component. The flaw is in dav_xml_get_cdata (main/util.c) where whitespace is not correctly removed from CDATA sections, enabling a remote attacker to trigger a denial of service (daemon crash) with a crafted DAV WRITE request...

5 CVSS, 8 AI score, 0.26831 EPSS
Exploits 2, References 48, Affected Software 1

added 2022/09/26 12:35 p.m., 1773 views

CVE-2022-3119

The CVE-2022-3119 issue affects the WordPress plugin “OAuth client Single Sign On” prior to version 3.0.4. The vulnerability arises from lack of authorization checks and CSRF protection when updating plugin settings, enabling unauthenticated attackers to modify OAuth endpoints under their control...

7.5 CVSS, 7.5 AI score, 0.00364 EPSS
Exploits 2, References 1, Affected Software 1

added 2017/03/11 2:11 a.m., 1770 views

CVE-2017-5638

The CVE-2017-5638 issue affects Apache Struts 2, specifically 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1. The Jakarta Multipart parser mishandles file uploads, leading to remote code execution via crafted Content-Type, Content-Disposition, or Content-Length headers (notably with a #cmd= payloa...

10 CVSS, 9.2 AI score, 0.99999 EPSS
In wild, Exploits 44, References 34, Affected Software 1

added 2025/01/15 1:5 p.m., 1769 views

CVE-2024-57897

CVE-2024-57897 affects the Linux kernel’s DRM/AMDGPU/KFD path. The migration DMA map direction for the SVM DMA device map is set to BIDIRECTIONAL to match the DMA unmap setting, addressing a warning from the DMA core. The Tencent/Tenable entry includes a kernel log snippet showing a WARNING in ke...

5.5 CVSS, 6.7 AI score, 0.00244 EPSS
Exploits 0, References 6, Affected Software 1

added 2022/10/13 12:0 a.m., 1769 views

CVE-2022-2828

CVE-2022-2828 describes an Insecure Direct Object Reference (IDOR) vulnerability in Octopus Server that can reveal information about teams via the API. The available documents confirm the issue and its root cause but do not specify affected versions, exploitable conditions, or a remediation. The ...

6.5 CVSS, 6.3 AI score, 0.00528 EPSS
Exploits 0, References 1, Affected Software 1

added 2021/08/16 12:0 a.m., 1769 views

CVE-2021-33193

CVE-2021-33193 describes a vulnerability in Apache HTTP Server where a crafted HTTP/2 method can bypass validation and be forwarded by mod_proxy, potentially enabling request splitting or cache poisoning. The issue affects Apache httpd versions 2.4.17 through 2.4.48. Connected advisories and noti...

7.5 CVSS, 7.8 AI score, 0.46179 EPSS
Exploits 1, References 13, Affected Software 1

added 2010/07/09 5:0 p.m., 1769 views

CVE-2009-4935

The CVE-2009-4935 entry concerns a SQL injection in Online Guestbook Pro, specifically ogp_show.php via the display parameter. The root cause is improper handling of user input in that parameter, enabling attackers to craft arbitrary SQL commands. Impact per CVSS indicates partial disclosure, mod...

7.5 CVSS, 8.7 AI score, 0.00915 EPSS
Exploits 1, References 2, Affected Software 1

added 2025/03/18 6:40 p.m., 1766 views

CVE-2025-29907

CVE-2025-29907 — jsPDF DoS via addImage argument: In jsPDF, prior to 3.0.1, user control of the first argument to addImage can trigger high CPU utilization and denial of service when unsanitised image URLs/data-urls are passed. The vulnerability also affects html and addSvgAsImage in relevant co...

8.7 CVSS, 6.5 AI score, 0.00646 EPSS
Exploits 1, References 2, Affected Software 1

added 2026/05/19 10:28 p.m., 1765 views

CVE-2026-6367

Drupal core vulnerable component: CKEditor 5 entity suggestions. Versions 11.3.0–11.3.6 expose an XSS due to insufficient sanitization of the suggestions; fixed in 11.3.7. Applies to Drupal core 11.3.x (11.3.0–11.3.6). Remediation: update to 11.3.7 per PT-2026-33242 / SA-CORE-2026-003. Exploitati...

6.1 CVSS, 5.8 AI score, 0.00201 EPSS
Exploits 0, References 1, Affected Software 1

added 2011/03/02 7:0 p.m., 1764 views

CVE-2010-4755

CVE-2010-4755: OpenSSH 5.8 and earlier is affected. The vulnerability resides in the remote_glob function (sftp-glob.c) and the process_put function (sftp.c), used by OpenSSH’s SFTP daemon. Remote authenticated users can trigger CPU and memory exhaustion by sending crafted glob expressions that ...

4 CVSS, 5 AI score, 0.07792 EPSS
Exploits 2, References 7, Affected Software 4

added 2022/05/31 12:0 a.m., 1763 views

CVE-2020-28246

CVE-2020-28246 describes a Server-Side Template Injection (SSTI) in Form.io 2.0.0 that leads to Remote Code Execution during the deletion of the default Email template URL. The vulnerability stems from the SSTI in the templating flow; the email templating service was removed after 2020, and Form....

9.8 CVSS, 9.8 AI score, 0.02177 EPSS
Exploits 0, References 2, Affected Software 1

added 2021/07/14 5:54 p.m., 1761 views

CVE-2021-34523

Microsoft Exchange Server on-premises is affected by ProxyShell chain implying CVE-2021-34523 as a local/elevation of privilege issue in the Exchange PowerShell backend. The exploit chain begins with pre-auth access via Autodiscover and MAPI to leak DN/SID, enabling impersonation and remote Power...

9.8 CVSS, 9.6 AI score, 0.99987 EPSS
In wild, Exploits 10, References 4, Affected Software 1

Total number of security vulnerabilities: 5000