Lucene search
K
NucleiMost viewed

4139 matches found

Nuclei
Nuclei
•added 17 hours ago•53 views

Hospital Management System 1.0 - SQL Injection

Hospital Management System 1.0 contains a SQL injection vulnerability via the editid parameter in /HMS/user-login.php. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. id:...

9.8CVSS7.3AI score0.04552EPSS
Exploits1References5
Nuclei
Nuclei
•added 17 hours ago•53 views

WordPress The Plus Addons for Elementor <4.1.12 - Cross-Site Scripting

WordPress The Plus Addons for Elementor plugin before 4.1.12 is susceptible to cross-site scripting. The plugin does not properly sanitize some of its fields in the heplusmorepost AJAX action, which is exploitable by both unauthenticated and authenticated users. An attacker can inject arbitrary...

6.1CVSS6AI score0.02483EPSS
Exploits2References5
Nuclei
Nuclei
•added 17 hours ago•53 views

Cyberoam NetGenie Cross-Site Scripting

Cyberoam NetGenie C0101B1-20141120-NG11VO devices through 2021-08-14 are susceptible to reflected cross-site scripting via the 'u' parameter of ft.php. id: CVE-2021-38702 info: name: Cyberoam NetGenie Cross-Site Scripting author: geeknik severity: medium description: Cyberoam NetGenie...

6.1CVSS6.3AI score0.06929EPSS
Exploits2References5
Nuclei
Nuclei
•added yesterday•53 views

WordPress Domain Check <1.0.17 - Cross-Site Scripting

WordPress Domain Check plugin before 1.0.17 contains a reflected cross-site scripting vulnerability. It does not sanitize and escape the domain parameter before outputting it back in the page. id: CVE-2021-24926 info: name: WordPress Domain Check 1.0.17 - Cross-Site Scripting author: cckuailong...

6.1CVSS6.3AI score0.12857EPSS
Exploits5References4
Nuclei
Nuclei
•added yesterday•53 views

Cyber Cafe Management System 1.0 - SQL Injection

Cyber Cafe Management System 1.0 contains multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of th...

9.8CVSS7.3AI score0.22593EPSS
Exploits1References5
Nuclei
Nuclei
•added yesterday•53 views

Microstrategy Web 7 - Local File Inclusion

Microstrategy Web 7 is vulnerable to local file inclusion via "/WebMstr7/servlet/mstrWeb" in the parameter subpage. Remote authenticated users can bypass intended SecurityManager restrictions and list a parent directory via a /.. slash dot dot in a pathname used by a web application. NOTE: this i...

4.3CVSS6AI score0.19551EPSS
Exploits5References5
Nuclei
Nuclei
•added yesterday•53 views

Pascom CPS - Local File Inclusion

Pascom packaged with Cloud Phone System CPS versions before 7.20 contain a known local file inclusion vulnerability. id: CVE-2021-45968 info: name: Pascom CPS - Local File Inclusion author: dwisiswant0 severity: high description: | Pascom packaged with Cloud Phone System CPS versions before 7.20...

7.5CVSS7.1AI score0.10666EPSS
Exploits1References5
Nuclei
Nuclei
•added yesterday•53 views

Fortinet FortiOS < 5.6.0 - Cross-Site Scripting

A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.6.0 and earlier allows attackers to execute unauthorized code or commands via the Replacement Message HTML for SSL-VPN. id: CVE-2017-3133 info: name: Fortinet FortiOS 5.6.0 - Cross-Site Scripting author: ritikchaddha severity:...

6.1CVSS6.6AI score0.10677EPSS
Exploits5References2
Nuclei
Nuclei
•added yesterday•53 views

Kaseya Virtual System Administrator - Open Redirect

Kaseya Virtual System Administrator 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 before 9.0.0.14, and 9.1 before 9.1.0.4 are susceptible to an open redirect vulnerability. An attacker can redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. id: CVE-2015-286...

4.3CVSS6.1AI score0.10317EPSS
Exploits2References5
Nuclei
Nuclei
•added 2 days ago•53 views

Spring Cloud Config Server - Local File Inclusion

Spring Cloud Config Server versions 2.1.x prior to 2.1.2, 2.0.x prior to 2.0.4, 1.4.x prior to 1.4.6, and older unsupported versions are vulnerable to local file inclusion because they allow applications to serve arbitrary configuration files. An attacker can send a request using a specially...

6.5CVSS6.7AI score0.85295EPSS
Exploits6References5
Nuclei
Nuclei
•added 2 days ago•53 views

Appspace 6.2.4 - Server-Side Request Forgery

Appspace 6.2.4 allows SSRF via the api/v1/core/proxy/jsonprequest url parameter. id: CVE-2021-27670 info: name: Appspace 6.2.4 - Server-Side Request Forgery author: ritikchaddha severity: critical description: Appspace 6.2.4 allows SSRF via the api/v1/core/proxy/jsonprequest url parameter. impact...

9.8CVSS7.2AI score0.61274EPSS
Exploits1References5
Nuclei
Nuclei
•added 2 days ago•53 views

Cisco RV132W/RV134W Router - Information Disclosure

Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC VPN Routers could allow an unauthenticated, remote attacker to view configuration parameters for an affected device via the web interface, which could lead to the disclosure of confidential information. id: CVE-2018-012...

9.8CVSS7.2AI score0.77755EPSS
Exploits1References5
Nuclei
Nuclei
•added 2026/02/04 7:0 a.m.•53 views

Puppeteer Renderer - Directory Traversal

puppeteer-renderer v.3.2.0 and before is vulnerable to Directory Traversal. Attackers can exploit the URL parameter using the file protocol to read sensitive information from the server. id: CVE-2024-36527 info: name: Puppeteer Renderer - Directory Traversal author: Stux severity: medium...

6.5CVSS9.1AI score0.02559EPSS
Exploits1References2
Nuclei
Nuclei
•added 17 hours ago•52 views

User Meta WP Plugin < 3.1 - Sensitive Information Exposure

The User Meta is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0 via the /views/debug.php file. This makes it possible for unauthenticated attackers, with to extract sensitive configuration data. id: CVE-2024-33575 info: name: User Meta WP Plugin 3.1 -...

5.3CVSS5.9AI score0.01121EPSS
Exploits0References3
Nuclei
Nuclei
•added 17 hours ago•52 views

WordPress Core - Post Author Email Disclosure

WordPress Core is vulnerable to Sensitive Information Exposure in versions between 4.7.0 and 6.3.1 via the User REST endpoint. While the search results do not display user email addresses unless the requesting user has the 'listusers' capability, the search is applied to the useremail column. id:...

5.3CVSS6.5AI score0.03862EPSS
Exploits4References3
Nuclei
Nuclei
•added 17 hours ago•52 views

Phpmyfaq v3.1.11 - Cross-Site Scripting

Phpmyfaq v3.1.11 is vulnerable to reflected XSS in send2friend because the 'artlang' parameter is not sanitized. id: CVE-2023-1880 info: name: Phpmyfaq v3.1.11 - Cross-Site Scripting author: r3Y3r53 severity: medium description: | Phpmyfaq v3.1.11 is vulnerable to reflected XSS in send2friend...

8.3CVSS6.8AI score0.01644EPSS
Exploits1References3
Nuclei
Nuclei
•added 17 hours ago•52 views

MLflow Absolute Path Traversal

Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0. id: CVE-2023-3765 info: name: MLflow Absolute Path Traversal author: DhiyaneshDK severity: critical description: | Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0. impact: | This vulnerability can...

10CVSS7.2AI score0.70736EPSS
Exploits1References4
Nuclei
Nuclei
•added 17 hours ago•52 views

WordPress Tutor LMS <2.0.10 - Cross Site Scripting

WordPress Tutor LMS plugin before 2.0.10 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape the resetkey and userid parameters before outputting then back in attributes. An attacker can inject arbitrary script in the browser of an unsuspecting user in the conte...

6.1CVSS6.4AI score0.01347EPSS
Exploits2References3
Nuclei
Nuclei
•added 17 hours ago•52 views

Rukovoditel <= 3.2.1 - Cross-Site Scripting

A stored cross-site scripting XSS vulnerability in the Global Lists feature /index.php?module=globallists/lists of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add". id:...

5.4CVSS6.8AI score0.00961EPSS
Exploits1References3
Nuclei
Nuclei
•added 17 hours ago•52 views

bloofoxCMS v0.5.2.1 - SQL Injection

bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the lid parameter at admin/index.php?mode=settings&page=lang&action=edit. id: CVE-2023-34752 info: name: bloofoxCMS v0.5.2.1 - SQL Injection author: theamanrawat severity: critical description: | bloofox v0.5.2.1 was...

9.8CVSS7.2AI score0.05459EPSS
Exploits1References5
Nuclei
Nuclei
•added 17 hours ago•52 views

FortiOS 5.4.0 to 5.6.0 - Cross-Site Scripting

A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.4.0 through 5.4.4 and 5.6.0 allows attackers to execute unauthorized code or commands via the filter input in "Applications" under FortiView. id: CVE-2017-3131 info: name: FortiOS 5.4.0 to 5.6.0 - Cross-Site Scripting author:...

5.4CVSS6.3AI score0.07681EPSS
Exploits4References2
Nuclei
Nuclei
•added 17 hours ago•52 views

Gradio - Open Redirect

An open redirect vulnerability exists in the gradio-app/gradio, affecting the latest version. The vulnerability allows an attacker to redirect users to arbitrary websites, which can be exploited for phishing attacks, Cross-site Scripting XSS, Server-Side Request Forgery SSRF, amongst others. This...

6.1CVSS6.2AI score0.01021EPSS
Exploits1References1
Nuclei
Nuclei
•added 17 hours ago•52 views

Eclipse Jetty - Information Disclosure

Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224 is susceptible to improper authorization. The default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. An attacker can access sensitive information regarding...

5.3CVSS6.7AI score0.82371EPSS
Exploits7References5
Nuclei
Nuclei
•added 17 hours ago•52 views

Noptin < 1.6.5 - Open Redirect

Noptin 1.6.5 is susceptible to an open redirect vulnerability. The plugin does not validate the "to" parameter before redirecting the user to its given value, leading to an open redirect issue. id: CVE-2021-25033 info: name: Noptin 1.6.5 - Open Redirect author: dhiyaneshDk severity: medium...

6.1CVSS6.4AI score0.02682EPSS
Exploits2References4
Nuclei
Nuclei
•added 17 hours ago•52 views

Dynamicweb 9.5.0 - 9.12.7 Unauthenticated Admin User Creation

Dynamicweb contains a vulnerability which allows an unauthenticated attacker to create a new administrative user. id: CVE-2022-25369 info: name: Dynamicweb 9.5.0 - 9.12.7 Unauthenticated Admin User Creation author: pdteam severity: critical description: Dynamicweb contains a vulnerability which...

9.8CVSS5.9AI score0.40739EPSS
Exploits0References2
Nuclei
Nuclei
•added 17 hours ago•52 views

Jeecg P3 Biz Chat - Local File Inclusion

Jeecg P3 Biz Chat 1.0.5 allows remote attackers to read arbitrary files through specific parameters. id: CVE-2023-33510 info: name: Jeecg P3 Biz Chat - Local File Inclusion author: DhiyaneshDK severity: high description: | Jeecg P3 Biz Chat 1.0.5 allows remote attackers to read arbitrary files...

7.5CVSS7.2AI score0.04042EPSS
Exploits1References4
Nuclei
Nuclei
•added 17 hours ago•52 views

mooDating 1.2 - Cross-site scripting

A vulnerability, which was classified as problematic, was found in mooSocial mooDating 1.2. Affected is an unknown function of the file /find-a-match of the component URL Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. id: CVE-2023-3849 info:...

6.1CVSS4.1AI score0.03678EPSS
Exploits4References5
Nuclei
Nuclei
•added 17 hours ago•52 views

Cuppa CMS v1.0 - SQL injection

CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via /administrator/alerts/alertLightbox.php. id: CVE-2022-27985 info: name: Cuppa CMS v1.0 - SQL injection author: theamanrawat severity: critical description: | CuppaCMS v1.0 was discovered to contain a SQL injection...

9.8CVSS7.2AI score0.06922EPSS
Exploits1References4
Nuclei
Nuclei
•added 17 hours ago•52 views

WordPress AnyComment <0.3.5 - Open Redirect

WordPress AnyComment plugin before 0.3.5 contains an open redirect vulnerability via an API endpoint which passes user input via the redirect parameter to the wpredirect function without being validated. An attacker can redirect a user to a malicious site and possibly obtain sensitive information...

6.1CVSS6.3AI score0.02208EPSS
Exploits2References4
Nuclei
Nuclei
•added 17 hours ago•52 views

Jira Subversion ALM for Enterprise <8.8.2 - Cross-Site Scripting

Jira Subversion ALM for Enterprise before 8.8.2 contains a cross-site scripting vulnerability at multiple locations. id: CVE-2020-9344 info: name: Jira Subversion ALM for Enterprise 8.8.2 - Cross-Site Scripting author: madrobot severity: medium description: Jira Subversion ALM for Enterprise befo...

6.1CVSS6.3AI score0.05198EPSS
Exploits2References5
Nuclei
Nuclei
•added 17 hours ago•52 views

Cisco Adaptive Security Appliance Software/Cisco Firepower Threat Defense - Directory Traversal

Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software are susceptible to directory traversal vulnerabilities that could allow an unauthenticated, remote attacker to obtain read and delete access to sensitive files on a targeted system. id: CVE-2020-3187...

9.1CVSS7.2AI score0.96595EPSS
Exploits4References5
Nuclei
Nuclei
•added 17 hours ago•52 views

Rubedo CMS <=3.4.0 - Directory Traversal

Rubedo CMS through 3.4.0 contains a directory traversal vulnerability in the theme component, allowing unauthenticated attackers to read and execute arbitrary files outside of the service root path, as demonstrated by a /theme/default/img/%2e%2e/..//etc/passwd URI. id: CVE-2018-16836 info: name:...

9.8CVSS7.4AI score0.61437EPSS
Exploits5References5
Nuclei
Nuclei
•added 17 hours ago•52 views

WordPress DB Backup <=4.5 - Local File Inclusion

WordPress Plugin DB Backup 4.5 and possibly prior versions are prone to a local file inclusion vulnerability because they fail to sufficiently sanitize user-supplied input. Exploiting this issue can allow an attacker to obtain sensitive information that could aid in further attacks. id:...

5CVSS7.2AI score0.16117EPSS
Exploits1References5
Nuclei
Nuclei
•added 17 hours ago•52 views

FortiGate FortiOS SSL VPN Web Portal - Cross-Site Scripting

FortiGate FortiOS through SSL VPN Web Portal contains a cross-site scripting vulnerability. The login redir parameter is not sanitized, so an attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal...

5.4CVSS6.1AI score0.03718EPSS
Exploits2References5
Nuclei
Nuclei
•added 17 hours ago•52 views

Bloofox v0.5.2.1 - SQL Injection

Bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the cid parameter at admin/index.php?mode=settings&page=charset&action=edit. id: CVE-2023-34756 info: name: Bloofox v0.5.2.1 - SQL Injection author: theamanrawat severity: critical description: | Bloofox v0.5.2.1 was...

9.8CVSS7.2AI score0.04228EPSS
Exploits1References3
Nuclei
Nuclei
•added 17 hours ago•52 views

JobMonster < 4.5.2.9 - Cross-Site Scripting

In the theme JobMonster 4.5.2.9 there is a XSS vulnerability as the input for the search form is provided through unsanitized GET requests. id: CVE-2022-1170 info: name: JobMonster 4.5.2.9 - Cross-Site Scripting author: Akincibor,ritikchaddha severity: medium description: | In the theme JobMonste...

6.1CVSS6.4AI score0.01836EPSS
Exploits1References3
Nuclei
Nuclei
•added 17 hours ago•52 views

PilusCart <=1.4.1 - Local File Inclusion

PilusCart versions 1.4.1 and prior suffer from a file disclosure vulnerability via local file inclusion. id: CVE-2019-16123 info: name: PilusCart =1.4.2 or apply the vendor-supplied patch to mitigate the LFI vulnerability. reference: -...

7.5CVSS6.9AI score0.99876EPSS
Exploits20References5
Nuclei
Nuclei
•added 17 hours ago•52 views

Limit Login Attempts WordPress - Stored Cross-site Scripting

Limit Login Attempts WordPress plugin 4.0.50 contains a stored cross-site scripting caused by not escaping IP addresses controlled via headers like X-Forwarded-For before outputting them in reports, letting unauthenticated attackers execute scripts in admin context. id: CVE-2021-24657 info: name:...

6.1CVSS6.3AI score0.0157EPSS
Exploits2References2
Nuclei
Nuclei
•added 17 hours ago•52 views

WordPress GDPR & CCPA <1.9.27 - Cross-Site Scripting

WordPress GDPR & CCPA plugin before 1.9.27 contains a cross-site scripting vulnerability. The checkprivacysettings AJAX action, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type, and JavaScript code may be executed on a...

6.1CVSS6.3AI score0.0231EPSS
Exploits2References4
Nuclei
Nuclei
•added 17 hours ago•52 views

WordPress Shareaholic <9.7.6 - Information Disclosure

WordPress Shareaholic plugin prior to 9.7.6 is susceptible to information disclosure. The plugin does not have proper authorization check in one of the AJAX actions, available to both unauthenticated before 9.7.5 and authenticated in 9.7.5 users, allowing them to possibly obtain sensitive...

5.3CVSS6.2AI score0.01633EPSS
Exploits2References5
Nuclei
Nuclei
•added 17 hours ago•52 views

Online Fire Reporting System v1.0 - SQL injection

Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/classes/Master.php?f=deleteteam. id: CVE-2022-31977 info: name: Online Fire Reporting System v1.0 - SQL injection author: theamanrawat severity: critical description: | Online Fire Reporting System v1.0 is vulnerable to SQ...

9.8CVSS7.3AI score0.0716EPSS
Exploits1References3
Nuclei
Nuclei
•added 17 hours ago•52 views

Stock Ticker <= 3.23.2 - Cross-Site-Scripting

The Stock Ticker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in the ajaxstocktickersymbolsearchtest function in versions up to, and including, 3.23.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

7.1CVSS7AI score0.49315EPSS
Exploits0References5
Nuclei
Nuclei
•added 17 hours ago•52 views

SysAid Technologies 20.3.64 b14 - Cross-Site Scripting

SysAid 20.3.64 b14 contains a cross-site scripting vulnerability via the /KeepAlive.jsp?stamp= URI. id: CVE-2021-30049 info: name: SysAid Technologies 20.3.64 b14 - Cross-Site Scripting author: daffainfo severity: medium description: SysAid 20.3.64 b14 contains a cross-site scripting vulnerabilit...

6.1CVSS6.3AI score0.0247EPSS
Exploits1References4
Nuclei
Nuclei
•added 17 hours ago•52 views

Atmail 6.5.0 - Cross-Site Scripting

Atmail 6.5.0 contains a cross-site scripting vulnerability via the index.php/admin/index/ 'error' parameter. id: CVE-2022-30776 info: name: Atmail 6.5.0 - Cross-Site Scripting author: 3th1cyuk1 severity: medium description: | Atmail 6.5.0 contains a cross-site scripting vulnerability via the...

6.1CVSS6.3AI score0.0395EPSS
Exploits0References5
Nuclei
Nuclei
•added 17 hours ago•52 views

NETGEAR - Authentication Bypass

NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, Nighthawk AC2100, and Nighthawk AC2400 routers are vulnerable to authentication bypass vulnerabilities which could allow network-adjacent attackers to bypass authentication on affected installations. id:...

8.8CVSS7.2AI score0.08656EPSS
Exploits0References5
Nuclei
Nuclei
•added 17 hours ago•52 views

Akamai CloudTest < 60 2025.06.02 - XML External Entity (XXE)

Akamai CloudTest before 60 2025.06.02 12988 allows file inclusion via XML External Entity XXE injection. id: CVE-2025-49493 info: name: Akamai CloudTest 60 2025.06.02 - XML External Entity XXE author: xbow,3th1cyuk1 severity: critical description: | Akamai CloudTest before 60 2025.06.02 12988...

5.8CVSS6.2AI score0.03395EPSS
Exploits2References3
Nuclei
Nuclei
•added 2 days ago•52 views

Onair2 < 3.9.9.2 & KenthaRadio < 2.0.2 - Remote File Inclusion/Server-Side Request Forgery

Onair2 3.9.9.2 and KenthaRadio 2.0.2 have exposed proxy functionality to unauthenticated users. Sending requests to this proxy functionality will have the web server fetch and display the content from any URI, allowing remote file inclusion and server-side request forgery. id: CVE-2021-24472 info...

9.8CVSS7.3AI score0.56614EPSS
Exploits2References4
Nuclei
Nuclei
•added 2 days ago•52 views

WordPress GraceMedia Media Player 1.0 - Local File Inclusion

WordPress GraceMedia Media Player plugin 1.0 is susceptible to local file inclusion via the cfg parameter. id: CVE-2019-9618 info: name: WordPress GraceMedia Media Player 1.0 - Local File Inclusion author: daffainfo severity: critical description: WordPress GraceMedia Media Player plugin 1.0 is...

9.8CVSS7.2AI score0.40771EPSS
Exploits5References5
Nuclei
Nuclei
•added 2 days ago•52 views

FiberHome Routers - Local File Inclusion

FiberHome routers are susceptible to local file inclusion in /cgi-bin/webproc via the getpage parameter in conjunction with a crafted var:page value. id: CVE-2017-15647 info: name: FiberHome Routers - Local File Inclusion author: daffainfo severity: high description: FiberHome routers are...

7.5CVSS6.9AI score0.26619EPSS
Exploits2References3
Nuclei
Nuclei
•added 2 days ago•52 views

TP-Link TL-WR840N - Command Injection

The TP-Link TL-WR840NESV6.20180709 router contains a command injection vulnerability in the oalsetIp6DefaultRoute component. This vulnerability allows authenticated attackers to execute arbitrary system commands, leading to complete device compromise. id: CVE-2022-25061 info: name: TP-Link...

9.8CVSS7.1AI score0.72495EPSS
Exploits1References5
Total number of security vulnerabilities4139