Lucene search
K
NucleiMost viewed

4136 matches found

Nuclei
Nuclei
added 3 days ago42 views

Lucee Admin - Remote Code Execution

Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 contains an unauthenticated remote code execution vulnerability. id: CVE-2021-21307 info: name: Lucee Admin - Remote Code Execution author: dhiyaneshDk severity: critical description: Lucee Admin before versions 5.3.7.47, 5.3.6.68 or...

9.8CVSS7.8AI score0.89189EPSS
Exploits5References5
Nuclei
Nuclei
added 3 days ago42 views

PHP-Fusion 9.03.50 - Remote Code Execution

PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user not admin to send a crafted request to the server and perform remote command execution. id: CVE-2020-24949 info: name: PHP-Fusion 9.03.50 - Remote Code Execution author: geeknik severity: high description: PHP-Fusion 9.03.50...

9CVSS7.2AI score0.67289EPSS
Exploits4References5
Nuclei
Nuclei
added 3 days ago42 views

Telesquare TLR-2855KS6 - Arbitrary File Deletion

An unauthorized file deletion vulnerability in Telesquare TLR-2855KS6 via DELETE method can allow deletion of system files and scripts. id: CVE-2021-46419 info: name: Telesquare TLR-2855KS6 - Arbitrary File Deletion author: DhiyaneshDK severity: critical description: | An unauthorized file deleti...

9.1CVSS7.2AI score0.71384EPSS
Exploits4References3
Nuclei
Nuclei
added 4 days ago42 views

PRTG Network Monitor <20.1.57.1745 - Information Disclosure

PRTG Network Monitor before 20.1.57.1745 is susceptible to information disclosure. An attacker can obtain information about probes running or the server itself via an HTTP request, thus potentially being able to modify data and/or execute unauthorized administrative operations in the context of t...

5.3CVSS6.2AI score0.52059EPSS
Exploits0References5
Nuclei
Nuclei
added 4 days ago42 views

AVEVA InTouch Access Anywhere Secure Gateway - Local File Inclusion

AVEVA InTouch Access Anywhere Secure Gateway is vulnerable to local file inclusion. id: CVE-2022-23854 info: name: AVEVA InTouch Access Anywhere Secure Gateway - Local File Inclusion author: For3stCo1d severity: high description: | AVEVA InTouch Access Anywhere Secure Gateway is vulnerable to loc...

7.5CVSS7.1AI score0.45957EPSS
Exploits5References5
Nuclei
Nuclei
added 5 days ago42 views

Eclipse Jetty - Information Disclosure

Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224 is susceptible to improper authorization. The default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. An attacker can access sensitive information regarding...

5.3CVSS6.7AI score0.82371EPSS
Exploits7References5
Nuclei
Nuclei
added 2026/06/28 3:8 p.m.42 views

OctoberCMS - Account Takeover

octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5. id:...

9.1CVSS7.5AI score0.90418EPSS
Exploits1References3
Nuclei
Nuclei
added 2026/06/26 6:13 p.m.42 views

HTTP File Server <2.3c - Remote Command Execution

HTTP File Server before 2.3c is susceptible to remote command execution. The findMacroMarker function in parserLib.pas allows an attacker to execute arbitrary programs via a %00 sequence in a search action. Therefore, an attacker can obtain sensitive information, modify data, and/or gain full...

10CVSS7.7AI score0.99323EPSS
Exploits23References5
Nuclei
Nuclei
added 2023/06/05 7:3 a.m.42 views

Online Fire Reporting System v1.0 - SQL injection

Online Fire Reporting System 1.0 is vulnerable to SQL Injection via the date parameter. id: CVE-2022-31879 info: name: Online Fire Reporting System v1.0 - SQL injection author: theamanrawat,j4vaovo severity: high description: | Online Fire Reporting System 1.0 is vulnerable to SQL Injection via t...

8.8CVSS9.1AI score0.01195EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday41 views

SquirrelMail 1.4.x - Folder Name Cross-Site Scripting

Multiple cross-site scripting XSS vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php. id: CVE-2004-0519 info: name: SquirrelMail 1.4.x -...

6.8CVSS6.1AI score0.22528EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday41 views

Contao <4.13.3 - Cross-Site Scripting

Contao prior to 4.13.3 contains a cross-site scripting vulnerability. It is possible to inject arbitrary JavaScript code into the canonical tag. id: CVE-2022-24899 info: name: Contao 4.13.3 - Cross-Site Scripting author: ritikchaddha severity: medium description: | Contao prior to 4.13.3 contains...

7.2CVSS6.8AI score0.03795EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday41 views

Advantech R-SeeNet - Cross-Site Scripting

Advantech R-SeeNet is vulnerable to cross-site scripting via the devicegraphpage.php script via the is2sim parameter. A specially crafted URL by an attacker and visited by a victim can lead to arbitrary JavaScript code execution. id: CVE-2021-21803 info: name: Advantech R-SeeNet - Cross-Site...

9.6CVSS7AI score0.07902EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday41 views

CirCarLife <4.3 - Improper Authentication

CirCarLife before 4.3 is susceptible to improper authentication. A system software information disclosure exists due to lack of authentication for /html/device-id. An attacker can obtain sensitive information, modify data, and/or execute unauthorized operations. id: CVE-2018-16671 info: name:...

5.3CVSS6.5AI score0.08923EPSS
Exploits5References5
Nuclei
Nuclei
added yesterday41 views

Cuppa CMS v1.0 - SQL injection

CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via /administrator/alerts/alertLightbox.php. id: CVE-2022-27985 info: name: Cuppa CMS v1.0 - SQL injection author: theamanrawat severity: critical description: | CuppaCMS v1.0 was discovered to contain a SQL injection...

9.8CVSS7.2AI score0.06922EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday41 views

Popup Builder < 4.0.7 - SQL Injection

The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high privilege users to perform SQL injection. id: CVE-2022-0228 info: name: Popup Builder 4.0.7 -...

7.2CVSS7.1AI score0.05839EPSS
Exploits2References4
Nuclei
Nuclei
added yesterday41 views

WordPress Tidio-form <=1.0 - Cross-Site Scripting

WordPress tidio-form1.0 contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and...

6.1CVSS6.6AI score0.04173EPSS
Exploits2References3
Nuclei
Nuclei
added yesterday41 views

WordPress WP Clone <= 2.4.2 - Database Backup Exposure

Clone WordPress plugin 2.4.3 contains a buffer overflow caused by storing in-progress backup information in publicly accessible buffer files at a static file path, letting attackers access sensitive backup data, exploit requires no special privileges id: CVE-2023-6750 info: name: WordPress WP Clo...

7.5CVSS7.3AI score0.01961EPSS
Exploits2References3
Nuclei
Nuclei
added yesterday41 views

Budibase - Authentication Bypass

Budibase = 3.31.4 contains an authentication bypass caused by unanchored regex in authorized middleware matching webhook path patterns in query strings, letting unauthenticated remote attackers access any server-side API endpoint, exploit requires crafted request with webhook pattern in URL. id:...

9.1CVSS6AI score0.15339EPSS
Exploits2References2
Nuclei
Nuclei
added yesterday41 views

Xsuite <=2.4.4.5 - Open Redirect

Xsuite 2.4.4.5 and prior contains an open redirect vulnerability, which can allow a remote attacker to redirect users to arbitrary web sites and conduct phishing attacks via a malicious URL in the redirurl parameter. id: CVE-2015-4668 info: name: Xsuite =2.4.4.5 - Open Redirect author: 0xAkoko...

6.1CVSS6.9AI score0.06719EPSS
Exploits4References5
Nuclei
Nuclei
added yesterday41 views

Ninja Forms File Uploads <= 3.3.26 - Arbitrary File Upload

Ninja Forms File Uploads plugin for WordPress versions up to and including 3.3.26 is vulnerable to unauthenticated arbitrary file upload which could lead to remote code execution. id: CVE-2026-0740 info: name: Ninja Forms File Uploads = 3.3.26 - Arbitrary File Upload author: whattheslime severity...

9.8CVSS7.6AI score0.54254EPSS
Exploits6References2
Nuclei
Nuclei
added yesterday41 views

SillyTavern - Server-Side Request Forgery

SillyTavern versions up to and including 1.17.0 expose the /api/search/searxng endpoint, which accepts an attacker-controlled baseUrl parameter and uses it directly to build outbound server-side fetch requests. An authenticated low-privilege user can point baseUrl at an internal or loopback HTTP...

8.5CVSS5.9AI score0.00866EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday41 views

NeDi 1.9C - Cross-Site Scripting

NeDi 1.9C is vulnerable to cross-site scripting because of an incorrect implementation of sanitize in inc/libmisc.php. This function attempts to escape the SCRIPT tag from user-controllable values, but can be easily bypassed, as demonstrated by an onerror attribute of an IMG element as a...

6.1CVSS6.2AI score0.03442EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday41 views

Inspur ClusterEngine 4.0 - Remote Code Execution

Inspur ClusterEngine V4.0 is suscptible to a remote code execution vulnerability. A remote attacker can send a malicious login packet to the control server. id: CVE-2020-21224 info: name: Inspur ClusterEngine 4.0 - Remote Code Execution author: pikpikcu severity: critical description: Inspur...

10CVSS7.8AI score0.38745EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday41 views

Zend Server <9.13 - Cross-Site Scripting

Zend Server before version 9.13 is vulnerable to cross-site scripting via the debughost parameter. id: CVE-2018-10230 info: name: Zend Server 9.13 - Cross-Site Scripting author: marcosiaf severity: medium description: | Zend Server before version 9.13 is vulnerable to cross-site scripting via the...

6.1CVSS6.3AI score0.02705EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday41 views

Htaccess by BestWebSoft < 1.7.6 - Cross-Site Scripting

The htaccess plugin before 1.7.6 for WordPress has multiple XSS issues. id: CVE-2017-18496 info: name: Htaccess by BestWebSoft 1.7.6 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The htaccess plugin before 1.7.6 for WordPress has multiple XSS issues. impact: |...

6.1CVSS6.4AI score0.014EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday41 views

Sensei LMS < 4.24.2 - Email Template Leak

The Sensei LMS WordPress plugin before 4.24.2 does not properly protect some its REST API routes, allowing unauthenticated attackers to leak email templates. id: CVE-2024-7786 info: name: Sensei LMS 4.24.2 - Email Template Leak author: s4e-io severity: high description: | The Sensei LMS WordPress...

7.5CVSS5.9AI score0.01635EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday41 views

Netis Wifi Router - Information Disclosure

An issue in Netis Wifi6 Router NX10 2.0.1.3643 and 2.0.1.3582 and Netis Wifi 11AC Router NC65 3.0.0.3749 and Netis Wifi 11AC Router NC63 3.0.0.3327 and 3.0.0.3503 and Netis Wifi 11AC Router NC21 3.0.0.3800, 3.0.0.3500 and 3.0.0.3329 and Netis Wifi Router MW5360 1.0.1.3442 and 1.0.1.3031 allows a...

2.7CVSS6.5AI score0.06249EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday41 views

WordPress Realteo <=1.2.3 - Cross-Site Scripting

WordPress Realteo plugin 1.2.3 and prior contains an unauthenticated reflected cross-site scripting vulnerability due to improper sanitization of keywordsearch, searchradius. bedrooms and bathrooms GET parameters before outputting them in its properties page. id: CVE-2021-24237 info: name:...

6.1CVSS6.3AI score0.06298EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday41 views

MooDating 1.2 - Cross-Site scripting

A vulnerability classified as problematic was found in mooSocial mooDating 1.2. This vulnerability affects unknown code of the file /users of the component URL Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. id: CVE-2023-3847 info: name: MooDating 1....

6.1CVSS4AI score0.03648EPSS
Exploits4References5
Nuclei
Nuclei
added yesterday41 views

Cuppa CMS v1.0 - SQL injection

Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/tablemanager/ via the searchword parameter. id: CVE-2022-24264 info: name: Cuppa CMS v1.0 - SQL injection author: theamanrawat severity: high description: | Cuppa CMS v1.0 was discovered to contain...

7.8CVSS7.1AI score0.06711EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday41 views

Rukovoditel <= 2.7.2 - Cross Site Scripting

A stored cross site scripting XSS vulnerability in the 'Users Access Groups' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. id: CVE-2020-35986 info: name: Rukovoditel = 2.7.2 - Cross Sit...

5.4CVSS5.9AI score0.01339EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday41 views

WordPress iQ Block Country <=1.2.11 - Cross-Site Scripting

WordPress iQ Block Country plugin 1.2.11 and prior contains a cross-site scripting vulnerability. An attacker can execute arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and...

5.5CVSS6.2AI score0.01193EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday41 views

Open Redirect in Login Redirect - MobSF

Mobile Security Framework MobSF is a security research platform for mobile applications in Android, iOS and Windows Mobile. An open redirect vulnerability exist in MobSF authentication view. id: CVE-2024-41955 info: name: Open Redirect in Login Redirect - MobSF author: Farish severity: medium...

5.4CVSS6.2AI score0.00924EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday41 views

Joomla! Component MT Fire Eagle 1.2 - Local File Inclusion

A directory traversal vulnerability in the MT Fire Eagle commtfireeagle component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. dot dot in the controller parameter to index.php. id: CVE-2010-1719 info: name: Joomla! Component ...

6.8CVSS6.1AI score0.09371EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday41 views

POS Codekop v2.0 - Cross Site Scripting

POS Codekop v2.0 was discovered to contain a reflected cross-site scripting XSS vulnerability via the nmmember parameter at print.php. id: CVE-2023-36346 info: name: POS Codekop v2.0 - Cross Site Scripting author: r3Y3r53 severity: medium description: | POS Codekop v2.0 was discovered to contain ...

6.1CVSS6.3AI score0.05295EPSS
Exploits4References5
Nuclei
Nuclei
added yesterday41 views

Rukovoditel <= 3.2.1 - Cross Site Scripting

A stored cross-site scripting XSS vulnerability in the Users Alerts feature /index.php?module=usersalerts/usersalerts of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking "Add". id:...

5.4CVSS6.2AI score0.00929EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday41 views

DVDFab 12 Player/PlayerFab - Local File Inclusion

DVDFab 12 Player/PlayerFab is susceptible to local file inclusion which allows a remote attacker to download any file on the Windows file system for which the user account running DVDFab 12 Player recently renamed PlayerFab has read-access. id: CVE-2022-25216 info: name: DVDFab 12 Player/PlayerFa...

7.8CVSS7.1AI score0.13835EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday41 views

WordPress Transposh <=1.0.8.1 - Information Disclosure

WordPress Transposh plugin through is susceptible to information disclosure via the AJAX action tphistory, which is intended to return data about who has translated a text given by the token parameter. However, the plugin also returns the user's login name as part of the userlogin attribute. If a...

5.3CVSS6.8AI score0.02936EPSS
Exploits4References5
Nuclei
Nuclei
added yesterday41 views

AI Assistant with ChatGPT by AYS <= 2.0.9 - Unauthenticated AJAX Calls

The plugin lacks sufficient access controls allowing an unauthenticated user to disconnect the plugin from OpenAI, thereby disabling the plugin. Multiple actions are accessible: ayschatgptdisconnect, ayschatgptconnect, and ayschatgptsavefeedback id: CVE-2024-7714 info: name: AI Assistant with...

7.5CVSS5.9AI score0.00848EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday41 views

Artica Pandora FMS <=7.42 - Arbitrary File Read

Artica Pandora FMS through 7.42 is susceptible to arbitrary file read. An attacker can read the chat history, which is in JSON format and contains user names, user IDs, private messages, and timestamps. This can potentially lead to unauthorized data modification and other operations. id:...

5.3CVSS6.3AI score0.05275EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday41 views

MagnusBilling Login Logs - Cross-Site Scripting

Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling login logging allows unauthenticated users to store HTML content in the viewable log component accessible at /mbilling/index.php/logUsers/read" cross-site scripting This vulnerability is...

8.2CVSS5.8AI score0.01098EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday41 views

Rukovoditel <= 3.2.1 - Cross Site Scripting

Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting XSS vulnerability in /index.php?module=configuration/application. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Copyright Text field after clicking...

5.4CVSS6.2AI score0.00906EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday41 views

Microstrategy Web 7 - Local File Inclusion

Microstrategy Web 7 is vulnerable to local file inclusion via "/WebMstr7/servlet/mstrWeb" in the parameter subpage. Remote authenticated users can bypass intended SecurityManager restrictions and list a parent directory via a /.. slash dot dot in a pathname used by a web application. NOTE: this i...

4.3CVSS6AI score0.19551EPSS
Exploits5References5
Nuclei
Nuclei
added yesterday41 views

OpenCATS 0.9.6 - Cross-Site Scripting

OpenCATS 0.9.6 contains a cross-site scripting vulnerability via the indexFile component. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch oth...

6.1CVSS6.4AI score0.01333EPSS
Exploits1References2
Nuclei
Nuclei
added 2 days ago41 views

XStream 1.4.18 - Arbitrary Code Execution

XStream 1.4.18 is susceptible to remote code execution. An attacker can execute commands of the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the...

8.5CVSS7.3AI score0.143EPSS
Exploits0References5
Nuclei
Nuclei
added 2 days ago41 views

Cuppa CMS v1.0 - Authenticated Local File Inclusion

The component "cuppa/api/index.php" of CuppaCMS v1.0 is Vulnerable to LFI. An authenticated user can read system files via crafted POST request using function parameter value as LFI payload. id: CVE-2022-37191 info: name: Cuppa CMS v1.0 - Authenticated Local File Inclusion author: theamanrawat...

6.5CVSS6.7AI score0.02497EPSS
Exploits1References3
Nuclei
Nuclei
added 2 days ago41 views

Joomla! Component Cookex Agency CKForms - Local File Inclusion

A directory traversal vulnerability in the Cookex Agency CKForms comckforms component 1.3.3 for Joomla! allows remote attackers to read arbitrary files via a .. dot dot in the controller parameter to index.php. id: CVE-2010-1345 info: name: Joomla! Component Cookex Agency CKForms - Local File...

5CVSS6.1AI score0.16872EPSS
Exploits1References4
Nuclei
Nuclei
added 2 days ago41 views

MicroStrategy Web 10.4 - Information Disclosure

MicroStrategy Web 10.4 is susceptible to information disclosure. The JVM configuration, CPU architecture, installation folder, and other information are exposed through /MicroStrategyWS/happyaxis.jsp. An attacker can use this vulnerability to learn more about the application environment and there...

7.5CVSS7.1AI score0.17841EPSS
Exploits3References5
Nuclei
Nuclei
added 2 days ago41 views

Güralp MAN-EAM-0003 3.2.4 - XML External Entity (XXE)

cgi-bin/xmlstatus.cgi in Güralp MAN-EAM-0003 3.2.4 is vulnerable to an XML External Entity XXE issue via XML file upload, which leads to local file disclosure. id: CVE-2022-38840 info: name: Güralp MAN-EAM-0003 3.2.4 - XML External Entity XXE author: daffainfo severity: high description: |...

7.5CVSS7AI score0.09803EPSS
Exploits4References2
Nuclei
Nuclei
added 2 days ago41 views

Joomla! Component DW Graph - Local File Inclusion

A directory traversal vulnerability in dwgraphs.php in the DecryptWeb DW Graphs comdwgraphs component 1.0 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php. id: CVE-2010-1302 info: name: Joomla! Component DW Grap...

5CVSS6.1AI score0.08483EPSS
Exploits1References3
Total number of security vulnerabilities4136