Lucene search
K
NucleiMost viewed

4137 matches found

Nuclei
Nuclei
added yesterday41 views

VvvebJs < 1.7.5 - Arbitrary File Upload

Arbitrary File Upload vulnerability in VvvebJs before version 1.7.5, allows unauthenticated remote attackers to execute arbitrary code and obtain sensitive information via the sanitizeFileName parameter in save.php. id: CVE-2024-29272 info: name: VvvebJs 1.7.5 - Arbitrary File Upload author: s4e-...

6.5CVSS6.3AI score0.09366EPSS
Exploits2References4
Nuclei
Nuclei
added yesterday41 views

Sidekiq < 7.0.8 - Cross-Site Scripting

An XSS vulnerability on a Sidekiq admin panel can pose serious risks to the security and functionality of the system. id: CVE-2023-1892 info: name: Sidekiq 7.0.8 - Cross-Site Scripting author: ritikchaddha,princechaddha severity: critical description: | An XSS vulnerability on a Sidekiq admin pan...

9.6CVSS7.2AI score0.02742EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday41 views

D-Link DIR-615 - Unauthorized Access

D-Link DIR-615 devices with firmware 20.06 are susceptible to unauthorized access. An attacker can access the WAN configuration page wan.htm without authentication, which can lead to disclosure of WAN settings, data modification, and/or other unauthorized operations. id: CVE-2021-42627 info: name...

9.8CVSS7.2AI score0.67949EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday41 views

Popup Builder < 4.0.7 - SQL Injection

The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high privilege users to perform SQL injection. id: CVE-2022-0228 info: name: Popup Builder 4.0.7 -...

7.2CVSS7.1AI score0.05839EPSS
Exploits2References4
Nuclei
Nuclei
added yesterday41 views

Geoserver - Server-Side Request Forgery

GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows server-side request forgery via the option for setting a proxy host. id: CVE-2021-40822 info: name: Geoserver - Server-Side Request Forgery author: For3stCo1d,aringo-bf severity: high description: GeoServer through 2.18.5 and 2.19.x throug...

7.5CVSS7.1AI score0.18925EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday41 views

Cisco CUCM, UCCX, and Unified IP-IVR- Directory Traversal

A directory traversal vulnerability in Cisco Unified Communications Manager CUCM 5.x and 6.x before 6.15SU2, 7.x before 7.15bSU2, and 8.x before 8.03, and Cisco Unified Contact Center Express aka Unified CCX or UCCX and Cisco Unified IP Interactive Voice Response Unified IP-IVR before 6.01SR1ES8,...

7.8CVSS6.1AI score0.26393EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday41 views

SquirrelMail 1.4.x - Folder Name Cross-Site Scripting

Multiple cross-site scripting XSS vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php. id: CVE-2004-0519 info: name: SquirrelMail 1.4.x -...

6.8CVSS6.1AI score0.22528EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday41 views

Joomla! Component DW Graph - Local File Inclusion

A directory traversal vulnerability in dwgraphs.php in the DecryptWeb DW Graphs comdwgraphs component 1.0 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php. id: CVE-2010-1302 info: name: Joomla! Component DW Grap...

5CVSS6.1AI score0.08483EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday41 views

Joomla! Component Online Exam 1.5.0 - Local File Inclusion

A directory traversal vulnerability in the Online Examination aka Online Exam or comonlineexam component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. dot dot in the controller parameter to index.php. id: CVE-2010-1715 info: name: Joomla! Component Online Exam 1.5.0 -...

6.8CVSS6.1AI score0.08177EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday41 views

WordPress Plugin WP Content Source Control - Directory Traversal

A directory traversal vulnerability in the filegetcontents function in downloadfiles/download.php in the WP Content Source Control wp-source-control plugin 3.0.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. dot dot in the path parameter. id: CVE-2014-5368 inf...

5CVSS7.4AI score0.18817EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday41 views

Joomla! Component Percha Image Attach 1.1 - Directory Traversal

A directory traversal vulnerability in the Percha Image Attach comperchaimageattach component 1.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. dot dot in the controller parameter to index.php. id: CVE-2010-2034 info: name: Joomla...

7.5CVSS6.1AI score0.11077EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday41 views

Canvas LMS v2020-07-29 - Blind Server-Side Request Forgery

Canvas version 2020-07-29 is susceptible to blind server-side request forgery. An attacker can cause Canvas to perform HTTP GET requests to arbitrary domains and thus potentially access sensitive information, modify data, and/or execute unauthorized operations. id: CVE-2020-5775 info: name: Canva...

5.8CVSS6.4AI score0.06531EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday41 views

Zend Server <9.13 - Cross-Site Scripting

Zend Server before version 9.13 is vulnerable to cross-site scripting via the debughost parameter. id: CVE-2018-10230 info: name: Zend Server 9.13 - Cross-Site Scripting author: marcosiaf severity: medium description: | Zend Server before version 9.13 is vulnerable to cross-site scripting via the...

6.1CVSS6.3AI score0.02705EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday41 views

WordPress Tidio-form <=1.0 - Cross-Site Scripting

WordPress tidio-form1.0 contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and...

6.1CVSS6.6AI score0.04173EPSS
Exploits2References3
Nuclei
Nuclei
added yesterday41 views

Xsuite <=2.4.4.5 - Open Redirect

Xsuite 2.4.4.5 and prior contains an open redirect vulnerability, which can allow a remote attacker to redirect users to arbitrary web sites and conduct phishing attacks via a malicious URL in the redirurl parameter. id: CVE-2015-4668 info: name: Xsuite =2.4.4.5 - Open Redirect author: 0xAkoko...

6.1CVSS6.9AI score0.06719EPSS
Exploits4References5
Nuclei
Nuclei
added yesterday41 views

Backdrop CMS version 1.23.0 - Cross Site Scripting (Stored)

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting XSS vulnerability via the Page content. id: CVE-2022-42095 info: name: Backdrop CMS version 1.23.0 - Cross Site Scripting Stored author: theamanrawat severity: medium description: | Backdrop CMS version 1.23.0 was...

4.8CVSS5.8AI score0.01947EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday41 views

Cuppa CMS v1.0 - Authenticated Local File Inclusion

The component "cuppa/api/index.php" of CuppaCMS v1.0 is Vulnerable to LFI. An authenticated user can read system files via crafted POST request using function parameter value as LFI payload. id: CVE-2022-37191 info: name: Cuppa CMS v1.0 - Authenticated Local File Inclusion author: theamanrawat...

6.5CVSS6.7AI score0.02497EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday41 views

Contao <4.13.3 - Cross-Site Scripting

Contao prior to 4.13.3 contains a cross-site scripting vulnerability. It is possible to inject arbitrary JavaScript code into the canonical tag. id: CVE-2022-24899 info: name: Contao 4.13.3 - Cross-Site Scripting author: ritikchaddha severity: medium description: | Contao prior to 4.13.3 contains...

7.2CVSS6.8AI score0.03795EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday41 views

Chamilo Command Injection

A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11. up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name. id: CVE-2023-34960 info: name: Chamilo Command Injection author: DhiyaneshDK severity: critical...

9.8CVSS7.5AI score0.99397EPSS
Exploits9References5
Nuclei
Nuclei
added yesterday41 views

ILIAS eLearning <7.16 - Open Redirect

ILIAS eLearning before 7.16 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. id: CVE-2022-45917 info: name: ILIAS eLearning 7.16 - Open Redirect author:...

6.1CVSS6.3AI score0.0199EPSS
Exploits3References5
Nuclei
Nuclei
added yesterday41 views

WordPress Watu Quiz <3.3.9.1 - Cross-Site Scripting

WordPress Watu Quiz plugin before 3.3.9.1 is susceptible to cross-site scripting. The plugin does not sanitize and escape some parameters, such as email, dn, date, and points, before outputting then back in a page. An attacker can inject arbitrary script in the browser of an unsuspecting user in...

6.1CVSS6.3AI score0.01252EPSS
Exploits3References5
Nuclei
Nuclei
added yesterday41 views

Roxy-WI - Remote Code Execution

Roxy-WI before 6.1.1.0 is susceptible to remote code execution. System commands can be run remotely via the sshcommand function without processing the inputs received from the user in the /app/funct.py file. id: CVE-2022-31126 info: name: Roxy-WI - Remote Code Execution author: ritikchaddha...

10CVSS7.6AI score0.90387EPSS
Exploits15References3
Nuclei
Nuclei
added yesterday41 views

Atmail 6.5.0 - Cross-Site Scripting

Atmail 6.5.0 contains a cross-site scripting vulnerability via the index.php/admin/index/ 'error' parameter. id: CVE-2022-30776 info: name: Atmail 6.5.0 - Cross-Site Scripting author: 3th1cyuk1 severity: medium description: | Atmail 6.5.0 contains a cross-site scripting vulnerability via the...

6.1CVSS6.3AI score0.0395EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday41 views

WordPress WP Video Gallery <=1.7.1 - SQL Injection

WordPress WP Video Gallery plugin through 1.7.1 contains a SQL injection vulnerability. The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized...

9.8CVSS7.3AI score0.09238EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday41 views

Appspace 6.2.4 - Server-Side Request Forgery

Appspace 6.2.4 allows SSRF via the api/v1/core/proxy/jsonprequest url parameter. id: CVE-2021-27670 info: name: Appspace 6.2.4 - Server-Side Request Forgery author: ritikchaddha severity: critical description: Appspace 6.2.4 allows SSRF via the api/v1/core/proxy/jsonprequest url parameter. impact...

9.8CVSS7.2AI score0.61274EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday41 views

IceWarp WebMail 11.4.5.0 - Cross-Site Scripting

IceWarp WebMail 11.4.5.0 is vulnerable to cross-site scripting via the language parameter. id: CVE-2020-27982 info: name: IceWarp WebMail 11.4.5.0 - Cross-Site Scripting author: madrobot severity: medium description: IceWarp WebMail 11.4.5.0 is vulnerable to cross-site scripting via the language...

6.1CVSS6.3AI score0.05272EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday41 views

Belkin Linksys RE6500 <1.0.012.001 - Remote Command Execution

Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote attackers to execute arbitrary commands or set a new password via shell metacharacters to the goform/setSysAdm page. id: CVE-2020-35713 info: name: Belkin Linksys RE6500 1.0.012.001 - Remote Command Execution author: gy741 severity:...

10CVSS7.5AI score0.32704EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday41 views

Onair2 < 3.9.9.2 & KenthaRadio < 2.0.2 - Remote File Inclusion/Server-Side Request Forgery

Onair2 3.9.9.2 and KenthaRadio 2.0.2 have exposed proxy functionality to unauthenticated users. Sending requests to this proxy functionality will have the web server fetch and display the content from any URI, allowing remote file inclusion and server-side request forgery. id: CVE-2021-24472 info...

9.8CVSS7.3AI score0.56614EPSS
Exploits2References4
Nuclei
Nuclei
added yesterday41 views

WordPress Domain Check <1.0.17 - Cross-Site Scripting

WordPress Domain Check plugin before 1.0.17 contains a reflected cross-site scripting vulnerability. It does not sanitize and escape the domain parameter before outputting it back in the page. id: CVE-2021-24926 info: name: WordPress Domain Check 1.0.17 - Cross-Site Scripting author: cckuailong...

6.1CVSS6.3AI score0.12857EPSS
Exploits5References4
Nuclei
Nuclei
added yesterday41 views

WordPress wpCentral <1.5.1 - Information Disclosure

WordPress wpCentral plugin before 1.5.1 is susceptible to information disclosure. An attacker can access the connection key for WordPress Admin account and thus potentially obtain sensitive information, modify data, and/or execute unauthorized operations. id: CVE-2020-9043 info: name: WordPress...

9CVSS7.2AI score0.08173EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday41 views

Htaccess by BestWebSoft < 1.7.6 - Cross-Site Scripting

The htaccess plugin before 1.7.6 for WordPress has multiple XSS issues. id: CVE-2017-18496 info: name: Htaccess by BestWebSoft 1.7.6 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The htaccess plugin before 1.7.6 for WordPress has multiple XSS issues. impact: |...

6.1CVSS6.4AI score0.014EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday41 views

Joomla! Component Cookex Agency CKForms - Local File Inclusion

A directory traversal vulnerability in the Cookex Agency CKForms comckforms component 1.3.3 for Joomla! allows remote attackers to read arbitrary files via a .. dot dot in the controller parameter to index.php. id: CVE-2010-1345 info: name: Joomla! Component Cookex Agency CKForms - Local File...

5CVSS6.1AI score0.16872EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday41 views

CirCarLife <4.3 - Improper Authentication

CirCarLife before 4.3 is susceptible to improper authentication. A system software information disclosure exists due to lack of authentication for /html/device-id. An attacker can obtain sensitive information, modify data, and/or execute unauthorized operations. id: CVE-2018-16671 info: name:...

5.3CVSS6.5AI score0.08923EPSS
Exploits5References5
Nuclei
Nuclei
added yesterday41 views

Webgrind <= 1.5 - Local File Inclusion

Webgrind 1.5 relies on user input to display a file, which lets anyone view files from the local filesystem that the webserver user has access to via an index.php?op=fileviewer&file= URI id: CVE-2018-12909 info: name: Webgrind = 1.5 - Local File Inclusion author: DhiyaneshDk severity: high...

7.8CVSS7.1AI score0.18568EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday41 views

WordPress JH 404 Logger <=1.1 - Cross-Site Scripting

WordPress JH 404 Logger plugin through 1.1 contains a cross-site scripting vulnerability. Referer and path of 404 pages are not properly sanitized when they are output in the WordPress dashboard, which can lead to executing arbitrary JavaScript code. id: CVE-2021-24176 info: name: WordPress JH 40...

5.4CVSS6.1AI score0.02044EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday41 views

OpenCATS - Open Redirect

OpenCATS contains an open redirect vulnerability due to improper validation of user-supplied GET parameters. This, in turn, exposes OpenCATS to possible template injection and obtaining sensitive information, modifying data, and/or executing unauthorized operations. id: CVE-2023-27292 info: name:...

5.4CVSS6.1AI score0.01027EPSS
Exploits1References3
Nuclei
Nuclei
added 5 days ago41 views

ZKTeco BioTime v8.5.5 - Path Traversal

A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. id: CVE-2023-38950 info: name: ZKTeco BioTime v8.5.5 - Path Traversal author: iamnoooob,pdresearch severity: high description: | A pa...

7.5CVSS7.4AI score0.8488EPSS
Exploits3References5
Nuclei
Nuclei
added 5 days ago41 views

LinuxKI Toolset <= 6.01 - Remote Command Execution

LinuxKI v6.0-1 and earlier are vulnerable to remote code execution. id: CVE-2020-7209 info: name: LinuxKI Toolset = 6.01 - Remote Command Execution author: dwisiswant0 severity: critical description: LinuxKI v6.0-1 and earlier are vulnerable to remote code execution. impact: | Successful...

9.8CVSS7.5AI score0.98846EPSS
Exploits10References6
Nuclei
Nuclei
added 6 days ago41 views

MSNSwitch Firmware MNT.2408 - Authentication Bypass

MSNSwitch Firmware MNT.2408 is susceptible to authentication bypass in the component http://MYDEVICEIP/cgi-bin-sdb/ExportSettings.sh. An attacker can arbitrarily configure settings, leading to possible remote code execution and subsequent unauthorized operations. id: CVE-2022-32429 info: name:...

9.8CVSS7.8AI score0.7572EPSS
Exploits4References5
Nuclei
Nuclei
added 2026/06/25 1:31 a.m.41 views

SonicWall SRA 4600 VPN - SQL Injection

The SonicWall SRA 4600 VPN appliance is susceptible to a pre-authentication SQL injection vulnerability. id: CVE-2019-7481 info: name: SonicWall SRA 4600 VPN - SQL Injection author: darrenmartyn severity: high description: The SonicWall SRA 4600 VPN appliance is susceptible to a pre-authenticatio...

7.5CVSS7.4AI score0.99906EPSS
Exploits0References5
Nuclei
Nuclei
added 2026/06/16 7:13 a.m.41 views

NETGEAR Routers - Remote Code Execution

NETGEAR routers R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000, and possibly others allow...

9.3CVSS8.5AI score0.99781EPSS
Exploits9References5
Nuclei
Nuclei
added yesterday40 views

WordPress Custom 404 Pro <= 3.11.1 - Reflected XSS

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in Kunal Nagar Custom 404 Pro allows Reflected XSS.This issue affects Custom 404 Pro: from n/a through 3.11.1. id: CVE-2024-39646 info: name: WordPress Custom 404 Pro = 3.11.1 - Reflected XSS...

7.1CVSS5.9AI score0.00588EPSS
Exploits0References3
Nuclei
Nuclei
added yesterday40 views

Widget4Call WordPress - Cross-Site Scripting

Widget4Call WordPress plugin = 1.0.7 contains a reflected cross-site scripting caused by unsanitized parameter output in the page, letting attackers execute arbitrary scripts in the context of high privilege users, exploit requires attacker to craft a malicious URL. id: CVE-2024-13099 info: name:...

5.4CVSS7.2AI score0.00674EPSS
Exploits1References1
Nuclei
Nuclei
added yesterday40 views

Melis Technology Melis Platform - Unrestricted File Upload & Remote Code Execution

Melis Technology Melis Platform contains an unrestricted file upload caused by insufficient validation of 'mcsdetailimg' parameter in /melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm, letting attackers upload malicious files and achieve remote code execution, exploit requires crafted...

9.3CVSS6.2AI score0.02503EPSS
Exploits3References3
Nuclei
Nuclei
added yesterday40 views

Visual CSS Style Editor < 7.5.4 - Cross-Site Scripting

The plugin does not sanitise and escape the wyppagetype parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue id: CVE-2021-24934 info: name: Visual CSS Style Editor 7.5.4 - Cross-Site Scripting author: Splint3r7 severity: medium description: | The...

6.1CVSS6.4AI score0.01397EPSS
Exploits2References2
Nuclei
Nuclei
added yesterday40 views

MantisBT < 2.25.2 - Cross-Site Scripting

MantisBT before 2.25.2 contains a cross-site scripting vulnerability in browsersearchplugin.php. The application does not properly sanitize the 'type' parameter, which allows attackers to inject arbitrary web script or HTML via a crafted URL. id: CVE-2022-28508 info: name: MantisBT 2.25.2 -...

6.1CVSS6.4AI score0.05227EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday40 views

WebTitan < 3.60 - Local File Inclusion

Directory traversal vulnerability in logs-x.php in SpamTitan WebTitan before 3.60 allows remote authenticated users to read arbitrary files via a .. dot dot in the fname parameter in a view action. id: CVE-2011-4640 info: name: WebTitan 3.60 - Local File Inclusion author: ctflearner severity:...

4CVSS6.1AI score0.07323EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday40 views

BlueNet Technology Clinical Browsing System 1.2.1 - Sql Injection

A vulnerability was found in BlueNet Technology Clinical Browsing System 1.2.1. It has been classified as critical. This affects an unknown part of the file /xds/deleteStudy.php. The manipulation of the argument documentUniqueId leads to sql injection. It is possible to initiate the attack...

6.5CVSS6.5AI score0.12051EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday40 views

DATAGERRY - REST API Auth Bypass

Incorrect access control in BECN DATAGERRY v2.2 allows attackers to execute arbitrary commands via crafted web requests. id: CVE-2024-46627 info: name: DATAGERRY - REST API Auth Bypass author: gy741 severity: critical description: | Incorrect access control in BECN DATAGERRY v2.2 allows attackers...

9.1CVSS6.2AI score0.04099EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday40 views

JobMonster < 4.5.2.9 - Cross-Site Scripting

In the theme JobMonster 4.5.2.9 there is a XSS vulnerability as the input for the search form is provided through unsanitized GET requests. id: CVE-2022-1170 info: name: JobMonster 4.5.2.9 - Cross-Site Scripting author: Akincibor,ritikchaddha severity: medium description: | In the theme JobMonste...

6.1CVSS6.4AI score0.01836EPSS
Exploits1References3
Total number of security vulnerabilities4137