Lucene search
K
NvdMost viewed

363365 matches found

NVD
NVD
•added 2024/07/01 7:15 p.m.•102 views

CVE-2024-38473

Encoding problem in modproxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue...

8.1CVSS0.25878EPSS
Exploits1References3
NVD
NVD
•added 2025/05/05 8:15 p.m.•101 views

CVE-2025-46734

league/commonmark is a PHP Markdown parser. A cross-site scripting XSS vulnerability in the Attributes extension of the league/commonmark library versions 1.5.0 through 2.6.x allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configurati...

6.4CVSS0.00287EPSS
Exploits0References2
NVD
NVD
•added 2024/07/01 7:15 p.m.•101 views

CVE-2024-38472

SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.60 which fixes this issue. Note: Existing configurations that access UNC paths will have to configure new...

7.5CVSS0.6795EPSS
Exploits1References3
NVD
NVD
•added 2020/03/12 2:15 p.m.•101 views

CVE-2020-10495

CSRF in admin/edit-template.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to edit an article template, given the id, via a crafted request...

4.3CVSS4.5AI score0.00475EPSS
Exploits1References2
NVD
NVD
•added 2025/03/20 6:15 a.m.•100 views

CVE-2025-22228

BCryptPasswordEncoder.matchesCharSequence,String will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same...

7.4CVSS0.00568EPSS
Exploits0References2
NVD
NVD
•added 2022/09/21 11:15 p.m.•100 views

CVE-2022-39224

Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious "payload compressor" field. This vulnerability impacts the extract and files methods of the RPM::File class of this...

7.8CVSS0.01628EPSS
Exploits1References3
NVD
NVD
•added 2025/01/14 6:15 p.m.•98 views

CVE-2025-21298

Windows OLE Remote Code Execution Vulnerability...

9.8CVSS0.80912EPSS
Exploits6References1
NVD
NVD
•added 2024/12/11 4:15 p.m.•98 views

CVE-2024-53677

File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before...

9.8CVSS0.78198EPSS
Exploits15References2
NVD
NVD
•added 2024/06/15 2:15 p.m.•98 views

CVE-2024-31870

IBM Db2 for i 7.2, 7.3, 7.4, and 7.5 supplies user defined table function is vulnerable to user enumeration by a local authenticated attacker, without having authority to the related USRPRF objects. This can be used by a malicious actor to gather information about users that can be targeted in...

3.3CVSS0.00171EPSS
Exploits0References3
NVD
NVD
•added 2013/02/24 8:55 p.m.•98 views

CVE-2012-5337

Multiple cross-site scripting XSS vulnerabilities in jforum.page in JForum 2.1.9 allow remote attackers to inject arbitrary web script or HTML via the 1 action, 2 matchtype, 3 sortby, or 4 start parameters...

4.3CVSS5.8AI score0.02519EPSS
Exploits1References1
NVD
NVD
•added 2025/07/09 4:15 p.m.•97 views

CVE-2025-53662

Jenkins IFTTT Build Notifier Plugin 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...

6.5CVSS0.00281EPSS
Exploits0References2
NVD
NVD
•added 2025/04/14 9:15 a.m.•97 views

CVE-2025-24859

A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user's password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable. This...

8.8CVSS0.0106EPSS
Exploits0References3
NVD
NVD
•added 2024/12/21 7:15 a.m.•97 views

CVE-2024-11975

The Reactflow Visitor Recording and Heatmaps plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpnonce' parameter in all versions up to, and including, 1.0.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacke...

6.1CVSS0.00436EPSS
Exploits0References4
NVD
NVD
•added 2024/08/27 8:15 p.m.•97 views

CVE-2024-8213

A vulnerability classified as critical has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. Affected is th...

9.8CVSS0.07178EPSS
Exploits1References6
NVD
NVD
•added 2024/07/01 7:15 p.m.•97 views

CVE-2024-38474

Substitution encoding issue in modrewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to...

9.8CVSS0.02456EPSS
Exploits0References3
NVD
NVD
•added 2022/05/26 12:15 p.m.•97 views

CVE-2021-42860

A stack buffer overflow exists in Mini-XML v3.2. When inputting an unformed XML string to the mxmlLoadString API, it will cause a stack-buffer-overflow in mxmlstringgetc:2611. NOTE: it is unclear whether this input is allowed by the API specification...

7.5CVSS0.0097EPSS
Exploits1References1
NVD
NVD
•added 2024/08/13 6:15 p.m.•96 views

CVE-2024-38063

Windows TCP/IP Remote Code Execution Vulnerability...

9.8CVSS0.70564EPSS
Exploits24References1
NVD
NVD
•added 2023/07/11 3:15 a.m.•96 views

CVE-2023-31405

SAP NetWeaver AS for Java - versions ENGINEAPI 7.50, SERVERCORE 7.50, J2EE-APPS 7.50, allows an unauthenticated attacker to craft a request over the network which can result in unwarranted modifications to a system log without user interaction. There is no ability to view any information or any...

5.3CVSS5.2AI score0.0038EPSS
Exploits0References2
NVD
NVD
•added 2023/04/16 4:15 a.m.•96 views

CVE-2021-33990

Liferay Portal 6.2.5 allows Command=FileUpload&Type=File&CurrentFolder=/ requests when frmfolders.html exists. NOTE: The vendor disputes this issue because the exploit reference link only shows frmfolders.html is accessible and does not demonstrate how an unauthorized user can upload a file...

9.8CVSS9.5AI score0.11915EPSS
Exploits4References2
NVD
NVD
•added 2024/07/17 5:15 p.m.•95 views

CVE-2024-20419

A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem SSM On-Prem could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. This vulnerability is due to improper implementation of the password-change process...

10CVSS0.80767EPSS
Exploits3References2
NVD
NVD
•added 2007/06/21 6:30 p.m.•95 views

CVE-2007-3323

SQL injection vulnerability in comersusoptReviewReadExec.asp in Comersus Shop Cart 7.07 allows remote attackers to execute arbitrary SQL commands via the idProduct parameter. NOTE: this might be the same as CVE-2005-2190.2...

7.5CVSS8.2AI score0.01041EPSS
Exploits1References5
NVD
NVD
•added 2024/12/17 6:15 p.m.•94 views

CVE-2024-49820

IBM Security Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2.0, and 4.2.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man i...

3.7CVSS0.00241EPSS
Exploits0References1
NVD
NVD
•added 2024/12/17 6:15 p.m.•94 views

CVE-2024-49817

IBM Security Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2.0, and 4.2.1 stores user credentials in configuration files which can be read by a local privileged user...

4.4CVSS0.00185EPSS
Exploits0References1
NVD
NVD
•added 2024/11/15 4:15 p.m.•94 views

CVE-2024-49758

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. User with Admin role can add Notes to a device, the application did not properly sanitize the user input, when the ExamplePlugin enable, if java script code is inside the device's Notes, its will be trigger. This...

4.8CVSS0.00332EPSS
Exploits1References2
NVD
NVD
•added 2022/03/15 1:15 a.m.•94 views

CVE-2022-0944

Template injection in connection test endpoint leads to RCE in GitHub repository sqlpad/sqlpad prior to 6.10.1...

9.1CVSS0.08669EPSS
Exploits12References2
NVD
NVD
•added 2021/09/02 5:15 p.m.•94 views

CVE-2021-39322

The Easy Social Icons plugin = 3.0.8 for WordPress echoes out the raw value of $SERVER'PHPSELF' in its main file. On certain configurations including Apache+modPHP this makes it possible to use it to perform a reflected Cross-Site Scripting attack by injecting malicious code in the request path...

6.1CVSS0.0236EPSS
Exploits2References2
NVD
NVD
•added 2022/03/20 10:15 p.m.•93 views

CVE-2020-26008

The PluginsUpload function in application/service/PluginsAdminService.php of ShopXO v1.9.0 contains an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via uploading a crafted PHP file...

7.8CVSS0.00942EPSS
Exploits1References1
NVD
NVD
•added 2018/06/11 9:29 p.m.•93 views

CVE-2018-5163

If a malicious attacker has used another vulnerability to gain full control over a content process, they may be able to replace the alternate data resources stored in the JavaScript Start-up Bytecode Cache JSBC for other JavaScript code. If the parent process then runs this replaced code, the...

8.1CVSS5.9AI score0.02114EPSS
Exploits0References5
NVD
NVD
•added 2024/11/07 10:15 a.m.•92 views

CVE-2023-1973

A flaw was found in Undertow package. Using the FormAuthenticationMechanism, a malicious user could trigger a Denial of Service by sending crafted requests, leading the server to an OutofMemory error, exhausting the server's memory...

7.5CVSS0.01292EPSS
Exploits0References8
NVD
NVD
•added 2021/01/12 8:15 p.m.•92 views

CVE-2021-1636

Microsoft SQL Elevation of Privilege Vulnerability...

8.8CVSS8.8AI score0.06153EPSS
Exploits0References2
NVD
NVD
•added 2020/03/12 4:15 p.m.•92 views

CVE-2020-0796

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 SMBv3 protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'...

10CVSS10AI score0.9981EPSS
Exploits125References8
NVD
NVD
•added 2026/05/20 12:16 a.m.•91 views

CVE-2026-45585

Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices. We are issuing this CVE to provide mitigation guidance that can be...

6.8CVSS0.01249EPSS
Exploits2References2
NVD
NVD
•added 2024/05/03 3:15 a.m.•91 views

CVE-2023-40517

LG SuperSign Media Editor ContentRestController getObject Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG SuperSign Media Editor. Authentication is not required to exploit this...

7.5CVSS7.2AI score0.01915EPSS
Exploits0References1
NVD
NVD
•added 2024/01/11 3:15 a.m.•91 views

CVE-2024-22195

Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting XSS. The Jinja xmlattr filter can be abused t...

6.1CVSS6.2AI score0.00892EPSS
Exploits0References7
NVD
NVD
•added 2023/02/23 4:15 p.m.•91 views

CVE-2023-24104

Ubiquiti Networks UniFi Dream Machine Pro v7.2.95 allows attackers to bypass domain restrictions via crafted packets...

9.8CVSS9.4AI score0.00847EPSS
Exploits1References2
NVD
NVD
•added 2015/11/18 3:59 p.m.•91 views

CVE-2015-4852

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to...

9.8CVSS9.4AI score0.96032EPSS
Exploits17References16
NVD
NVD
•added 2026/05/12 3:16 p.m.•90 views

CVE-2026-43938

YetAnotherForum.NET YAF.NET is a C ASP.NET forum. Prior to 4.0.5 and 3.2.12, the application's database logger YAFNET.Core/Logger/DbLogger.cs captures the incoming request's User-Agent header into a JObject, serializes it with JsonConvert, and stores the result in the EventLog.Description column...

8.1CVSS0.00282EPSS
Exploits0References1
NVD
NVD
•added 2024/08/27 8:15 p.m.•90 views

CVE-2024-8214

A vulnerability classified as critical was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. Affected by this...

9.8CVSS0.05185EPSS
Exploits1References6
NVD
NVD
•added 2013/07/08 10:55 p.m.•90 views

CVE-2013-4786

The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol RAKP authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC...

7.8CVSS7.5AI score0.81802EPSS
Exploits2References7
NVD
NVD
•added 2026/05/07 2:16 p.m.•89 views

CVE-2026-41490

Dagster is an orchestration platform for the development, production, and observation of data assets. Prior to Dagster Core version 1.13.1 and prior to Dagster libraries version 0.29.1, the DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers constructed SQL WHERE clauses by interpolating...

8.3CVSS0.00265EPSS
Exploits1References2
NVD
NVD
•added 2025/04/25 3:15 p.m.•89 views

CVE-2025-32432

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity...

10CVSS0.99803EPSS
Exploits14References7
NVD
NVD
•added 2024/09/11 12:15 a.m.•89 views

CVE-2024-40662

In scheme of Uri.java, there is a possible way to craft a malformed Uri object due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

7.8CVSS0.00098EPSS
Exploits0References2
NVD
NVD
•added 2024/07/12 1:15 p.m.•89 views

CVE-2024-40954

In the Linux kernel, the following vulnerability has been resolved: net: do not leave a dangling sk pointer, when socket creation fails It is possible to trigger a use-after-free by: attaching an fentry probe to sockrelease and the probe calling the bpfgetsocketcookie helper running traceroute -I...

7.8CVSS0.00255EPSS
Exploits0References6
NVD
NVD
•added 2024/06/10 8:15 p.m.•89 views

CVE-2024-36414

SuiteCRM is an open-source Customer Relationship Management CRM software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the connectors file verification allows for a server-side request forgery attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue...

7.7CVSS0.00362EPSS
Exploits0References1
NVD
NVD
•added 2015/01/13 3:59 p.m.•89 views

CVE-2014-100038

Cross-site scripting XSS vulnerability in Storytlr 1.3.dev and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter to search/...

4.3CVSS5.7AI score0.01201EPSS
Exploits1References3
NVD
NVD
•added 2026/05/14 3:16 p.m.•88 views

CVE-2026-44375

Nerdbank.MessagePack is a NativeAOT-compatible MessagePack serialization library. Prior to 1.1.62, Nerdbank.MessagePack contains an uncontrolled stack allocation vulnerability in DateTime decoding. A malicious MessagePack payload can declare an oversized timestamp extension length, causing the...

7.5CVSS0.00358EPSS
Exploits0References4
NVD
NVD
•added 2025/01/31 12:15 p.m.•88 views

CVE-2025-21672

In the Linux kernel, the following vulnerability has been resolved: afs: Fix merge preference rule failure condition syzbot reported a lock held when returning to userspace1. This is because if argc is less than 0 and the function returns directly, the held inode lock is not released. Fix this by...

5.5CVSS0.00136EPSS
Exploits0References2
NVD
NVD
•added 2023/10/19 7:15 p.m.•88 views

CVE-2023-45825

ydb-go-sdk is a pure Go native and database/sql driver for the YDB platform. Since ydb-go-sdk v3.48.6 if you use a custom credentials object implementation of interface Credentials it may leak into logs. This happens because this object could be serialized into an error message using...

5.5CVSS5.1AI score0.00219EPSS
Exploits0References4
NVD
NVD
•added 2023/01/18 12:15 a.m.•88 views

CVE-2023-21849

Vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite component: Java utils. Supported versions that are affected are 12.2.3-12.2.12. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Applications DBA...

7.5CVSS7AI score0.00627EPSS
Exploits0References1
NVD
NVD
•added 2021/11/10 10:15 p.m.•88 views

CVE-2020-23897

A User Mode Write AV in Editor!TMethodImplementationIntercept+0x54dcec of WildBit Viewer v6.6 allows attackers to cause a denial of service DoS via a crafted tga file...

5.5CVSS0.00545EPSS
Exploits0References2
Total number of security vulnerabilities5000