Lucene search
K
NvdMost viewed

364447 matches found

NVD
NVD
added 2025/07/23 6:15 a.m.53 views

CVE-2025-54438

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in Samsung Electronics MagicINFO 9 Server allows Upload a Web Shell to a Web Server.This issue affects MagicINFO 9 Server: less than 21.1080.0...

9.8CVSS0.00611EPSS
Exploits0References1
NVD
NVD
added 2025/06/05 8:15 p.m.53 views

CVE-2025-5680

A vulnerability classified as critical was found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected by this vulnerability is the function executeScript of the file /src/main/java/com/dstz/sys/rest/controller/SysScriptController.java of the component Groovy Script...

8.8CVSS0.00433EPSS
Exploits1References4
NVD
NVD
added 2025/05/28 6:15 a.m.53 views

CVE-2025-4800

The MasterStudy LMS Pro plugin for WordPress is vulnerable to arbitrary file uploads due to a missing file type validation in the stmlmsaddassignmentattachment function in all versions up to, and including, 4.7.0. This makes it possible for authenticated attackers, with Subscriber-level access an...

8.8CVSS0.00959EPSS
Exploits0References4
NVD
NVD
added 2025/05/14 3:15 a.m.53 views

CVE-2025-4520

The Uncanny Automator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in versions up to, and including, 6.4.0.2. This makes it possible for authenticated attackers, with subscriber-level permissions or above to...

5.4CVSS0.00266EPSS
Exploits0References2
NVD
NVD
added 2025/04/15 8:15 p.m.53 views

CVE-2025-32445

Argo Events is an event-driven workflow automation framework for Kubernetes. A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges. The EventSource and Sensor...

9.9CVSS0.00724EPSS
Exploits0References2
NVD
NVD
added 2025/03/05 4:15 p.m.53 views

CVE-2023-38693

Lucee Server or simply Lucee is a dynamic, Java based, tag and scripting language used for rapid web application development. The Lucee REST endpoint is vulnerable to RCE via an XML XXE attack. This vulnerability is fixed in Lucee 5.4.3.2, 5.3.12.1, 5.3.7.59, 5.3.8.236, and 5.3.9.173...

9.8CVSS0.0076EPSS
Exploits0References1
NVD
NVD
added 2025/02/08 10:15 a.m.53 views

CVE-2025-1115

A vulnerability classified as problematic was found in RT-Thread up to 5.1.0. Affected by this vulnerability is the function...

5.5CVSS0.00289EPSS
Exploits1References4
NVD
NVD
added 2025/02/06 7:15 a.m.53 views

CVE-2025-22890

Execution with unnecessary privileges issue exists in Defense Platform Home Edition Ver.3.9.51.x and earlier. If an attacker performs a specific operation, SYSTEM privilege of the Windows system where the product is running may be obtained...

8.8CVSS0.00185EPSS
Exploits0References2
NVD
NVD
added 2025/01/29 11:15 p.m.53 views

CVE-2024-57665

JFinalCMS 1.0 is vulnerable to SQL Injection in rc/main/java/com/cms/entity/Content.java. The cause of the vulnerability is that the title parameter is controllable and is concatenated directly into filterSql without filtering...

9.8CVSS0.00477EPSS
Exploits1References1
NVD
NVD
added 2024/12/09 9:15 p.m.53 views

CVE-2024-54149

Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Winter CMS prior to versions 1.2.7, 1.1.11, and 1.0.476 allow users with access to the CMS templates sections that modify Twig files to bypass the sandbox placed on Twig files and modify resources such...

8.4CVSS0.00405EPSS
Exploits0References2
NVD
NVD
added 2024/11/20 3:15 p.m.53 views

CVE-2024-52598

2FAuth is a web app to manage Two-Factor Authentication 2FA accounts and generate their security codes. Two interconnected vulnerabilities exist in version 5.4.1 a SSRF and URI validation bypass issue. The endpoint at POST /api/v1/twofaccounts/preview allows setting a remote URI to retrieve the...

7.5CVSS0.0058EPSS
Exploits1References1
NVD
NVD
added 2024/11/18 10:15 p.m.53 views

CVE-2024-52345

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in RobertoAlicata raqrcode ra-qrcode allows Stored XSS.This issue affects raqrcode: from n/a through = 2.1.0...

6.5CVSS0.00231EPSS
Exploits0References1
NVD
NVD
added 2024/11/15 9:15 p.m.53 views

CVE-2024-45611

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can bypass the access control policy to create a private RSS feed attached to another user account and use a malicious payload t...

5.7CVSS0.00305EPSS
Exploits0References1
NVD
NVD
added 2024/11/10 9:15 p.m.53 views

CVE-2024-46951

An issue was discovered in psi/zcolor.c in Artifex Ghostscript before 10.04.0. An unchecked Implementation pointer in Pattern color space could lead to arbitrary code execution...

7.8CVSS0.00356EPSS
Exploits0References5
NVD
NVD
added 2024/11/08 5:15 a.m.53 views

CVE-2024-21538

Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service ReDoS due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string...

8.7CVSS0.00873EPSS
Exploits0References5
NVD
NVD
added 2024/10/08 6:15 p.m.53 views

CVE-2024-43590

Visual C++ Redistributable Installer Elevation of Privilege Vulnerability...

7.8CVSS0.00426EPSS
Exploits0References1
NVD
NVD
added 2024/10/07 9:15 p.m.53 views

CVE-2024-47772

Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by sending a maliciously crafted chat message and replying to it. This issue only affects sites with CSP disabled. This problem is patched in the latest version of...

6.5CVSS0.00331EPSS
Exploits0References2
NVD
NVD
added 2024/10/04 1:15 p.m.53 views

CVE-2024-47654

This vulnerability exists in Shilpi Client Dashboard due to lack of rate limiting and Captcha protection for OTP requests in certain API endpoint. An unauthenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoints, which could lead...

7.5CVSS0.00472EPSS
Exploits0References1
NVD
NVD
added 2024/09/25 3:15 a.m.53 views

CVE-2024-7617

The Contact Form to Any API plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Contact Form 7 form fields in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

7.2CVSS0.00585EPSS
Exploits0References3
NVD
NVD
added 2024/09/12 9:15 a.m.53 views

CVE-2024-8522

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'conlyfields' parameter of the /wp-json/learnpress/v1/courses REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of...

10CVSS0.63134EPSS
Exploits6References4
NVD
NVD
added 2024/09/09 7:15 p.m.53 views

CVE-2024-7341

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authenticati...

7.1CVSS0.008EPSS
Exploits0References12
NVD
NVD
added 2024/09/08 12:15 p.m.53 views

CVE-2024-42342

Loway - CWE-444: Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling'...

4.3CVSS0.00264EPSS
Exploits0References1
NVD
NVD
added 2024/09/04 4:15 p.m.53 views

CVE-2024-8391

In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client. This is fixed in the 4.5.10 version. Note this does not affect the Vert.x gRPC server based grpc-java and Netty...

7.5CVSS0.0058EPSS
Exploits0References2
NVD
NVD
added 2024/08/14 5:15 p.m.53 views

CVE-2024-5914

A command injection issue in Palo Alto Networks Cortex XSOAR CommonScripts Pack allows an unauthenticated attacker to execute arbitrary commands within the context of an integration container...

9.8CVSS0.01234EPSS
Exploits0References1
NVD
NVD
added 2024/08/13 6:15 p.m.53 views

CVE-2024-38109

An authenticated attacker can exploit an Server-Side Request Forgery SSRF vulnerability in Microsoft Azure Health Bot to elevate privileges over a network...

9.1CVSS0.01833EPSS
Exploits0References1
NVD
NVD
added 2024/08/07 2:15 p.m.53 views

CVE-2024-43044

Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the ClassLoaderProxyfetchJar method in the Remoting library...

8.8CVSS0.28782EPSS
Exploits4References1
NVD
NVD
added 2024/08/01 2:15 a.m.53 views

CVE-2024-6687

The CTT Expresso para WooCommerce plugin for WordPress is vulnerable to sensitive information exposure in all versions up to and including 3.2.12 via the /wp-content/uploads/cepw directory. The generated .pdf and log files are publicly accessible and contain sensitive information such as sender a...

7.5CVSS0.00415EPSS
Exploits0References2
NVD
NVD
added 2024/07/29 2:15 p.m.53 views

CVE-2024-6576

Improper Authentication vulnerability in Progress MOVEit Transfer SFTP module can lead to Privilege Escalation.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3...

9.8CVSS0.00618EPSS
Exploits0References2
NVD
NVD
added 2024/07/25 10:15 a.m.53 views

CVE-2024-37084

In Spring Cloud Data Flow versions prior to 2.11.4, a malicious user who has access to the Skipper server api can use a crafted upload request to write an arbitrary file to any location on the file system which could lead to compromising the server...

9.8CVSS0.35211EPSS
Exploits4References1
NVD
NVD
added 2024/07/16 11:15 p.m.53 views

CVE-2024-21181

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware component: Core. Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic...

9.8CVSS0.01119EPSS
Exploits0References1
NVD
NVD
added 2024/07/11 4:15 a.m.53 views

CVE-2024-6397

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 0.1.0.44. This is due to insufficient verification of the API key. This makes it possible for unauthenticated attackers to log in as any existing...

9.8CVSS0.00706EPSS
Exploits0References6
NVD
NVD
added 2024/07/09 5:15 p.m.53 views

CVE-2024-38095

.NET and Visual Studio Denial of Service Vulnerability...

7.5CVSS0.02719EPSS
Exploits0References1
NVD
NVD
added 2024/07/09 5:15 p.m.53 views

CVE-2024-38024

Microsoft SharePoint Server Remote Code Execution Vulnerability...

7.2CVSS0.45219EPSS
Exploits1References1
NVD
NVD
added 2024/06/25 3:15 p.m.53 views

CVE-2024-37085

VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory AD permissions can gain full access to an ESXi host that was previously configured to use AD for user management...

7.2CVSS0.2677EPSS
Exploits0References2
NVD
NVD
added 2024/06/11 5:15 p.m.53 views

CVE-2024-30064

Windows Kernel Elevation of Privilege Vulnerability...

8.8CVSS0.00791EPSS
Exploits0References1
NVD
NVD
added 2024/06/07 12:15 p.m.53 views

CVE-2024-4610

Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver allows a local non-privileged user to make improper GPU memory processing operations to gain access to already freed memory.This issue affects Bifrost GPU Kernel Driver: from r34p0 through r40p0;...

7.8CVSS0.00758EPSS
Exploits0References2
NVD
NVD
added 2024/05/26 12:15 a.m.53 views

CVE-2024-5351

A vulnerability was found in anji-plus AJ-Report up to 1.4.1. It has been declared as critical. Affected by this vulnerability is the function getValueFromJs of the component Javascript Handler. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been...

9.8CVSS6.4AI score0.00769EPSS
Exploits1References4
NVD
NVD
added 2024/05/07 4:15 p.m.53 views

CVE-2024-34341

Trix is a rich text editor. The Trix editor, versions prior to 2.1.1, is vulnerable to arbitrary code execution when copying and pasting content from the web or other documents with markup into the editor. The vulnerability stems from improper sanitization of pasted content, allowing an attacker ...

5.4CVSS6AI score0.00784EPSS
Exploits0References6
NVD
NVD
added 2024/04/09 6:15 p.m.53 views

CVE-2024-31457

gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. gin-vue-admin pseudoversion 0.0.0-20240407133540-7bc7c3051067, corresponding to version 2.6.1, has a code injection vulnerability in the backend. In the Plugin System - Plugi...

7.7CVSS7.8AI score0.00904EPSS
Exploits0References3
NVD
NVD
added 2024/03/21 2:52 a.m.53 views

CVE-2024-27933

Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in opnodeipcpipe leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission prompt bypass. Node childproce...

8.8CVSS8.4AI score0.02276EPSS
Exploits1References10
NVD
NVD
added 2024/03/21 12:15 a.m.53 views

CVE-2024-28916

Xbox Gaming Services Elevation of Privilege Vulnerability...

8.8CVSS8.8AI score0.00652EPSS
Exploits0References1
NVD
NVD
added 2023/12/24 7:15 a.m.53 views

CVE-2023-51767

OpenSSH through 10.0, when common types of DRAM are used, might allow row hammer attacks for authentication bypass because the integer value of authenticated in mmanswerauthpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim...

7CVSS0.00661EPSS
Exploits0References34
NVD
NVD
added 2023/12/18 11:15 p.m.53 views

CVE-2023-49155

Cross-Site Request Forgery CSRF vulnerability in Wow-Company Button Generator – easily Button Builder.This issue affects Button Generator – easily Button Builder: from n/a through 2.3.8...

8.8CVSS0.00294EPSS
Exploits0References1
NVD
NVD
added 2023/12/05 11:15 p.m.53 views

CVE-2023-49282

msgraph-sdk-php is the Microsoft Graph Library for PHP. The Microsoft Graph PHP SDK published packages which contained test code that enabled the use of the phpInfo function from any application that could access and execute the file at vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. The...

5.4CVSS0.02203EPSS
Exploits0References5
NVD
NVD
added 2023/10/28 2:15 p.m.53 views

CVE-2023-5835

A vulnerability classified as problematic was found in hu60t hu60wap6. Affected by this vulnerability is the function markdown of the file src/class/ubbparser.php. The manipulation leads to cross site scripting. The attack can be launched remotely. This product does not use versioning. This is wh...

6.1CVSS4.4AI score0.00385EPSS
Exploits0References3
NVD
NVD
added 2023/10/26 9:15 p.m.53 views

CVE-2023-33558

An information disclosure vulnerability in the component users-grid-data.php of Ocomon before v4.0.1 allows attackers to obtain sensitive information such as e-mails and usernames...

7.5CVSS7.2AI score0.00527EPSS
Exploits0References2
NVD
NVD
added 2023/09/06 1:15 p.m.53 views

CVE-2023-41942

A cross-site request forgery CSRF vulnerability in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers to clear the SQS queue...

4.3CVSS5AI score0.00287EPSS
Exploits0References2
NVD
NVD
added 2023/09/05 6:15 a.m.53 views

CVE-2023-4748

A vulnerability, which was classified as critical, has been found in Yongyou UFIDA-NC up to 20230807. This issue affects some unknown processing of the file PrintTemplateFileServlet.java. The manipulation of the argument filePath leads to path traversal. The attack may be initiated remotely. The...

7.5CVSS6.7AI score0.00765EPSS
Exploits1References3
NVD
NVD
added 2023/08/30 12:15 p.m.53 views

CVE-2023-32742

Unauth. Reflected Cross-Site Scripting XSS vulnerability in VeronaLabs WP SMS plugin = 6.1.4 versions...

7.1CVSS6.2AI score0.00396EPSS
Exploits0References1
NVD
NVD
added 2023/07/25 9:15 p.m.53 views

CVE-2023-38493

Armeria is a microservice framework Spring supports Matrix variables. When Spring integration is used, Armeria calls Spring controllers via TomcatService or JettyService with the path that may contain matrix variables. Prior to version 1.24.3, the Armeria decorators might not invoked because of t...

7.5CVSS7.6AI score0.00588EPSS
Exploits0References3
Total number of security vulnerabilities5000