Lucene search
K
Vulncheck KevRecent

4985 matches found

VulnCheck KEV
VulnCheck KEV
added 2025/12/05 12:0 a.m.12 views

VulnCheck KEV: CVE-2024-37656

An open redirect vulnerability in gnuboard5 v.5.5.16 allows a remote attacker to obtain sensitive information via the insufficient URL parameter verification in bbs/logout.php...

6.1CVSS5.8AI score0.00494EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2025/12/05 12:0 a.m.5 views

VulnCheck KEV: CVE-2025-66644

Array Networks ArrayOS AG before 9.4.5.9 allows command injection, as exploited in the wild in August through December 2025...

9.8CVSS5.8AI score0.031EPSS
Exploits0References6
VulnCheck KEV
VulnCheck KEV
added 2025/12/04 12:0 a.m.60 views

VulnCheck KEV: CVE-2025-55182

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes...

10CVSS7.7AI score0.99562EPSS
Exploits387References364
VulnCheck KEV
VulnCheck KEV
added 2025/12/03 12:0 a.m.3 views

VulnCheck KEV: CVE-2025-13390

The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdkgenerateautologinlink" function. This is due to the feature using a cryptographically weak token...

10CVSS5.6AI score0.0472EPSS
Exploits3References2
VulnCheck KEV
VulnCheck KEV
added 2025/12/03 12:0 a.m.6 views

VulnCheck KEV: CVE-2025-13342

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions up to, and including, 3.28.20. This is due to insufficient capability checks and input validation in the ActionOptions::run save handler. This makes it...

9.8CVSS5.9AI score0.00464EPSS
Exploits2References2
VulnCheck KEV
VulnCheck KEV
added 2025/12/02 12:0 a.m.4 views

VulnCheck KEV: CVE-2025-13486

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepareform function. This is due to the function accepting user input and then passing that through calluserfuncarray. This makes it possible for...

9.8CVSS6.3AI score0.73557EPSS
Exploits10References3
VulnCheck KEV
VulnCheck KEV
added 2025/12/02 12:0 a.m.15 views

VulnCheck KEV: CVE-2023-52251

An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/topic/messages...

8.8CVSS6.2AI score0.85025EPSS
Exploits5References63
VulnCheck KEV
VulnCheck KEV
added 2025/12/01 12:0 a.m.8 views

VulnCheck KEV: CVE-2022-0142

The Visual Form Builder WordPress plugin before 3.0.8 is vulnerable to CSV injection allowing a user with low level or no privileges to inject a command that will be included in the exported CSV file, leading to possible code execution...

9.8CVSS5.9AI score0.0269EPSS
Exploits1References27
VulnCheck KEV
VulnCheck KEV
added 2025/12/01 12:0 a.m.4 views

VulnCheck KEV: CVE-2025-48633

In hasAccountsOnAnyUser of DevicePolicyManagerService.java, there is a possible way to add a Device Owner after provisioning due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

5.5CVSS5.9AI score0.00245EPSS
Exploits0References5
VulnCheck KEV
VulnCheck KEV
added 2025/12/01 12:0 a.m.5 views

VulnCheck KEV: CVE-2025-48572

In multiple locations, there is a possible way to launch activities from the background due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

7.8CVSS5.9AI score0.00228EPSS
Exploits0References5
VulnCheck KEV
VulnCheck KEV
added 2025/12/01 12:0 a.m.2 views

VulnCheck KEV: CVE-2025-53364

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Starting in 5.3.0 and before 7.5.3 and 8.2.2, the Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While sche...

5.3CVSS5.8AI score0.00814EPSS
Exploits0References33
VulnCheck KEV
VulnCheck KEV
added 2025/11/29 12:0 a.m.6 views

VulnCheck KEV: CVE-2024-49380

Plenti, a static site generator, has an arbitrary file write vulnerability in versions prior to 0.7.2. The /postLocal endpoint is vulnerable to an arbitrary file write vulnerability when a plenti user serves their website. This issue may lead to Remote Code Execution. Version 0.7.2 fixes the...

9.3CVSS5.9AI score0.02763EPSS
Exploits1References77
VulnCheck KEV
VulnCheck KEV
added 2025/11/28 12:0 a.m.6 views

VulnCheck KEV: CVE-2025-22214

Landray EIS 2001 through 2006 allows Message/fimessagereceiver.aspx?replyid= SQL injection...

4.3CVSS5.9AI score0.01262EPSS
Exploits0References38
VulnCheck KEV
VulnCheck KEV
added 2025/11/28 12:0 a.m.5 views

VulnCheck KEV: CVE-2024-6690

The wccp-pro WordPress plugin before 15.3 contains an open-redirect flaw via the referrer parameter, allowing redirection of users to external sites...

6.1CVSS5.8AI score0.00473EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/28 12:0 a.m.14 views

VulnCheck KEV: CVE-2024-8852

The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.86 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information such as full...

5.3CVSS5.8AI score0.01175EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/28 12:0 a.m.3 views

VulnCheck KEV: CVE-2025-5605

An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure. The known...

5.3CVSS5.8AI score0.00811EPSS
Exploits0References17
VulnCheck KEV
VulnCheck KEV
added 2025/11/27 12:0 a.m.10 views

VulnCheck KEV: CVE-2025-44137

MapTiler Tileserver-php v2.0 is vulnerable to Directory Traversal. The renderTile function within tileserver.php is responsible for delivering tiles that are stored as files on the server via web request. Creating the path to a file allows the insertion of "../" and thus read any file on the web...

8.2CVSS5.8AI score0.0136EPSS
Exploits2References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/27 12:0 a.m.9 views

VulnCheck KEV: CVE-2025-6403

A vulnerability was found in code-projects School Fees Payment System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /student.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been...

9.8CVSS5.7AI score0.017EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/27 12:0 a.m.4 views

VulnCheck KEV: CVE-2025-64095

DNN formerly DotNetNuke is an open-source web content management platform CMS in the Microsoft ecosystem. Prior to 10.1.1, the default HTML editor provider allows unauthenticated file uploads and images can overwrite existing files. An unauthenticated user can upload and replace existing files...

10CVSS5.8AI score0.44656EPSS
Exploits3References29
VulnCheck KEV
VulnCheck KEV
added 2025/11/27 12:0 a.m.14 views

VulnCheck KEV: CVE-2025-8943

The Custom MCPs feature is designed to execute OS commands, for instance, using tools like npx to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls RBAC. Furthermore, in Flowise versions before 3.0.1 the...

9.8CVSS5.9AI score0.70866EPSS
Exploits3References140
VulnCheck KEV
VulnCheck KEV
added 2025/11/27 12:0 a.m.15 views

VulnCheck KEV: CVE-2024-53900

Mongoose before 8.8.3 can improperly use $where in match, leading to search injection...

9.1CVSS5.8AI score0.03988EPSS
Exploits3References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/27 12:0 a.m.6 views

VulnCheck KEV: CVE-2025-6174

The Qwizcards | online quizzes and flashcards WordPress plugin through 3.9.4 does not sanitise and escape the "stylesheet" parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or any other user...

6.1CVSS5.8AI score0.0046EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/27 12:0 a.m.7 views

VulnCheck KEV: CVE-2025-9985

The Featured Image from URL FIFU plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.7 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the...

5.3CVSS5.8AI score0.1107EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/27 12:0 a.m.8 views

VulnCheck KEV: CVE-2025-44136

MapTiler Tileserver-php v2.0 is vulnerable to Cross Site Scripting XSS. The GET parameter "layer" is reflected in an error message without html encoding. This leads to XSS and allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code on a victim's browser...

9.8CVSS6.1AI score0.02507EPSS
Exploits2References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/27 12:0 a.m.4 views

VulnCheck KEV: CVE-2025-24354

imgproxy is server for resizing, processing, and converting images. Imgproxy does not block the 0.0.0.0 address, even with IMGPROXYALLOWLOOPBACKSOURCEADDRESSES set to false. This can expose services on the local host. This vulnerability is fixed in 3.27.2...

5.3CVSS5.8AI score0.00844EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/27 12:0 a.m.7 views

VulnCheck KEV: CVE-2025-52472

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0, the REST search URL is vulnerable to HQL injection via the orderField parameter. The specified value is...

9.3CVSS5.7AI score0.02207EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/26 12:0 a.m.12 views

VulnCheck KEV: CVE-2024-53375

An Authenticated Remote Code Execution RCE vulnerability affects the TP-Link Archer router series. A vulnerability exists in the "tmpgetsites" function of the HomeShield functionality provided by TP-Link. This vulnerability is still exploitable without the activation of the HomeShield functionali...

8CVSS7.3AI score0.40679EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/26 12:0 a.m.9 views

VulnCheck KEV: CVE-2025-34299

Monsta FTP versions 2.11 and earlier contain a vulnerability that allows unauthenticated arbitrary file uploads. This flaw enables attackers to execute arbitrary code by uploading a specially crafted file from a malicious SFTP server...

9.8CVSS6.2AI score0.72667EPSS
Exploits6References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/26 12:0 a.m.14 views

VulnCheck KEV: CVE-2023-43654

TorchServe is a tool for serving and scaling PyTorch models in production. TorchServe default configuration lacks proper input validation, enabling third parties to invoke remote HTTP download requests and write files to the disk. This issue could be taken advantage of to compromise the integrity...

10CVSS5.7AI score0.35256EPSS
Exploits6References84
VulnCheck KEV
VulnCheck KEV
added 2025/11/26 12:0 a.m.3 views

VulnCheck KEV: CVE-2023-45311

fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project that depends on fsevents distributes code that was obtained from that URL at a time when it was controlled by an...

9.8CVSS6.2AI score0.01535EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/26 12:0 a.m.7 views

VulnCheck KEV: CVE-2025-52207

PBXCoreREST/Controllers/Files/PostController.php in MikoPBX through 2024.1.114 allows uploading a PHP script to an arbitrary directory...

9.9CVSS5.9AI score0.01465EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/26 12:0 a.m.3 views

VulnCheck KEV: CVE-2024-10915

A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been rated as critical. Affected by this issue is the function cgiuseradd of the file /cgi-bin/accountmgr.cgi?cmd=cgiuseradd. The manipulation of the argument group leads to os command injection. T...

9.8CVSS6.4AI score0.79135EPSS
Exploits2References4
VulnCheck KEV
VulnCheck KEV
added 2025/11/25 12:0 a.m.7 views

VulnCheck KEV: CVE-2025-6389

The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeitarticlespaginationcallback function. This is due to the function accepting user input and then passing that through calluserfunc. This makes it possible for...

9.8CVSS6.1AI score0.43399EPSS
Exploits3References3
VulnCheck KEV
VulnCheck KEV
added 2025/11/25 12:0 a.m.3 views

VulnCheck KEV: CVE-2025-12057

The WavePlayer WordPress plugin before 3.8.0 does not have authorization in an AJAX action as well as does not validate the file to be copied locally, allowing unauthenticated users to upload arbitrary file on the server and lead to RCE...

9.8CVSS5.9AI score0.0041EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/24 12:0 a.m.14 views

VulnCheck KEV: CVE-2023-7330

Ruijie NBR series routers contain an unauthenticated arbitrary file upload vulnerability via /ddi/server/fileupload.php. The endpoint accepts attacker-supplied values in the name and uploadDir parameters and saves the provided multipart file content without adequate validation or sanitization of...

9.3CVSS6.4AI score0.00539EPSS
Exploits0References3
VulnCheck KEV
VulnCheck KEV
added 2025/11/24 12:0 a.m.26 views

VulnCheck KEV: CVE-2025-9528

A vulnerability was determined in Linksys E1700 1.0.0.4.003. This vulnerability affects the function systemCommand of the file /goform/systemCommand. Executing manipulation of the argument command can lead to os command injection. The attack may be launched remotely. The exploit has been publicly...

7.2CVSS5.6AI score0.50053EPSS
Exploits1References10
VulnCheck KEV
VulnCheck KEV
added 2025/11/24 12:0 a.m.5 views

VulnCheck KEV: CVE-2024-14007

Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware used by many white-labeled DVR/NVR/IPC products versions prior to 1.3.4 contain an authentication bypass in the NVMS-9000 control protocol. By sending a single crafted TCP payload to an exposed NVMS-9000 control port, an unauthenticated...

8.7CVSS5.9AI score0.00769EPSS
Exploits0References6
VulnCheck KEV
VulnCheck KEV
added 2025/11/20 12:0 a.m.5 views

VulnCheck KEV: CVE-2025-61757

Vulnerability in the Identity Manager product of Oracle Fusion Middleware component: REST WebServices. Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager...

9.8CVSS5.8AI score0.88312EPSS
Exploits1References10
VulnCheck KEV
VulnCheck KEV
added 2025/11/19 12:0 a.m.5 views

VulnCheck KEV: CVE-2024-12912

An improper input insertion vulnerability in AiCloud on certain router models may lead to arbitrary command execution. Refer to the '01/02/2025 ASUS Router AiCloud vulnerability' section on the ASUS Security Advisory for more information...

7.2CVSS5.9AI score0.01238EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/19 12:0 a.m.7 views

VulnCheck KEV: CVE-2023-41346

ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its token-refresh module. An authenticated remote attacker can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the syst...

8.8CVSS6.1AI score0.01202EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/19 12:0 a.m.6 views

VulnCheck KEV: CVE-2023-41347

ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its check token module. An authenticated remote attacker can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the system...

8.8CVSS6.1AI score0.01288EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/19 12:0 a.m.6 views

VulnCheck KEV: CVE-2023-41345

ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its token-generated module. An authenticated remote attacker can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the...

8.8CVSS6.1AI score0.01288EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/19 12:0 a.m.4 views

VulnCheck KEV: CVE-2025-2492

An improper authentication control vulnerability exists in AiCloud. This vulnerability can be triggered by a crafted request, potentially leading to unauthorized execution of functions. Refer to the 'ASUS Router AiCloud vulnerability' section on the ASUS Security Advisory for more information...

9.2CVSS6AI score0.00968EPSS
Exploits1References3
VulnCheck KEV
VulnCheck KEV
added 2025/11/19 12:0 a.m.5 views

VulnCheck KEV: CVE-2025-55346

User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request...

9.8CVSS6AI score0.1742EPSS
Exploits0References70
VulnCheck KEV
VulnCheck KEV
added 2025/11/19 12:0 a.m.33 views

VulnCheck KEV: CVE-2025-1302

Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution RCE due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. Note: This is caused by an incomplete fix for...

9.8CVSS6AI score0.10701EPSS
Exploits8References73
VulnCheck KEV
VulnCheck KEV
added 2025/11/19 12:0 a.m.4 views

VulnCheck KEV: CVE-2023-41348

ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its code-authentication module. An authenticated remote attacker can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt th...

8.8CVSS6.1AI score0.01288EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/18 12:0 a.m.8 views

VulnCheck KEV: CVE-2020-26948

Emby Server before 4.5.0 allows SSRF via the Items/RemoteSearch/Image ImageURL parameter...

9.8CVSS5.8AI score0.87154EPSS
Exploits4References80
VulnCheck KEV
VulnCheck KEV
added 2025/11/18 12:0 a.m.6 views

VulnCheck KEV: CVE-2022-1574

The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks when importing files, and does not validate them, as a result, unauthenticated attackers can upload arbitrary files such as PHP on the remote server...

9.8CVSS6AI score0.11866EPSS
Exploits2References102
VulnCheck KEV
VulnCheck KEV
added 2025/11/18 12:0 a.m.5 views

VulnCheck KEV: CVE-2025-58034

An Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' vulnerability CWE-78 vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may...

7.2CVSS6AI score0.54376EPSS
Exploits9References6
VulnCheck KEV
VulnCheck KEV
added 2025/11/18 12:0 a.m.10 views

VulnCheck KEV: CVE-2025-55190

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials usernames, passwor...

9.9CVSS5.8AI score0.04518EPSS
Exploits1References27
Total number of security vulnerabilities4985