Lucene search
K
Vulncheck KevRecent

4985 matches found

VulnCheck KEV
VulnCheck KEV
added 2025/11/17 12:0 a.m.4 views

VulnCheck KEV: CVE-2025-12974

The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the legacy chunked upload mechanism in all versions up to, and including, 2.9.21.1. This is due to the extension blacklist not including .phar files, which can be uploaded through...

8.1CVSS6.5AI score0.00585EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/17 12:0 a.m.5 views

VulnCheck KEV: CVE-2025-61666

Traccar is an open source GPS tracking system. Default installs of Traccar on Windows between versions 6.1- 6.8.1 and non default installs between versions 5.8 - 6.0 are vulnerable to unauthenticated local file inclusion attacks which can lead to leakage of passwords or any file on the file syste...

8.7CVSS5.8AI score0.01196EPSS
Exploits0References24
VulnCheck KEV
VulnCheck KEV
added 2025/11/14 12:0 a.m.7 views

VulnCheck KEV: CVE-2025-8085

The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs...

8.6CVSS5.9AI score0.16399EPSS
Exploits1References22
VulnCheck KEV
VulnCheck KEV
added 2025/11/13 12:0 a.m.7 views

VulnCheck KEV: CVE-2022-4984

ZenTao Biz 6.5, ZenTao Max 3.0, ZenTao Open Source Edition 16.5, and ZenTao Open Source Edition 16.5.beta1 contain an SQL injection vulnerability in the login functionality. The application does not properly validate the account parameter on /zentao/user-login.html before using it in a database...

8.7CVSS6AI score0.00402EPSS
Exploits0References85
VulnCheck KEV
VulnCheck KEV
added 2025/11/12 12:0 a.m.7 views

VulnCheck KEV: CVE-2025-13223

Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: High...

8.8CVSS5.8AI score0.04835EPSS
Exploits1References9
VulnCheck KEV
VulnCheck KEV
added 2025/11/12 12:0 a.m.3 views

VulnCheck KEV: CVE-2024-37393

Multiple LDAP injections vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote attacker could exfiltrate data from Active Directory through blind LDAP injection attacks against the DESKTOP service exposed on the...

9.8CVSS5.9AI score0.03304EPSS
Exploits2References85
VulnCheck KEV
VulnCheck KEV
added 2025/11/12 12:0 a.m.9 views

VulnCheck KEV: CVE-2022-4982

DBLTek GoIP-1 firmware versions up to and including GHSFVT-1.1-67-5 contain a local file inclusion vulnerability. The device's web server exposes handlers frame.html and frame.A100.html that accept a path parameter content or sidebar which is not properly validated or canonicalized. An attacker c...

8.7CVSS5.9AI score0.00438EPSS
Exploits0References3
VulnCheck KEV
VulnCheck KEV
added 2025/11/11 12:0 a.m.4 views

VulnCheck KEV: CVE-2025-62215

Concurrent execution using shared resource with improper synchronization 'race condition' in Windows Kernel allows an authorized attacker to elevate privileges locally...

7CVSS5.9AI score0.061EPSS
Exploits6References8
VulnCheck KEV
VulnCheck KEV
added 2025/11/10 12:0 a.m.6 views

VulnCheck KEV: CVE-2020-22623

Directory traversal vulnerability in Jinfornet Jreport 15.6 allows unauthenticated attackers to gain sensitive information...

7.5CVSS5.8AI score0.01121EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/10 12:0 a.m.3 views

VulnCheck KEV: CVE-2021-4462

Employee Records System version 1.0 contains an unrestricted file upload vulnerability that allows a remote unauthenticated attacker to upload arbitrary files via the uploadID.php endpoint; uploaded files can be executed because the application does not perform proper server-side...

9.8CVSS6AI score0.03054EPSS
Exploits2References80
VulnCheck KEV
VulnCheck KEV
added 2025/11/10 12:0 a.m.2 views

VulnCheck KEV: CVE-2025-53118

An authentication bypass vulnerability exists which allows an unauthenticated attacker to control administrator backup functions, leading to compromise of passwords, secrets, and application session tokens stored by the Unified PAM...

9.8CVSS5.8AI score0.29365EPSS
Exploits0References75
VulnCheck KEV
VulnCheck KEV
added 2025/11/10 12:0 a.m.6 views

VulnCheck KEV: CVE-2023-6329

An authentication bypass vulnerability exists in Control iD iDSecure v4.7.32.0. The login routine used by iDS-Core.dll contains a "passwordCustom" option that allows an unauthenticated attacker to compute valid credentials that can be used to bypass authentication and act as an administrative use...

9.8CVSS5.8AI score0.65237EPSS
Exploits6References92
VulnCheck KEV
VulnCheck KEV
added 2025/11/10 12:0 a.m.4 views

VulnCheck KEV: CVE-2018-25124

PacsOne Server version 6.6.2 prior versions are likely affected contains a directory traversal vulnerability within the web-based DICOM viewer component. Successful exploitation allows a remote unauthenticated attacker to read arbitrary files via the 'nocache.php' endpoint with a crafted 'path'...

8.7CVSS6AI score0.00826EPSS
Exploits0References6
VulnCheck KEV
VulnCheck KEV
added 2025/11/10 12:0 a.m.16 views

VulnCheck KEV: CVE-2023-3606

A vulnerability was found in TamronOS up to 20230703. It has been classified as critical. This affects an unknown part of the file /api/ping. The manipulation of the argument host leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the...

8.8CVSS5.4AI score0.05871EPSS
Exploits1References63
VulnCheck KEV
VulnCheck KEV
added 2025/11/10 12:0 a.m.8 views

VulnCheck KEV: CVE-2025-54123

Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, the middleware functionality in Hoverfly is vulnerable to command injection vulnerability at /api/v2/hoverfly/middleware endpoint due to insufficient validation and sanitization in user input. The vulnerability exists i...

9.8CVSS6.6AI score0.10543EPSS
Exploits7References74
VulnCheck KEV
VulnCheck KEV
added 2025/11/10 12:0 a.m.9 views

VulnCheck KEV: CVE-2017-18365

The Management Console in GitHub Enterprise 2.8.x before 2.8.7 has a deserialization issue that allows unauthenticated remote attackers to execute arbitrary code. This occurs because the enterprise session secret is always the same, and can be found in the product's source code. By sending a...

9.8CVSS6.1AI score0.21402EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/10 12:0 a.m.6 views

VulnCheck KEV: CVE-2025-12480

Triofox versions prior to 16.7.10368.56560, are vulnerable to an Improper Access Control flaw that allows access to initial setup pages even after setup is complete...

9.1CVSS5.8AI score0.90355EPSS
Exploits1References100
VulnCheck KEV
VulnCheck KEV
added 2025/11/10 12:0 a.m.180 views

VulnCheck KEV: CVE-2006-4837

Multiple PHP remote file inclusion vulnerabilities in DCP-Portal SE 6.0 allow remote attackers to execute arbitrary PHP code via a URL in the root parameter in 1 library/lib.php and 2 library/editor/editor.php. NOTE: the same primary issue can be used for full path disclosure with an invalid...

7.5CVSS6.2AI score0.02736EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/07 12:0 a.m.6 views

VulnCheck KEV: CVE-2025-21042

Out-of-bounds write in libimagecodec.quram.so prior to SMR Apr-2025 Release 1 allows remote attackers to execute arbitrary code...

9.8CVSS6.1AI score0.11606EPSS
Exploits1References9
VulnCheck KEV
VulnCheck KEV
added 2025/11/07 12:0 a.m.5 views

VulnCheck KEV: CVE-2024-54006

Multiple command injection vulnerabilities exist in the web interface of the 501 Wireless Client Bridge which could lead to authenticated remote command execution. Successful exploitation of these vulnerabilities result in the ability of an attacker to execute arbitrary commands as a privileged...

7.2CVSS6.2AI score0.0155EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/07 12:0 a.m.4 views

VulnCheck KEV: CVE-2020-36870

Various Ruijie Gateway EG and NBR models firmware versions 11.16B9P1 11.94B12P1 contain a code execution vulnerability in the EWEB management system that can be abused via front-end functionality. Attackers can exploit front-end code when features such as guest authentication, local server...

9.2CVSS6.3AI score0.00762EPSS
Exploits0References89
VulnCheck KEV
VulnCheck KEV
added 2025/11/07 12:0 a.m.18 views

VulnCheck KEV: CVE-2021-4449

The ZoomSounds plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'savepng.php' file in versions up to, and including, 5.96. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may...

9.8CVSS6.5AI score0.05288EPSS
Exploits3References3
VulnCheck KEV
VulnCheck KEV
added 2025/11/05 12:0 a.m.8 views

VulnCheck KEV: CVE-2020-20601

An issue in ThinkCMF X2.2.2 and below allows attackers to execute arbitrary code via a crafted packet...

9.8CVSS6.2AI score0.07598EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/05 12:0 a.m.6 views

VulnCheck KEV: CVE-2021-26072

The WidgetConnector plugin in Confluence Server and Confluence Data Center before version 5.8.6 allowed remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery SSRF vulnerability...

4.3CVSS5.8AI score0.38845EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/05 12:0 a.m.9 views

VulnCheck KEV: CVE-2018-25114

A remote code execution vulnerability exists within osCommerce Online Merchant version 2.3.4.1 due to insecure default configuration and missing authentication in the installer workflow. By default, the /install/ directory remains accessible after installation. An unauthenticated attacker can...

9.3CVSS6.5AI score0.0282EPSS
Exploits0References24
VulnCheck KEV
VulnCheck KEV
added 2025/11/05 12:0 a.m.6 views

VulnCheck KEV: CVE-2021-32478

The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions are affected...

6.1CVSS7.2AI score0.01157EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2025/11/05 12:0 a.m.15 views

VulnCheck KEV: CVE-2025-11749

The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the /mcp/v1/ REST API endpoint that exposes the 'Bearer Token' value when 'No-Auth URL' is enabled. This makes it possible for unauthenticated attackers to extract th...

9.8CVSS5.8AI score0.75063EPSS
Exploits5References3
VulnCheck KEV
VulnCheck KEV
added 2025/11/03 12:0 a.m.7 views

VulnCheck KEV: CVE-2025-32429

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an...

9.8CVSS5.9AI score0.8541EPSS
Exploits6References64
VulnCheck KEV
VulnCheck KEV
added 2025/11/01 12:0 a.m.7 views

VulnCheck KEV: CVE-2025-11833

The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the construct function in all versions up to, and including, 3.6.0. This makes it possible for unauthenticated...

9.8CVSS5.9AI score0.51507EPSS
Exploits1References5
VulnCheck KEV
VulnCheck KEV
added 2025/10/31 12:0 a.m.4 views

VulnCheck KEV: CVE-2025-5397

The Noo JobMonster theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.8.1. This is due to the checklogin function not properly verifying a user's identity prior to successfully authenticating them This makes it possible for unauthenticated attackers...

9.8CVSS5.6AI score0.01005EPSS
Exploits0References3
VulnCheck KEV
VulnCheck KEV
added 2025/10/31 12:0 a.m.5 views

VulnCheck KEV: CVE-2024-45216

Improper Authentication vulnerability in Apache Solr. Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass. A fake ending at the end of any Solr API URL path, will allow requests to skip...

9.8CVSS5.8AI score0.90709EPSS
Exploits1References165
VulnCheck KEV
VulnCheck KEV
added 2025/10/31 12:0 a.m.4 views

VulnCheck KEV: CVE-2025-8489

The King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor plugin for WordPress is vulnerable to privilege escalation in versions 24.12.92 to 51.1.14 . This is due to the plugin not properly restricting the roles that users can register with. This makes it...

9.8CVSS5.8AI score0.09142EPSS
Exploits4References4
VulnCheck KEV
VulnCheck KEV
added 2025/10/31 12:0 a.m.22 views

VulnCheck KEV: CVE-2025-55748

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-2 through 16.10.6, configuration files are accessible through jsx and sx endpoints. It's possible to access and read configuration files by using URLs such as...

9.3CVSS5.8AI score0.01639EPSS
Exploits0References113
VulnCheck KEV
VulnCheck KEV
added 2025/10/31 12:0 a.m.30 views

VulnCheck KEV: CVE-2021-37305

An Insecure Permissions issue in jeecg-boot 2.4.5 and earlier allows remote attackers to gain escalated privilege and view sensitive information via api uri: /sys/user/querySysUser?username=admin...

7.5CVSS5.8AI score0.0352EPSS
Exploits0References66
VulnCheck KEV
VulnCheck KEV
added 2025/10/30 12:0 a.m.7 views

VulnCheck KEV: CVE-2020-35714

Belkin LINKSYS RE6500 devices before 1.0.11.001 allow remote authenticated users to execute arbitrary commands via goform/systemCommand?command= in conjunction with the goform/pingstart program...

8.8CVSS5.9AI score0.02655EPSS
Exploits1References67
VulnCheck KEV
VulnCheck KEV
added 2025/10/30 12:0 a.m.12 views

VulnCheck KEV: CVE-2021-4461

Seeyon Zhiyuan OA Web Application System versions up to and including 7.0 SP1 improperly decode and parse the enc parameter in thirdpartyController.do. The decoded map values can influence session attributes without sufficient authentication/authorization checks, enabling attackers to assign a...

9.3CVSS5.8AI score0.00602EPSS
Exploits0References119
VulnCheck KEV
VulnCheck KEV
added 2025/10/30 12:0 a.m.5 views

VulnCheck KEV: CVE-2023-7325

Anheng Mingyu Operation and Maintenance Audit and Risk Control System up to 2023-08-10 contains a server-side request forgery SSRF vulnerability in the xmlrpc.sock handler. The product accepts specially crafted XML-RPC requests that can be used to instruct the server to connect to internal unix...

9.3CVSS5.9AI score0.0037EPSS
Exploits0References100
VulnCheck KEV
VulnCheck KEV
added 2025/10/30 12:0 a.m.7 views

VulnCheck KEV: CVE-2025-9491

Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a...

7.8CVSS6.1AI score0.63102EPSS
Exploits3References5
VulnCheck KEV
VulnCheck KEV
added 2025/10/29 12:0 a.m.71 views

VulnCheck KEV: CVE-2025-11705

The Anti-Malware Security and Brute-Force Firewall plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 4.23.81 due to a missing capability check combined with an information exposure in several GOTMLS AJAX actions. This makes it possible for authenticat...

6.5CVSS5.9AI score0.00572EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2025/10/29 12:0 a.m.8 views

VulnCheck KEV: CVE-2018-25120

D-Link DNS-343 ShareCenter devices running firmware versions up to and including 1.05 contain a command injection vulnerability in the Mail Test functionality. The web maintenance script posts to the internal goForm endpoint '/goform/MailTest' and uses several form parameters directly in a call t...

9.8CVSS6AI score0.09806EPSS
Exploits1References128
VulnCheck KEV
VulnCheck KEV
added 2025/10/29 12:0 a.m.5 views

VulnCheck KEV: CVE-2025-12450

The LiteSpeed Cache plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URLs in all versions up to, and including, 7.5.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages...

6.1CVSS5.9AI score0.00382EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2025/10/29 12:0 a.m.121 views

VulnCheck KEV: CVE-2024-51228

An issue in TOTOLINK-CX-A3002RU V1.0.4-B20171106.1512 and TOTOLINK-CX-N150RT V2.1.6-B20171121.1002 and TOTOLINK-CX-N300RT V2.1.6-B20170724.1420 and TOTOLINK-CX-N300RT V2.1.8-B20171113.1408 and TOTOLINK-CX-N300RT V2.1.8-B20191010.1107 and TOTOLINK-CX-N302RE V2.0.2-B20170511.1523 allows a remote...

6.8CVSS6.2AI score0.0379EPSS
Exploits0References120
VulnCheck KEV
VulnCheck KEV
added 2025/10/28 12:0 a.m.8 views

VulnCheck KEV: CVE-2025-7083

A vulnerability was found in Belkin F9K1122 1.00.33. It has been classified as critical. This affects the function mp of the file /goform/mp of the component webs. The manipulation of the argument command leads to os command injection. It is possible to initiate the attack remotely. The exploit h...

8.8CVSS5.5AI score0.38138EPSS
Exploits1References108
VulnCheck KEV
VulnCheck KEV
added 2025/10/28 12:0 a.m.8 views

VulnCheck KEV: CVE-2025-6204

An Improper Control of Generation of Code Code Injection vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to execute arbitrary code...

8CVSS6.1AI score0.76148EPSS
Exploits0References4
VulnCheck KEV
VulnCheck KEV
added 2025/10/28 12:0 a.m.8 views

VulnCheck KEV: CVE-2020-28653

Zoho ManageEngine OpManager Stable build before 125203 and Released build before 125233 allows Remote Code Execution via the Smart Update Manager SUM servlet...

9.8CVSS5.9AI score0.787EPSS
Exploits5References2
VulnCheck KEV
VulnCheck KEV
added 2025/10/28 12:0 a.m.7 views

VulnCheck KEV: CVE-2025-54251

Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an XML Injection vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to manipulate XML queries and gain limited unauthorized write access...

4.3CVSS5.8AI score0.01609EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2025/10/27 12:0 a.m.6 views

VulnCheck KEV: CVE-2020-7882

Using the parameter of getPFXFolderList function, attackers can see the information of authorization certification and delete the files. It occurs because the parameter contains path traversal charactersie. '../../../'...

9.1CVSS5.8AI score0.01209EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2025/10/27 12:0 a.m.25 views

VulnCheck KEV: CVE-2020-36723

The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Sensitive Data Exposure in versions before 2.6.1 via the /listingpro-plugin/functions.php file. This makes it possible for unauthenticated attackers to extract sensitive data including usernames, full names, email...

5.3CVSS5.8AI score0.01608EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2025/10/27 12:0 a.m.10 views

VulnCheck KEV: CVE-2025-6205

A missing authorization vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to gain privileged access to the application...

9.1CVSS5.8AI score0.71059EPSS
Exploits0References83
VulnCheck KEV
VulnCheck KEV
added 2025/10/27 12:0 a.m.6 views

VulnCheck KEV: CVE-2022-33896

A buffer underflow vulnerability exists in the way Hword of Hancom Office 2020 version 11.0.0.5357 parses XML-based office files. A specially-crafted malformed file can cause memory corruption by using memory before buffer start, which can lead to code execution. A victim would need to access a...

7.8CVSS6AI score0.00499EPSS
Exploits1References2
Total number of security vulnerabilities4985