4985 matches found
VulnCheck KEV: CVE-2025-4427
Ivanti Endpoint Manager Mobile EPMM contains an authentication bypass vulnerability in the API component that allows an attacker to access protected resources without proper credentials via crafted API requests. This vulnerability results from an insecure implementation of the Spring...
VulnCheck KEV: CVE-2025-32709
Microsoft Windows Ancillary Function Driver for WinSock contains a use-after-free vulnerability that allows an authorized attacker to escalate privileges to administrator...
VulnCheck KEV: CVE-2025-32706
Microsoft Windows Common Log File System CLFS Driver contains a heap-based buffer overflow vulnerability that allows an authorized attacker to elevate privileges locally...
VulnCheck KEV: CVE-2024-46506
NetAlertX 23.01.14 through 24.x before 24.10.12 allows unauthenticated command injection via settings update because function=savesettings lacks an authentication requirement, as exploited in the wild in May 2025. This is related to settings.php and util.php...
VulnCheck KEV: CVE-2025-30397
Microsoft Windows Scripting Engine contains a type confusion vulnerability that allows an unauthorized attacker to execute code over a network via a specially crafted URL...
VulnCheck KEV: CVE-2025-32756
Fortinet FortiFone, FortiVoice, FortiNDR and FortiMail contain a stack-based overflow vulnerability that may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests...
VulnCheck KEV: CVE-2025-4428
Ivanti Endpoint Manager Mobile EPMM contains a code injection vulnerability in the API component that allows an authenticated attacker to remotely execute arbitrary code via crafted API requests. This vulnerability results from an insecure implementation of the Hibernate Validator open-source...
VulnCheck KEV: CVE-2024-48766
NetAlertX 24.7.18 before 24.10.12 allows unauthenticated file reading because an HTTP client can ignore a redirect, and because of factors related to strpos and directory traversal, as exploited in the wild in May 2025. This is related to components/logs.php...
VulnCheck KEV: CVE-2022-48164
An access control issue in the component /cgi-bin/ExportLogs.sh of Wavlink WL-WN533A8 M33A8.V5030.190716 allows unauthenticated attackers to download configuration data and log files and obtain admin credentials...
VulnCheck KEV: CVE-2025-27920
Srimax Output Messenger contains a directory traversal vulnerability that allows an attacker to access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access...
VulnCheck KEV: CVE-2022-47075
An issue was discovered in Smart Office Web 20.28 and earlier allows attackers to download sensitive information via the action name parameter to ExportEmployeeDetails.aspx, and to ExportReportingManager.aspx...
VulnCheck KEV: CVE-2019-20074
On Netis DL4323 devices, any user role can view sensitive information, such as a user password or the FTP password, via the form2saveConf.cgi page...
VulnCheck KEV: CVE-2024-11238
A vulnerability, which was classified as critical, was found in Landray EKP up to 16.0. This affects the function delPreviewFile of the file /sys/ui/sysuicomponent/sysUiComponent.do?method=delPreviewFile. The manipulation of the argument directoryPath leads to path traversal. It is possible...
VulnCheck KEV: CVE-2023-36144
An authentication bypass in Intelbras Switch SG 2404 MR in firmware 1.00.54 allows an unauthenticated attacker to download the backup file of the device, exposing critical information about the device configuration...
VulnCheck KEV: CVE-2024-57049
A vulnerability in the TP-Link Archer c20 router with firmware version V6.6230412 and earlier permits unauthorized individuals to bypass the authentication of some interfaces under the /cgi directory. When adding Referer: http://tplinkwifi.net to the the request, it will be recognized as passing...
VulnCheck KEV: CVE-2025-47445
Relative Path Traversal vulnerability in Themewinter Eventin allows Path Traversal.This issue affects Eventin: from n/a through 4.0.26...
VulnCheck KEV: CVE-2025-47730
The TeleMessage archiving backend through 2025-05-05 accepts API calls to request an authentication token from the TM SGNL aka Archive Signal app with the credentials of logfile for the user and enRR8UVVywXYbFkqUQDPRkO for the password...
VulnCheck KEV: CVE-2025-47729
TeleMessage TM SGNL contains a hidden functionality vulnerability in which the archiving backend holds cleartext copies of messages from TM SGNL application users...
VulnCheck KEV: CVE-2025-47539
A privilege escalation vulnerability is present in the Eventin plugin due to lack of permission checking in the /wp-json/eventin/v2/speakers/import REST API endpoint. This occurs when importing the user due to lack of permission validation of user roles...
VulnCheck KEV: CVE-2025-32819
A vulnerability in SMA100 allows a remote authenticated attacker with SSLVPN user privileges to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings...
VulnCheck KEV: CVE-2025-4632
Samsung MagicINFO 9 Server contains a path traversal vulnerability that allows an attacker to write arbitrary file as system authority...
VulnCheck KEV: CVE-2025-2011
The Slider & Popup Builder by Depicter plugin for WordPress is vulnerable to generic SQL Injection via the ‘s' parameter in all versions up to, and including, 3.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...
VulnCheck KEV: CVE-2024-7399
Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1050 allows attackers to write arbitrary file as system authority...
VulnCheck KEV: CVE-2023-51833
A command injection issue in TRENDnet TEW-411BRPplus v.2.07eu that allows a local attacker to execute arbitrary code via the data1 parameter in the debug.cgi page...
VulnCheck KEV: CVE-2025-24016
Wazuh contains a deserialization of untrusted data vulnerability that allows for remote code execution on Wazuh servers...
VulnCheck KEV: CVE-2023-38950
ZKTeco BioTime contains a path traversal vulnerability in the iclock API that allows an unauthenticated attacker to read arbitrary files via supplying a crafted payload...
VulnCheck KEV: CVE-2023-38952
Insecure access control in ZKTeco BioTime through 9.0.1 allows authenticated attackers to escalate their privileges due to the fact that session ids are not validated for the type of user accessing the application by default. Privilege restrictions between non-admin and admin users are not...
VulnCheck KEV: CVE-2025-4210
A vulnerability classified as critical was found in Casdoor up to 1.811.0. This vulnerability affects the function HandleScim of the file controllers/scim.go of the component SCIM User Creation Endpoint. The manipulation leads to authorization bypass. The attack can be initiated remotely...
VulnCheck KEV: CVE-2025-4131
The GmapsMania plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's gmap shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...
VulnCheck KEV: CVE-2023-38951
ZKTeco BioTime 8.5.5 through 9.x before 9.0.1 20240617.19506 allows authenticated attackers to create or overwrite arbitrary files on the server via crafted requests to /base/sftpsetting/ endpoints that abuse a path traversal issue in the Username field and a lack of input sanitization on the...
VulnCheck KEV: CVE-2025-27007
Incorrect Privilege Assignment vulnerability in Brainstorm Force OttoKit suretriggers allows Privilege Escalation.This issue affects OttoKit: from n/a through = 1.0.82...
VulnCheck KEV: CVE-2025-34028
Commvault Command Center contains a path traversal vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code...
VulnCheck KEV: CVE-2023-44221
SonicWall SMA100 appliances contain an OS command injection vulnerability in the SSL-VPN management interface that allows a remote, authenticated attacker with administrative privilege to inject arbitrary commands as a 'nobody' user...
VulnCheck KEV: CVE-2025-3929
An XSS issue was discovered in MDaemon Email Server version 25.0.1 and below. An attacker can send a specially crafted HTML e-mail message with JavaScript in an img tag. This could allow a remote attacker to load arbitrary JavaScript code in the context of a webmail user's browser window, and...
VulnCheck KEV: CVE-2019-17050
An issue was discovered in the Voyager package through 1.2.7 for Laravel. An attacker with admin privileges and Compass access can read or delete arbitrary files, such as the .env file. NOTE: a software maintainer has suggested a solution in which Compass is switched off in a production environme...
VulnCheck KEV: CVE-2021-27162
An issue was discovered on FiberHome HG6245D devices through RP2613. The web daemon contains the hardcoded user / tattoo@home credentials for an ISP...
VulnCheck KEV: CVE-2021-41714
In Tipask 3.5.9, path parameters entered by the user are not validated when downloading attachments, a registered user can download arbitrary files on the Tipask server such as .env, /etc/passwd, laravel.log, causing infomation leakage...
VulnCheck KEV: CVE-2017-16894
In Laravel framework through 5.5.21, remote attackers can obtain sensitive information such as externally usable passwords via a direct request for the /.env URI. NOTE: this CVE is only about Laravel framework's writeNewEnvironmentFileWith function in...
VulnCheck KEV: CVE-2024-38475
Apache HTTP Server contains an improper escaping of output vulnerability in modrewrite that allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code...
VulnCheck KEV: CVE-2025-30208
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. @fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content...
VulnCheck KEV: CVE-2025-42999
SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content...
VulnCheck KEV: CVE-2020-3529
A vulnerability in the SSL VPN negotiation process for Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an unauthenticated, remote attacker to cause a reload of an affected device, resulting in a denial of service DoS condition...
VulnCheck KEV: CVE-2024-9234
The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the installandactivatepluginfromexternal function install-active-plugin REST API endpoint in all...
VulnCheck KEV: CVE-2024-4295
The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘hash’ parameter in all versions up to, and including, 5.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...
VulnCheck KEV: CVE-2025-31324
SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries...
VulnCheck KEV: CVE-2017-9844
SAP NetWeaver 7400.12.21.30308 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object in a request to metadatauploader, aka SAP Security Note 2399804. NOTE: The vendor states that the devserver package of Visual Composer...
VulnCheck KEV: CVE-2022-26187
TOTOLINK N600R V4.3.0cu.7570B20200620 was discovered to contain a command injection vulnerability via the pingCheck function...
VulnCheck KEV: CVE-2022-28912
TOTOLink N600R V5.3c.7159B20190425 was discovered to contain a command injection vulnerability via the filename parameter in /setting/setUpgradeFW...
VulnCheck KEV: CVE-2025-42599
Qualitia Active! Mail contains a stack-based buffer overflow vulnerability that allows a remote, unauthenticated attacker to execute arbitrary or trigger a denial-of-service via a specially crafted request...
VulnCheck KEV: CVE-2025-32432
Craft CMS contains a code injection vulnerability that allows a remote attacker to execute arbitrary code...