Lucene search
K
Vulncheck KevRecent

4985 matches found

VulnCheck KEV
VulnCheck KEV
added 2025/05/13 12:0 a.m.8 views

VulnCheck KEV: CVE-2025-4427

Ivanti Endpoint Manager Mobile EPMM contains an authentication bypass vulnerability in the API component that allows an attacker to access protected resources without proper credentials via crafted API requests. This vulnerability results from an insecure implementation of the Spring...

7.5CVSS5.8AI score0.99891EPSS
Exploits8References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/13 12:0 a.m.8 views

VulnCheck KEV: CVE-2025-32709

Microsoft Windows Ancillary Function Driver for WinSock contains a use-after-free vulnerability that allows an authorized attacker to escalate privileges to administrator...

7.8CVSS5.8AI score0.01658EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/13 12:0 a.m.3 views

VulnCheck KEV: CVE-2025-32706

Microsoft Windows Common Log File System CLFS Driver contains a heap-based buffer overflow vulnerability that allows an authorized attacker to elevate privileges locally...

7.8CVSS6AI score0.02059EPSS
Exploits1References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/13 12:0 a.m.3 views

VulnCheck KEV: CVE-2024-46506

NetAlertX 23.01.14 through 24.x before 24.10.12 allows unauthenticated command injection via settings update because function=savesettings lacks an authentication requirement, as exploited in the wild in May 2025. This is related to settings.php and util.php...

10CVSS5.8AI score0.62307EPSS
Exploits5References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/13 12:0 a.m.6 views

VulnCheck KEV: CVE-2025-30397

Microsoft Windows Scripting Engine contains a type confusion vulnerability that allows an unauthorized attacker to execute code over a network via a specially crafted URL...

7.5CVSS5.9AI score0.21562EPSS
Exploits7References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/13 12:0 a.m.4 views

VulnCheck KEV: CVE-2025-32756

Fortinet FortiFone, FortiVoice, FortiNDR and FortiMail contain a stack-based overflow vulnerability that may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests...

9.8CVSS6.3AI score0.31419EPSS
Exploits3References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/13 12:0 a.m.7 views

VulnCheck KEV: CVE-2025-4428

Ivanti Endpoint Manager Mobile EPMM contains a code injection vulnerability in the API component that allows an authenticated attacker to remotely execute arbitrary code via crafted API requests. This vulnerability results from an insecure implementation of the Hibernate Validator open-source...

8.8CVSS6.1AI score0.83641EPSS
Exploits10References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/12 12:0 a.m.2 views

VulnCheck KEV: CVE-2024-48766

NetAlertX 24.7.18 before 24.10.12 allows unauthenticated file reading because an HTTP client can ignore a redirect, and because of factors related to strpos and directory traversal, as exploited in the wild in May 2025. This is related to components/logs.php...

8.6CVSS5.8AI score0.68076EPSS
Exploits1References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/12 12:0 a.m.5 views

VulnCheck KEV: CVE-2022-48164

An access control issue in the component /cgi-bin/ExportLogs.sh of Wavlink WL-WN533A8 M33A8.V5030.190716 allows unauthenticated attackers to download configuration data and log files and obtain admin credentials...

7.5CVSS5.8AI score0.03096EPSS
Exploits1References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/12 12:0 a.m.4 views

VulnCheck KEV: CVE-2025-27920

Srimax Output Messenger contains a directory traversal vulnerability that allows an attacker to access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access...

8.8CVSS5.9AI score0.01782EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/12 12:0 a.m.5 views

VulnCheck KEV: CVE-2022-47075

An issue was discovered in Smart Office Web 20.28 and earlier allows attackers to download sensitive information via the action name parameter to ExportEmployeeDetails.aspx, and to ExportReportingManager.aspx...

7.5CVSS5.8AI score0.59407EPSS
Exploits5References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/09 12:0 a.m.5 views

VulnCheck KEV: CVE-2019-20074

On Netis DL4323 devices, any user role can view sensitive information, such as a user password or the FTP password, via the form2saveConf.cgi page...

8.8CVSS5.8AI score0.01426EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/09 12:0 a.m.3 views

VulnCheck KEV: CVE-2024-11238

A vulnerability, which was classified as critical, was found in Landray EKP up to 16.0. This affects the function delPreviewFile of the file /sys/ui/sysuicomponent/sysUiComponent.do?method=delPreviewFile. The manipulation of the argument directoryPath leads to path traversal. It is possible...

6.9CVSS5.5AI score0.05597EPSS
Exploits1References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/09 12:0 a.m.4 views

VulnCheck KEV: CVE-2023-36144

An authentication bypass in Intelbras Switch SG 2404 MR in firmware 1.00.54 allows an unauthenticated attacker to download the backup file of the device, exposing critical information about the device configuration...

7.5CVSS5.8AI score0.39723EPSS
Exploits2References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/09 12:0 a.m.7 views

VulnCheck KEV: CVE-2024-57049

A vulnerability in the TP-Link Archer c20 router with firmware version V6.6230412 and earlier permits unauthorized individuals to bypass the authentication of some interfaces under the /cgi directory. When adding Referer: http://tplinkwifi.net to the the request, it will be recognized as passing...

9.8CVSS7.3AI score0.03211EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/08 12:0 a.m.5 views

VulnCheck KEV: CVE-2025-47445

Relative Path Traversal vulnerability in Themewinter Eventin allows Path Traversal.This issue affects Eventin: from n/a through 4.0.26...

9.8CVSS5.8AI score0.0465EPSS
Exploits1References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/08 12:0 a.m.5 views

VulnCheck KEV: CVE-2025-47730

The TeleMessage archiving backend through 2025-05-05 accepts API calls to request an authentication token from the TM SGNL aka Archive Signal app with the credentials of logfile for the user and enRR8UVVywXYbFkqUQDPRkO for the password...

7.5CVSS5.8AI score0.00323EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/08 12:0 a.m.5 views

VulnCheck KEV: CVE-2025-47729

TeleMessage TM SGNL contains a hidden functionality vulnerability in which the archiving backend holds cleartext copies of messages from TM SGNL application users...

4.9CVSS5.8AI score0.00394EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/07 12:0 a.m.6 views

VulnCheck KEV: CVE-2025-47539

A privilege escalation vulnerability is present in the Eventin plugin due to lack of permission checking in the /wp-json/eventin/v2/speakers/import REST API endpoint. This occurs when importing the user due to lack of permission validation of user roles...

5.8AI score0.3092EPSS
Exploits4References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/07 12:0 a.m.5 views

VulnCheck KEV: CVE-2025-32819

A vulnerability in SMA100 allows a remote authenticated attacker with SSLVPN user privileges to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings...

8.8CVSS5.9AI score0.06787EPSS
Exploits1References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/06 12:0 a.m.9 views

VulnCheck KEV: CVE-2025-4632

Samsung MagicINFO 9 Server contains a path traversal vulnerability that allows an attacker to write arbitrary file as system authority...

9.8CVSS5.9AI score0.23953EPSS
Exploits4References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/05 12:0 a.m.4 views

VulnCheck KEV: CVE-2025-2011

The Slider & Popup Builder by Depicter plugin for WordPress is vulnerable to generic SQL Injection via the ‘s' parameter in all versions up to, and including, 3.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...

7.5CVSS5.9AI score0.46435EPSS
Exploits6References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/05 12:0 a.m.6 views

VulnCheck KEV: CVE-2024-7399

Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1050 allows attackers to write arbitrary file as system authority...

8.8CVSS7.4AI score0.91941EPSS
Exploits3References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/04 12:0 a.m.5 views

VulnCheck KEV: CVE-2023-51833

A command injection issue in TRENDnet TEW-411BRPplus v.2.07eu that allows a local attacker to execute arbitrary code via the data1 parameter in the debug.cgi page...

8.1CVSS6.2AI score0.04429EPSS
Exploits1References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/03 12:0 a.m.4 views

VulnCheck KEV: CVE-2025-24016

Wazuh contains a deserialization of untrusted data vulnerability that allows for remote code execution on Wazuh servers...

9.9CVSS7.9AI score0.92579EPSS
Exploits10References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/02 12:0 a.m.5 views

VulnCheck KEV: CVE-2023-38950

ZKTeco BioTime contains a path traversal vulnerability in the iclock API that allows an unauthenticated attacker to read arbitrary files via supplying a crafted payload...

7.5CVSS5.9AI score0.8488EPSS
Exploits3References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/02 12:0 a.m.5 views

VulnCheck KEV: CVE-2023-38952

Insecure access control in ZKTeco BioTime through 9.0.1 allows authenticated attackers to escalate their privileges due to the fact that session ids are not validated for the type of user accessing the application by default. Privilege restrictions between non-admin and admin users are not...

7.5CVSS5.8AI score0.02438EPSS
Exploits2References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/02 12:0 a.m.3 views

VulnCheck KEV: CVE-2025-4210

A vulnerability classified as critical was found in Casdoor up to 1.811.0. This vulnerability affects the function HandleScim of the file controllers/scim.go of the component SCIM User Creation Endpoint. The manipulation leads to authorization bypass. The attack can be initiated remotely...

7.5CVSS5.4AI score0.01813EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/02 12:0 a.m.4 views

VulnCheck KEV: CVE-2025-4131

The GmapsMania plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's gmap shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...

6.4CVSS5.8AI score0.00197EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/05/02 12:0 a.m.4 views

VulnCheck KEV: CVE-2023-38951

ZKTeco BioTime 8.5.5 through 9.x before 9.0.1 20240617.19506 allows authenticated attackers to create or overwrite arbitrary files on the server via crafted requests to /base/sftpsetting/ endpoints that abuse a path traversal issue in the Username field and a lack of input sanitization on the...

9.8CVSS5.9AI score0.03197EPSS
Exploits2References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/30 12:0 a.m.5 views

VulnCheck KEV: CVE-2025-27007

Incorrect Privilege Assignment vulnerability in Brainstorm Force OttoKit suretriggers allows Privilege Escalation.This issue affects OttoKit: from n/a through = 1.0.82...

9.8CVSS5.8AI score0.5088EPSS
Exploits3References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/30 12:0 a.m.4 views

VulnCheck KEV: CVE-2025-34028

Commvault Command Center contains a path traversal vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code...

10CVSS6AI score0.97157EPSS
Exploits5References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/29 12:0 a.m.2 views

VulnCheck KEV: CVE-2023-44221

SonicWall SMA100 appliances contain an OS command injection vulnerability in the SSL-VPN management interface that allows a remote, authenticated attacker with administrative privilege to inject arbitrary commands as a 'nobody' user...

7.2CVSS6AI score0.74933EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/29 12:0 a.m.3 views

VulnCheck KEV: CVE-2025-3929

An XSS issue was discovered in MDaemon Email Server version 25.0.1 and below. An attacker can send a specially crafted HTML e-mail message with JavaScript in an img tag. This could allow a remote attacker to load arbitrary JavaScript code in the context of a webmail user's browser window, and...

6.1CVSS6AI score0.00474EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/29 12:0 a.m.6 views

VulnCheck KEV: CVE-2019-17050

An issue was discovered in the Voyager package through 1.2.7 for Laravel. An attacker with admin privileges and Compass access can read or delete arbitrary files, such as the .env file. NOTE: a software maintainer has suggested a solution in which Compass is switched off in a production environme...

7.2CVSS5.9AI score0.01253EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/29 12:0 a.m.5 views

VulnCheck KEV: CVE-2021-27162

An issue was discovered on FiberHome HG6245D devices through RP2613. The web daemon contains the hardcoded user / tattoo@home credentials for an ISP...

9.8CVSS5.8AI score0.26847EPSS
Exploits1References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/29 12:0 a.m.4 views

VulnCheck KEV: CVE-2021-41714

In Tipask 3.5.9, path parameters entered by the user are not validated when downloading attachments, a registered user can download arbitrary files on the Tipask server such as .env, /etc/passwd, laravel.log, causing infomation leakage...

7.7CVSS5.9AI score0.00603EPSS
Exploits1References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/29 12:0 a.m.4 views

VulnCheck KEV: CVE-2017-16894

In Laravel framework through 5.5.21, remote attackers can obtain sensitive information such as externally usable passwords via a direct request for the /.env URI. NOTE: this CVE is only about Laravel framework's writeNewEnvironmentFileWith function in...

7.5CVSS5.8AI score0.8703EPSS
Exploits4References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/29 12:0 a.m.5 views

VulnCheck KEV: CVE-2024-38475

Apache HTTP Server contains an improper escaping of output vulnerability in modrewrite that allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code...

9.1CVSS6.2AI score0.99957EPSS
Exploits1References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/28 12:0 a.m.2 views

VulnCheck KEV: CVE-2025-30208

Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. @fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content...

7.5CVSS7.1AI score0.74998EPSS
Exploits28References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/27 12:0 a.m.7 views

VulnCheck KEV: CVE-2025-42999

SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content...

9.1CVSS5.8AI score0.11222EPSS
Exploits3References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/23 12:0 a.m.3 views

VulnCheck KEV: CVE-2020-3529

A vulnerability in the SSL VPN negotiation process for Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an unauthenticated, remote attacker to cause a reload of an affected device, resulting in a denial of service DoS condition...

8.6CVSS7.3AI score0.01833EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/23 12:0 a.m.4 views

VulnCheck KEV: CVE-2024-9234

The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the installandactivatepluginfromexternal function install-active-plugin REST API endpoint in all...

9.8CVSS5.9AI score0.10429EPSS
Exploits3References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/23 12:0 a.m.7 views

VulnCheck KEV: CVE-2024-4295

The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘hash’ parameter in all versions up to, and including, 5.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...

9.8CVSS5.9AI score0.10161EPSS
Exploits1References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/22 12:0 a.m.2 views

VulnCheck KEV: CVE-2025-31324

SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries...

10CVSS7.2AI score0.99359EPSS
Exploits18References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/22 12:0 a.m.5 views

VulnCheck KEV: CVE-2017-9844

SAP NetWeaver 7400.12.21.30308 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object in a request to metadatauploader, aka SAP Security Note 2399804. NOTE: The vendor states that the devserver package of Visual Composer...

7.5CVSS7.6AI score0.05513EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/21 12:0 a.m.3 views

VulnCheck KEV: CVE-2022-26187

TOTOLINK N600R V4.3.0cu.7570B20200620 was discovered to contain a command injection vulnerability via the pingCheck function...

9.8CVSS7.3AI score0.19579EPSS
Exploits1References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/19 12:0 a.m.2 views

VulnCheck KEV: CVE-2022-28912

TOTOLink N600R V5.3c.7159B20190425 was discovered to contain a command injection vulnerability via the filename parameter in /setting/setUpgradeFW...

10CVSS7.3AI score0.02492EPSS
Exploits1References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/18 12:0 a.m.2 views

VulnCheck KEV: CVE-2025-42599

Qualitia Active! Mail contains a stack-based buffer overflow vulnerability that allows a remote, unauthenticated attacker to execute arbitrary or trigger a denial-of-service via a specially crafted request...

9.8CVSS6.5AI score0.0302EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/18 12:0 a.m.6 views

VulnCheck KEV: CVE-2025-32432

Craft CMS contains a code injection vulnerability that allows a remote attacker to execute arbitrary code...

10CVSS7.6AI score0.99803EPSS
Exploits14References1
Total number of security vulnerabilities4985