Lucene search
K
Vulncheck KevRecent

4985 matches found

VulnCheck KEV
VulnCheck KEV
added 2025/04/17 12:0 a.m.5 views

VulnCheck KEV: CVE-2024-57726

SimpleHelp remote support software v5.5.7 and before has a vulnerability that allows low-privileges technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role...

9.9CVSS7.3AI score0.09328EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/17 12:0 a.m.8 views

VulnCheck KEV: CVE-2025-24799

GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 10.0.18...

9.8CVSS5.9AI score0.86182EPSS
Exploits5References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/17 12:0 a.m.5 views

VulnCheck KEV: CVE-2025-1976

Broadcom Brocade Fabric OS contains a code injection vulnerability that allows a local user with administrative privileges to execute arbitrary code with full root privileges...

8.6CVSS7.6AI score0.00736EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/17 12:0 a.m.4 views

VulnCheck KEV: CVE-2024-57728

SimpleHelp remote support software v5.5.7 and before allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file i.e. zip slip. This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user...

7.2CVSS7.6AI score0.07549EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/16 12:0 a.m.3 views

VulnCheck KEV: CVE-2025-24054

Microsoft Windows NTLM contains an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over a network...

6.5CVSS7.2AI score0.58974EPSS
Exploits20References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/16 12:0 a.m.3 views

VulnCheck KEV: CVE-2025-31201

Apple iOS, iPadOS, macOS, and other Apple products contain an arbitrary read and write vulnerability that allows an attacker to bypass Pointer Authentication...

9.8CVSS5.9AI score0.12763EPSS
Exploits4References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/16 12:0 a.m.5 views

VulnCheck KEV: CVE-2025-31200

Apple iOS, iPadOS, macOS, and other Apple products contain a memory corruption vulnerability that allows for code execution when processing an audio stream in a maliciously crafted media file...

9.8CVSS6.2AI score0.21922EPSS
Exploits6References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/15 12:0 a.m.3 views

VulnCheck KEV: CVE-2021-20035

SonicWall SMA100 appliances contain an OS command injection vulnerability in the management interface that allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user, which could potentially lead to code execution...

6.8CVSS6.1AI score0.0389EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/14 12:0 a.m.3 views

VulnCheck KEV: CVE-2024-13979

A SQL injection vulnerability exists in the St. Joe ERP system "圣乔ERP系统" that allows unauthenticated remote attackers to execute arbitrary SQL commands via crafted HTTP POST requests to the login endpoint. The application fails to properly sanitize user-supplied input before incorporating it...

9.8CVSS6.2AI score0.02899EPSS
Exploits1References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/12 12:0 a.m.3 views

VulnCheck KEV: CVE-2025-3248

Langflow contains a missing authentication vulnerability in the /api/v1/validate/code endpoint that allows a remote, unauthenticated attacker to execute arbitrary code via crafted HTTP requests...

9.8CVSS6.2AI score0.99972EPSS
Exploits33References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/11 12:0 a.m.4 views

VulnCheck KEV: CVE-2025-2636

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.1.0.85 via the 'instawp-database-manager' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary...

9.8CVSS5.8AI score0.10305EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/09 12:0 a.m.5 views

VulnCheck KEV: CVE-2024-38023

Microsoft SharePoint Server Remote Code Execution Vulnerability...

7.2CVSS7.4AI score0.5318EPSS
Exploits1References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/09 12:0 a.m.8 views

VulnCheck KEV: CVE-2025-3102

The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secretkey' value in the 'autheticateuser' function in all versions up to, and including,...

8.1CVSS5.8AI score0.76126EPSS
Exploits8References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/09 12:0 a.m.3 views

VulnCheck KEV: CVE-2024-58136

Yii Framework contains an improper protection of alternate path vulnerability that may allow a remote attacker to execute arbitrary code. This vulnerability could affect other products that implement Yii, including—but not limited to—Craft CMS, as represented by CVE-2025-32432...

10CVSS7.5AI score0.99803EPSS
Exploits15References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/09 12:0 a.m.3 views

VulnCheck KEV: CVE-2024-38024

Microsoft SharePoint Server Remote Code Execution Vulnerability...

7.2CVSS7.4AI score0.45495EPSS
Exploits1References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/08 12:0 a.m.5 views

VulnCheck KEV: CVE-2025-29824

Microsoft Windows Common Log File System CLFS Driver contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally...

7.8CVSS7.2AI score0.1806EPSS
Exploits4References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/07 12:0 a.m.4 views

VulnCheck KEV: CVE-2021-36276

Dell DBUtilDrv2.sys driver versions 2.5 and 2.6 contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required...

8.8CVSS7.3AI score0.00269EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/07 12:0 a.m.4 views

VulnCheck KEV: CVE-2025-27636

Bypass/Injection vulnerability in Apache Camel components under particular conditions. This issue affects Apache Camel: from 4.10.0 through = 4.10.1, from 4.8.0 through = 4.8.4, from 3.10.0 through = 3.22.3. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS...

5.6CVSS5.8AI score0.79817EPSS
Exploits3References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/07 12:0 a.m.3 views

VulnCheck KEV: CVE-2024-11859

DLL Search Order Hijacking vulnerability potentially allowed an attacker with administrator privileges to load a malicious dynamic-link library and execute its code...

8.4CVSS7.3AI score0.01802EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/04 12:0 a.m.4 views

VulnCheck KEV: CVE-2025-2907

The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to the Order Delivery Date WordPress plugin before 12.3.1. This leads to attackers being able to...

9.8CVSS5.8AI score0.01286EPSS
Exploits2References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/04 12:0 a.m.2 views

VulnCheck KEV: CVE-2025-30406

Gladinet CentreStack and Triofox contains a use of hard-coded cryptographic key vulnerability in the way that the application manages keys used for ViewState integrity verification. Successful exploitation allows an attacker to forge ViewState payloads for server-side deserialization, allowing...

9.8CVSS5.8AI score0.93842EPSS
Exploits6References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/04 12:0 a.m.6 views

VulnCheck KEV: CVE-2025-2075

The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.3.0.2. This is due to addrole and userrole functions missing proper capability checks performed through the...

8.8CVSS5.8AI score0.02474EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/03 12:0 a.m.3 views

VulnCheck KEV: CVE-2025-24071

Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network...

6.5CVSS7.1AI score0.25068EPSS
Exploits21References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/03 12:0 a.m.4 views

VulnCheck KEV: CVE-2024-20666

BitLocker Security Feature Bypass Vulnerability...

6.6CVSS5.8AI score0.03078EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/03 12:0 a.m.5 views

VulnCheck KEV: CVE-2025-22457

Ivanti Connect Secure, Policy Secure, and ZTA Gateways contains a stack-based buffer overflow vulnerability that allows a remote unauthenticated attacker to achieve remote code execution...

9.8CVSS7.9AI score0.99979EPSS
Exploits7References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/03 12:0 a.m.5 views

VulnCheck KEV: CVE-2025-24061

Protection mechanism failure in Windows Mark of the Web MOTW allows an unauthorized attacker to bypass a security feature locally...

7.8CVSS7.2AI score0.0113EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/04/01 12:0 a.m.3 views

VulnCheck KEV: CVE-2025-31082

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in InfornWeb News & Blog Designer Pack blog-designer-pack allows PHP Local File Inclusion.This issue affects News & Blog Designer Pack: from n/a through = 4.0...

8.1CVSS5.8AI score0.00795EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/03/31 12:0 a.m.3 views

VulnCheck KEV: CVE-2023-31478

An issue was discovered on GL.iNet devices before 3.216. An API endpoint reveals information about the Wi-Fi configuration, including the SSID and key...

7.5CVSS5.8AI score0.29699EPSS
Exploits1References1
VulnCheck KEV
VulnCheck KEV
added 2025/03/31 12:0 a.m.2 views

VulnCheck KEV: CVE-2022-20933

A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z3 Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a denial of service DoS condition on an affected device. This vulnerability is due to insufficient validation of...

8.6CVSS5.8AI score0.00992EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/03/31 12:0 a.m.4 views

VulnCheck KEV: CVE-2025-26319

FlowiseAI Flowise v2.2.6 was discovered to contain an arbitrary file upload vulnerability in /api/v1/attachments...

9.8CVSS5.9AI score0.50789EPSS
Exploits1References1
VulnCheck KEV
VulnCheck KEV
added 2025/03/30 12:0 a.m.6 views

VulnCheck KEV: CVE-2025-2825

Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2025-31161. Reason: This Record is a reservation duplicate of CVE-2025-31161. Notes: All CVE users should reference CVE-2025-31161 instead of this Record. All references and descriptions in this Record have been removed to prevent...

9.8CVSS7.3AI score0.99947EPSS
Exploits22References1
VulnCheck KEV
VulnCheck KEV
added 2025/03/28 12:0 a.m.5 views

VulnCheck KEV: CVE-2025-31103

A-blog CMS contains an untrusted data deserialization vulnerability that if successfully exploited can be leveraged to execute an arbitrary script on the server...

7.5CVSS6AI score0.00474EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/03/28 12:0 a.m.8 views

VulnCheck KEV: CVE-2025-29927

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching...

9.1CVSS7.3AI score0.99621EPSS
Exploits58References1
VulnCheck KEV
VulnCheck KEV
added 2025/03/27 12:0 a.m.3 views

VulnCheck KEV: CVE-2025-2294

The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via thekubiohybridthemeloadtemplate function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing...

9.8CVSS6AI score0.76761EPSS
Exploits12References1
VulnCheck KEV
VulnCheck KEV
added 2025/03/27 12:0 a.m.5 views

VulnCheck KEV: CVE-2025-27218

Sitecore Experience Manager XM and Experience Platform XP 10.4 before KB1002844 allow remote code execution through insecure deserialization...

5.3CVSS6.4AI score0.6356EPSS
Exploits4References1
VulnCheck KEV
VulnCheck KEV
added 2025/03/27 12:0 a.m.2 views

VulnCheck KEV: CVE-2025-2485

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8.7 via deserialization of untrusted input from the 'dnduploadcf7upload' function. This makes it possible for attackers to inject a...

8.8CVSS5.8AI score0.00538EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/03/27 12:0 a.m.4 views

VulnCheck KEV: CVE-2024-8353

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1 via deserialization of untrusted input via several parameters like 'givetitle' and 'cardaddress'. This makes it possible for...

10CVSS5.8AI score0.28931EPSS
Exploits3References1
VulnCheck KEV
VulnCheck KEV
added 2025/03/26 12:0 a.m.3 views

VulnCheck KEV: CVE-2019-9874

Sitecore CMS and Experience Platform XP contain a deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter CSRFTOKEN...

9.8CVSS7.7AI score0.83857EPSS
Exploits1References1
VulnCheck KEV
VulnCheck KEV
added 2025/03/26 12:0 a.m.4 views

VulnCheck KEV: CVE-2019-9875

Sitecore CMS and Experience Platform XP contain a deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter CSRFTOKEN...

8.8CVSS7.7AI score0.14154EPSS
Exploits1References1
VulnCheck KEV
VulnCheck KEV
added 2025/03/26 12:0 a.m.2 views

VulnCheck KEV: CVE-2025-30355

Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known...

7.5CVSS5.7AI score0.01157EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/03/25 12:0 a.m.3 views

VulnCheck KEV: CVE-2021-35402

A vulnerability is present in Prolink PRC2402M that could allow unauthenticated remote adversaries to inject commands due to improper checks on input supplied to 'liveapi.cgi'...

10CVSS5.9AI score0.00955EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/03/25 12:0 a.m.2 views

VulnCheck KEV: CVE-2025-2783

Google Chromium Mojo on Windows contains a sandbox escape vulnerability caused by a logic error, which results from an incorrect handle being provided in unspecified circumstances. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google...

8.3CVSS7.3AI score0.08404EPSS
Exploits6References1
VulnCheck KEV
VulnCheck KEV
added 2025/03/25 12:0 a.m.6 views

VulnCheck KEV: CVE-2025-2563

The User Registration & Membership WordPress plugin before 4.1.2 does not prevent users to set their account role when the Membership Addon is enabled, leading to a privilege escalation issue and allowing unauthenticated users to gain admin privileges...

8.1CVSS5.8AI score0.44565EPSS
Exploits7References1
VulnCheck KEV
VulnCheck KEV
added 2025/03/24 12:0 a.m.5 views

VulnCheck KEV: CVE-2025-30154

reviewdog action-setup GitHub Action contains an embedded malicious code vulnerability that dumps exposed secrets to Github Actions Workflow Logs...

8.6CVSS5.8AI score0.02296EPSS
Exploits2References1
VulnCheck KEV
VulnCheck KEV
added 2025/03/21 12:0 a.m.5 views

VulnCheck KEV: CVE-2025-30349

Horde IMP through 6.2.27, as used with Horde Application Framework through 5.2.23, allows XSS that leads to account takeover via a crafted text/html e-mail message with an onerror attribute that may use base64-encoded JavaScript code, as exploited in the wild in March 2025...

7.2CVSS5.8AI score0.30164EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/03/21 12:0 a.m.4 views

VulnCheck KEV: CVE-2025-2609

Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling login logging allows unauthenticated users to store HTML content in the viewable log component accessible at /mbilling/index.php/logUsers/read" cross-site scripting This vulnerability is...

8.2CVSS5.7AI score0.01098EPSS
Exploits1References1
VulnCheck KEV
VulnCheck KEV
added 2025/03/21 12:0 a.m.6 views

VulnCheck KEV: CVE-2025-2610

Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling Alarm Module modules allows authenticated stored cross-site scripting. This vulnerability is associated with program files protected/components/MagnusLog.Php. This issue affects...

7.6CVSS5.4AI score0.00896EPSS
Exploits1References1
VulnCheck KEV
VulnCheck KEV
added 2025/03/19 12:0 a.m.3 views

VulnCheck KEV: CVE-2024-47374

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Stored XSS.This issue affects LiteSpeed Cache: from n/a through = 6.5.0.2...

7.1CVSS5.8AI score0.0141EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2025/03/19 12:0 a.m.9 views

VulnCheck KEV: CVE-2024-8503

An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database...

9.8CVSS5.9AI score0.80023EPSS
Exploits10References1
VulnCheck KEV
VulnCheck KEV
added 2025/03/19 12:0 a.m.3 views

VulnCheck KEV: CVE-2024-3807

The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via 'portopageheadershortcodetype', 'slideshowtype' and 'postlayout' post meta. This makes it possible for authenticated attackers, with contributor-level and above permissions,...

8.8CVSS5.8AI score0.01538EPSS
Exploits0References1
Total number of security vulnerabilities4985