4985 matches found
VulnCheck KEV: CVE-2024-57726
SimpleHelp remote support software v5.5.7 and before has a vulnerability that allows low-privileges technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role...
VulnCheck KEV: CVE-2025-24799
GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 10.0.18...
VulnCheck KEV: CVE-2025-1976
Broadcom Brocade Fabric OS contains a code injection vulnerability that allows a local user with administrative privileges to execute arbitrary code with full root privileges...
VulnCheck KEV: CVE-2024-57728
SimpleHelp remote support software v5.5.7 and before allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file i.e. zip slip. This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user...
VulnCheck KEV: CVE-2025-24054
Microsoft Windows NTLM contains an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over a network...
VulnCheck KEV: CVE-2025-31201
Apple iOS, iPadOS, macOS, and other Apple products contain an arbitrary read and write vulnerability that allows an attacker to bypass Pointer Authentication...
VulnCheck KEV: CVE-2025-31200
Apple iOS, iPadOS, macOS, and other Apple products contain a memory corruption vulnerability that allows for code execution when processing an audio stream in a maliciously crafted media file...
VulnCheck KEV: CVE-2021-20035
SonicWall SMA100 appliances contain an OS command injection vulnerability in the management interface that allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user, which could potentially lead to code execution...
VulnCheck KEV: CVE-2024-13979
A SQL injection vulnerability exists in the St. Joe ERP system "圣乔ERP系统" that allows unauthenticated remote attackers to execute arbitrary SQL commands via crafted HTTP POST requests to the login endpoint. The application fails to properly sanitize user-supplied input before incorporating it...
VulnCheck KEV: CVE-2025-3248
Langflow contains a missing authentication vulnerability in the /api/v1/validate/code endpoint that allows a remote, unauthenticated attacker to execute arbitrary code via crafted HTTP requests...
VulnCheck KEV: CVE-2025-2636
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.1.0.85 via the 'instawp-database-manager' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary...
VulnCheck KEV: CVE-2024-38023
Microsoft SharePoint Server Remote Code Execution Vulnerability...
VulnCheck KEV: CVE-2025-3102
The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secretkey' value in the 'autheticateuser' function in all versions up to, and including,...
VulnCheck KEV: CVE-2024-58136
Yii Framework contains an improper protection of alternate path vulnerability that may allow a remote attacker to execute arbitrary code. This vulnerability could affect other products that implement Yii, including—but not limited to—Craft CMS, as represented by CVE-2025-32432...
VulnCheck KEV: CVE-2024-38024
Microsoft SharePoint Server Remote Code Execution Vulnerability...
VulnCheck KEV: CVE-2025-29824
Microsoft Windows Common Log File System CLFS Driver contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally...
VulnCheck KEV: CVE-2021-36276
Dell DBUtilDrv2.sys driver versions 2.5 and 2.6 contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required...
VulnCheck KEV: CVE-2025-27636
Bypass/Injection vulnerability in Apache Camel components under particular conditions. This issue affects Apache Camel: from 4.10.0 through = 4.10.1, from 4.8.0 through = 4.8.4, from 3.10.0 through = 3.22.3. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS...
VulnCheck KEV: CVE-2024-11859
DLL Search Order Hijacking vulnerability potentially allowed an attacker with administrator privileges to load a malicious dynamic-link library and execute its code...
VulnCheck KEV: CVE-2025-2907
The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to the Order Delivery Date WordPress plugin before 12.3.1. This leads to attackers being able to...
VulnCheck KEV: CVE-2025-30406
Gladinet CentreStack and Triofox contains a use of hard-coded cryptographic key vulnerability in the way that the application manages keys used for ViewState integrity verification. Successful exploitation allows an attacker to forge ViewState payloads for server-side deserialization, allowing...
VulnCheck KEV: CVE-2025-2075
The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.3.0.2. This is due to addrole and userrole functions missing proper capability checks performed through the...
VulnCheck KEV: CVE-2025-24071
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network...
VulnCheck KEV: CVE-2024-20666
BitLocker Security Feature Bypass Vulnerability...
VulnCheck KEV: CVE-2025-22457
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contains a stack-based buffer overflow vulnerability that allows a remote unauthenticated attacker to achieve remote code execution...
VulnCheck KEV: CVE-2025-24061
Protection mechanism failure in Windows Mark of the Web MOTW allows an unauthorized attacker to bypass a security feature locally...
VulnCheck KEV: CVE-2025-31082
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in InfornWeb News & Blog Designer Pack blog-designer-pack allows PHP Local File Inclusion.This issue affects News & Blog Designer Pack: from n/a through = 4.0...
VulnCheck KEV: CVE-2023-31478
An issue was discovered on GL.iNet devices before 3.216. An API endpoint reveals information about the Wi-Fi configuration, including the SSID and key...
VulnCheck KEV: CVE-2022-20933
A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z3 Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a denial of service DoS condition on an affected device. This vulnerability is due to insufficient validation of...
VulnCheck KEV: CVE-2025-26319
FlowiseAI Flowise v2.2.6 was discovered to contain an arbitrary file upload vulnerability in /api/v1/attachments...
VulnCheck KEV: CVE-2025-2825
Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2025-31161. Reason: This Record is a reservation duplicate of CVE-2025-31161. Notes: All CVE users should reference CVE-2025-31161 instead of this Record. All references and descriptions in this Record have been removed to prevent...
VulnCheck KEV: CVE-2025-31103
A-blog CMS contains an untrusted data deserialization vulnerability that if successfully exploited can be leveraged to execute an arbitrary script on the server...
VulnCheck KEV: CVE-2025-29927
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching...
VulnCheck KEV: CVE-2025-2294
The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via thekubiohybridthemeloadtemplate function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing...
VulnCheck KEV: CVE-2025-27218
Sitecore Experience Manager XM and Experience Platform XP 10.4 before KB1002844 allow remote code execution through insecure deserialization...
VulnCheck KEV: CVE-2025-2485
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8.7 via deserialization of untrusted input from the 'dnduploadcf7upload' function. This makes it possible for attackers to inject a...
VulnCheck KEV: CVE-2024-8353
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1 via deserialization of untrusted input via several parameters like 'givetitle' and 'cardaddress'. This makes it possible for...
VulnCheck KEV: CVE-2019-9874
Sitecore CMS and Experience Platform XP contain a deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter CSRFTOKEN...
VulnCheck KEV: CVE-2019-9875
Sitecore CMS and Experience Platform XP contain a deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter CSRFTOKEN...
VulnCheck KEV: CVE-2025-30355
Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known...
VulnCheck KEV: CVE-2021-35402
A vulnerability is present in Prolink PRC2402M that could allow unauthenticated remote adversaries to inject commands due to improper checks on input supplied to 'liveapi.cgi'...
VulnCheck KEV: CVE-2025-2783
Google Chromium Mojo on Windows contains a sandbox escape vulnerability caused by a logic error, which results from an incorrect handle being provided in unspecified circumstances. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google...
VulnCheck KEV: CVE-2025-2563
The User Registration & Membership WordPress plugin before 4.1.2 does not prevent users to set their account role when the Membership Addon is enabled, leading to a privilege escalation issue and allowing unauthenticated users to gain admin privileges...
VulnCheck KEV: CVE-2025-30154
reviewdog action-setup GitHub Action contains an embedded malicious code vulnerability that dumps exposed secrets to Github Actions Workflow Logs...
VulnCheck KEV: CVE-2025-30349
Horde IMP through 6.2.27, as used with Horde Application Framework through 5.2.23, allows XSS that leads to account takeover via a crafted text/html e-mail message with an onerror attribute that may use base64-encoded JavaScript code, as exploited in the wild in March 2025...
VulnCheck KEV: CVE-2025-2609
Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling login logging allows unauthenticated users to store HTML content in the viewable log component accessible at /mbilling/index.php/logUsers/read" cross-site scripting This vulnerability is...
VulnCheck KEV: CVE-2025-2610
Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling Alarm Module modules allows authenticated stored cross-site scripting. This vulnerability is associated with program files protected/components/MagnusLog.Php. This issue affects...
VulnCheck KEV: CVE-2024-47374
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Stored XSS.This issue affects LiteSpeed Cache: from n/a through = 6.5.0.2...
VulnCheck KEV: CVE-2024-8503
An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database...
VulnCheck KEV: CVE-2024-3807
The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via 'portopageheadershortcodetype', 'slideshowtype' and 'postlayout' post meta. This makes it possible for authenticated attackers, with contributor-level and above permissions,...