Lucene search
K
Vulncheck KevRecent

4985 matches found

VulnCheck KEV
VulnCheck KEV
added 2026/04/07 12:0 a.m.28 views

VulnCheck KEV: CVE-2026-22679

Weaver Fanwei E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arbitrary commands by invoking exposed debug functionality. Attackers can craft PO...

9.8CVSS6.7AI score0.2148EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/06 12:0 a.m.6 views

VulnCheck KEV: CVE-2021-4473

Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers to execute arbitrary commands by supplying a crafted objClass parameter containing shell metacharacters and output redirection. Attackers...

9.8CVSS6.7AI score0.06165EPSS
Exploits1References3
VulnCheck KEV
VulnCheck KEV
added 2026/04/06 12:0 a.m.8 views

VulnCheck KEV: CVE-2026-3965

A security vulnerability has been detected in whyour qinglong up to 2.20.1. Affected is an unknown function of the file back/loaders/express.ts of the component API Interface. The manipulation of the argument command leads to protection mechanism failure. The attack may be initiated remotely. The...

6.5CVSS5.3AI score0.00441EPSS
Exploits0References12
VulnCheck KEV
VulnCheck KEV
added 2026/04/06 12:0 a.m.1 views

VulnCheck KEV: CVE-2026-1405

The Slider Future plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'sliderfuturehandleimageupload' function in all versions up to, and including, 1.0.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the...

9.8CVSS6.5AI score0.03177EPSS
Exploits2References10
VulnCheck KEV
VulnCheck KEV
added 2026/04/06 12:0 a.m.17 views

VulnCheck KEV: CVE-2023-39964

1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, arbitrary file reads allow an attacker to read arbitrary important configuration files on the server. In the api/v1/file.go file, there is a function called LoadFromFile, which directly reads the...

7.5CVSS5.9AI score0.0082EPSS
Exploits1References7
VulnCheck KEV
VulnCheck KEV
added 2026/04/06 12:0 a.m.21 views

VulnCheck KEV: CVE-2026-0740

The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NFFUAJAXControllersUploads::handleupload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload...

9.8CVSS6.5AI score0.54254EPSS
Exploits6References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/06 12:0 a.m.17 views

VulnCheck KEV: CVE-2023-49606

A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attacker needs to make ...

9.8CVSS6AI score0.63076EPSS
Exploits2References22
VulnCheck KEV
VulnCheck KEV
added 2026/04/06 12:0 a.m.4 views

VulnCheck KEV: CVE-2023-21529

Microsoft Exchange Server Remote Code Execution Vulnerability...

8.8CVSS5.9AI score0.62104EPSS
Exploits0References3
VulnCheck KEV
VulnCheck KEV
added 2026/04/05 12:0 a.m.10 views

VulnCheck KEV: CVE-2025-59528

Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided...

10CVSS6.1AI score0.90183EPSS
Exploits21References12
VulnCheck KEV
VulnCheck KEV
added 2026/04/04 12:0 a.m.32 views

VulnCheck KEV: CVE-2026-35616

A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests...

9.8CVSS6AI score0.88505EPSS
Exploits8References6
VulnCheck KEV
VulnCheck KEV
added 2026/04/04 12:0 a.m.25 views

VulnCheck KEV: CVE-2023-22621

Strapi through 4.5.5 allows authenticated Server-Side Template Injection SSTI that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an email template that bypasses t...

10CVSS7.6AI score0.76825EPSS
Exploits2References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/02 12:0 a.m.5 views

VulnCheck KEV: CVE-2025-13920

The WP Directory Kit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.9 via the wdkpublicaction AJAX handler. This makes it possible for unauthenticated attackers to extract email addresses for users with Directory Kit-specific user...

5.3CVSS5.8AI score0.00669EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/02 12:0 a.m.8 views

VulnCheck KEV: CVE-2026-1557

The WP Responsive Images plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0 via the 'src' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information...

7.5CVSS5.9AI score0.01722EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/02 12:0 a.m.5 views

VulnCheck KEV: CVE-2026-1277

The URL Shortify plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.12.1 due to insufficient validation on the 'redirectto' parameter in the promotional dismissal handler. This makes it possible for unauthenticated attackers to redirect users to potentiall...

4.7CVSS5.8AI score0.00592EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/01 12:0 a.m.7 views

VulnCheck KEV: CVE-2025-71257

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability due to improper enforcement of security filters on restricted REST API endpoints and servlets. Unauthenticated remote attackers can bypass access controls to invoke restricted functionality a...

9.1CVSS5.8AI score0.044EPSS
Exploits1References3
VulnCheck KEV
VulnCheck KEV
added 2026/04/01 12:0 a.m.6 views

VulnCheck KEV: CVE-2025-14437

The Hummingbird Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.18.0 via the 'request' function. This makes it possible for unauthenticated attackers to extract sensitive data including Cloudflare API credentials...

7.5CVSS5.8AI score0.01986EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/01 12:0 a.m.20 views

VulnCheck KEV: CVE-2022-28987

Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login...

5.3CVSS5.8AI score0.09705EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/01 12:0 a.m.12 views

VulnCheck KEV: CVE-2023-24000

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in GamiPress gamipress allows SQL Injection.This issue affects GamiPress: from n/a through 2.5.7...

9.8CVSS8.9AI score0.0257EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/01 12:0 a.m.5 views

VulnCheck KEV: CVE-2026-27971

Qwik is a performance focused javascript framework. qwik =1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where...

9.8CVSS6.2AI score0.04632EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/01 12:0 a.m.8 views

VulnCheck KEV: CVE-2024-6265

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘uwpsortby’ parameter in all versions up to, and including, 1.2.10 due to insufficient escaping on the user supplied...

9.8CVSS5.9AI score0.024EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/01 12:0 a.m.12 views

VulnCheck KEV: CVE-2022-3254

The WordPress Classifieds Plugin WordPress plugin before 4.3 does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users and when a specific premium module is active, leading to a SQL injection...

9.8CVSS5.9AI score0.05103EPSS
Exploits2References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/01 12:0 a.m.34 views

VulnCheck KEV: CVE-2025-59716

ownCloud Guests before 0.12.5 allows unauthenticated user enumeration via the /apps/guests/register/email/token endpoint. Because of insufficient validation of the supplied token in showPasswordForm, the server responds differently when an e-mail address corresponds to a valid pending guest user...

5.3CVSS5.8AI score0.00908EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/01 12:0 a.m.52 views

VulnCheck KEV: CVE-2026-24477

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticate...

8.7CVSS5.8AI score0.01566EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2026/03/31 12:0 a.m.10 views

VulnCheck KEV: CVE-2023-36899

ASP.NET Elevation of Privilege Vulnerability...

8.8CVSS5.8AI score0.74288EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2026/03/31 12:0 a.m.2 views

VulnCheck KEV: CVE-2025-54726

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Miguel Useche JS Archive List jquery-archive-list-widget allows SQL Injection.This issue affects JS Archive List: from n/a through 6.1.6...

9.3CVSS5.9AI score0.01425EPSS
Exploits2References2
VulnCheck KEV
VulnCheck KEV
added 2026/03/31 12:0 a.m.6 views

VulnCheck KEV: CVE-2025-32355

Rocket TRUfusion Enterprise through 7.10.4.0 uses a reverse proxy to handle incoming connections. However, the proxy is misconfigured in a way that allows specifying absolute URLs in the HTTP request line, causing the proxy to load the given resource...

7.9CVSS5.8AI score0.01249EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2026/03/31 12:0 a.m.19 views

VulnCheck KEV: CVE-2026-3502

TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code...

7.8CVSS6.3AI score0.0575EPSS
Exploits2References4
VulnCheck KEV
VulnCheck KEV
added 2026/03/31 12:0 a.m.10 views

VulnCheck KEV: CVE-2024-11868

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.3 via class-lp-rest-material-controller.php. This makes it possible for unauthenticated attackers to extract potentially sensitive paid course...

5.3CVSS5.8AI score0.01131EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/03/31 12:0 a.m.19 views

VulnCheck KEV: CVE-2025-32257

Exposure of Sensitive System Information Due to Uncleared Debug Information vulnerability in 1clickmigration 1 Click WordPress Migration 1-click-migration allows Retrieve Embedded Sensitive Data.This issue affects 1 Click WordPress Migration: from n/a through = 2.5.7...

5.3CVSS8.5AI score0.00785EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/03/31 12:0 a.m.8 views

VulnCheck KEV: CVE-2022-1453

The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-util.php file. This makes it possible for unauthenticated attackers to steal sensitive information from t...

9.8CVSS5.9AI score0.07053EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/03/31 12:0 a.m.10 views

VulnCheck KEV: CVE-2025-48281

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in mystyleplatform MyStyle Custom Product Designer mystyle-custom-product-designer allows Blind SQL Injection.This issue affects MyStyle Custom Product Designer: from n/a through = 3.21.1...

9.3CVSS5.9AI score0.01308EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/03/31 12:0 a.m.4 views

VulnCheck KEV: CVE-2024-13609

The 1 Click WordPress Migration Plugin – 100% FREE for a limited time plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2 via the class-ocm-backup.php. This makes it possible for unauthenticated attackers to extract sensitive data includi...

5.9CVSS5.8AI score0.01575EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/03/31 12:0 a.m.30 views

VulnCheck KEV: CVE-2026-4020

The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permissioncallback that unconditionally returns true, allowing any...

7.5CVSS5.8AI score0.39704EPSS
Exploits2References8
VulnCheck KEV
VulnCheck KEV
added 2026/03/31 12:0 a.m.9 views

VulnCheck KEV: CVE-2025-10090

A flaw has been found in Jinher OA up to 1.2. The impacted element is an unknown function of the file /C6/Jhsoft.Web.departments/GetTreeDate.aspx. Executing manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be us...

9.8CVSS5.6AI score0.01664EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2026/03/31 12:0 a.m.175 views

VulnCheck KEV: CVE-2025-11368

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/loadcontentviaajax which allows arbitrary callback execution of...

5.3CVSS6AI score0.00914EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/03/31 12:0 a.m.13 views

VulnCheck KEV: CVE-2026-5281

Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. Chromium security severity: High...

8.8CVSS6.2AI score0.05036EPSS
Exploits0References4
VulnCheck KEV
VulnCheck KEV
added 2026/03/31 12:0 a.m.11 views

VulnCheck KEV: CVE-2023-40600

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Exactly WWW EWWW Image Optimizer. It works only when debug.log is turned on.This issue affects EWWW Image Optimizer: from n/a through 7.2.0...

7.5CVSS7.8AI score0.02036EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2026/03/31 12:0 a.m.39 views

VulnCheck KEV: CVE-2025-8266

A vulnerability has been found in yanyutao0402 ChanCMS up to 3.1.2 and classified as critical. Affected by this vulnerability is the function getArticle of the file app/modules/cms/controller/collect.js. The manipulation of the argument targetUrl leads to deserialization. The attack can be launch...

6.5CVSS5.4AI score0.00971EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2026/03/31 12:0 a.m.22 views

VulnCheck KEV: CVE-2024-12025

The Collapsing Categories plugin for WordPress is vulnerable to SQL Injection via the 'taxonomy' parameter of the /wp-json/collapsing-categories/v1/get REST API in all versions up to, and including, 3.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparati...

7.5CVSS5.9AI score0.02542EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2026/03/30 12:0 a.m.11 views

VulnCheck KEV: CVE-2026-35056

XenForo before 2.3.9 and before 2.2.18 allows remote code execution RCE by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server...

8.6CVSS6.7AI score0.00666EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/03/30 12:0 a.m.3 views

VulnCheck KEV: CVE-2025-66744

In Yonyou YonBIP v3 and before, the LoginWithV8 interface in the series data application service system is vulnerable to path traversal, allowing unauthorized access to sensitive information within the system...

7.5CVSS5.8AI score0.01446EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/03/29 12:0 a.m.2 views

VulnCheck KEV: CVE-2026-3055

Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread...

9.8CVSS7.3AI score0.83996EPSS
Exploits7References33
VulnCheck KEV
VulnCheck KEV
added 2026/03/28 12:0 a.m.12 views

VulnCheck KEV: CVE-2026-21643

An improper neutralization of special elements used in an sql command 'sql injection' vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests...

9.8CVSS7.5AI score0.94085EPSS
Exploits1References17
VulnCheck KEV
VulnCheck KEV
added 2026/03/27 12:0 a.m.4 views

VulnCheck KEV: CVE-2025-53521

When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution RCE. Note: Software versions which have reached End of Technical Support EoTS are not evaluated...

9.8CVSS5.9AI score0.02246EPSS
Exploits0References6
VulnCheck KEV
VulnCheck KEV
added 2026/03/24 12:0 a.m.17 views

VulnCheck KEV: CVE-2023-47253

Qualitor through 8.20 allows remote attackers to execute arbitrary code via PHP code in the html/ad/adpesquisasql/request/processVariavel.php gridValoresPopHidden parameter...

9.8CVSS6.2AI score0.14422EPSS
Exploits4References12
VulnCheck KEV
VulnCheck KEV
added 2026/03/24 12:0 a.m.14 views

VulnCheck KEV: CVE-2026-4001

The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval in the processcustomformula function within includes/process/price.php. This is due to insufficient sanitization an...

9.8CVSS6.3AI score0.00707EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/03/23 12:0 a.m.19 views

VulnCheck KEV: CVE-2026-33634

Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in aquasecurity/trivy-action to credential-stealing malware, and replace all 7 tags in aquasecurity/setup-trivy with malicious...

9.4CVSS5.9AI score0.60368EPSS
Exploits2References5
VulnCheck KEV
VulnCheck KEV
added 2026/03/23 12:0 a.m.9 views

VulnCheck KEV: CVE-2014-6321

Schannel in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via crafted packets, aka "Microsoft Schannel...

10CVSS6.3AI score0.95988EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2026/03/23 12:0 a.m.7 views

VulnCheck KEV: CVE-2020-5284

Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory .next. This does not affect files outside of the dist directory .next. In general, the dist directory only holds build assets unless your applicatio...

5CVSS5.8AI score0.43426EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/03/23 12:0 a.m.8 views

VulnCheck KEV: CVE-2020-9374

On TP-Link TL-WR849N 0.9.1 4.16 devices, a remote command execution vulnerability in the diagnostics area can be exploited when an attacker sends specific shell metacharacters to the panel's traceroute feature...

9.8CVSS6AI score0.42047EPSS
Exploits4References2
Total number of security vulnerabilities4985