CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | Description | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|---|
| CVE-2022-20122 | The PowerVR GPU driver allows unprivileged apps to allocate pinned memory, unpin it (which makes it available to be freed), and continue using the page in GPU calls. No privileges required and this r... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-39815 | The PowerVR GPU driver allows unprivileged apps to allocate pinned memory, unpin it (which makes it available to be freed), and continue using the page in GPU calls. No privileges required and this r... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-37223 | JFinal CMS 5.1.0 is vulnerable to SQL Injection via /jfinal_cms/system/role/list. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-37199 | JFinal CMS 5.1.0 is vulnerable to SQL Injection via /jfinal_cms/system/user/list. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-35869 | This vulnerability allows remote attackers to bypass authentication on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). Authentication is not required to exploit this vuln... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-42627 | The WAN configuration page "wan.htm" on D-Link DIR-615 devices with firmware 20.06 can be accessed directly without authentication, which can lead to disclosure of the information about WAN settings and als... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-34907 | An authentication bypass vulnerability exists in FileWave before 14.6.3 and 14.7.x before 14.7.2. Exploitation could allow an unauthenticated actor to gain access to the system with the highest author... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-35733 | Missing authentication for critical function vulnerability in UNIMO Technology digital video recorders (UDR-JA1004/JA1008/JA1016 firmware versions v1.0.20.13 and earlier, and UDR-JA1016 firmware versi... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-34919 | The file upload wizard in Zengenti Contensis Classic before 15.2.1.79 does not correctly check that a user has authenticated. By uploading a crafted aspx file, it is possible to execute arbitrary comm... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-42232 | TP-Link Archer A7 Archer A7(US)_V5_210519 is affected by a command injection vulnerability in /usr/bin/tddp. The vulnerability is caused by the program taking part of the received data packet as part ... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-36572 | Sinsiu Sinsiu Enterprise Website System v1.1.1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /upload/admin.php?/deal/. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-38667 | HTTP applications (servers) based on Crow through 1.0+4 may allow a Use-After-Free and code execution when HTTP pipelining is used. The HTTP parser supports HTTP pipelining, but the asynchronous Conne... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-34577 | A vulnerability in adm.cgi of WAVLINK WN535 G3 M35G3R.V5030.180927 allows attackers to execute arbitrary code via a crafted POST request. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-35150 | Baijicms v4 was discovered to contain an arbitrary file upload vulnerability. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-37134 | D-Link DIR-816 A2_v1.10CNB04.img is vulnerable to Buffer Overflow via /goform/form2Wan.cgi. When wantype is 3, l2tp_usrname will be decrypted by base64, and the result will be stored in v94, which doe... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-37087 | H3C H200 H200V100R004 was discovered to contain a stack overflow via the function SetMobileAPInfoById. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-34858 | Authentication Bypass vulnerability in miniOrange OAuth 2.0 client for SSO plugin <= 1.11.3 at WordPress. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-34149 | Authentication Bypass vulnerability in miniOrange WP OAuth Server plugin <= 3.0.4 at WordPress. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-3586 | A flaw was found in servicemesh-operator. The NetworkPolicy resources installed for Maistra do not properly specify which ports may be accessed, allowing access to all ports on these resources from an... | 9.8 | CRITICAL | — | 0 |
| CVE-2020-27836 | A flaw was found in cluster-ingress-operator. A change to how the router-default service allows only certain IP source ranges could allow an attacker to access resources that would otherwise be restri... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-2927 | Weak Password Requirements in GitHub repository notrinos/notrinoserp prior to 0.7. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-36198 | Multiple SQL injections detected in Bus Pass Management System 1.0 via buspassms/admin/view-enquiry.php, buspassms/admin/pass-bwdates-reports-details.php, buspassms/admin/changeimage.php, buspassms/ad... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-34916 | Apache Flume versions 1.4.0 through 1.10.0 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with a JNDI LDAP data source URI when an attacker has control o... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-2466 | It was found that Quarkus 2.10.x does not terminate HTTP requests header context, which may lead to unpredictable behavior. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-36030 | Project-nexus is a general-purpose blog website framework. Affected versions are subject to SQL injection due to a lack of sanitization of user input. This issue has not yet been patched. Users are a... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-37175 | Tenda AC15 firmware V15.03.05.18 httpd server has a stack buffer overflow in /goform/formWifiBasicSet. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-36578 | jizhicms v2.3.1 has SQL injection in the background. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-36606 | Ywoa before v6.1 was discovered to contain a SQL injection vulnerability via /oa/setup/checkPool?database. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-34989 | Fruits Bazar v1.0 was discovered to contain a SQL injection vulnerability via the recover_email parameter at user_password_recover.php. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-36605 | Yimioa v6.1 was discovered to contain a SQL injection vulnerability via the orderbyGET parameter. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-36161 | Orange Station 1.0 was discovered to contain a SQL injection vulnerability via the username parameter. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-36412 | In Zoho ManageEngine SupportCenter Plus before 11023, V3 API requests are vulnerable to authentication bypass. (An API request may, in effect, be executed with the credentials of a user who authentica... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-35201 | Tenda AC18 V15.03.05.05 was discovered to contain a remote command execution (RCE) vulnerability. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-34615 | Mealie 1.0.0beta3 employs weak password requirements, which allows attackers to potentially gain unauthorized access to the application via brute-force attacks. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-36220 | Kiosk breakout (without quit password) in Safe Exam Browser (Windows) <3.4.0, which allows an attacker to achieve code execution via the browser's print dialog. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-29805 | A Java Deserialization vulnerability in the Fishbowl Server in Fishbowl Inventory before 2022.4.1 allows remote attackers to execute arbitrary code via a crafted XML payload. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-35540 | Hardcoded JWT Secret in AgileConfig <1.6.8 Server allows remote attackers to use the generated JWT token to gain administrator access. | 9.8 | CRITICAL | — | 0 |
| CVE-2020-36599 | lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-36947 | Unsafe parsing of a PNG tRNS chunk in FastStone Image Viewer through 7.5 results in a stack buffer overflow. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-36729 | Library Management System v1.0 was discovered to contain a SQL injection vulnerability via the M_Id parameter at /librarian/del.php. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-36728 | Library Management System v1.0 was discovered to contain a SQL injection vulnerability via the RollNo parameter at /staff/delstu.php. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-36727 | Library Management System v1.0 was discovered to contain a SQL injection vulnerability via the bookId parameter at /staff/delete.php. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-36725 | Library Management System v1.0 was discovered to contain a SQL injection vulnerability via the M_Id parameter at /student/dele.php. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-36722 | Library Management System v1.0 was discovered to contain a SQL injection vulnerability via the title parameter at /librarian/history.php. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-35175 | Barangay Management System v1.0 was discovered to contain a SQL injection vulnerability via the hidden_id parameter at /blotter/blotter.php. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-35164 | LibreDWG v0.12.4.4608 & commit f2dea29 was discovered to contain a heap use-after-free via bit_copy_chain. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-35154 | Shopro Mall System v1.3.8 was discovered to contain a SQL injection vulnerability via the value parameter. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-29953 | The Bently Nevada 3700 series of condition monitoring equipment through 2022-04-29 has a maintenance interface on port 4001/TCP with undocumented, hardcoded credentials. An attacker capable of connect... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-29958 | JTEKT TOYOPUC PLCs through 2022-04-29 do not ensure data integrity. They utilize the unauthenticated CMPLink/TCP protocol for engineering purposes, including downloading projects and control logic to ... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-35153 | FusionPBX 5.0.1 was discovered to contain a command injection vulnerability via /fax/fax_send.php. | 9.8 | CRITICAL | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.