CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2022-20707 Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arb... | 10.0 | CRITICAL | β | 0 |
| CVE-2024-2086 The Integrate Google Drive β Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site plugin for WordPress is vulnerable to unauthorized acces... | 10.0 | CRITICAL | β | 0 |
| CVE-2020-14516 In Rockwell Automation FactoryTalk Services Platform Versions 6.10.00 and 6.11.00, there is an issue with the implementation of the SHA-256 hashing algorithm with FactoryTalk Services Platform that pr... | 10.0 | CRITICAL | β | 0 |
| CVE-2020-36157 An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Unauthenticated Privilege Escalation via User Roles. Due to the lack of filtering on the role parameter that coul... | 10.0 | CRITICAL | β | 0 |
| CVE-2021-41163 Discourse is an open source platform for community discussion. In affected versions maliciously crafted requests could lead to remote code execution. This resulted from a lack of validation in subscri... | 10.0 | CRITICAL | β | 0 |
| CVE-2020-7356 CAYIN xPost suffers from an unauthenticated SQL Injection vulnerability. Input passed via the GET parameter 'wayfinder_seqid' in wayfinder_meeting_input.jsp is not properly sanitized before being retu... | 10.0 | CRITICAL | β | 0 |
| CVE-2020-9412 The file transfer component of TIBCO Software Inc.'s TIBCO Managed File Transfer Platform Server for IBM i contains a vulnerability that theoretically allows execution of arbitrary commands at the pri... | 10.0 | CRITICAL | β | 0 |
| CVE-2024-45066 A specially crafted POST request to the ProGauge MAGLINK LX CONSOLE IP sub-menu can allow a remote attacker to inject arbitrary commands. | 10.0 | CRITICAL | β | 0 |
| CVE-2024-0001 A condition exists in FlashArray Purity whereby a local account intended for initial array configuration remains active potentially allowing a malicious actor to gain elevated privileges. | 10.0 | CRITICAL | β | 0 |
| CVE-2023-49815 Unrestricted Upload of File with Dangerous Type vulnerability in WappPress Team WappPress.This issue affects WappPress: from n/a through 5.0.3. | 10.0 | CRITICAL | β | 0 |
| CVE-2021-21951 An out-of-bounds write vulnerability exists in the CMD_DEVICE_GET_SERVER_LIST_REQUEST functionality of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h in function read_udp_push_config_file.... | 10.0 | CRITICAL | β | 0 |
| CVE-2026-4370 A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authen... | 10.0 | CRITICAL | β | 0 |
| CVE-2021-45630 Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects CBR40 before 2.5.0.24, CBR750 before 4.6.3.6, RBK752 before 3.2.17.12, RBR750 before 3.2.17.12, R... | 10.0 | CRITICAL | β | 0 |
| CVE-2021-40850 TCMAN GIM is vulnerable to a SQL injection vulnerability inside several available webservice methods in /PC/WebService.asmx. | 10.0 | CRITICAL | β | 0 |
| CVE-2025-12539 The TNC Toolbox: Web Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2. This is due to the plugin storing cPanel API credenti... | 10.0 | CRITICAL | β | 0 |
| CVE-2026-28289 FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with f... | 10.0 | CRITICAL | β | 0 |
| CVE-2017-14451 An exploitable out-of-bounds read vulnerability exists in libevm (Ethereum Virtual Machine) of CPP-Ethereum. A specially crafted smart contract code can cause an out-of-bounds read which can subsequen... | 10.0 | CRITICAL | β | 0 |
| CVE-2024-48967 The ventilator and the Service PC lack sufficient audit logging capabilities to allow for detection of malicious activity and subsequent forensic examination. An attacker with access to the ventilator... | 10.0 | CRITICAL | β | 0 |
| CVE-2026-26216 Crawl4AI versions prior to 0.8.0 contain a remote code execution vulnerability in the Docker API deployment. The /crawl endpoint accepts a hooks parameter containing Python code that is executed using... | 10.0 | CRITICAL | β | 0 |
| CVE-2026-1633 The Synectix LAN 232 TRIO 3-Port serial to ethernet adapter exposes its web management interface without requiring authentication, allowing unauthenticated users to modify critical device settings or ... | 10.0 | CRITICAL | β | 0 |
| CVE-2026-34938 PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing ... | 10.0 | CRITICAL | β | 0 |
| CVE-2026-33107 Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges over a network. | 10.0 | CRITICAL | β | 0 |
| CVE-2025-32432 Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to be... | 10.0 | CRITICAL | KEV | 0 |
| CVE-2025-54253 Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to by... | 10.0 | CRITICAL | KEV | 0 |
| CVE-2025-29813 Authentication bypass by assumed-immutable data in Azure DevOps allows an unauthorized attacker to elevate privileges over a network. | 10.0 | CRITICAL | β | 0 |
| CVE-2025-48106 Unrestricted Upload of File with Dangerous Type vulnerability in CMSSuperHeroes Clanora clanora allows Using Malicious Files.This issue affects Clanora: from n/a through < 1.3.1. | 10.0 | CRITICAL | β | 0 |
| CVE-2025-49060 Unrestricted Upload of File with Dangerous Type vulnerability in CMSSuperHeroes Wastia wastia allows Upload a Web Shell to a Web Server.This issue affects Wastia: from n/a through < 1.1.3. | 10.0 | CRITICAL | β | 0 |
| CVE-2025-60206 Improper Control of Generation of Code ('Code Injection') vulnerability in Beplusthemes Alone alone allows Code Injection.This issue affects Alone: from n/a through <= 7.8.3. | 10.0 | CRITICAL | β | 0 |
| CVE-2025-49752 Azure Bastion Elevation of Privilege Vulnerability | 10.0 | CRITICAL | β | 0 |
| CVE-2025-41115 SCIM provisioning wasΒ introducedΒ in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In... | 10.0 | CRITICAL | β | 0 |
| CVE-2024-8615 The JobSearch WP Job Board plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jobsearch_location_load_excel_file_callback() function in all version... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-58384 In DOXENSE WATCHDOC before 6.1.1.5332, Deserialization of Untrusted Data can lead to remote code execution through the .NET Remoting library in the Watchdoc administration interface. | 10.0 | CRITICAL | β | 0 |
| CVE-2024-4196 An improper input validation vulnerability was discovered in Avaya IP Office that could allow remote command or code execution via a specially crafted web request to the Web Control component. Affect... | 10.0 | CRITICAL | β | 0 |
| CVE-2024-31982 XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the s... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-41672 A remote unauthenticated attacker may use default certificates to generate JWT Tokens and gain full access to the tool and all connected devices. | 10.0 | CRITICAL | β | 0 |
| CVE-2025-50567 Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which uses preg_replace() with the deprecated /e (eval) modifier to interpolate SQL query parameters. ... | 10.0 | CRITICAL | β | 0 |
| CVE-2024-39754 A static login vulnerability exists in the wctrls functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted set of network packets can lead to root access. An attacker can send packets t... | 10.0 | CRITICAL | β | 0 |
| CVE-2024-36290 A buffer overflow vulnerability exists in the login.cgi Goto_chidx() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to stack-based buffer overflow. An at... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-53624 The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing Gi... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-41656 An unauthenticated remote attacker can run arbitrary commands on the affected devices with high privileges because the authentication for the Node_RED server is not configured by default. | 10.0 | CRITICAL | β | 0 |
| CVE-2024-50707 Unauthenticated remote code execution vulnerability in Uniguest Tripleplay before 24.2.1 allows remote attackers to execute arbitrary code via the X-Forwarded-For header in an HTTP GET request. | 10.0 | CRITICAL | β | 0 |
| CVE-2025-48748 Netwrix Directory Manager (formerly Imanami GroupID) through v.10.0.7784.0 has a hard-coded password. | 10.0 | CRITICAL | β | 0 |
| CVE-2024-1212 Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution. | 10.0 | CRITICAL | KEV | 0 |
| CVE-2021-34770 A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unaut... | 10.0 | CRITICAL | β | 0 |
| CVE-2024-28354 There is a command injection vulnerability in the TRENDnet TEW-827DRU router with firmware version 2.10B01. An attacker can inject commands into the post request parameters usapps.@smb[%d].username in... | 10.0 | CRITICAL | β | 0 |
| CVE-2024-31351 Unrestricted Upload of File with Dangerous Type vulnerability in Copymatic Copymatic β AI Content Writer & Generator.This issue affects Copymatic β AI Content Writer & Generator: from n/a through 1.6. | 10.0 | CRITICAL | β | 0 |
| CVE-2025-61492 A command injection vulnerability in the execute_command function of terminal-controller-mcp 0.1.7 allows attackers to execute arbitrary commands via a crafted input. | 10.0 | CRITICAL | β | 0 |
| CVE-2025-64093 Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device. | 10.0 | CRITICAL | β | 0 |
| CVE-2023-41918 A vulnerability allows unauthorized access to functionality inadequately constrained by ACLs. Attackers may exploit this to unauthenticated execute commands potentially leading to unauthorized data ma... | 10.0 | CRITICAL | β | 0 |
| CVE-2024-36532 Insecure permissions in kruise v1.6.2 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token. | 10.0 | CRITICAL | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.