CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2025-4285 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rolantis Information Technologies Agentis allows SQL Injection. This issue affects Agentis: before ... | 10.0 | CRITICAL | – | 0 |
| CVE-2024-51568 CyberPanel (aka Cyber Panel) before 2.3.5 allows Command Injection via completePath in the ProcessUtilities.outputExecutioner() sink. There is /filemanager/upload (aka File Manager upload) unauthentic... | 10.0 | CRITICAL | – | 0 |
| CVE-2025-49447 Unrestricted Upload of File with Dangerous Type vulnerability in Fastw3b LLC FW Food Menu allows Using Malicious Files. This issue affects FW Food Menu: from n/a through 6.0.0. | 10.0 | CRITICAL | – | 0 |
| CVE-2023-38586 An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sonoma 14. A sandboxed process may be able to circumvent sandbox restrictions. | 10.0 | CRITICAL | – | 0 |
| CVE-2024-51545 Username Enumeration vulnerabilities allow access to application level username add, delete, modify and list functions. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; ... | 10.0 | CRITICAL | – | 0 |
| CVE-2025-63531 A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the receiverLogin.php component. The application fails to properly sanitize user-supplied input in SQL queries, allo... | 10.0 | CRITICAL | – | 0 |
| CVE-2025-61945 Radiometrics VizAir is vulnerable to any remote attacker via access to the admin panel of the VizAir system without authentication. Once inside, the attacker can modify critical weather parameters suc... | 10.0 | CRITICAL | – | 0 |
| CVE-2022-22947 In Spring Cloud Gateway versions prior to 3.1.1+ and 3.0.7+, applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote atta... | 10.0 | CRITICAL | KEV | 0 |
| CVE-2025-64090 This vulnerability allows authenticated attackers to execute commands via the hostname of the device. | 10.0 | CRITICAL | – | 0 |
| CVE-2025-24786 WhoDB is an open source database management tool. While the application only displays Sqlite3 databases present in the directory `/db`, there is no path traversal prevention in place. This allows an u... | 10.0 | CRITICAL | – | 0 |
| CVE-2023-41918 A vulnerability allows unauthorized access to functionality inadequately constrained by ACLs. Attackers may exploit this, unauthenticated, to execute commands, potentially leading to unauthorized data ma... | 10.0 | CRITICAL | – | 0 |
| CVE-2024-34990 In the module "Help Desk - Customer Support Management System" (helpdesk) up to version 2.4.0 from FME Modules for PrestaShop, a customer can upload .php files. Methods `HelpdeskHelpdeskModuleFrontCon... | 10.0 | CRITICAL | – | 0 |
| CVE-2024-3605 The WP Hotel Booking plugin for WordPress is vulnerable to SQL Injection via the 'room_type' parameter of the /wphb/v1/rooms/search-rooms REST API endpoint in all versions up to, and including, 2.1.0 ... | 10.0 | CRITICAL | – | 0 |
| CVE-2023-3941 Relative Path Traversal vulnerability in ZkTeco-based OEM devices allows an attacker to write any file on the system with root privileges. This issue affects ZkTeco-based OEM devices (ZkTeco ProF... | 10.0 | CRITICAL | – | 0 |
| CVE-2026-20079 A vulnerability in the web interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to bypass authentication and execute script files on an a... | 10.0 | CRITICAL | – | 0 |
| CVE-2024-23616 A buffer overflow vulnerability exists in Symantec Server Management Suite version 7.9 and before. A remote, anonymous attacker can exploit this vulnerability to achieve remote code execution as SYSTE... | 10.0 | CRITICAL | – | 0 |
| CVE-2019-11210 The server component of TIBCO Software Inc.'s TIBCO Enterprise Runtime for R - Server Edition, and TIBCO Spotfire Analytics Platform for AWS Marketplace contains a vulnerability that theoretically all... | 10.0 | CRITICAL | – | 0 |
| CVE-2024-56731 Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch ... | 10.0 | CRITICAL | – | 0 |
| CVE-2025-53283 Unrestricted Upload of File with Dangerous Type vulnerability in borisolhor Drop Uploader for CF7 - Drag&Drop File Uploader Addon drop-uploader-for-contact-form-7-dragdrop-file-uploader-addon allows U... | 10.0 | CRITICAL | – | 0 |
| CVE-2025-63216 The Itel DAB Gateway (IDGat build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to auth... | 10.0 | CRITICAL | – | 0 |
| CVE-2025-62521 ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to ... | 10.0 | CRITICAL | – | 0 |
| CVE-2025-13390 The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk... | 10.0 | CRITICAL | – | 0 |
| CVE-2019-16932 A blind SSRF vulnerability exists in the Visualizer plugin before 3.3.1 for WordPress via wp-json/visualizer/v1/upload-data. | 10.0 | CRITICAL | – | 0 |
| CVE-2024-39761 Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code exec... | 10.0 | CRITICAL | – | 0 |
| CVE-2025-49372 Improper Control of Generation of Code ('Code Injection') vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Remote Code Inclusion. This issue affects HAPPY: from n/a through... | 10.0 | CRITICAL | – | 0 |
| CVE-2024-13152 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BSS Software Mobuy Online Machinery Monitoring Panel allows SQL Injection. This issue affects Mobuy... | 10.0 | CRITICAL | – | 0 |
| CVE-2025-5120 A sandbox escape vulnerability was identified in huggingface/smolagents version 1.14.0, allowing attackers to bypass the restricted execution environment and achieve remote code execution (RCE). The v... | 10.0 | CRITICAL | – | 0 |
| CVE-2024-22004 Due to length check, an attacker with privilege access on a Linux Nonsecure operating system can trigger a vulnerability and leak the secure memory from the Trusted Application | 10.0 | CRITICAL | – | 0 |
| CVE-2020-26821 SAP Solution Manager (JAVA stack), version - 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the SVG Converter Service, this has an impact ... | 10.0 | CRITICAL | – | 0 |
| CVE-2024-50704 Unauthenticated remote code execution vulnerability in Uniguest Tripleplay before 24.2.1 allows remote attackers to execute arbitrary code via a specially crafted HTTP POST request. | 10.0 | CRITICAL | – | 0 |
| CVE-2025-24865 The administrative web interface of mySCADA myPRO Manager can be accessed without authentication which could allow an unauthorized attacker to retrieve sensitive information and upload files witho... | 10.0 | CRITICAL | – | 0 |
| CVE-2022-42497 Arbitrary Code Execution vulnerability in Api2Cart Bridge Connector plugin <= 1.1.0 on WordPress. | 10.0 | CRITICAL | – | 0 |
| CVE-2017-8110 www.modified-shop.org modified eCommerce Shopsoftware 2.0.2.2 rev 10690 has XXE in api/it-recht-kanzlei/api-it-recht-kanzlei.php. | 10.0 | CRITICAL | – | 0 |
| CVE-2025-46661 IPW Systems Metazo through 8.1.3 allows unauthenticated Remote Code Execution because smartyValidator.php enables the attacker to provide template expressions, aka Server-Side Template-Injection. All ... | 10.0 | CRITICAL | – | 0 |
| CVE-2024-48839 Improper Input Validation vulnerability allows Remote Code Execution. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02 | 10.0 | CRITICAL | – | 0 |
| CVE-2024-48840 Unauthorized Access vulnerabilities allow Remote Code Execution. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02 | 10.0 | CRITICAL | – | 0 |
| CVE-2024-31996 XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, the HTML escaping of escaping tool that is used in XWiki doesn't escape `{`,... | 10.0 | CRITICAL | – | 0 |
| CVE-2024-48841 Network access can be used to execute arbitrary code with elevated privileges. This issue affects FLXEON 9.3.4 and older. | 10.0 | CRITICAL | – | 0 |
| CVE-2024-5932 The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input fro... | 10.0 | CRITICAL | – | 0 |
| CVE-2024-47901 A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions < V8.2.12), InterMesh 7707 Fire Subscriber (All versions < V7.2.12 only if the IP interface is enabled (which ... | 10.0 | CRITICAL | – | 0 |
| CVE-2023-23656 Unrestricted Upload of File with Dangerous Type vulnerability in MainWP MainWP File Uploader Extension. This issue affects MainWP File Uploader Extension: from n/a through 4.1. | 10.0 | CRITICAL | – | 0 |
| CVE-2024-23614 A buffer overflow vulnerability exists in Symantec Messaging Gateway versions 9.5 and before. A remote, anonymous attacker can exploit this vulnerability to achieve remote code execution as root. | 10.0 | CRITICAL | – | 0 |
| CVE-2024-38366 trunk.cocoapods.org is the authentication server for the CocoaPods dependency manager. The part of trunk which verifies whether a user has a real email address on signup used a rfc-822 library which ... | 10.0 | CRITICAL | – | 0 |
| CVE-2023-41917 Inadequate input validation exposes the system to potential remote code execution (RCE) risks. Attackers can exploit this vulnerability by appending shell commands to the Speed-Measurement feature, en... | 10.0 | CRITICAL | – | 0 |
| CVE-2024-36679 In the module "Module Live Chat Pro (All in One Messaging)" (livechatpro) <=8.4.0, a guest can perform PHP Code injection. Due to a predictable token, the method `Lcp::saveTranslations()` suffers from a ... | 10.0 | CRITICAL | – | 0 |
| CVE-2023-3939 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in ZkTeco-based OEM devices allows OS Command Injection. Since all the found command impleme... | 10.0 | CRITICAL | – | 0 |
| CVE-2024-23621 A buffer overflow exists in IBM Merge Healthcare eFilm Workstation license server. A remote, unauthenticated attacker can exploit this vulnerability to achieve remote code execution. | 10.0 | CRITICAL | – | 0 |
| CVE-2024-39791 Stack-based buffer overflow vulnerabilities affecting Vonets industrial wifi bridge relays and wifi bridge repeaters, software versions 3.3.23.6.9 and prior, enable an unauthenticated remote a... | 10.0 | CRITICAL | – | 0 |
| CVE-2022-46839 Unrestricted Upload of File with Dangerous Type vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin. This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a... | 10.0 | CRITICAL | – | 0 |
| CVE-2023-42802 GLPI is a free asset and IT management software package. Starting in version 10.0.7 and prior to version 10.0.10, an unverified object instantiation allows one to upload malicious PHP files to unwante... | 10.0 | CRITICAL | – | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.