CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID and description | CVSS | Severity | In CISA KEV | Sightings |
|---|---|---|---|---|
| CVE-2022-28368 Dompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file). | 9.8 | CRITICAL | No | 0 |
| CVE-2022-27534 Kaspersky Anti-Virus products for home and Kaspersky Endpoint Security with antivirus databases released before 12 March 2022 had a bug in a data parsing module that potentially allowed an attacker to... | 9.8 | CRITICAL | No | 0 |
| CVE-2022-27177 A Python format string issue leading to information disclosure and potentially remote code execution in ConsoleMe for all versions prior to 1.2.2 | 9.8 | CRITICAL | No | 0 |
| CVE-2021-33912 libspf2 before 1.2.11 has a four-byte heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with ... | 9.8 | CRITICAL | No | 0 |
| CVE-2021-33913 libspf2 before 1.2.11 has a heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted ... | 9.8 | CRITICAL | No | 0 |
| CVE-2022-27477 Newbee-Mall v1.0.0 was discovered to contain an arbitrary file upload via the Upload function at /admin/goods/edit. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-32976 Five buffer overflows in the built-in web server in Moxa NPort IAW5000A-I/O series firmware version 2.2 or earlier may allow a remote attacker to initiate a denial-of-service attack and execute arbitr... | 9.8 | CRITICAL | No | 0 |
| CVE-2021-32974 Improper input validation in the built-in web server in Moxa NPort IAW5000A-I/O series firmware version 2.2 or earlier may allow a remote attacker to execute commands. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-32953 An attacker could utilize SQL commands to create a new user in MDT AutoSave versions prior to v6.02.06 and update the user's permissions, granting the attacker the ability to log in. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-23247 A command injection vulnerability found in the quick game engine allows arbitrary remote code execution in quick app. Allows remote attackers to gain arbitrary code execution in the quick game engine. | 9.8 | CRITICAL | No | 0 |
| CVE-2022-26562 provider/libserver/ECKrbAuth.cpp in Kopano Core <= v11.0.2.51 contains an issue which allows attackers to authenticate even if the user account or password is expired. It also exists in th... | 9.8 | CRITICAL | No | 0 |
| CVE-2021-44135 pagekit all versions, as of 15-10-2021, is vulnerable to SQL Injection via Comment listing. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-44738 A buffer overflow vulnerability has been identified in the PostScript interpreter of Lexmark devices through 2021-12-07. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-44734 Embedded web server input sanitization vulnerability in Lexmark devices through 2021-12-07, which can lead to remote code execution on the device. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-44735 Embedded web server command injection vulnerability in Lexmark devices through 2021-12-07. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-44736 The initial admin account setup wizard on Lexmark devices allows unauthenticated access to the "out of service erase" feature. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-44090 An SQL Injection vulnerability exists in Sourcecodester Online Reviewer System 1.0 via the password parameter. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-44244 An SQL Injection vulnerability exists in Sourcecodester Logistic Hub Parcel's Management System 1.0 via the username parameter in login.php. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-44245 An SQL Injection vulnerability exists in Sourcecodester COVID 19 Testing Management System (CTMS) 1.0 via the (1) username and (2) contactno parameters. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-46061 An SQL Injection vulnerability exists in Sourcecodester Computer and Mobile Repair Shop Management System (RSMS) 1.0 via the code parameter in /rsms/ node app. | 9.8 | CRITICAL | No | 0 |
| CVE-2022-22928 MCMS v5.2.4 was discovered to have a hardcoded shiro-key, allowing attackers to exploit the key and execute arbitrary code. | 9.8 | CRITICAL | No | 0 |
| CVE-2022-22929 MCMS v5.2.4 was discovered to have an arbitrary file upload vulnerability in the New Template module, which allows attackers to execute arbitrary code via a crafted ZIP file. | 9.8 | CRITICAL | No | 0 |
| CVE-2022-22930 A remote code execution (RCE) vulnerability in the Template Management function of MCMS v5.2.4 allows attackers to execute arbitrary code via a crafted payload. | 9.8 | CRITICAL | No | 0 |
| CVE-2022-23314 MCMS v5.2.4 was discovered to contain a SQL injection vulnerability via /ms/mdiy/model/importJson.do. | 9.8 | CRITICAL | No | 0 |
| CVE-2022-23315 MCMS v5.2.4 was discovered to contain an arbitrary file upload vulnerability via the component /ms/template/writeFileContent.do. | 9.8 | CRITICAL | No | 0 |
| CVE-2022-0318 Heap-based Buffer Overflow in vim/vim prior to 8.2. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-43722 D-Link DIR-645 1.03 A1 is vulnerable to Buffer Overflow. The hnap_main function in the cgibin handler uses sprintf to format the soapaction header onto the stack and has no limit on the size. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-43479 A Remote Code Execution (RCE) vulnerability exists in The-Secretary 2.5 via install.php. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-35003 This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link Archer C90 1.0.6 Build 20200114 rel.73164(5553) routers. Authentication is not required to exp... | 9.8 | CRITICAL | No | 0 |
| CVE-2021-35004 This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link TL-WA1201 1.0.1 Build 20200709 rel.66244(5553) wireless access points. Authentication is not r... | 9.8 | CRITICAL | No | 0 |
| CVE-2021-40855 The EU Technical Specifications for Digital COVID Certificates before 1.1 mishandle certificate governance. A non-production public key certificate could have been used in production. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-46198 An SQL Injection vulnerability exists in Sourcecodester Courier Management System 1.0 via the email parameter in /cms/ajax.php app. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-46201 An SQL Injection vulnerability exists in Sourcecodester Online Resort Management System 1.0 via the id parameter in /orms/ node. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-43484 A Remote Code Execution (RCE) vulnerability exists in Simple Client Management System 1.0 in create.php due to the failure to validate the extension of the file being sent in a request. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-46307 An SQL Injection vulnerability exists in Projectworlds Online Examination System 1.0 via the eid parameter in account.php. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-46308 An SQL Injection vulnerability exists in Sourcecodester Online Railway Reservation System 1.0 via the sid parameter. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-46309 An SQL Injection vulnerability exists in Sourcecodester Employee and Visitor Gate Pass Logging System 1.0 via the username parameter. | 9.8 | CRITICAL | No | 0 |
| CVE-2020-4877 IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 could be vulnerable to unauthorized modifications by using public fields in public classes. IBM X-Force ID: 190843. | 9.8 | CRITICAL | No | 0 |
| CVE-2020-4879 IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 could allow a remote attacker to bypass security restrictions, caused by improper validation of authentication cookies. IBM X-Force ID: 190847. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-43506 An SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the password parameter in Login.php. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-40247 SQL injection vulnerability in Sourcecodester Budget and Expense Tracker System v1 by oretnom23 allows attackers to execute arbitrary SQL commands via the username field. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-46009 In Totolink A3100R V5.9c.4577, multiple pages can be read by curl or Burp Suite without authentication. Additionally, admin configurations can be set without cookies. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-46007 Totolink A3100R V5.9c.4577 is vulnerable to OS command injection. The backend of a page is executing the "ping" command, and the input field does not adequately filter special symbols. This can lead t... | 9.8 | CRITICAL | No | 0 |
| CVE-2022-23128 Incomplete List of Disallowed Inputs vulnerability in Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01), ICONICS GENESIS64 versions 10.95.3 to 10.97, ICONICS Hyper H... | 9.8 | CRITICAL | No | 0 |
| CVE-2021-43142 An XML External Entity (XXE) vulnerability exists in wuta jox 1.16 in the readObject method in JOXSAXBeanInput. | 9.8 | CRITICAL | No | 0 |
| CVE-2022-24136 Hospital Management System v1.0 is affected by an unrestricted upload of dangerous file type vulnerability in treatmentrecord.php. To exploit, an attacker can upload any PHP file, and then execute it. | 9.8 | CRITICAL | No | 0 |
| CVE-2021-40595 SQL injection vulnerability in Sourcecodester Online Leave Management System v1 by oretnom23 allows attackers to execute arbitrary SQL commands via the username parameter to /leave_system/classes/Log... | 9.8 | CRITICAL | No | 0 |
| CVE-2022-23363 Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via index.php. | 9.8 | CRITICAL | No | 0 |
| CVE-2022-23364 HMS v1.0 was discovered to contain a SQL injection vulnerability via adminlogin.php. | 9.8 | CRITICAL | No | 0 |
| CVE-2022-23365 HMS v1.0 was discovered to contain a SQL injection vulnerability via doctorlogin.php. | 9.8 | CRITICAL | No | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.
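The KEV and NVD enrichment behind a table like the one above is a simple join, and it is worth being able to reproduce it locally when triaging a scan result. The following is an added example (not code from this site, NVD or CISA) that reads an NVD CVE API 2.0 style response, looks each CVE up in the CISA KEV catalog, picks one CVSS score per CVE, and emits rows in the shape of the table above, ordered KEV-first and then by score. Both JSON payloads are constructed excerpts that follow the published feed schemas (KEV: `vulnerabilities[].cveID`, `dateAdded`; NVD: `vulnerabilities[].cve.metrics.cvssMetricV31[].cvssData.baseScore`). The CVE IDs come from this page plus CVE-2021-44228; descriptions are shortened, the CVSS metric blocks are sample data, and the only real KEV fact used is that CVE-2021-44228 was added to the catalog on 2021-12-10. The fallback order v3.1, then v3.0, then v2 for records that lack a v3.1 metric is this example's choice, not an NVD rule.

```python
"""Join NVD-style CVE records against the CISA KEV catalog (added example)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the shape of the CISA KEV JSON feed. Only the fields used
# below are populated; the CVE-2021-44228 entry and its dateAdded are real.
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "dateAdded": "2021-12-10", "knownRansomwareCampaignUse": "Known"}
  ]
}
"""

# Constructed excerpt in the shape of an NVD CVE API 2.0 response. Descriptions are
# shortened; the metric blocks are sample data. The last record deliberately carries
# only a v2 metric to exercise the fallback path.
NVD_RESPONSE_JSON = """
{
  "vulnerabilities": [
    {"cve": {"id": "CVE-2022-28368",
             "descriptions": [{"lang": "en", "value": "Dompdf 1.2.1 allows remote code execution via a .php file in an @font-face src:url."}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
    {"cve": {"id": "CVE-2021-43722",
             "descriptions": [{"lang": "en", "value": "D-Link DIR-645 1.03 A1 hnap_main stack buffer overflow via the soapaction header."}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
    {"cve": {"id": "CVE-2021-44228",
             "descriptions": [{"lang": "en", "value": "Apache Log4j2 JNDI lookup allows remote code execution."}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 10.0, "baseSeverity": "CRITICAL"}}]}}},
    {"cve": {"id": "CVE-2021-46009",
             "descriptions": [{"lang": "en", "value": "Totolink A3100R V5.9c.4577 pages readable without authentication."}],
             "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 7.5}, "baseSeverity": "HIGH"}]}}}
  ]
}
"""


@dataclass(frozen=True)
class EnrichedCve:
    cve_id: str
    description: str
    cvss: Optional[float]
    severity: str
    in_kev: bool
    kev_date_added: Optional[str]


def load_kev_index(feed_json: str) -> Dict[str, dict]:
    """Index the KEV feed by upper-cased CVE ID so lookups are O(1) and case-insensitive."""
    feed = json.loads(feed_json)
    return {entry["cveID"].upper(): entry for entry in feed["vulnerabilities"]}


def pick_cvss(metrics: dict) -> Tuple[Optional[float], str]:
    """Return (score, severity), preferring CVSS v3.1, then v3.0, then v2.
    v3.x keeps baseSeverity inside cvssData; v2 keeps it as a sibling of cvssData."""
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        for metric in metrics.get(key, []):
            data = metric.get("cvssData", {})
            score = data.get("baseScore")
            if score is None:
                continue
            severity = data.get("baseSeverity") or metric.get("baseSeverity") or "UNKNOWN"
            return float(score), str(severity).upper()
    return None, "UNKNOWN"


def enrich(nvd_json: str, kev_index: Dict[str, dict]) -> List[EnrichedCve]:
    """Join NVD records with KEV and sort for triage: KEV first, then CVSS descending, then ID."""
    rows: List[EnrichedCve] = []
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        cve_id = cve["id"].upper()
        description = next((d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"), "")
        score, severity = pick_cvss(cve.get("metrics", {}))
        kev_entry = kev_index.get(cve_id)
        rows.append(EnrichedCve(cve_id, description, score, severity,
                                kev_entry is not None,
                                kev_entry["dateAdded"] if kev_entry else None))
    rows.sort(key=lambda r: (not r.in_kev, -(r.cvss if r.cvss is not None else -1.0), r.cve_id))
    return rows


def to_markdown(rows: List[EnrichedCve]) -> str:
    """Render rows as a Markdown table in the same column order as the page."""
    lines = ["| CVE ID | CVSS | Severity | In CISA KEV | Description |", "|---|---|---|---|---|"]
    for r in rows:
        score = "n/a" if r.cvss is None else f"{r.cvss:.1f}"
        kev = f"Yes ({r.kev_date_added})" if r.in_kev else "No"
        lines.append(f"| {r.cve_id} | {score} | {r.severity} | {kev} | {r.description} |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_markdown(enrich(NVD_RESPONSE_JSON, load_kev_index(KEV_FEED_JSON))))
```

Against live data the two constants would be replaced by the downloaded KEV feed and a paged NVD API response; the join logic is unchanged. Note that a missing v3.1 metric is common for older CVEs, so a KEV check should never be skipped just because the score column is empty.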