CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2025-21415 Authentication bypass by spoofing in Azure AI Face Service allows an authorized attacker to elevate privileges over a network. | 9.9 | CRITICAL | β | 0 |
| CVE-2024-57726 SimpleHelp remote support software v5.5.7 and before has a vulnerability that allows low-privileges technicians to create API keys with excessive permissions. These API keys can be used to escalate pr... | 9.9 | CRITICAL | β | 0 |
| CVE-2024-10960 The Brizy β Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'storeUploads' function in all versions up to, and including, 2.6.4. Th... | 9.9 | CRITICAL | β | 0 |
| CVE-2024-51548 Dangerous File Upload vulnerabilities allow upload of malicious scripts.Β Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02 | 9.9 | CRITICAL | β | 0 |
| CVE-2024-12583 The Dynamics 365 Integration plugin for WordPress is vulnerable to Remote Code Execution and Arbitrary File Read in all versions up to, and including, 1.3.23 via Twig Server-Side Template Injection. T... | 9.9 | CRITICAL | β | 0 |
| CVE-2024-25693 There is a path traversal in Esri Portal for ArcGIS versions <= 11.2. Successful exploitation may allow a remote, authenticated attacker to traverse the file system to access files or execute code ou... | 9.9 | CRITICAL | β | 0 |
| CVE-2024-11082 The Tumult Hype Animations plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the hypeanimations_panel() function in all versions up to, and including,... | 9.9 | CRITICAL | β | 0 |
| CVE-2024-43602 Azure CycleCloud Remote Code Execution Vulnerability | 9.9 | CRITICAL | β | 0 |
| CVE-2024-46888 A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). The affected application does not properly sanitize user provided paths for SFTP-based file up- and downloads. This... | 9.9 | CRITICAL | β | 0 |
| CVE-2024-51482 ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder v1.37.* <= 1.37.64 is vulnerable to boolean-based SQL Injection in function of web/ajax/event.php. This is ... | 9.9 | CRITICAL | β | 0 |
| CVE-2024-33699 The LevelOne WBR-6012 router's web application has a vulnerability in its firmware version R0.40e6, allowing attackers to change the administrator password and gain higher privileges without the curre... | 9.9 | CRITICAL | β | 0 |
| CVE-2024-42515 Glossarizer through 1.5.2 improperly tries to convert text into HTML. Even though the application itself escapes special characters (e.g., <>), the underlying library converts these encoded characters... | 9.9 | CRITICAL | β | 0 |
| CVE-2024-6678 An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker ... | 9.9 | CRITICAL | β | 0 |
| CVE-2024-2599 File upload restriction evasion vulnerability in AMSS++ version 4.31. This vulnerability could allow an authenticated user to potentially obtain RCE through webshell, compromising the entire infrastru... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-30860 WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, a remote code execution (RCE) vulnerability exists in the application's da... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-30861 WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. From version 0.2.5 to before version 0.2.10, an unauthenticated remote code execution (RCE) vulnera... | 9.9 | CRITICAL | β | 0 |
| CVE-2024-33226 An issue in the component Access64.sys of Wistron Corporation TBT Force Power Control v1.0.0.0 allows attackers to escalate privileges and execute arbitrary code via sending crafted IOCTL requests. | 9.9 | CRITICAL | β | 0 |
| CVE-2024-3592 The Quiz And Survey Master β Best Quiz, Exam and Survey Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'question_id' parameter in all versions up to, and including, 9... | 9.9 | CRITICAL | β | 0 |
| CVE-2024-33644 Improper Control of Generation of Code ('Code Injection') vulnerability in WPCustomify Customify Site Library allows Code Injection.This issue affects Customify Site Library: from n/a through 0.0.9. | 9.9 | CRITICAL | β | 0 |
| CVE-2024-25108 Pixelfed is an open source photo sharing platform. When processing requests authorization was improperly and insufficiently checked, allowing attackers to access far more functionality than users inte... | 9.9 | CRITICAL | β | 0 |
| CVE-2024-21663 Discord-Recon is a Discord bot created to automate bug bounty recon, automated scans and information gathering via a discord server. Discord-Recon is vulnerable to remote code execution. An attacker i... | 9.9 | CRITICAL | β | 0 |
| CVE-2023-50723 XWiki Platform is a generic wiki platform. Starting in 2.3 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, anyone who can edit an arbitrary wiki page in an XWiki installation can gain programmi... | 9.9 | CRITICAL | β | 0 |
| CVE-2024-35344 Certain Anpviz products contain a hardcoded cryptographic key stored in the firmware of the device. This affects IPC-D250, IPC-D260, IPC-B850, IPC-D850, IPC-D350, IPC-D3150, IPC-D4250, IPC-D380, IPC-D... | 9.9 | CRITICAL | β | 0 |
| CVE-2024-39943 rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell i... | 9.9 | CRITICAL | β | 0 |
| CVE-2023-40050 Upload profile either through API or user interface in Chef Automate prior to and including version 4.10.29 using InSpec check command with maliciously crafted profile allows remote code execution. ... | 9.9 | CRITICAL | β | 0 |
| CVE-2023-37909 XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 5.1-rc-1 and prior to versions 14.10.8 and 15.3-rc-1, any user who can edit... | 9.9 | CRITICAL | β | 0 |
| CVE-2023-46243 XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for a user to execute any content with the right of an exist... | 9.9 | CRITICAL | β | 0 |
| CVE-2023-3744 Server-Side Request Forgery vulnerability in SLims version 9.6.0. This vulnerability could allow an authenticated attacker to send requests to internal services or upload the contents of relevant file... | 9.9 | CRITICAL | β | 0 |
| CVE-2023-34207 Unrestricted upload of file with dangerous type vulnerability in create template function in EasyUse MailHunter Ultimate 2023 and earlier allows remote authenticated users to perform arbitrary system ... | 9.9 | CRITICAL | β | 0 |
| CVE-2023-5201 The OpenHook plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.3.0 via the 'php' shortcode. This allows authenticated attackers with subscriber-level perm... | 9.9 | CRITICAL | β | 0 |
| CVE-2023-40177 XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any registered user can use the content field of their user profile page to execute arbitrary s... | 9.9 | CRITICAL | β | 0 |
| CVE-2023-40622 SAP BusinessObjects Business Intelligence Platform (Promotion Management) - versions 420, 430, under certain condition allows an authenticated attacker to view sensitive information which is otherwise... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-34612 Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL Injection vulnerability that leads to Remote Code Execu... | 9.9 | CRITICAL | β | 0 |
| CVE-2023-40020 PrivateUploader is an open source image hosting server written in Vue and TypeScript. In affected versions `app/routes/v3/admin.controller.ts` did not correctly verify whether the user was an administ... | 9.9 | CRITICAL | β | 0 |
| CVE-2023-50721 XWiki Platform is a generic wiki platform. Starting in 4.5-rc-1 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the search administration interface doesn't properly escape the id and label of s... | 9.9 | CRITICAL | β | 0 |
| CVE-2024-41110 Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass... | 9.9 | CRITICAL | β | 0 |
| CVE-2023-32069 XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-2 and prior to versions 14.10.4 and 15.0-rc-1, it's possible for a user to execute anything with the right of the author of... | 9.9 | CRITICAL | β | 0 |
| CVE-2023-30899 A vulnerability has been identified in Siveillance Video 2020 R2 (All versions < V20.2 HotfixRev14), Siveillance Video 2020 R3 (All versions < V20.3 HotfixRev12), Siveillance Video 2021 R1 (All versio... | 9.9 | CRITICAL | β | 0 |
| CVE-2023-34251 Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the admin... | 9.9 | CRITICAL | β | 0 |
| CVE-2023-28445 Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Resizable ArrayBuffers passed to asynchronous functions that are shrunk during the asynchronous operation could resul... | 9.9 | CRITICAL | β | 0 |
| CVE-2023-22579 Due to improper parameter filtering in the sequalize js library, can a attacker peform injection. | 9.9 | CRITICAL | β | 0 |
| CVE-2023-25616 In some scenario, SAP Business Objects Business Intelligence Platform (CMC) - versions 420, 430, Program ObjectΒ execution can lead to code injection vulnerability which could allow an attacker to gain... | 9.9 | CRITICAL | β | 0 |
| CVE-2023-30839 PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even withou... | 9.9 | CRITICAL | β | 0 |
| CVE-2022-45808 SQL Injection vulnerability inΒ LearnPress β WordPress LMS Plugin <=Β 4.1.7.3.2 versions. | 9.9 | CRITICAL | β | 0 |
| CVE-2017-16268 Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the "cc" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the ... | 9.9 | CRITICAL | β | 0 |
| CVE-2017-16269 Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the "cc" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the ... | 9.9 | CRITICAL | β | 0 |
| CVE-2017-16266 Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the "cc" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the ... | 9.9 | CRITICAL | β | 0 |
| CVE-2017-16262 Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the "cc" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the ... | 9.9 | CRITICAL | β | 0 |
| CVE-2017-16264 Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the "cc" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the ... | 9.9 | CRITICAL | β | 0 |
| CVE-2017-16267 Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the "cc" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the ... | 9.9 | CRITICAL | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.