CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2025-66956 Insecure Access Control in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote attackers to access and execute attachments via a computable URL. | 9.9 | CRITICAL | β | 0 |
| CVE-2025-57795 Explorance Blue versions prior to 8.14.13 contain an authenticated remote file download vulnerability in a web service component. In default configurations, this flaw can be leveraged to achieve remot... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-25115 n8n is an open source workflow automation platform. Prior to version 2.4.8, a vulnerability in the Python Code node allows authenticated users to break out of the Python sandbox environment and execut... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-27574 OneUptime is a solution for monitoring and managing online services. In versions 9.5.13 and below, custom JavaScript monitor feature uses Node.js's node:vm module (explicitly documented as not a secur... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-25049 n8n is an open source workflow automation platform. Prior to versions 1.123.17 and 2.5.2, an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflo... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-23836 HotCRP is conference review software. A problem introduced in April 2024 in version 3.1 led to inadequately sanitized code generation for HotCRP formulas which allowed users to trigger the execution o... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-0963 An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-25053 n8n is an open source workflow automation platform. Prior to versions 1.123.10 and 2.5.0, vulnerabilities in the Git node allowed authenticated users with permission to create or modify workflows to e... | 9.9 | CRITICAL | β | 0 |
| CVE-2024-8624 The MDTF β Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to SQL Injection via the 'meta_key' attribute of the 'mdf_select_title' shortcode in all versions up to, and including, 1.... | 9.9 | CRITICAL | β | 0 |
| CVE-2025-62056 Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes News Event news-event.This issue affects News Event: from n/a through <= 1.0.1. | 9.9 | CRITICAL | β | 0 |
| CVE-2024-6386 The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via the Twig Server-Side Template Injection. This is due to missing input validation a... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-21708 A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user. | 9.9 | CRITICAL | β | 0 |
| CVE-2024-37288 A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. This issue only affects users that use Elastic Secur... | 9.9 | CRITICAL | β | 0 |
| CVE-2020-1595 <p>A remote code execution vulnerability exists in Microsoft SharePoint where APIs aren't properly protected from unsafe data input. An attacker who successfully exploited the vulnerability could run ... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-24908 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Patient REST API endpoint allows ... | 9.9 | CRITICAL | β | 0 |
| CVE-2024-43249 Unrestricted Upload of File with Dangerous Type vulnerability in Bit Apps Bit Form Pro allows Command Injection.This issue affects Bit Form Pro: from n/a through 2.6.4. | 9.9 | CRITICAL | β | 0 |
| CVE-2026-21666 A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server. | 9.9 | CRITICAL | β | 0 |
| CVE-2026-27495 n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could exploit a vulnerability in ... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-22172 OpenClaw versions prior to 2026.3.12 contain an authorization bypass vulnerability in the WebSocket connect path that allows shared-token or password-authenticated connections to self-declare elevated... | 9.9 | CRITICAL | β | 0 |
| CVE-2020-11011 In Phproject before version 1.7.8, there's a vulnerability which allows users with access to file uploads to execute arbitrary code. This is patched in version 1.7.8. | 9.9 | CRITICAL | β | 0 |
| CVE-2024-30236 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery.This issue affects Con... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-23515 Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary s... | 9.9 | CRITICAL | β | 0 |
| CVE-2022-24665 PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via a WordPress gutenberg block by any user able to edit posts. | 9.9 | CRITICAL | β | 0 |
| CVE-2022-41681 There is a vulnerability on Forma LMS version 3.1.0 and earlier that could allow an authenticated attacker (with the role of student) to privilege escalate in order to upload a Zip file through the SC... | 9.9 | CRITICAL | β | 0 |
| CVE-2025-70982 Incorrect access control in the importUser function of SpringBlade v4.5.0 allows attackers with low-level privileges to arbitrarily import sensitive user data. | 9.9 | CRITICAL | β | 0 |
| CVE-2023-0016 SAP BPC MS 10.0 - version 810, allows an unauthorized attacker to execute crafted database queries. The exploitation of this issue could lead to SQL injection vulnerability and could allow an attacker... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-24740 Dozzle is a realtime log viewer for docker containers. Prior to version 9.0.3, a flaw in Dozzleβs agent-backed shell endpoints allows a user restricted by label filters (for example, `label=env=dev`) ... | 9.9 | CRITICAL | β | 0 |
| CVE-2017-16260 Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the "cc" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the ... | 9.9 | CRITICAL | β | 0 |
| CVE-2017-16266 Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the "cc" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the ... | 9.9 | CRITICAL | β | 0 |
| CVE-2022-45808 SQL Injection vulnerability inΒ LearnPress β WordPress LMS Plugin <=Β 4.1.7.3.2 versions. | 9.9 | CRITICAL | β | 0 |
| CVE-2026-27702 Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe `eval()` vulnerability in Budibase's view filtering implementation allows a... | 9.9 | CRITICAL | β | 0 |
| CVE-2017-16263 Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the "cc" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the ... | 9.9 | CRITICAL | β | 0 |
| CVE-2016-15057 ** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Continuum. This issue affects Apache Continuum: all version... | 9.9 | CRITICAL | β | 0 |
| CVE-2023-36468 XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an XWiki installation is upgraded and that upgrade contains a fix for a bug in a document,... | 9.9 | CRITICAL | β | 0 |
| CVE-2023-33190 Sealos is an open source cloud operating system distribution based on the Kubernetes kernel. In versions of Sealos prior to 4.2.1-rc4 an improper configuration of role based access control (RBAC) perm... | 9.9 | CRITICAL | β | 0 |
| CVE-2025-68555 Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Nutrie nutrie allows Upload a Web Shell to a Web Server.This issue affects Nutrie: from n/a through < 2.0.1. | 9.9 | CRITICAL | β | 0 |
| CVE-2023-33318 Unrestricted Upload of File with Dangerous Type vulnerability in WooCommerce AutomateWoo.This issue affects AutomateWoo: from n/a through 4.9.40. | 9.9 | CRITICAL | β | 0 |
| CVE-2019-10758 mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. A misuse of the `vm` dependency to perform `exec` commands in a non-safe environment. | 9.9 | CRITICAL | KEV | 0 |
| CVE-2025-31048 Unrestricted Upload of File with Dangerous Type vulnerability in Themify Shopo allows Upload a Web Shell to a Web Server.This issue affects Shopo: from n/a through 1.1.4. | 9.9 | CRITICAL | β | 0 |
| CVE-2025-46066 An issue in Automai Director v.25.2.0 allows a remote attacker to escalate privileges | 9.9 | CRITICAL | β | 0 |
| CVE-2025-47283 Gardener implements the automated management and operation of Kubernetes clusters as a service. A security vulnerability was discovered in Gardener prior to versions 1.116.4, 1.117.5, 1.118.2, and 1.1... | 9.9 | CRITICAL | β | 0 |
| CVE-2023-29130 A vulnerability has been identified in SIMATIC CN 4100 (All versions < V2.5). Affected device consists of improper access controls in the configuration files that leads to privilege escalation. An att... | 9.9 | CRITICAL | β | 0 |
| CVE-2023-23645 Improper Control of Generation of Code ('Code Injection') vulnerability in MainWP MainWP Code Snippets Extension allows Code Injection.This issue affects MainWP Code Snippets Extension: from n/a throu... | 9.9 | CRITICAL | β | 0 |
| CVE-2025-67781 An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. Local unprivileged users can manipulate privileged processes to gain more privileges on Windows com... | 9.9 | CRITICAL | β | 0 |
| CVE-2025-55343 Quipux 4.0.1 through e1774ac allows authenticated users to conduct SQL injection attacks via busqueda/busqueda.php txt_depe_codi, busqueda/busqueda.php txt_usua_codi, anexos_lista.php radi_temp, Admin... | 9.9 | CRITICAL | β | 0 |
| CVE-2025-30996 Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Sidepane WordPress Theme, Themify Themify Newsy, Themify Themify Folo, Themify Themify Edmin, Themify Bloggie, Themify ... | 9.9 | CRITICAL | β | 0 |
| CVE-2025-69403 Unrestricted Upload of File with Dangerous Type vulnerability in Bravis-Themes Bravis Addons bravis-addons allows Using Malicious Files.This issue affects Bravis Addons: from n/a through <= 1.3.0. | 9.9 | CRITICAL | β | 0 |
| CVE-2025-68110 ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message including the host, ip, username, and password. Version 6.5.3 fixes ... | 9.9 | CRITICAL | β | 0 |
| CVE-2025-67084 File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Exec... | 9.9 | CRITICAL | β | 0 |
| CVE-2025-14700 An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection... | 9.9 | CRITICAL | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.