CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID and description | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2022-4117 The IWS WordPress plugin through 1.0 does not properly escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL in... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-4047 The Return Refund and Exchange For WooCommerce WordPress plugin before 4.0.9 does not validate attachment files to be uploaded via an AJAX action available to unauthenticated users, which could allow ... | 9.8 | CRITICAL | β | 0 |
| CVE-2024-48818 An issue in IIT Bombay, Mumbai, India Bodhitree of cs101 version allows a remote attacker to execute arbitrary code. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-55028 A template injection vulnerability in the Dashboard of NASA Fprime v3.4.3 allows attackers to execute arbitrary code via uploading a crafted Vue file. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-55030 A command injection vulnerability in the Command Dispatcher Service of NASA Fprime v3.4.3 allows attackers to execute arbitrary commands. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-26969 In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-55507 An issue in CodeAstro Complaint Management System v.1.0 allows a remote attacker to escalate privileges via the delete_e.php component. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-36783 TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to contain a command injection via the host_time parameter in the NTPSyncWithHost function. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-54809 Netgear Inc WNR854T 1.5.2 (North America) contains a stack-based buffer overflow vulnerability in the parse_st_header function due to use of a request header parameter in a strncpy where size is deter... | 9.8 | CRITICAL | β | 0 |
| CVE-2024-54808 Netgear WNR854T 1.5.2 (North America) contains a stack-based buffer overflow vulnerability in the SetDefaultConnectionService function due to an unconstrained use of sscanf. The vulnerability allows f... | 9.8 | CRITICAL | β | 0 |
| CVE-2024-54807 In Netgear WNR854T 1.5.2 (North America), the UPNP service is vulnerable to command injection in the function addmap_exec which parses the NewInternalClient parameter of the AddPortMapping SOAPAction ... | 9.8 | CRITICAL | β | 0 |
| CVE-2024-54806 Netgear WNR854T 1.5.2 (North America) is vulnerable to Arbitrary command execution in cmd.cgi which allows for the execution of system commands via the web interface. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-54805 Netgear WNR854T 1.5.2 (North America) is vulnerable to Command Injection. An attacker can send a specially crafted request to post.cgi, updating the nvram parameter get_email. After which, they can vi... | 9.8 | CRITICAL | β | 0 |
| CVE-2024-55461 SeaCMS <=13.0 is vulnerable to command execution in phome.php via the function Ebak_RepPathFiletext(). | 9.8 | CRITICAL | β | 0 |
| CVE-2024-54804 Netgear WNR854T 1.5.2 (North America) is vulnerable to Command Injection. An attacker can send a specially crafted request to post.cgi, updating the nvram parameter wan_hostname and forcing a reboot. ... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-25373 The Memory Management Module of NASA cFS (Core Flight System) Aquila has insecure permissions, which can be exploited to gain an RCE on the platform. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-39349 A vulnerability regarding buffer copy without checking size of input ('Classic Buffer Overflow') is found in the libjansson component and it does not affect the upstream library. This allows remote at... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-24119 Certain General Electric Renewable Energy products have a hidden feature for unauthenticated remote access to the device configuration shell. This affects iNET and iNET II before 8.3.0. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-24117 Certain General Electric Renewable Energy products download firmware without an integrity check. This affects iNET and iNET II before 8.3.0, SD before 6.4.7, TD220X before 2.0.16, and TD220MAX before ... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-24116 Certain General Electric Renewable Energy products have inadequate encryption strength. This affects iNET and iNET II before 8.3.0. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-45467 In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /us... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-24170 Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via /goform/fromSetWirelessRepeat. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-33835 Tenda AC18 V15.03.05.05 has a stack overflow vulnerability in the remoteIp parameter from formSetSafeWanWebMan function. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-54803 Netgear WNR854T 1.5.2 (North America) is vulnerable to Command Injection. An attacker can send a specially crafted request to post.cgi, updating the nvram parameter pppoe_peer_mac and forcing a reboot... | 9.8 | CRITICAL | β | 0 |
| CVE-2024-55509 SQL injection vulnerability in CodeAstro Complaint Management System v.1.0 allows a remote attacker to execute arbitrary code and escalate privileges via the id parameter of the delete.php component. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-54802 In Netgear WNR854T 1.5.2 (North America), the UPNP service (/usr/sbin/upnp) is vulnerable to stack-based buffer overflow in the M-SEARCH Host header. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-45466 In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, attackers can make a crafted request to api/?api=add_server&DHCP= to add an authorized_keys text file in the /resources/ folder. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-27837 An issue was discovered in Artifex Ghostscript before 10.05.0. Access to arbitrary files can occur through a truncated path with invalid UTF-8 characters, for base/gp_mswin.c and base/winrtsup.cpp. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-47516 A vulnerability was found in Pagure. An argument injection in Git during retrieval of the repository history leads to remote code execution on the Pagure instance. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-29661 A File Upload vulnerability in DedeCMS v5.7 allows a local attacker to execute arbitrary code via a crafted payload. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-45896 Planet eStream before 6.72.10.07 allows unauthenticated upload of arbitrary files: Choose a Video / Related Media or Upload Document. Upload2.ashx can be used, or Ajax.asmx/ProcessUpload2. This leads ... | 9.8 | CRITICAL | β | 0 |
| CVE-2024-6611 A nested iframe, triggering a cross-site navigation, could send SameSite=Strict or Lax cookies. This vulnerability affects Firefox < 128 and Thunderbird < 128. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-44640 Heimdal before 7.7.1 allows remote attackers to execute arbitrary code because of an invalid free in the ASN.1 codec used by the Key Distribution Center (KDC). | 9.8 | CRITICAL | β | 0 |
| CVE-2024-6057 Improper authentication in the vault password feature in Devolutions Remote Desktop Manager 2024.1.31.0 and earlier allows an attacker that has compromised an access to an RDM instance to bypass the v... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-44015 An issue was discovered in Simmeth Lieferantenmanager before 5.6. An attacker can inject raw SQL queries. By activating MSSQL features, the attacker is able to execute arbitrary commands on the MSSQL ... | 9.8 | CRITICAL | β | 0 |
| CVE-2024-54148 Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.... | 9.8 | CRITICAL | β | 0 |
| CVE-2024-33350 Directory Traversal vulnerability in TaoCMS v.3.0.2 allows a remote attacker to execute arbitrary code and obtain sensitive information via the include/model/file.php component. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-3495 Delta Electronics COMMGR v1 and v2 uses insufficiently randomized values to generate session IDs (CWE-338). An attacker could easily brute force a session ID and load and execute arbitrary code. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-31666 An issue in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via a crafted script to the edit_addon_post.php component. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-33768 lunasvg v2.3.9 was discovered to contain a segmentation violation via the component composition_solid_source_over. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-25535 HTTP Response Manipulation in SCRIPT CASE v.1.0.002 Build7 allows a remote attacker to escalate privileges via a crafted request. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-33444 SQL injection vulnerability in onethink v.1.1 allows a remote attacker to escalate privileges via a crafted script to the ModelModel.class.php component. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-38468 Shenzhen Guoxin Synthesis image system before 8.3.0 allows unauthorized password resets via the resetPassword API. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-50717 SQL injection vulnerability in Smart Agent v.1.1.0 allows a remote attacker to execute arbitrary code via the client parameter in the /recuperaLog.php component. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-47949 The Nintendo NetworkBuffer class, as used in Animal Crossing: New Horizons before 2.0.6 and other products, allows remote attackers to execute arbitrary code via a large UDP packet that causes a buffe... | 9.8 | CRITICAL | β | 0 |
| CVE-2024-28613 SQL Injection vulnerability in PHP Task Management System v.1.0 allows a remote attacker to escalate privileges and obtain sensitive information via the task_id parameter of the task-details.php, and ... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-44750 HCL Domino is susceptible to a stack based buffer overflow vulnerability in lasr.dll in Micro Focus KeyView. This could allow a remote unauthenticated attacker to crash the application or execute arb... | 9.8 | CRITICAL | β | 0 |
| CVE-2024-50716 SQL injection vulnerability in Smart Agent v.1.1.0 allows a remote attacker to execute arbitrary code via the id parameter in the /sendPushManually.php component. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-26002 Telesquare TLR-2005KSH 1.1.4 is affected by an unauthorized stack overflow vulnerability when requesting the admin.cgi parameter with setSyncTimeHost. | 9.8 | CRITICAL | β | 0 |
| CVE-2023-24166 Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via /goform/formWifiBasicSet. | 9.8 | CRITICAL | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.