CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2025-53644 OpenCV is an Open Source Computer Vision Library. Versions 4.10.0 and 4.11.0 have an uninitialized pointer variable on stack that may lead to arbitrary heap buffer write when reading crafted JPEG imag... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-52046 Totolink A3300R V17.0.0cu.596_B20250515 was found to contain a command injection vulnerability in the sub_4197C0 function via the mac and desc parameters. This vulnerability allows unauthenticated att... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-34111 An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows r... | 9.8 | CRITICAL | — | 0 |
| CVE-2024-30080 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | 9.8 | CRITICAL | — | 0 |
| CVE-2022-36934 An integer overflow in WhatsApp could result in remote code execution in an established video call. | 9.8 | CRITICAL | — | 0 |
| CVE-2024-35307 Argument Injection Leading to Remote Code Execution in Realtime Graph Extension, allowing unauthenticated attackers to execute arbitrary code on the server. This issue affects Pandora FMS: from 700 th... | 9.8 | CRITICAL | — | 0 |
| CVE-2024-35306 OS Command injection in Ajax PHP files via HTTP Request, allows to execute system commands by exploiting variables. This issue affects Pandora FMS: from 700 through <777. | 9.8 | CRITICAL | — | 0 |
| CVE-2024-12687 Deserialization of Untrusted Data vulnerability in PlexTrac (Runbooks modules) which allows Object Injection and arbitrary file writes. This issue affects PlexTrac: from 1.61.3 before 2.8.1. | 9.8 | CRITICAL | — | 0 |
| CVE-2024-35305 Unauth Time-Based SQL Injection in API allows to exploit HTTP request Authorization header. This issue affects Pandora FMS: from 700 through <777. | 9.8 | CRITICAL | — | 0 |
| CVE-2025-50756 Wavlink WN535K3 20191010 was found to contain a command injection vulnerability in the set_sys_adm function via the newpass parameter. This vulnerability allows attackers to execute arbitrary commands... | 9.8 | CRITICAL | — | 0 |
| CVE-2011-10019 Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the search[send][] par... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-4445 The FL3R FeelBox WordPress plugin through 8.1 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a S... | 9.8 | CRITICAL | — | 0 |
| CVE-2024-3700 Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all Simple Care software installations. This ... | 9.8 | CRITICAL | — | 0 |
| CVE-2024-12084 A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the ... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-0585 The a+HRD from aEnrich Technology has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents. | 9.8 | CRITICAL | — | 0 |
| CVE-2024-11704 A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Under specific conditions, the same symmetric key could have been freed twice, potentially l... | 9.8 | CRITICAL | — | 0 |
| CVE-2020-8007 The pwrstudio web application of EV Charger (in the server in Circontrol Raption through 5.6.2) is vulnerable to OS command injection via three fields of the configuration menu for ntpserver0, ntpserv... | 9.8 | CRITICAL | — | 0 |
| CVE-2024-6360 Incorrect Permission Assignment for Critical Resource vulnerability in OpenText™ Vertica could allow Privilege Abuse and result in unauthorized access or privileges to Vertica agent apikey. This issue... | 9.8 | CRITICAL | — | 0 |
| CVE-2024-52777 DCME-320 <=7.4.12.90, DCME-520 <=9.25.5.11, DCME-320-L, <=9.3.5.26, and DCME-720 <=9.1.5.11 are vulnerable to Remote Code Execution via /function/system/basic/license_update.php. | 9.8 | CRITICAL | — | 0 |
| CVE-2024-38476 Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or... | 9.8 | CRITICAL | — | 0 |
| CVE-2024-55547 SNMP objects in NET-SNMP used in ORing IAP-420 allows Command Injection. This issue affects IAP-420: through 2.01e. | 9.8 | CRITICAL | — | 0 |
| CVE-2025-26347 A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user per... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-1100 A CWE-259 "Use of Hard-coded Password" for the root account in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to execute arbitrary code with root privile... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-26410 The firmware of all Wattsense Bridge devices contain the same hard-coded user and root credentials. The user password can be easily recovered via password cracking attempts. The recovered credentials ... | 9.8 | CRITICAL | — | 0 |
| CVE-2024-38541 In the Linux kernel, the following vulnerability has been resolved: of: module: add buffer overflow check in of_modalias() In of_modalias(), if the buffer happens to be too small even for the 1st sn... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-26339 A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the devic... | 9.8 | CRITICAL | — | 0 |
| CVE-2024-57520 Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function. NOTE: this is disputed by the Supplier because the impact is... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-26341 A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset arb... | 9.8 | CRITICAL | — | 0 |
| CVE-2024-52782 DCME-320 <=7.4.12.90, DCME-520 <=9.25.5.11, DCME-320-L <=9.3.5.26, and DCME-720 <=9.1.5.11 are vulnerable to Remote Code Execution via /function/audit/newstatistics/mon_stat_hist_new.php. | 9.8 | CRITICAL | — | 0 |
| CVE-2025-26342 A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to create ar... | 9.8 | CRITICAL | — | 0 |
| CVE-2024-52781 DCME-320 <=7.4.12.90, DCME-520 <=9.25.5.11, DCME-320-L <=9.3.5.26, and DCME-720 <=9.1.5.11 are vulnerable to Remote Code Execution via /function/system/tool/traceroute.php. | 9.8 | CRITICAL | — | 0 |
| CVE-2025-1017 Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort som... | 9.8 | CRITICAL | — | 0 |
| CVE-2024-12727 A pre-auth SQL injection vulnerability in the email protection feature of Sophos Firewall versions older than 21.0 MR1 (21.0.1) allows access to the reporting database and can lead to remote code exec... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-1016 Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption an... | 9.8 | CRITICAL | — | 0 |
| CVE-2024-52780 DCME-320 <=7.4.12.90, DCME-520 <=9.25.5.11, DCME-320-L <=9.3.5.26, and DCME-720 <=9.1.5.11 are vulnerable to Remote Code Execution via /function/system/basic/mgmt_edit.php. | 9.8 | CRITICAL | — | 0 |
| CVE-2025-26344 A CWE-306 "Missing Authentication for Critical Function" in maxprofile/guest-mode/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable ... | 9.8 | CRITICAL | — | 0 |
| CVE-2019-20461 An issue was discovered on Alecto IVM-100 2019-11-12 devices. The device uses a custom UDP protocol to start and control video and audio services. The protocol has been partially reverse engineered. B... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-26345 A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user gro... | 9.8 | CRITICAL | — | 0 |
| CVE-2024-9392 A compromised content process could have allowed for the arbitrary loading of cross-origin pages. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128... | 9.8 | CRITICAL | — | 0 |
| CVE-2024-52779 DCME-320 <=7.4.12.90, DCME-520 <=9.25.5.11, DCME-320-L <=9.3.5.26, and DCME-720 <=9.1.5.11 are vulnerable to Remote Code Execution via /function/audit/newstatistics/mon_stat_top10.php. | 9.8 | CRITICAL | — | 0 |
| CVE-2025-24102 The issue was addressed with improved checks. This issue is fixed in iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. An app may be able to determine a user’s current loca... | 9.8 | CRITICAL | — | 0 |
| CVE-2024-50588 An unauthenticated attacker with access to the local network of the medical office can use known default credentials to gain remote DBA access to the Elefant Firebird database. The data in the datab... | 9.8 | CRITICAL | — | 0 |
| CVE-2024-10763 The Campress theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.35 via the 'campress_woocommerce_get_ajax_products' function. This makes it possible for ... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-1387 Orca HCM from LEARNING DIGITAL has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to log in to the system as any user. | 9.8 | CRITICAL | — | 0 |
| CVE-2024-52778 DCME-320 <=7.4.12.90, DCME-520 <=9.25.5.11, DCME-320-L <=9.3.5.26, and DCME-720 <=9.1.5.11 are vulnerable to Remote Code Execution via /function/audit/newstatistics/mon_stat_hist.php. | 9.8 | CRITICAL | — | 0 |
| CVE-2024-38441 Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[len] to '\0' in FPMapName in afp_mapname in etc/afpd/directory.c. 2.4.1 and 3.1.19 are al... | 9.8 | CRITICAL | — | 0 |
| CVE-2024-9401 Memory safety bugs present in Firefox 130, Firefox ESR 115.15, Firefox ESR 128.2, and Thunderbird 128.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort ... | 9.8 | CRITICAL | — | 0 |
| CVE-2024-11482 A vulnerability in ESM 11.6.10 allows unauthenticated access to the internal Snowservice API and enables remote code execution through command injection, executed as the root user. | 9.8 | CRITICAL | — | 0 |
| CVE-2024-28747 An unauthenticated remote attacker can use the hard-coded credentials to access the SmartSPS devices with high privileges. | 9.8 | CRITICAL | — | 0 |
| CVE-2024-39171 Directory Travel in PHPVibe v11.0.46 due to incomplete blacklist checksums and directory checks, which can lead to code execution via writing specific statements to .htaccess and code to a file with a... | 9.8 | CRITICAL | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.