CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data. CVSS is the NVD base score and Severity is the NVD qualitative band for that score (9.0 and above is CRITICAL); the KEV column marks whether the CVE appears in CISA's Known Exploited Vulnerabilities catalog, with – meaning it does not.
| CVE ID | Description | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|---|
| CVE-2025-1128 | The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file typ... | 9.8 | CRITICAL | – | 0 |
| CVE-2024-45824 | A remote code execution vulnerability exists in the affected products. The vulnerability occurs when chained with Path Traversal, Command Injection, and XSS vulnerabilities and allows f... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-1066 | OpenPLC_V3 contains an arbitrary file upload vulnerability, which could be leveraged for malvertising or phishing campaigns. | 9.8 | CRITICAL | – | 0 |
| CVE-2024-57035 | WeGIA v3.2.0 is vulnerable to SQL Injection via the nextPage parameter in /controle/control.php. | 9.8 | CRITICAL | – | 0 |
| CVE-2024-57034 | WeGIA < 3.2.0 is vulnerable to SQL Injection in query_geracao_auto.php via the query parameter. | 9.8 | CRITICAL | – | 0 |
| CVE-2024-57032 | WeGIA < 3.2.0 is vulnerable to Incorrect Access Control in controle/control.php. The application does not validate the value of the old password, so it is possible to change the password by placing an... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-27140 | WeGIA is a web manager for charitable institutions. An OS Command Injection vulnerability was discovered in versions prior to 3.2.15 of the WeGIA application, `importar_dump.php` endpoint. This vulner... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-25513 | SeaCMS <= 13.3 is vulnerable to SQL Injection in admin_members.php. | 9.8 | CRITICAL | – | 0 |
| CVE-2024-56525 | In Public Knowledge Project (PKP) OJS, OMP, and OPS before 3.3.0.21 and 3.4.x before 3.4.0.8, an XXE attack by the Journal Editor role can create a new role as super admin in the journal context, and ... | 9.8 | CRITICAL | – | 0 |
| CVE-2024-54820 | XOne Web Monitor v02.10.2024.530 framework 1.0.4.9 was discovered to contain a SQL injection vulnerability in the login page. This vulnerability allows attackers to extract all usernames and passwords... | 9.8 | CRITICAL | – | 0 |
| CVE-2023-28677 | Jenkins Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step... | 9.8 | CRITICAL | – | 0 |
| CVE-2024-37080 | vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a ... | 9.8 | CRITICAL | – | 0 |
| CVE-2024-48126 | HI-SCAN 6040i Hitrax HX-03-19-I was discovered to contain hardcoded credentials for vendor support and service access. | 9.8 | CRITICAL | – | 0 |
| CVE-2024-56897 | Improper access control in the HTTP server in YI Car Dashcam v3.88 allows unrestricted file downloads, uploads, and API commands. API commands can also be made to make unauthorized modifications to th... | 9.8 | CRITICAL | – | 0 |
| CVE-2024-40480 | A Broken Access Control vulnerability was found in /admin/update.php and /admin/dashboard.php in Kashipara Online Exam System v1.0, which allows remote unauthenticated attackers to view administrator ... | 9.8 | CRITICAL | – | 0 |
| CVE-2024-37632 | TOTOLINK A3700R V9.1.2u.6165_20211012 was discovered to contain a stack overflow via the password parameter in the loginAuth function. | 9.8 | CRITICAL | – | 0 |
| CVE-2024-28537 | Tenda AC18 V15.03.05.05 has a stack overflow vulnerability in the page parameter of the fromNatStaticSetting function. | 9.8 | CRITICAL | – | 0 |
| CVE-2023-51828 | A SQL Injection vulnerability in /admin/convert/export.class.php in PMB 7.4.7 and earlier versions allows remote unauthenticated attackers to execute arbitrary SQL commands via the query parameter in ... | 9.8 | CRITICAL | – | 0 |
| CVE-2024-27768 | Unitronics UniStream UniLogic – versions prior to 1.35.227 – CWE-22 'Path Traversal' may allow RCE. | 9.8 | CRITICAL | – | 0 |
| CVE-2023-37058 | Insecure Permissions vulnerability in JLINK Unionman Technology Co. Ltd Jlink AX1800 v.1.0 allows a remote attacker to escalate privileges via a crafted command. | 9.8 | CRITICAL | – | 0 |
| CVE-2024-0390 | INPRAX "iZZi connect" application on Android contains hard-coded MQTT queue credentials. The same MQTT queue is used by corresponding physical recuperation devices. Exploiting this vulnerability could... | 9.8 | CRITICAL | – | 0 |
| CVE-2023-37057 | An issue in JLINK Unionman Technology Co. Ltd Jlink AX1800 v.1.0 allows a remote attacker to execute arbitrary code via the router's authentication mechanism. | 9.8 | CRITICAL | – | 0 |
| CVE-2024-52677 | HkCms <= v2.3.2.240702 is vulnerable to file upload in the getFileName method in /app/common/library/Upload.php. | 9.8 | CRITICAL | – | 0 |
| CVE-2018-25099 | In the CryptX module before 0.062 for Perl, gcm_decrypt_verify() and chacha20poly1305_decrypt_verify() do not verify the authentication tag. | 9.8 | CRITICAL | – | 0 |
| CVE-2024-24300 | 4ipnet EAP-767 v3.42.00 is vulnerable to Incorrect Access Control. The device uses the same set of credentials regardless of how many times a user logs in; the content of the cookie remains unchanged... | 9.8 | CRITICAL | – | 0 |
| CVE-2024-42812 | In D-Link DIR-860L v2.03, there is a buffer overflow vulnerability due to the lack of length verification for the SID field in gena.cgi. Attackers who successfully exploit this vulnerability can cause... | 9.8 | CRITICAL | – | 0 |
| CVE-2024-25216 | Employee Management System v1.0 was discovered to contain a SQL injection vulnerability via the mailud parameter at /aprocess.php. | 9.8 | CRITICAL | – | 0 |
| CVE-2023-7081 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in POSTAHSİL Online Payment System allows SQL Injection. This issue affects Online Payment System: bef... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-22974 | SQL Injection vulnerability in SeaCMS v13.2 and before allows a remote attacker to execute arbitrary code via the DoTranExecSql parameter in the phome.php component. | 9.8 | CRITICAL | – | 0 |
| CVE-2024-49803 | IBM Security Verify Access Appliance 10.0.0 through 10.0.8 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. | 9.8 | CRITICAL | – | 0 |
| CVE-2024-39704 | Soft Circle French-Bread Melty Blood: Actress Again: Current Code through 1.07 Rev. 1.4.0 allows a remote attacker to execute arbitrary code on a client's machine via a crafted packet on TCP port 4631... | 9.8 | CRITICAL | – | 0 |
| CVE-2024-57581 | Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the firewallEn parameter in the formSetFirewallCfg function. | 9.8 | CRITICAL | – | 0 |
| CVE-2023-52153 | A SQL Injection vulnerability in /pmb/opac_css/includes/sessions.inc.php in PMB 7.4.7 and earlier allows remote unauthenticated attackers to inject arbitrary SQL commands via the PmbOpac-LOGIN cookie ... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-23220 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in the WeGIA application, specifically in the adic... | 9.8 | CRITICAL | – | 0 |
| CVE-2024-31807 | TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the hostTime parameter in the NTPSyncWithHost function. | 9.8 | CRITICAL | – | 0 |
| CVE-2024-57595 | D-Link DIR-825 Rev B 2.03 devices have an OS command injection vulnerability in the CGI interface apc_client_pin.cgi, which allows remote attackers to execute arbitrary commands via the parameter "wps_p... | 9.8 | CRITICAL | – | 0 |
| CVE-2024-33411 | A SQL injection vulnerability in /model/get_admin_profile.php in Campcodes Complete Web-Based School Management System 1.0 allows an attacker to execute arbitrary SQL commands via the my_index parameter. | 9.8 | CRITICAL | – | 0 |
| CVE-2024-47857 | SSH Communications Security PrivX versions 18.0 through 36.0 implement insufficient validation of public key signatures when using native SSH connections via a proxy port. This allows an existing PrivX... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-23219 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in the WeGIA application, specifically in the adic... | 9.8 | CRITICAL | – | 0 |
| CVE-2021-28254 | A deserialization vulnerability in the `__destruct()` function of Laravel v8.5.9 allows attackers to execute arbitrary commands. | 9.8 | CRITICAL | – | 0 |
| CVE-2024-38474 | Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any U... | 9.8 | CRITICAL | – | 0 |
| CVE-2023-52381 | Script injection vulnerability in the email module. Successful exploitation of this vulnerability may affect service confidentiality, integrity, and availability. | 9.8 | CRITICAL | – | 0 |
| CVE-2024-33409 | SQL injection vulnerability in index.php in Campcodes Complete Web-Based School Management System 1.0 allows an attacker to execute arbitrary SQL commands via the name parameter. | 9.8 | CRITICAL | – | 0 |
| CVE-2024-33408 | A SQL injection vulnerability in /model/get_classroom.php in Campcodes Complete Web-Based School Management System 1.0 allows an attacker to execute arbitrary SQL commands via the id parameter. | 9.8 | CRITICAL | – | 0 |
| CVE-2025-24924 | Certain functionality within GMOD Apollo does not require authentication when passed with an administrative username. | 9.8 | CRITICAL | – | 0 |
| CVE-2024-42638 | H3C Magic B1ST v100R012 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root. | 9.8 | CRITICAL | – | 0 |
| CVE-2025-23218 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in the WeGIA application, specifically in the adic... | 9.8 | CRITICAL | – | 0 |
| CVE-2024-57580 | Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the devName parameter in the formSetDeviceName function. | 9.8 | CRITICAL | – | 0 |
| CVE-2024-42978 | An issue in the handler function in /goform/telnet of Tenda FH1206 v02.03.01.35 allows attackers to execute arbitrary commands via a crafted HTTP request. | 9.8 | CRITICAL | – | 0 |
| CVE-2024-52765 | H3C GR-1800AX MiniGRW1B0V100R007 is vulnerable to remote code execution (RCE) via the aspForm parameter. | 9.8 | CRITICAL | – | 0 |
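A feed like the one above is only as trustworthy as its enrichment, so a consumer should re-derive the two computed columns rather than take them on faith. The script below is an added example (not the site's code, and not NVD or CISA tooling): it parses rows in the table's format, recomputes the NVD CVSS v3.x severity band from the score and compares it with the Severity column, recomputes KEV membership from a catalog and compares it with the KEV column, and orders the rows for triage. The table text and the KEV subset in the block are constructed samples: the first two rows are copied from the table, the CVE-2021-44228 and CVE-2014-0160 rows are added (both are real KEV entries, with their NVD v3.1 scores; the CVE-2014-0160 row's severity label is deliberately wrong so the check has something to catch). The `yes` marker for a KEV hit and the KEV-first triage order are assumptions of the example, not conventions of the site.

```python
"""Parse a CVE feed table, re-derive severity from CVSS, and recompute KEV flags.

Added example for this page; not the site's code and not NVD/CISA tooling.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Cell values this example treats as "listed in KEV"; anything else (an en dash,
# an empty cell, a mis-encoded symbol) reads as "not listed".  Assumption of the
# example, not a convention of the site.
KEV_YES_MARKERS = {"yes", "y", "true", "kev", "✓"}


@dataclass
class Row:
    cve: str
    description: str
    cvss: float
    severity: str   # severity label as printed in the feed
    kev_flag: bool  # KEV column as printed in the feed
    sightings: int


def cvss3_severity(score: float) -> str:
    """NVD qualitative rating for a CVSS v3.x base score."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def parse_table(text: str) -> list[Row]:
    """Read markdown rows ending in `| CVSS | Severity | KEV | Sightings |`.

    Accepts both a first cell holding only the CVE ID and one where the export
    merged the ID and the description into a single cell.
    """
    rows: list[Row] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) < 5:
            continue
        match = CVE_RE.search(cells[0])
        if match is None:
            continue  # header row, separator row, or a line with no CVE ID
        *lead, cvss, severity, kev, sightings = cells  # fixed columns parsed from the right
        first_rest = cells[0][match.end():].strip()
        desc_cells = ([first_rest] if first_rest else []) + lead[1:]
        rows.append(Row(
            cve=match.group(0),
            description=" | ".join(desc_cells),  # re-join pipes that sat inside a description
            cvss=float(cvss),
            severity=severity.upper(),
            kev_flag=kev.lower() in KEV_YES_MARKERS,
            sightings=int(sightings),
        ))
    return rows


def enrich(rows: list[Row], kev_catalog: set[str]) -> list[dict]:
    """Recompute severity and KEV membership per row and order rows for triage."""
    report = []
    for r in rows:
        derived = cvss3_severity(r.cvss)
        in_kev = r.cve in kev_catalog
        report.append({
            "cve": r.cve,
            "cvss": r.cvss,
            "feed_severity": r.severity,
            "derived_severity": derived,
            "severity_consistent": derived == r.severity,
            "in_kev": in_kev,
            "feed_kev_consistent": in_kev == r.kev_flag,
        })
    # Triage order: KEV entries first, then higher CVSS, then CVE ID for a stable order.
    report.sort(key=lambda e: (not e["in_kev"], -e["cvss"], e["cve"]))
    return report


# Constructed sample: first two rows copied from the table above (one in the merged
# ID+description form, one split); the last two rows are added for the checks.
SAMPLE_TABLE = """
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2025-1128 The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion | 9.8 | CRITICAL | – | 0 |
| CVE-2024-57035 | WeGIA v3.2.0 is vulnerable to SQL Injection via the nextPage parameter in /controle/control.php. | 9.8 | CRITICAL | – | 0 |
| CVE-2021-44228 | Apache Log4j2 JNDI lookup remote code execution (added row; real KEV entry) | 10.0 | CRITICAL | yes | 0 |
| CVE-2014-0160 | OpenSSL Heartbleed out-of-bounds read (added row; severity label deliberately wrong, KEV column deliberately stale) | 7.5 | CRITICAL | – | 0 |
"""

# Constructed subset of the CISA KEV catalog; only membership by CVE ID matters here.
KEV_SUBSET = {"CVE-2021-44228", "CVE-2014-0160"}


def triage_report(table_text: str = SAMPLE_TABLE, kev_catalog: set[str] = KEV_SUBSET) -> list[dict]:
    return enrich(parse_table(table_text), kev_catalog)


if __name__ == "__main__":
    for e in triage_report():
        flags = ["KEV"] if e["in_kev"] else []
        if not e["severity_consistent"]:
            flags.append(f"severity mismatch: feed={e['feed_severity']} derived={e['derived_severity']}")
        if not e["feed_kev_consistent"]:
            flags.append("KEV column disagrees with catalog")
        print(f"{e['cve']:<15} {e['cvss']:>4} {e['derived_severity']:<8} {'; '.join(flags)}")
```

Run against the real feed, replace `KEV_SUBSET` with the CVE IDs from CISA's published KEV JSON and feed the page's table text to `triage_report`; a row whose recomputed band or KEV status disagrees with the printed column is a data-quality finding about the feed, not about the CVE.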
This product uses data from the NVD API but is not endorsed or certified by the NVD.