CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2024-57521 SQL Injection vulnerability in RuoYi v.4.7.9 and before allows a remote attacker to execute arbitrary code via the createTable function in SqlUtil.java. | 10.0 | CRITICAL | β | 0 |
| CVE-2025-59503 Server-side request forgery (ssrf) in Azure Compute Gallery allows an unauthorized attacker to elevate privileges over a network. | 10.0 | CRITICAL | β | 0 |
| CVE-2025-36250 IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1 NIM server (formerly known as NIM master) service (nimesis) could allow a remote attacker to execute arbitrary commands due to improper process controls.... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-12539 The TNC Toolbox: Web Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2. This is due to the plugin storing cPanel API credenti... | 10.0 | CRITICAL | β | 0 |
| CVE-2024-39760 Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code exec... | 10.0 | CRITICAL | β | 0 |
| CVE-2024-2227 This vulnerability allows access to arbitrary files in the application server file system due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950. The remedi... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-54914 Azure Networking Elevation of Privilege Vulnerability | 10.0 | CRITICAL | β | 0 |
| CVE-2024-38513 Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows us... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-22609 Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to attach a... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-54122 Manager-io/Manager is accounting software. A critical unauthenticated full read Server-Side Request Forgery (SSRF) vulnerability has been identified in the proxy handler component of both manager Desk... | 10.0 | CRITICAL | β | 0 |
| CVE-2024-5407 A vulnerability in RhinOS 3.0-1190 could allow PHP code injection through the "search" parameter in /portal/search.htm. This vulnerability could allow a remote attacker to perform a reverse shell on t... | 10.0 | CRITICAL | β | 0 |
| CVE-2024-22216 In default installations of Microchip maxView Storage Manager (for Adaptec Smart Storage Controllers) where Redfish server is configured for remote system management, unauthorized access can occur, wi... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-5243 Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SMG Software Information Portal allows Code... | 10.0 | CRITICAL | β | 0 |
| CVE-2024-37099 Deserialization of Untrusted Data vulnerability in Liquid Web GiveWP allows Object Injection.This issue affects GiveWP: from n/a through 3.14.1. | 10.0 | CRITICAL | β | 0 |
| CVE-2025-26853 DESCOR INFOCAD 3.5.1 and before and fixed in v.3.5.2.0 has a broken authorization schema. | 10.0 | CRITICAL | β | 0 |
| CVE-2021-4434 The Social Warfare plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 3.5.2 via the 'swp_url' parameter. This allows attackers to execute code on the server. | 10.0 | CRITICAL | β | 0 |
| CVE-2023-37470 Metabase is an open-source business intelligence and analytics platform. Prior to versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4, a vulnerability could pot... | 10.0 | CRITICAL | β | 0 |
| CVE-2017-12905 Server Side Request Forgery vulnerability in Vebto Pixie Image Editor 1.4 and 1.7 allows remote attackers to disclose information or execute arbitrary code via the url parameter to Launderer.php. | 10.0 | CRITICAL | β | 0 |
| CVE-2023-2163 Incorrect verifier pruningΒ in BPF in Linux KernelΒ >=5.4Β leads to unsafe code paths being incorrectly marked as safe, resulting inΒ arbitrary read/write in kernel memory, lateral privilege escalation, a... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-49447 Unrestricted Upload of File with Dangerous Type vulnerability in Fastw3b LLC FW Food Menu allows Using Malicious Files. This issue affects FW Food Menu : from n/a through 6.0.0. | 10.0 | CRITICAL | β | 0 |
| CVE-2024-7591 Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection.This issue affects: * LoadMaster: 7.2.40.0 and above * ECS: All versions * Multi-Tenancy: 7.1.35.4 and abo... | 10.0 | CRITICAL | β | 0 |
| CVE-2024-30510 Unrestricted Upload of File with Dangerous Type vulnerability in Salon Booking System Salon booking system.This issue affects Salon booking system: from n/a through 9.5. | 10.0 | CRITICAL | β | 0 |
| CVE-2023-6339 Google Nest WiFi Pro root code-execution & user-data compromise | 10.0 | CRITICAL | β | 0 |
| CVE-2023-46731 XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki doesn't properly escape the section URL parameter that is used in the code for displaying... | 10.0 | CRITICAL | β | 0 |
| CVE-2023-52181 Deserialization of Untrusted Data vulnerability in Presslabs Theme per user.This issue affects Theme per user: from n/a through 1.0.1. | 10.0 | CRITICAL | β | 0 |
| CVE-2022-42150 TinyLab linux-lab v1.1-rc1 and cloud-labv0.8-rc2, v1.1-rc1 are vulnerable to insecure permissions. The default configuration could cause Container Escape. | 10.0 | CRITICAL | β | 0 |
| CVE-2024-28354 There is a command injection vulnerability in the TRENDnet TEW-827DRU router with firmware version 2.10B01. An attacker can inject commands into the post request parameters usapps.@smb[%d].username in... | 10.0 | CRITICAL | β | 0 |
| CVE-2023-49617 The MachineSense application programmable interface (API) is improperly protected and can be accessed without authentication. A remote attacker could retrieve and modify sensitive information wit... | 10.0 | CRITICAL | β | 0 |
| CVE-2017-8110 www.modified-shop.org modified eCommerce Shopsoftware 2.0.2.2 rev 10690 has XXE in api/it-recht-kanzlei/api-it-recht-kanzlei.php. | 10.0 | CRITICAL | β | 0 |
| CVE-2024-32651 changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-46348 YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the request to commence a site backup can be performed and downloaded without authentication. The archives are created with a predictab... | 10.0 | CRITICAL | β | 0 |
| CVE-2023-24482 A vulnerability has been identified in COMOS V10.2 (All versions), COMOS V10.3.3.1 (All versions < V10.3.3.1.45), COMOS V10.3.3.2 (All versions < V10.3.3.2.33), COMOS V10.3.3.3 (All versions < V10.3.3... | 10.0 | CRITICAL | β | 0 |
| CVE-2022-2422 Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in case the feathers-sequelize package is used. | 10.0 | CRITICAL | β | 0 |
| CVE-2022-29822 Due to improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection | 10.0 | CRITICAL | β | 0 |
| CVE-2024-11186 On affected versions of the CloudVision Portal, improper access controls could enable a malicious authenticated user to take broader actions on managed EOS devices than intended. This advisory impacts... | 10.0 | CRITICAL | β | 0 |
| CVE-2021-26728 Command injection and stack-based buffer overflow vulnerabilities in the KillDupUsr_func function of spx_restservice allow an attacker to execute arbitrary code with the same privileges as the server ... | 10.0 | CRITICAL | β | 0 |
| CVE-2022-34819 A vulnerability has been identified in SIMATIC CP 1242-7 V2 (All versions < V3.3.46), SIMATIC CP 1243-1 (All versions < V3.3.46), SIMATIC CP 1243-7 LTE EU (All versions < V3.3.46), SIMATIC CP 1243-7 L... | 10.0 | CRITICAL | β | 0 |
| CVE-2022-2310 An authentication bypass vulnerability in Skyhigh SWG in main releases 10.x prior to 10.2.12, 9.x prior to 9.2.23, 8.x prior to 8.2.28, and controlled release 11.x prior to 11.2.1 allows a remote atta... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-41240 Three Bitnami Helm charts mount Kubernetes Secrets under a predictable path (/opt/bitnami/*/secrets) that is located within the web server document root. In affected versions, this can lead to unauthe... | 10.0 | CRITICAL | β | 0 |
| CVE-2022-22570 A buffer overflow vulnerability found in the UniFi Door Access Reader Liteβs (UA Lite) firmware (Version 3.8.28.24 and earlier) allows a malicious actor who has gained access to a network to control a... | 10.0 | CRITICAL | β | 0 |
| CVE-2023-48426 u-boot bug that allows for u-boot shell and interrupt over UART | 10.0 | CRITICAL | β | 0 |
| CVE-2024-56731 Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch ... | 10.0 | CRITICAL | β | 0 |
| CVE-2024-4196 An improper input validation vulnerability was discovered in Avaya IP Office that could allow remote command or code execution via a specially crafted web request to the Web Control component. Affect... | 10.0 | CRITICAL | β | 0 |
| CVE-2024-1839 Intrado 911 Emergency Gateway login form is vulnerable to an unauthenticated blind time-based SQL injection, which may allow an unauthenticated remote attacker to execute malicious code, exfiltrate da... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-59528 Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input conf... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-61934 A binding to an unrestricted IP address vulnerability was discovered in Productivity Suite software version v4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ... | 10.0 | CRITICAL | β | 0 |
| CVE-2022-22995 The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitr... | 10.0 | CRITICAL | β | 0 |
| CVE-2021-43832 Spinnaker is an open source, multi-cloud continuous delivery platform. Spinnaker has improper permissions allowing pipeline creation & execution. This lets an arbitrary user with access to the gate en... | 10.0 | CRITICAL | β | 0 |
| CVE-2024-39761 Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code exec... | 10.0 | CRITICAL | β | 0 |
| CVE-2021-43981 mySCADA myPRO: Versions 8.20.0 and prior has a feature to send emails, which may allow an attacker to inject arbitrary operating system commands through a specific parameter. | 10.0 | CRITICAL | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.