CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2022-24491 Windows Network File System Remote Code Execution Vulnerability | 9.8 | CRITICAL | — | 0 |
| CVE-2022-0679 The Narnoo Distributor WordPress plugin through 2.5.1 fails to validate and sanitize the lib_path parameter before it is passed into a call to require() via the narnoo_distributor_lib_request AJAX act... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-42786 It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent (DSA) has Remote Code Execution vulnerabilities in multiple instances of the API requests. The affected endpoints do not hav... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-42854 It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) PluginServlet has directory traversal vulnerabilities at the "/api/appInternals/1.0/plugin/pmx" API. The affected en... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-44622 A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/check_reg_verify_code function which could let a remove malicious user execute arbitrary code ... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-26994 Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the pptp function via the pptpUserName and pptpPass... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-26272 A remote code execution (RCE) vulnerability in Ionize v1.0.8.1 allows attackers to execute arbitrary code via a crafted string written to the file application/config/config.php. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-26628 Matrimony v1.0 was discovered to contain a SQL injection vulnerability via the Password parameter. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-26279 EyouCMS v1.5.5 was discovered to have no access control in the component /data/sqldata. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-0658 The CommonsBooking WordPress plugin before 2.6.8 does not sanitise and escape the location parameter of the calendar_data AJAX action (available to unauthenticated users) before it is used in dynamica... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-0784 The Title Experiments Free WordPress plugin before 9.0.1 does not sanitise and escape the id parameter before using it in a SQL statement via the wpex_titles AJAX action (available to unauthenticated ... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-28219 Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-0787 The Limit Login Attempts (Spam Protection) WordPress plugin before 5.1 does not sanitise and escape some parameters before using them in SQL statements via AJAX actions (available to unauthenticated u... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-0846 The SpeakOut! Email Petitions WordPress plugin before 2.14.15.1 does not sanitise and escape the id parameter before using it in a SQL statement via the dk_speakout_sendmail AJAX action, leading to an... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-26995 Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the pptp (wan_pptp.html) function via the pptp_fix_ip, pptp_fix_mask, pptp_fix_gw, and wan_dns1_stat parameters. Thi... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-44623 A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 via the /cloud_config/router_post/check_reset_pwd_verify_code interface. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-44625 A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in /cloud_config/cloud_device/info interface, which allows a malicious user to executee arbitrary code on the system via a craf... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-44626 A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/get_reg_verify_code feature, which allows malicious users to execute arbitrary code on the sys... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-44627 A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/get_reset_pwd_veirfy_code feature, which allows malicious users to execute arbitrary code on t... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-44628 A Buffer Overflow vulnerabiltiy exists in TP-LINK WR-886N 20190826 2.3.8 in thee /cloud_config/router_post/login feature, which allows malicious users to execute arbitrary code on the system via a cra... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-44629 A Buffer Overflow vulnerabilitiy exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/register feature, which allows malicious users to execute arbitrary code on the system via a ... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-44630 A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/modify_account_pwd feature, which allows malicious users to execute arbitrary code on the syst... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-44631 A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/reset_cloud_pwd feature, which allows malicous users to execute arbitrary code on the system v... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-44632 A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/upgrade_info feature, which allows malicious users to execute arbitrary code on the system via... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-26635 PHP-Memcached v2.2.0 and below contains an improper NULL termination which allows attackers to execute CLRF injection. Note: Third parties have disputed this as not affecting PHP-Memcached directly. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-41752 Stack overflow vulnerability in Jerryscript before commit e1ce7dd7271288be8c0c8136eea9107df73a8ce2 on Oct 20, 2021 due to an unbounded recursive call to the new opt() function. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-4045 TP-Link Tapo C200 IP camera, on its 1.1.15 firmware version and below, is affected by an unauthenticated RCE vulnerability, present in the uhttpd binary running by default as root. The exploitation of... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-41751 Buffer overflow vulnerability in file ecma-builtin-array-prototype.c:909 in function ecma_builtin_array_prototype_object_slice in Jerryscript before commit e1ce7dd7271288be8c0c8136eea9107df73a8ce2 on ... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-30080 An issue was discovered in the route lookup process in beego before 1.12.11 that allows attackers to bypass access control. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-46009 In Totolink A3100R V5.9c.4577, multiple pages can be read by curl or Burp Suite without authentication. Additionally, admin configurations can be set without cookies. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-0254 The WordPress Zero Spam WordPress plugin before 5.2.11 does not properly sanitise and escape the order and orderby parameters before using them in a SQL statement in the admin dashboard, leading to a ... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-26996 Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the pppoe function via the pppoe_username, pppoe_passwd, and pppoe_servicename parameters. This vulnerability allows... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-26997 Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the upnp function via the upnp_ttl parameter. This vulnerability allows attackers to execute arbitrary commands via ... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-43636 Two Buffer Overflow vulnerabilities exists in T10 V2_Firmware V4.1.8cu.5207_B20210320 in the http_request_parse function when processing host data in the HTTP request process. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-26998 Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the wps setting function via the wps_enrolee_pin parameter. This vulnerability allows attackers to execute arbitrary... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-0169 The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-27158 pearweb < 1.32 suffers from Deserialization of Untrusted Data. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-41842 An issue was discovered in AtaLegacySmm in the kernel 5.0 before 05.08.46, 5.1 before 05.16.46, 5.2 before 05.26.46, 5.3 before 05.35.46, 5.4 before 05.43.46, and 5.5 before 05.51.45 in Insyde InsydeH... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-27157 pearweb < 1.32 is suffers from a Weak Password Recovery Mechanism via include/users/passwordmanage.php. | 9.8 | CRITICAL | — | 0 |
| CVE-2021-44496 An issue was discovered in FIS GT.M through V7.0-000 (related to the YottaDB code base). Using crafted input, an attacker can control the size variable and buffer that is passed to a call to memcpy. A... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-44486 An issue was discovered in YottaDB through r1.32 and V7.0-000. Using crafted input, attackers can manipulate the value of a function pointer used in op_write in sr_port/op_write.c in order to gain con... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-42230 Seowon 130-SLC router all versions as of 2021-09-15 is vulnerable to Remote Code Execution via the queriesCnt parameter. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-22704 The zabbix-agent2 package before 5.4.9-r1 for Alpine Linux sometimes allows privilege escalation to root because the design incorrectly expected that systemd would (in effect) determine part of the co... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-26999 Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the static ip settings function via the wan_ip_stat, wan_mask_stat, wan_gw_stat, and wan_dns1_stat parameters. This ... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-23865 Nyron 1.0 is affected by a SQL injection vulnerability through Nyron/Library/Catalog/winlibsrch.aspx. To exploit this vulnerability, an attacker must inject '"> on the thes1 parameter. | 9.8 | CRITICAL | — | 0 |
| CVE-2022-27000 Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the time and time zone function via the h_primary_ntp_server, h_backup_ntp_server, and h_time_zone parameters. This ... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-27001 Arris TR3300 v1.0.13 were discovered to contain a command injection vulnerability in the dhcp function via the hostname parameter. This vulnerability allows attackers to execute arbitrary commands via... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-27002 Arris TR3300 v1.0.13 were discovered to contain a command injection vulnerability in the ddns function via the ddns_name, ddns_pwd, h_ddns、ddns_host parameters. This vulnerability allows attackers to ... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-31522 Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache ... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-24606 Luocms v2.0 is affected by SQL Injection in /admin/news/sort_ok.php. | 9.8 | CRITICAL | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.