Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2024-9932 The Wux Blog Editor plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'wuxbt_insertImageNew' function in versions up to, and including, 3.0.0... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-63389 A critical authentication bypass vulnerability exists in Ollama platform's API endpoints in versions prior to and including v0.12.3. The platform exposes multiple API endpoints without requiring authe... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-54723 Deserialization of Untrusted Data vulnerability in BoldThemes DentiCare denticare allows Object Injection.This issue affects DentiCare: from n/a through < 1.4.3. | 9.8 | CRITICAL | — | 0 |
| CVE-2025-53242 Deserialization of Untrusted Data vulnerability in VictorThemes Seil seil allows Object Injection.This issue affects Seil: from n/a through <= 1.7.1. | 9.8 | CRITICAL | — | 0 |
| CVE-2025-56157 Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file included in its source code. NOTE: the Supplier reports that the Docker configuration... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-60210 Deserialization of Untrusted Data vulnerability in wpeverest Everest Forms - Frontend Listing everest-forms-frontend-listing allows Object Injection.This issue affects Everest Forms - Frontend Listing... | 9.8 | CRITICAL | — | 0 |
| CVE-2024-36061 EnGenius EWS356-FIT devices through 1.1.30 allow blind OS command injection. This allows an attacker to execute arbitrary OS commands via shell metacharacters to the Ping and Speed Test utilities. | 9.8 | CRITICAL | — | 0 |
| CVE-2024-10924 The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling ... | 9.8 | CRITICAL | — | 0 |
| CVE-2024-50375 A CWE-306 "Missing Authentication for Critical Function" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-58627 Authorization Bypass Through User-Controlled Key vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Exploiting Incorrectly Configured Access Control Security Levels.This issue ... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-58636 Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Keap/Infusionsoft gf-infusionsoft allows Object Injection.This issue affects WP Gravity Forms Keap/Infusionsoft: from n/a ... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-1974 A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingr... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-49380 Deserialization of Untrusted Data vulnerability in wpinstinct WooCommerce Vehicle Parts Finder woo-vehicle-parts-finder allows Object Injection.This issue affects WooCommerce Vehicle Parts Finder: fro... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-65482 An XML External Entity (XXE) vulnerability in opensagres XDocReport v0.9.2 to v2.0.3 allows attackers to execute arbitrary code via uploading a crafted .docx file. | 9.8 | CRITICAL | — | 0 |
| CVE-2025-60174 Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Constant Contact Plugin gf-constant-contact allows Object Injection.This issue affects WP Gravity Forms Constant Contact P... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-52095 An issue in PDQ Smart Deploy V.3.0.2040 allows an attacker to escalate privileges via the Credential encryption routines in SDCommon.dll | 9.8 | CRITICAL | — | 0 |
| CVE-2025-10568 HyperX NGENUITY software is potentially vulnerable to arbitrary code execution. HP is releasing updated software to address the potential vulnerability. | 9.8 | CRITICAL | — | 0 |
| CVE-2025-66039 FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions are vulnerable to authentication bypass when the authentication type is set to "webserver." When prov... | 9.8 | CRITICAL | — | 0 |
| CVE-2008-7109 The Scanner File Utility (aka listener) in Kyocera Mita (KM) 3.3.0.1 allows remote attackers to bypass authorization and upload arbitrary files to the client system via a modified program that does no... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-52471 ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. An integer underflow vulnerability has been identified in the ESP-NOW protocol implementation within the ESP Wi-Fi component of... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-43017 HP ThinPro 8.1 System management application failed to verify user's true id. HP has released HP ThinPro 8.1 SP8, which includes updates to mitigate potential vulnerabilities. | 9.8 | CRITICAL | — | 0 |
| CVE-2024-57049 A vulnerability in the TP-Link Archer c20 router with firmware version V6.6_230412 and earlier permits unauthorized individuals to bypass the authentication of some interfaces under the /cgi directory... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-59367 An authentication bypass vulnerability has been identified in certain DSL series routers, may allow remote attackers to gain unauthorized access into the affected system. Refer to the 'Security Update... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-41375 SQL Injection vulnerability in Limesurvey v2.65.1+170522. This vulnerability allows an attacker to retrieve, create, update and delete database via 'token' parameter in '/index.php' endpoint. | 9.8 | CRITICAL | — | 0 |
| CVE-2025-60039 Deserialization of Untrusted Data vulnerability in rascals Noisa noisa allows Object Injection.This issue affects Noisa: from n/a through <= 2.6.0. | 9.8 | CRITICAL | — | 0 |
| CVE-2025-0634 Use After Free vulnerability in Samsung Open Source rLottie allows Remote Code Inclusion.This issue affects rLottie: V0.2. | 9.8 | CRITICAL | — | 0 |
| CVE-2025-55423 A command injection vulnerability exists in the upnp_relay() function in multiple ipTIME router models because the controlURL value used to pass port-forwarding information to an upper router is passe... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-12735 The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, a... | 9.8 | CRITICAL | — | 0 |
| CVE-2024-50388 An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute commands. We have already fixed the... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-6325 Incorrect Privilege Assignment vulnerability in KingAddons.com King Addons for Elementor king-addons allows Privilege Escalation.This issue affects King Addons for Elementor: from n/a through <= 51.1.... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-60221 Deserialization of Untrusted Data vulnerability in captivateaudio Captivate Sync captivatesync-trade allows Object Injection.This issue affects Captivate Sync: from n/a through <= 3.0.3. | 9.8 | CRITICAL | — | 0 |
| CVE-2025-60226 Deserialization of Untrusted Data vulnerability in axiomthemes White Rabbit whiterabbit allows Object Injection.This issue affects White Rabbit: from n/a through <= 1.5.2. | 9.8 | CRITICAL | — | 0 |
| CVE-2025-66489 Cal.com is open-source scheduling software. Prior to 5.9.8, A flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gainin... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-23883 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `xf_Pointer_New` frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it aga... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-23884 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, offscreen bitmap deletion leaves `gdi->drawing` pointing to freed memory, causing UAF when related update pack... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-66401 MCP Watch is a comprehensive security scanner for Model Context Protocol (MCP) servers. In 0.1.2 and earlier, the MCPScanner class contains a critical Command Injection vulnerability in the cloneRepo ... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-23534 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands decode path when crafted band coordinates al... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-23533 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the RDPGFX ClearCodec decode path when maliciously crafted residu... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-23532 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client’s `gdi_SurfaceToSurface` path due to a mismat... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-23531 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without v... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-23530 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0,`freerdp_bitmap_decompress_planar` does not validate `nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHe... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-0107 An OS command injection vulnerability in Palo Alto Networks Expedition enables an unauthenticated attacker to run arbitrary OS commands as the www-data user in Expedition, which results in the disclos... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-1162 A flaw has been found in UTT HiPER 810 1.7.4-141218. The impacted element is the function strcpy of the file /goform/setSysAdm. This manipulation of the argument passwd1 causes buffer overflow. Remote... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-60232 Deserialization of Untrusted Data vulnerability in quantumcloud KBx Pro Ultimate knowledgebase-helpdesk-pro allows Object Injection.This issue affects KBx Pro Ultimate: from n/a through <= 8.0.5. | 9.8 | CRITICAL | — | 0 |
| CVE-2023-53894 phpfm 1.7.9 contains an authentication bypass vulnerability that allows attackers to log in by exploiting loose type comparison in password hash validation. Attackers can craft specific password hashe... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-0610 SQL Injection vulnerability in remote-sessions in Devolutions Server.This issue affects Devolutions Server 2025.3.1 through 2025.3.12 | 9.8 | CRITICAL | — | 0 |
| CVE-2025-56005 An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl`... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-60090 Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Insightly gf-insightly allows Object Injection.This issue affects WP Gravity Forms Insightly: from n/a through <= 1.1.6. | 9.8 | CRITICAL | — | 0 |
| CVE-2025-65823 The Meatmeet Pro was found to be shipped with hardcoded Wi-Fi credentials in the firmware, for the test network it was developed on. If an attacker retrieved this, and found the physical location of t... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-22978 eladmin <=2.7 is vulnerable to CSV Injection in the exception log download module. | 9.8 | CRITICAL | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.