CVE vulnerabilities
CVE database enriched with CISA KEV (Known Exploited Vulnerabilities) and NVD data
| CVE ID | CVSS | Severity | KEV | Observations |
|---|---|---|---|---|
| CVE-2023-23924 Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `<image>` tags with uppercase letters. This may lead to arbitrary object unserialize on... | 10.0 | CRITICAL | — | 0 |
| CVE-2022-46742 Code injection in paddle.audio.functional.get_window in PaddlePaddle 2.4.0-rc0 allows arbitrary code execution. | 10.0 | CRITICAL | — | 0 |
| CVE-2022-24816 JAI-EXT is an open-source project which aims to extend the Java Advanced Imaging (JAI) API. Programs allowing Jiffle script to be provided via network request can lead to a Remote Code Execution as th... | 10.0 | CRITICAL | KEV | 0 |
| CVE-2022-45444 Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 contains hard-coded passwords for select users in the application’s database. This could allow a remote ... | 10.0 | CRITICAL | — | 0 |
| CVE-2022-22486 IBM Tivoli Workload Scheduler 9.4, 9.5, and 10.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose s... | 10.0 | CRITICAL | — | 0 |
| CVE-2023-28100 Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-52... | 10.0 | CRITICAL | — | 0 |
| CVE-2025-48200 The sr_feuser_register extension through 12.4.8 for TYPO3 allows Remote Code Execution. | 10.0 | CRITICAL | — | 0 |
| CVE-2025-36535 The embedded web server lacks authentication and access controls, allowing unrestricted remote access. This could lead to configuration changes, operational disruption, or arbitrary code execution dep... | 10.0 | CRITICAL | — | 0 |
| CVE-2023-45144 com.xwiki.identity-oauth:identity-oauth-ui is a package to aid in building identity and service providers based on OAuth authorizations. When a user logs in via the OAuth method, the identityOAuth par... | 10.0 | CRITICAL | — | 0 |
| CVE-2023-2131 Versions of INEA ME RTU firmware prior to 3.36 are vulnerable to OS command injection, which could allow an attacker to remotely execute arbitrary code. | 10.0 | CRITICAL | — | 0 |
| CVE-2025-20282 A vulnerability in an internal API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device and then execute those files on the un... | 10.0 | CRITICAL | — | 0 |
| CVE-2025-54122 Manager-io/Manager is accounting software. A critical unauthenticated full read Server-Side Request Forgery (SSRF) vulnerability has been identified in the proxy handler component of both manager Desk... | 10.0 | CRITICAL | — | 0 |
| CVE-2023-1424 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU modules and MELSEC iQ-R Series CPU modules allows a remot... | 10.0 | CRITICAL | — | 0 |
| CVE-2023-2024 Improper authentication in OpenBlue Enterprise Manager Data Collector versions prior to 3.2.5.75 allow access to an unauthorized user under certain circumstances. | 10.0 | CRITICAL | — | 0 |
| CVE-2024-42472 Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious or compromised Flatpak app using persistent directories could access and write f... | 10.0 | CRITICAL | — | 0 |
| CVE-2024-34166 An OS command injection vulnerability exists in the touchlist_sync.cgi touchlistsync() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted set of HTTP requests can lead to arbitrar... | 10.0 | CRITICAL | — | 0 |
| CVE-2023-35189 Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to a remote code execution vulnerability that could allow an unauthenticated user to upload a malicious payload and execute it. | 10.0 | CRITICAL | — | 0 |
| CVE-2023-3765 Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0. | 10.0 | CRITICAL | — | 0 |
| CVE-2022-36648 The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the h... | 10.0 | CRITICAL | — | 0 |
| CVE-2024-39754 A static login vulnerability exists in the wctrls functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted set of network packets can lead to root access. An attacker can send packets t... | 10.0 | CRITICAL | — | 0 |
| CVE-2023-3991 An OS command injection vulnerability exists in the httpd iperfrun.cgi functionality of FreshTomato 2023.3. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can se... | 10.0 | CRITICAL | — | 0 |
| CVE-2022-47893 There is a remote code execution vulnerability that affects all versions of NetMan 204. A remote attacker could upload a firmware file containing a webshell, that could allow him to execute arbitrary ... | 10.0 | CRITICAL | — | 0 |
| CVE-2023-4309 Election Services Co. (ESC) Internet Election Service is vulnerable to SQL injection in multiple pages and parameters. These vulnerabilities allow an unauthenticated, remote attacker to read or modify... | 10.0 | CRITICAL | — | 0 |
| CVE-2025-22612 Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.374, the missing authorization allows an authenticated user to retrieve ... | 10.0 | CRITICAL | — | 0 |
| CVE-2022-20695 A vulnerability in the authentication functionality of Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to bypass authentication controls and log in to the ... | 10.0 | CRITICAL | — | 0 |
| CVE-2023-25960 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Zendrop Zendrop – Global Dropshipping zendrop-dropshipping-and-fulfillment allows SQL Injection. Th... | 10.0 | CRITICAL | — | 0 |
| CVE-2021-40422 An authentication bypass vulnerability exists in the device password generation functionality of Swift Sensors Gateway SG3-1010. A specially-crafted network request can lead to remote code execution. ... | 10.0 | CRITICAL | — | 0 |
| CVE-2023-42802 GLPI is a free asset and IT management software package. Starting in version 10.0.7 and prior to version 10.0.10, an unverified object instantiation allows one to upload malicious PHP files to unwante... | 10.0 | CRITICAL | — | 0 |
| CVE-2023-40151 When user authentication is not enabled the shell can execute commands with the highest privileges. Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UD... | 10.0 | CRITICAL | — | 0 |
| CVE-2023-29384 Unrestricted Upload of File with Dangerous Type vulnerability in HM Plugin WordPress Job Board and Recruitment Plugin – JobWP. This issue affects WordPress Job Board and Recruitment Plugin – JobWP: fro... | 10.0 | CRITICAL | — | 0 |
| CVE-2023-42770 Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message is received over TC... | 10.0 | CRITICAL | — | 0 |
| CVE-2023-49772 Deserialization of Untrusted Data vulnerability in Phpbits Creative Studio Genesis Simple Love. This issue affects Genesis Simple Love: from n/a through 2.0. | 10.0 | CRITICAL | — | 0 |
| CVE-2023-25970 Unrestricted Upload of File with Dangerous Type vulnerability in Zendrop Zendrop – Global Dropshipping. This issue affects Zendrop – Global Dropshipping: from n/a through 1.0.0. | 10.0 | CRITICAL | — | 0 |
| CVE-2025-9846 Unrestricted Upload of File with Dangerous Type vulnerability in TalentSys Consulting Information Technology Industry Inc. Inka.Net allows Command Injection. This issue affects Inka.Net: before 6.7.1. | 10.0 | CRITICAL | — | 0 |
| CVE-2021-34770 A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unaut... | 10.0 | CRITICAL | — | 0 |
| CVE-2023-38586 An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sonoma 14. A sandboxed process may be able to circumvent sandbox restrictions. | 10.0 | CRITICAL | — | 0 |
| CVE-2023-25054 Improper Control of Generation of Code ('Code Injection') vulnerability in David F. Carr RSVPMaker. This issue affects RSVPMaker: from n/a through 10.6.6. | 10.0 | CRITICAL | — | 0 |
| CVE-2025-37164 A remote code execution issue exists in HPE OneView. | 10.0 | CRITICAL | KEV | 0 |
| CVE-2025-55182 A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-... | 10.0 | CRITICAL | KEV | 0 |
| CVE-2024-2227 This vulnerability allows access to arbitrary files in the application server file system due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950. The remedi... | 10.0 | CRITICAL | — | 0 |
| CVE-2022-24803 Asciidoctor-include-ext is Asciidoctor’s standard include processor reimplemented as an extension. Versions prior to 0.4.0, when used to render user-supplied input in AsciiDoc markup, may allow an att... | 10.0 | CRITICAL | — | 0 |
| CVE-2023-51419 Unrestricted Upload of File with Dangerous Type vulnerability in Bertha.Ai BERTHA AI. Your AI co-pilot for WordPress and Chrome. This issue affects BERTHA AI. Your AI co-pilot for WordPress and Chrome:... | 10.0 | CRITICAL | — | 0 |
| CVE-2023-51468 Unrestricted Upload of File with Dangerous Type vulnerability in Jacques Malgrange Rencontre – Dating Site. This issue affects Rencontre – Dating Site: from n/a through 3.10.1. | 10.0 | CRITICAL | — | 0 |
| CVE-2023-51473 Unrestricted Upload of File with Dangerous Type vulnerability in Pixelemu TerraClassifieds – Simple Classifieds Plugin. This issue affects TerraClassifieds – Simple Classifieds Plugin: from n/a through... | 10.0 | CRITICAL | — | 0 |
| CVE-2021-32933 An attacker could leverage an API to pass along a malicious file that could then manipulate the process creation command line in MDT AutoSave versions prior to v6.02.06 and run a command line argument... | 10.0 | CRITICAL | — | 0 |
| CVE-2024-23614 A buffer overflow vulnerability exists in Symantec Messaging Gateway versions 9.5 and before. A remote, anonymous attacker can exploit this vulnerability to achieve remote code execution as root. | 10.0 | CRITICAL | — | 0 |
| CVE-2022-25226 ThinVNC version 1.0b1 allows an unauthenticated user to bypass the authentication process via 'http://thin-vnc:8080/cmd?cmd=connect' by obtaining a valid SID without any kind of authentication. It is ... | 10.0 | CRITICAL | — | 0 |
| CVE-2023-52221 Unrestricted Upload of File with Dangerous Type vulnerability in UkrSolution Barcode Scanner and Inventory manager. This issue affects Barcode Scanner and Inventory manager: from n/a through 1.5.1. | 10.0 | CRITICAL | — | 0 |
| CVE-2024-23616 A buffer overflow vulnerability exists in Symantec Server Management Suite version 7.9 and before. A remote, anonymous attacker can exploit this vulnerability to achieve remote code execution as SYSTE... | 10.0 | CRITICAL | — | 0 |
| CVE-2024-57521 SQL Injection vulnerability in RuoYi v.4.7.9 and before allows a remote attacker to execute arbitrary code via the createTable function in SqlUtil.java. | 10.0 | CRITICAL | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.
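The enrichment the table above reflects (an NVD CVSS base score, its qualitative severity band, and a CISA KEV flag) can be reproduced with a short join. The script below is an added example, not the page's own tooling: it assumes the NVD 2.0 API record shape (`id`, `metrics.cvssMetricV31[].cvssData.baseScore`, `descriptions[]`) and the KEV JSON feed shape (`vulnerabilities[].cveID`), and the sample records are constructed inline from entries visible in the table so it runs offline. The Observations column is not modelled, since the page does not say what it counts.

```python
"""Join NVD CVE records with the CISA KEV catalog and bucket them by CVSS severity.

Added example, not the page's own tooling. Record shapes follow the NVD 2.0 API
(id, metrics.cvssMetricV31[].cvssData.baseScore, descriptions[]) and the KEV JSON
feed (vulnerabilities[].cveID); the sample records below are constructed inline.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative rating scale (None / Low / Medium / High / Critical)."""
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


@dataclass(frozen=True)
class EnrichedCve:
    cve_id: str
    cvss: Optional[float]
    severity: str
    kev: bool
    description: str


def base_score(cve: dict) -> Optional[float]:
    """Prefer the NVD ('Primary') CVSS v3.1 score, then v3.0, then a CNA ('Secondary') score."""
    metrics = cve.get("metrics", {})
    for wanted_type in ("Primary", "Secondary"):
        for key in ("cvssMetricV31", "cvssMetricV30"):
            for m in metrics.get(key, []):
                if m.get("type") == wanted_type:
                    return float(m["cvssData"]["baseScore"])
    return None  # not yet analysed by NVD and no CNA score supplied


def english_description(cve: dict) -> str:
    return next((d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"), "")


def enrich(cves: Iterable[dict], kev_catalog: dict) -> list[EnrichedCve]:
    """Flag every CVE present in the KEV catalog; order KEV entries first, then by score, then by ID."""
    kev_ids = {v["cveID"] for v in kev_catalog.get("vulnerabilities", [])}
    rows = []
    for cve in cves:
        score = base_score(cve)
        rows.append(EnrichedCve(
            cve_id=cve["id"],
            cvss=score,
            severity=cvss_severity(score) if score is not None else "UNKNOWN",
            kev=cve["id"] in kev_ids,
            description=english_description(cve),
        ))
    rows.sort(key=lambda r: (not r.kev, -(r.cvss if r.cvss is not None else -1.0), r.cve_id))
    return rows


def to_markdown(rows: list[EnrichedCve], width: int = 80) -> str:
    """Render rows in the column layout used by the table above (description truncated to `width`)."""
    lines = ["| CVE ID | CVSS | Severity | KEV | Description |", "|---|---|---|---|---|"]
    for r in rows:
        desc = r.description if len(r.description) <= width else r.description[:width].rstrip() + "..."
        score = "n/a" if r.cvss is None else f"{r.cvss:.1f}"
        lines.append(f"| {r.cve_id} | {score} | {r.severity} | {'KEV' if r.kev else '—'} | {desc} |")
    return "\n".join(lines)


# Constructed sample input: minimal NVD 2.0 / KEV shapes, IDs and scores as shown in the table above.
SAMPLE_NVD = [
    {"id": "CVE-2022-24816",
     "descriptions": [{"lang": "en", "value": "JAI-EXT is an open-source project which aims to extend the Java Advanced Imaging (JAI) API."}],
     "metrics": {"cvssMetricV31": [{"type": "Primary", "cvssData": {"baseScore": 10.0}}]}},
    {"id": "CVE-2023-3765",
     "descriptions": [{"lang": "en", "value": "Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0."}],
     "metrics": {"cvssMetricV31": [{"type": "Secondary", "cvssData": {"baseScore": 10.0}}]}},
    {"id": "CVE-2025-48200",
     "descriptions": [{"lang": "en", "value": "The sr_feuser_register extension through 12.4.8 for TYPO3 allows Remote Code Execution."}],
     "metrics": {"cvssMetricV30": [{"type": "Primary", "cvssData": {"baseScore": 10.0}}]}},
]
SAMPLE_KEV = {"vulnerabilities": [{"cveID": "CVE-2022-24816"}]}

if __name__ == "__main__":
    print(to_markdown(enrich(SAMPLE_NVD, SAMPLE_KEV)))
```

Two points worth checking against a real feed: NVD can publish a CVE before its own analysis lands, so a record may carry only a CNA ("Secondary") score or none at all, which is why `base_score` falls back rather than raising; and the KEV flag is a join on `cveID`, so it is only as fresh as the catalog snapshot you loaded.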