Skip to main content
CVE-2018-9848 CRITICAL POC Act Now

In Gxlcms QY v1.0.0713, the upload function in Lib\Lib\Action\Admin\UploadAction.class.php allows remote attackers to execute arbitrary PHP code by first using an Admin-Admin-Configsave request to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE PHP Gxlcms Qy
NVD
CVSS 3.0
9.8
EPSS
2.2%
CVE-2018-9847 CRITICAL POC Act Now

In Gxlcms QY v1.0.0713, the update function in Lib\Lib\Action\Admin\TplAction.class.php allows remote attackers to execute arbitrary PHP code by placing this code into a template. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE PHP Gxlcms Qy
NVD
CVSS 3.0
9.8
EPSS
1.6%
CVE-2018-9331 HIGH POC This Week

An issue was discovered in zzcms 8.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP Zzcms
NVD GitHub
CVSS 3.1
7.5
EPSS
2.6%
CVE-2018-9844 MEDIUM POC This Month

The Iptanus WordPress File Upload plugin before 4.3.4 for WordPress mishandles Settings attributes, leading to XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload WordPress XSS Wordpress File Upload
NVD Exploit-DB
CVSS 3.0
6.1
EPSS
3.8%
CVE-2018-9326 CRITICAL Act Now

Etherpad 1.6.3 before 1.6.4 allows an attacker to execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Etherpad
NVD
CVSS 3.0
9.8
EPSS
2.0%
CVE-2018-9330 MEDIUM POC This Month

register.jsp in Coremail XT3.0 allows stored XSS, as demonstrated by the third form field to a URI under register/, a different vulnerability than CVE-2015-6942. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Coremail Xt
NVD
CVSS 3.0
5.4
EPSS
0.5%
CVE-2018-9846 HIGH PATCH This Week

In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection PHP Webmail Debian Linux
NVD GitHub
CVSS 3.0
8.8
EPSS
2.3%
CVE-2018-9841 HIGH This Week

The export function in libavfilter/vf_signature.c in FFmpeg through 3.4.2 allows remote attackers to cause a denial of service (out-of-array access) or possibly have unspecified other impact via a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Denial Of Service Buffer Overflow Ffmpeg
NVD
CVSS 3.0
8.8
EPSS
1.8%
CVE-2018-9327 HIGH This Week

Etherpad 1.5.x and 1.6.x before 1.6.4 allows an attacker to execute arbitrary code on the server. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Etherpad
NVD
CVSS 3.0
8.1
EPSS
1.6%
CVE-2018-9325 HIGH This Week

Etherpad 1.5.x and 1.6.x before 1.6.4 allows an attacker to export all the existing pads of an instance without knowledge of pad names. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Etherpad
NVD
CVSS 3.0
7.5
EPSS
1.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy