Skip to main content
CVE-2020-12641 CRITICAL POC KEV PATCH THREAT Act Now

rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Command Injection PHP Webmail Backports Sle +1
NVD GitHub
CVSS 3.1
9.8
EPSS
84.5%
CVE-2020-12640 CRITICAL POC PATCH Act Now

Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP Path Traversal Webmail Backports Sle Leap
NVD GitHub
CVSS 3.1
9.8
EPSS
6.7%
CVE-2020-8790 CRITICAL POC Act Now

The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) has weak password requirements combined with improper restriction of excessive authentication attempts, which could. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Oklok
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2020-12110 CRITICAL POC THREAT Act Now

Certain TP-Link devices have a Hardcoded Encryption Key. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass TP-Link Nc200 Firmware Nc210 Firmware Nc220 Firmware +4
NVD
CVSS 3.1
9.8
EPSS
14.4%
CVE-2020-1961 CRITICAL PATCH Act Now

Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Syncope
NVD
CVSS 3.1
9.8
EPSS
4.6%
CVE-2020-1959 CRITICAL PATCH Act Now

A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java RCE Syncope
NVD
CVSS 3.1
9.8
EPSS
4.8%
CVE-2020-1631 CRITICAL KEV THREAT Act Now

A vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Juniper Path Traversal Junos
NVD
CVSS 3.1
9.8
EPSS
4.7%
CVE-2020-12627 CRITICAL PATCH Act Now

Calibre-Web 0.6.6 allows authentication bypass because of the 'A0Zr98j/3yX R~XHH!jmN]LWX/,?RT' hardcoded secret key. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use of Hard-coded Credentials vulnerability could allow attackers to gain access using credentials embedded in source code.

Authentication Bypass Calibre Web
NVD GitHub
CVSS 3.1
9.8
EPSS
1.4%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy