Skip to main content
CVE-2021-44087 CRITICAL POC Act Now

A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Attendance and Payroll System v1.0 which allows an unauthenticated remote attacker to upload a maliciously crafted PHP via photo. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Attendance And Payroll System
NVD Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
4.7%
CVE-2021-44088 CRITICAL POC Act Now

An SQL Injection vulnerability exists in Sourcecodester Attendance and Payroll System v1.0 which allows a remote attacker to bypass authentication via unsanitized login parameters. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Attendance And Payroll System
NVD Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
3.3%
CVE-2022-25760 CRITICAL POC Act Now

All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Accesslog
NVD GitHub
CVSS 3.1
9.8
EPSS
1.6%
CVE-2022-25354 CRITICAL POC PATCH Act Now

The package set-in before 2.0.3 are vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Prototype Pollution Information Disclosure Set In
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2022-25352 CRITICAL POC PATCH Act Now

The package libnested before 1.5.2 are vulnerable to Prototype Pollution via the set function in index.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Prototype Pollution Information Disclosure Libnested
NVD GitHub
CVSS 3.1
9.8
EPSS
2.0%
CVE-2022-0749 CRITICAL POC Act Now

This affects all versions of package SinGooCMS.Utility. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Singoocms Utility
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2022-0748 CRITICAL POC Act Now

The package post-loader from 0.0.0 are vulnerable to Arbitrary Code Execution which uses a markdown parser in an unsafe way so that any javascript code inside the markdown input files gets evaluated. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS Post Loader
NVD
CVSS 3.1
9.8
EPSS
2.0%
CVE-2022-1000 CRITICAL POC PATCH Act Now

Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Tiny File Manager
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2022-0237 HIGH POC This Week

Rapid7 Insight Agent versions 3.1.2.38 and earlier suffer from a privilege escalation vulnerability, whereby an attacker can hijack the flow of execution due to an unquoted argument to the runas.exe. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Insight Agent
NVD GitHub
CVSS 3.1
7.8
EPSS
0.5%
CVE-2022-26526 HIGH POC This Week

Anaconda Anaconda3 (Anaconda Distribution) through 2021.11.0.0 and Miniconda3 through 4.11.0.0 can create a world-writable directory under %PROGRAMDATA% and place that directory into the system PATH. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Anaconda3 Miniconda3
NVD GitHub
CVSS 3.1
7.8
EPSS
0.3%
CVE-2022-21221 HIGH POC PATCH This Week

The package github.com/valyala/fasthttp before 1.34.0 are vulnerable to Directory Traversal via the ServeFile function, due to improper sanitization. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Microsoft Path Traversal Fasthttp
NVD GitHub
CVSS 3.1
7.5
EPSS
2.5%
CVE-2022-25514 HIGH POC This Week

stb_truetype.h v1.26 was discovered to contain a heap-buffer-overflow via the function ttUSHORT() at stb_truetype.h. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Stb Truetype H
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2022-26534 HIGH POC This Week

FISCO-BCOS release-3.0.0-rc2 was discovered to contain an issue where a malicious node, via a malicious viewchange packet, will cause normal nodes to change view excessively and stop generating. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Fisco Bcos
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2022-26300 HIGH POC This Week

EOS v2.1.0 was discovered to contain a heap-buffer-overflow via the function txn_test_gen_plugin. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Eos
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2022-25296 HIGH POC This Week

The package bodymen from 0.0.0 are vulnerable to Prototype Pollution via the handler function which could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Prototype Pollution Information Disclosure Bodymen
NVD
CVSS 3.1
7.3
EPSS
1.0%
CVE-2022-25516 MEDIUM POC This Month

stb_truetype.h v1.26 was discovered to contain a heap-buffer-overflow via the function stbtt__find_table at stb_truetype.h. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Stb Truetype H
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-25515 MEDIUM POC This Month

stb_truetype.h v1.26 was discovered to contain a heap-buffer-overflow via the function ttULONG() at stb_truetype.h. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Stb Truetype H
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-24302 MEDIUM POC PATCH This Month

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Race Condition Information Disclosure Paramiko Debian Linux Fedora
NVD GitHub
CVSS 3.1
5.9
EPSS
2.1%
CVE-2022-26501 CRITICAL KEV THREAT Act Now

Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Veeam Backup Replication
NVD
CVSS 3.1
9.8
EPSS
4.3%
CVE-2022-24074 CRITICAL Act Now

Whale Bridge, a default extension in Whale browser before 3.12.129.18, allowed to receive any SendMessage request from the content script itself that could lead to controlling Whale Bridge if the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Whale
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2022-22273 CRITICAL PATCH Act Now

Improper neutralization of Special Elements leading to OS Command Injection vulnerability impacting end-of-life Secure Remote Access (SRA) products and older firmware versions of Secure Mobile Access. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Command Injection Sma 200 Firmware Sma 210 Firmware Sma 400 Firmware Sma 410 Firmware +5
NVD
CVSS 3.1
9.8
EPSS
1.9%
CVE-2022-0757 HIGH This Week

Rapid7 Nexpose versions 6.6.93 and earlier are susceptible to an SQL Injection vulnerability, whereby valid search operators are not defined. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Nexpose
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2022-26504 HIGH This Week

Improper authentication in Veeam Backup & Replication 9.5U3, 9.5U4,10.x and 11.x component used for Microsoft System Center Virtual Machine Manager (SCVMM) allows attackers execute arbitrary code via. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass RCE Microsoft Veeam Backup Replication
NVD
CVSS 3.1
8.8
EPSS
2.5%
CVE-2022-26500 HIGH KEV THREAT This Week

Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4,10.x, and 11.x allows remote authenticated users access to internal API functions that allows attackers to upload and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Path Traversal Veeam Backup Replication
NVD
CVSS 3.1
8.8
EPSS
5.9%
CVE-2022-24770 HIGH PATCH This Week

`gradio` is an open source framework for building interactive machine learning models and demos. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Gradio
NVD GitHub
CVSS 3.1
8.8
EPSS
1.2%
CVE-2022-25364 HIGH This Week

In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Privilege Escalation Enterprise
NVD
CVSS 3.1
8.1
EPSS
1.0%
CVE-2022-26511 HIGH This Week

WPS Presentation 11.8.0.5745 insecurely load d3dx9_41.dll when opening .pps files('current directory type' DLL loading). Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Wps Presentation
NVD
CVSS 3.1
7.8
EPSS
0.6%
CVE-2022-26081 HIGH This Week

The installer of WPS Office Version 10.8.0.5745 insecurely load shcore.dll, allowing an attacker to execute arbitrary code with the privilege of the user invoking the installer. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Microsoft Wps Office
NVD
CVSS 3.1
7.8
EPSS
0.8%
CVE-2022-25969 HIGH This Week

The installer of WPS Office Version 10.8.0.6186 insecurely load VERSION.DLL (or some other DLLs), allowing an attacker to execute arbitrary code with the privilege of the user invoking the installer. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Microsoft Wps Office
NVD
CVSS 3.1
7.8
EPSS
0.8%
CVE-2022-25949 HIGH This Week

The kernel mode driver kwatch3 of KINGSOFT Internet Security 9 Plus Version 2010.06.23.247 fails to properly handle crafted inputs, leading to stack-based buffer overflow. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Stack Overflow Buffer Overflow Internet Security 9 Plus
NVD
CVSS 3.1
7.8
EPSS
0.7%
CVE-2022-26503 HIGH This Week

Deserialization of untrusted data in Veeam Agent for Windows 2.0, 2.1, 2.2, 3.0.2, 4.x, and 5.x allows local users to run arbitrary code with local system privileges. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization RCE Microsoft Veeam
NVD
CVSS 3.1
7.8
EPSS
0.7%
CVE-2022-21822 HIGH PATCH This Week

NVIDIA FLARE contains a vulnerability in the admin interface, where an un-authorized attacker can cause Allocation of Resources Without Limits or Throttling, which may lead to cause system. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Nvidia Federated Learning Application Runtime Environment
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2022-24761 HIGH PATCH This Week

Waitress is a Web Server Gateway Interface server for Python 2 and 3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Python Request Smuggling Waitress Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2022-24759 HIGH PATCH This Week

`@chainsafe/libp2p-noise` contains TypeScript implementation of noise protocol, an encryption protocol used in libp2p. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required.

Jwt Attack Information Disclosure Js Libp2P Noise
NVD GitHub
CVSS 3.1
7.4
EPSS
0.5%
CVE-2022-24073 HIGH This Week

The Web Request API in Whale browser before 3.12.129.18 allowed to deny access to the extension store or redirect to any URL when users access the store. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Whale
NVD
CVSS 3.1
7.1
EPSS
0.6%
CVE-2022-24075 MEDIUM This Month

Whale browser before 3.12.129.18 allowed extensions to replace JavaScript files of the HWP viewer website which could access to local HWP files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Information Disclosure Whale
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2022-0758 MEDIUM This Month

Rapid7 Nexpose versions 6.6.129 and earlier suffer from a reflected cross site scripting vulnerability, within the shared scan configuration component of the tool. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Nexpose
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2022-24072 MEDIUM This Month

The devtools API in Whale browser before 3.12.129.18 allowed extension developers to inject arbitrary JavaScript into the extension store web page via devtools.inspectedWindow, leading to extensions. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Whale
NVD
CVSS 3.1
6.1
EPSS
0.6%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy