Skip to main content
CVE-2022-26258 CRITICAL POC KEV THREAT Emergency

D-Link DIR-820L 1.05B03 was discovered to contain remote command execution (RCE) vulnerability via HTTP POST to get set ccp. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Command Injection D-Link Dir 820L Firmware
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
81.2%
Threat
7.4
CVE-2022-26278 CRITICAL POC Act Now

Tenda AC9 v15.03.2.21_cn was discovered to contain a stack overflow via the time parameter in the PowerSaveSet function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Tenda Memory Corruption Buffer Overflow Ac9 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2022-0735 CRITICAL POC THREAT Act Now

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Gitlab Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
13.2%
CVE-2022-0846 CRITICAL POC Act Now

The SpeakOut!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Speakout Email Petitions
NVD WPScan
CVSS 3.1
9.8
EPSS
8.8%
CVE-2022-0787 CRITICAL POC Act Now

The Limit Login Attempts (Spam Protection) WordPress plugin before 5.1 does not sanitise and escape some parameters before using them in SQL statements via AJAX actions (available to unauthenticated. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Limit Login Attempts
NVD WPScan
CVSS 3.1
9.8
EPSS
8.9%
CVE-2022-0784 CRITICAL POC THREAT Act Now

The Title Experiments Free WordPress plugin before 9.0.1 does not sanitise and escape the id parameter before using it in a SQL statement via the wpex_titles AJAX action (available to unauthenticated. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Title Experiments Free
NVD WPScan
CVSS 3.1
9.8
EPSS
10.1%
CVE-2022-0679 CRITICAL POC THREAT Act Now

The Narnoo Distributor WordPress plugin through 2.5.1 fails to validate and sanitize the lib_path parameter before it is passed into a call to require() via the narnoo_distributor_lib_request AJAX. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Path Traversal Narnoo Distributor
NVD WPScan
CVSS 3.1
9.8
EPSS
47.8%
CVE-2022-0479 CRITICAL POC PATCH THREAT Act Now

The Popup Builder WordPress plugin before 4.1.1 does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS SQLi WordPress Popup Builder
NVD WPScan
CVSS 3.1
9.8
EPSS
44.1%
CVE-2022-23884 CRITICAL POC Act Now

Mojang Bedrock Dedicated Server 1.18.2 is affected by an integer overflow leading to a bound check bypass caused by PurchaseReceiptPacket::_read (packet deserializer). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Integer Overflow Buffer Overflow Bedrock Server
NVD
CVSS 3.1
9.8
EPSS
2.5%
CVE-2022-0342 CRITICAL POC THREAT Act Now

An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Zyxel Usg40 Firmware Usg40W Firmware Usg60 Firmware +20
NVD
CVSS 3.1
9.8
EPSS
84.8%
CVE-2022-23882 CRITICAL POC Act Now

TuziCMS 2.0.6 is affected by SQL injection in \App\Manage\Controller\BannerController.class.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Tuzicms
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-26268 CRITICAL POC Act Now

Xiaohuanxiong v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /app/controller/Books.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Xiaohuanxiong
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2022-26255 CRITICAL POC Act Now

Clash for Windows v0.19.8 was discovered to allow arbitrary code execution via a crafted payload injected into the Proxies name column. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Microsoft XSS Clash
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2022-0249 CRITICAL POC Act Now

A vulnerability was discovered in GitLab starting with version 12. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Gitlab
NVD
CVSS 3.1
9.1
EPSS
1.1%
CVE-2022-0427 HIGH POC This Week

Missing sanitization of HTML attributes in Jupyter notebooks in all versions of GitLab CE/EE since version 14.5 allows an attacker to perform arbitrary HTTP POST requests on a user's behalf leading. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Gitlab CSRF
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2022-0770 HIGH POC This Week

The Translate WordPress with GTranslate WordPress plugin before 2.9.9 does not have CSRF check in some files, and write debug data such as user's cookies in a publicly accessible file if a specific. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Translate Wordpress With Gtranslate
NVD WPScan
CVSS 3.1
8.8
EPSS
0.6%
CVE-2022-0499 HIGH POC This Week

The Sermon Browser WordPress plugin through 0.45.22 does not have CSRF checks in place when uploading Sermon files, and does not validate them in any way, allowing attackers to make a logged in admin. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF WordPress Sermon Browser
NVD WPScan
CVSS 3.1
8.8
EPSS
0.6%
CVE-2022-26259 HIGH POC This Week

A buffer over flow in Xiongmai DVR devices NBD80X16S-KL, NBD80X09S-KL, NBD80X08S-KL, NBD80X09RA-KL, AHB80X04R-MH, AHB80X04R-MH-V2, AHB80X04-R-MH-V3, AHB80N16T-GS, AHB80N32F4-LME, and NBD90S0VT-QW. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Nbd80X16S Kl Firmware Nbd80X09S Kl Firmware Nbd80X08S Kl Firmware +7
NVD
CVSS 3.1
7.8
EPSS
2.4%
CVE-2022-26271 HIGH POC This Week

74cmsSE v3.4.1 was discovered to contain an arbitrary file read vulnerability via the $url parameter at \index\controller\Download.php. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal Information Disclosure 74Cms
NVD GitHub
CVSS 3.1
7.5
EPSS
4.6%
CVE-2022-26642 HIGH POC This Week

TP-LINK TL-WR840N(ES)_V6.20 was discovered to contain a buffer overflow via the X_TP_ClonedMACAddress parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

TP-Link Buffer Overflow Tl Wr840N Firmware
NVD GitHub
CVSS 3.1
7.2
EPSS
1.2%
CVE-2022-26641 HIGH POC This Week

TP-LINK TL-WR840N(ES)_V6.20 was discovered to contain a buffer overflow via the httpRemotePort parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

TP-Link Buffer Overflow Tl Wr840N Firmware
NVD GitHub
CVSS 3.1
7.2
EPSS
1.2%
CVE-2022-26640 HIGH POC This Week

TP-LINK TL-WR840N(ES)_V6.20 was discovered to contain a buffer overflow via the minAddress parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

TP-Link Buffer Overflow Tl Wr840N Firmware
NVD GitHub
CVSS 3.1
7.2
EPSS
1.2%
CVE-2022-26639 HIGH POC This Week

TP-LINK TL-WR840N(ES)_V6.20 was discovered to contain a buffer overflow via the DNSServers parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

TP-Link Buffer Overflow Tl Wr840N Firmware
NVD GitHub
CVSS 3.1
7.2
EPSS
1.2%
CVE-2022-26280 MEDIUM POC This Month

Libarchive v3.6.0 was discovered to contain an out-of-bounds read via the component zipx_lzma_alone_init. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Libarchive Fedora
NVD GitHub
CVSS 3.1
6.5
EPSS
1.9%
CVE-2022-0549 MEDIUM POC This Month

An issue has been discovered in GitLab CE/EE affecting all versions before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Gitlab Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-26980 MEDIUM POC PATCH This Month

Teampass 2.1.26 allows reflected XSS via the index.php PATH_INFO. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XSS Teampass
NVD GitHub
CVSS 3.1
6.1
EPSS
1.1%
CVE-2022-0818 MEDIUM POC This Month

The WooCommerce Affiliate Plugin WordPress plugin before 4.16.4.5 does not have authorization and CSRF checks on a specific action handler, as well as does not sanitize its settings, which enables an. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS CSRF WordPress Woocommerce Affiliate
NVD WPScan
CVSS 3.1
6.1
EPSS
0.9%
CVE-2022-0680 MEDIUM POC This Month

The Plezi WordPress plugin before 1.0.3 has a REST endpoint allowing unauthenticated users to update the plz_configuration_tracker_enable option, which is then displayed in the admin panel without. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Plezi
NVD WPScan
CVSS 3.1
6.1
EPSS
0.9%
CVE-2022-0647 MEDIUM POC This Month

The Bulk Creator WordPress plugin through 1.0.1 does not sanitize and escape the post_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Bulk Creator
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-0643 MEDIUM POC This Month

The Bank Mellat WordPress plugin through 1.3.7 does not sanitize and escape the orderId parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Bank Mellat
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-0641 MEDIUM POC This Month

The Popup Like box WordPress plugin before 3.6.1 does not sanitize and escape the ays_fb_tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Popup Like Box
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-0621 MEDIUM POC This Month

The dTabs WordPress plugin through 1.4 does not sanitize and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Dtabs
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-0620 MEDIUM POC This Month

The Delete Old Orders WordPress plugin through 0.2 does not sanitize and escape the date parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Delete Old Orders
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-0619 MEDIUM POC This Month

The Database Peek WordPress plugin through 1.2 does not sanitize and escape the match parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Database Peek
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-0600 MEDIUM POC This Month

The Conference Scheduler WordPress plugin before 2.4.3 does not sanitize and escape the tab parameter before outputting back in an admin page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Conference Scheduler
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-0599 MEDIUM POC This Month

The Mapping Multiple URLs Redirect Same Page WordPress plugin through 5.8 does not sanitize and escape the mmursp_id parameter before outputting it back in an admin page, leading to a Reflected. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Mapping Multiple Urls Redirect Same Page
NVD WPScan
CVSS 3.1
6.1
EPSS
1.7%
CVE-2022-25757 CRITICAL Act Now

In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Apisix
NVD
CVSS 3.1
9.8
EPSS
2.4%
CVE-2022-26273 CRITICAL Act Now

EyouCMS v1.5.4 was discovered to lack parameter filtering in \user\controller\shop.php, leading to payment logic vulnerabilities. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Information Disclosure Eyoucms
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-26296 MEDIUM POC This Month

BOOM: The Berkeley Out-of-Order RISC-V Processor commit d77c2c3 was discovered to allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Risvc Boom
NVD GitHub
CVSS 3.1
5.5
EPSS
0.4%
CVE-2022-26291 MEDIUM POC This Month

lrzip v0.641 was discovered to contain a multiple concurrency use-after-free between the functions zpaq_decompress_buf() and clear_rulist(). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Memory Corruption Use After Free Long Range Zip Debian Linux
NVD GitHub
CVSS 3.1
5.5
EPSS
0.9%
CVE-2022-1056 MEDIUM POC PATCH This Month

Out-of-bounds Read error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Information Disclosure Libtiff Active Iq Unified Manager
NVD
CVSS 3.1
5.5
EPSS
1.1%
CVE-2022-0720 MEDIUM POC This Month

The Amelia WordPress plugin before 1.0.47 does not have proper authorisation when managing appointments, allowing any customer to update other's booking, as well as retrieve sensitive information. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Amelia
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-0595 MEDIUM POC PATCH THREAT This Month

The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to Stored Cross-Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS File Upload WordPress Drag And Drop Multiple File Upload Contact Form 7
NVD WPScan
CVSS 3.1
5.4
EPSS
13.6%
CVE-2022-0450 MEDIUM POC This Month

The Menu Image, Icons made easy WordPress plugin before 3.0.6 does not have authorisation and CSRF checks when saving menu settings, and does not validate, sanitise and escape them. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress CSRF Menu Image Icons Made Easy
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-0397 MEDIUM POC This Month

The WPC Smart Wishlist for WooCommerce WordPress plugin before 2.9.4 does not sanitise and escape the key parameter before outputting it back in the wishlist_quickview AJAX action's response. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Wpc Smart Wishlist For Woocommerce
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-24303 CRITICAL PATCH Act Now

Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Pillow Fedora
NVD GitHub
CVSS 3.1
9.1
EPSS
2.8%
CVE-2022-0493 MEDIUM POC This Month

The String locator WordPress plugin before 2.5.0 does not properly validate the path of the files to be searched, allowing high privilege users such as admin to query arbitrary files on the web. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Path Traversal String Locator
NVD WPScan
CVSS 3.1
4.9
EPSS
1.4%
CVE-2022-0751 HIGH This Week

Inaccurate display of Snippet files containing special characters in all versions of GitLab CE/EE allows an attacker to create Snippets with misleading content which could trick unsuspecting users. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Gitlab Information Disclosure
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2022-0388 MEDIUM POC This Month

The Interactive Medical Drawing of Human Body WordPress plugin before 2.6 does not sanitise and escape the Link field, allowing high privilege users to perform Cross-Site Scripting attacks even when. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Interactive Medical Drawing Of Human Body
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2022-0344 MEDIUM POC This Month

An issue has been discovered in GitLab affecting all versions starting from 10.0 before 14.5.4, all versions starting from 10.1 before 14.6.4, all versions starting from 10.2 before 14.7.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Gitlab Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
1.1%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy