Skip to main content
CVE-2022-26258 CRITICAL POC KEV THREAT Emergency

D-Link DIR-820L 1.05B03 was discovered to contain remote command execution (RCE) vulnerability via HTTP POST to get set ccp. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Command Injection D-Link Dir 820L Firmware
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
81.2%
Threat
7.4
CVE-2022-26278 CRITICAL POC Act Now

Tenda AC9 v15.03.2.21_cn was discovered to contain a stack overflow via the time parameter in the PowerSaveSet function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Tenda Memory Corruption Buffer Overflow Ac9 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2022-0735 CRITICAL POC THREAT Act Now

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Gitlab Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
13.2%
CVE-2022-0846 CRITICAL POC Act Now

The SpeakOut!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Speakout Email Petitions
NVD WPScan
CVSS 3.1
9.8
EPSS
8.8%
CVE-2022-0787 CRITICAL POC Act Now

The Limit Login Attempts (Spam Protection) WordPress plugin before 5.1 does not sanitise and escape some parameters before using them in SQL statements via AJAX actions (available to unauthenticated. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Limit Login Attempts
NVD WPScan
CVSS 3.1
9.8
EPSS
8.9%
CVE-2022-0784 CRITICAL POC THREAT Act Now

The Title Experiments Free WordPress plugin before 9.0.1 does not sanitise and escape the id parameter before using it in a SQL statement via the wpex_titles AJAX action (available to unauthenticated. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Title Experiments Free
NVD WPScan
CVSS 3.1
9.8
EPSS
10.1%
CVE-2022-0679 CRITICAL POC THREAT Act Now

The Narnoo Distributor WordPress plugin through 2.5.1 fails to validate and sanitize the lib_path parameter before it is passed into a call to require() via the narnoo_distributor_lib_request AJAX. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Path Traversal Narnoo Distributor
NVD WPScan
CVSS 3.1
9.8
EPSS
47.8%
CVE-2022-0479 CRITICAL POC PATCH THREAT Act Now

The Popup Builder WordPress plugin before 4.1.1 does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS SQLi WordPress Popup Builder
NVD WPScan
CVSS 3.1
9.8
EPSS
44.1%
CVE-2022-23884 CRITICAL POC Act Now

Mojang Bedrock Dedicated Server 1.18.2 is affected by an integer overflow leading to a bound check bypass caused by PurchaseReceiptPacket::_read (packet deserializer). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Integer Overflow Buffer Overflow Bedrock Server
NVD
CVSS 3.1
9.8
EPSS
2.5%
CVE-2022-0342 CRITICAL POC THREAT Act Now

An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Zyxel Usg40 Firmware Usg40W Firmware Usg60 Firmware +20
NVD
CVSS 3.1
9.8
EPSS
84.8%
CVE-2022-23882 CRITICAL POC Act Now

TuziCMS 2.0.6 is affected by SQL injection in \App\Manage\Controller\BannerController.class.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Tuzicms
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-26268 CRITICAL POC Act Now

Xiaohuanxiong v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /app/controller/Books.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Xiaohuanxiong
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2022-26255 CRITICAL POC Act Now

Clash for Windows v0.19.8 was discovered to allow arbitrary code execution via a crafted payload injected into the Proxies name column. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Microsoft XSS Clash
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2022-0249 CRITICAL POC Act Now

A vulnerability was discovered in GitLab starting with version 12. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Gitlab
NVD
CVSS 3.1
9.1
EPSS
1.1%
CVE-2022-25757 CRITICAL Act Now

In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Apisix
NVD
CVSS 3.1
9.8
EPSS
2.4%
CVE-2022-26273 CRITICAL Act Now

EyouCMS v1.5.4 was discovered to lack parameter filtering in \user\controller\shop.php, leading to payment logic vulnerabilities. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Information Disclosure Eyoucms
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-24303 CRITICAL PATCH Act Now

Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Pillow Fedora
NVD GitHub
CVSS 3.1
9.1
EPSS
2.8%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy