Skip to main content
CVE-2022-0939 CRITICAL POC PATCH Act Now

Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Calibre Web
NVD GitHub
CVSS 3.1
9.9
EPSS
1.0%
CVE-2022-1162 CRITICAL POC THREAT Act Now

A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Gitlab
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
76.2%
CVE-2022-25569 CRITICAL POC Act Now

Bettini Srl GAMS Product Line v4.3.0 was discovered to re-use static SSH keys across installations, allowing unauthenticated attackers to login as root users via extracting a key from the software. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Sgsetup
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-0990 CRITICAL POC PATCH Act Now

Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Calibre Web
NVD GitHub
CVSS 3.1
9.1
EPSS
1.3%
CVE-2022-1165 CRITICAL POC PATCH Act Now

The Blackhole for Bad Bots WordPress plugin before 3.3.2 uses headers such as CF-CONNECTING-IP, CLIENT-IP etc to determine the IP address of requests hitting the blackhole URL, which allows them to. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass WordPress Blackhole For Bad Bots
NVD WPScan
CVSS 3.1
9.1
EPSS
1.6%
CVE-2022-28062 HIGH POC This Week

Car Rental System v1.0 contains an arbitrary file upload vulnerability via the Add Car component which allows attackers to upload a webshell and execute arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Online Car Rental System
NVD GitHub
CVSS 3.1
8.8
EPSS
1.7%
CVE-2022-27435 HIGH POC This Week

An unrestricted file upload at /public/admin/index.php?add_product of Ecommerce-Website v1.1.0 allows attackers to upload a webshell via the Product Image component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Ecommerce Website
NVD GitHub
CVSS 3.1
8.8
EPSS
1.7%
CVE-2022-1026 HIGH POC THREAT This Week

Kyocera multifunction printers running vulnerable versions of Net View unintentionally expose sensitive user information, including usernames and passwords, through an insufficiently protected. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Net Viewer
NVD
CVSS 3.1
8.6
EPSS
15.1%
CVE-2022-0403 HIGH POC This Week

The Library File Manager WordPress plugin before 5.2.3 is using an outdated version of the elFinder library, which is know to be affected by security issues (CVE-2021-32682), and does not have any. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress File Upload Library File Manager
NVD WPScan
CVSS 3.1
8.1
EPSS
1.2%
CVE-2022-27442 HIGH POC This Week

TPCMS v3.2 allows attackers to access the ThinkPHP log directory and obtain sensitive information such as the administrator's user name and password. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Tpcms
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2022-0709 HIGH POC This Week

The Booking Package WordPress plugin before 1.5.29 requires a token for exporting the ical representation of it's booking calendar, but this token is returned in the json response to unauthenticated. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Information Disclosure Booking Package
NVD WPScan
CVSS 3.1
7.5
EPSS
1.6%
CVE-2022-0887 HIGH POC This Week

The Easy Social Icons WordPress plugin before 3.1.4 does not sanitize the selected_icons attribute to the cnss_widget before using it in an SQL statement, leading to a SQL injection vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Easy Social Icons
NVD WPScan
CVSS 3.1
7.2
EPSS
1.3%
CVE-2022-0537 HIGH POC This Week

The MapPress Maps for WordPress plugin before 2.73.13 allows a high privileged user to bypass the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS settings and upload arbitrary files to the site through the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress File Upload Mappress
NVD WPScan
CVSS 3.1
7.2
EPSS
1.5%
CVE-2022-0830 MEDIUM POC This Month

The FormBuilder WordPress plugin through 1.08 does not have CSRF checks in place when creating/updating and deleting forms, and does not sanitise as well as escape its form field values. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS CSRF WordPress Formbuilder
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2022-0404 MEDIUM POC This Month

The Material Design for Contact Form 7 WordPress plugin through 2.6.4 does not check authorization or that the option mentioned in the notice param belongs to the plugin when processing requests to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Authentication Bypass WordPress Material Design For Contact Form 7
NVD WPScan
CVSS 3.1
6.5
EPSS
1.0%
CVE-2022-1225 MEDIUM POC PATCH This Month

Incorrect Privilege Assignment in GitHub repository phpipam/phpipam prior to 1.4.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Phpipam
NVD GitHub
CVSS 3.1
6.5
EPSS
1.0%
CVE-2022-1224 MEDIUM POC PATCH This Month

Improper Authorization in GitHub repository phpipam/phpipam prior to 1.4.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Phpipam
NVD GitHub
CVSS 3.1
6.5
EPSS
1.0%
CVE-2022-1223 MEDIUM POC PATCH This Month

Incorrect Authorization in GitHub repository phpipam/phpipam prior to 1.4.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Phpipam
NVD GitHub
CVSS 3.1
6.5
EPSS
1.2%
CVE-2022-1233 MEDIUM POC PATCH This Month

URL Confusion When Scheme Not Supplied in GitHub repository medialize/uri.js prior to 1.19.11. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Uri Js
NVD GitHub
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-1175 MEDIUM POC THREAT This Month

Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Gitlab XSS
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
82.0%
CVE-2022-1170 MEDIUM POC This Month

In the Noo JobMonster WordPress theme before 4.5.2.9 JobMonster there is a XSS vulnerability as the input for the search form is provided through unsanitized GET requests. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Jobmonster
NVD WPScan
CVSS 3.1
6.1
EPSS
1.8%
CVE-2022-1169 MEDIUM POC This Month

There is a XSS vulnerability in Careerfy. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Careerfy
NVD WPScan
CVSS 3.1
6.1
EPSS
0.9%
CVE-2022-1168 MEDIUM POC This Month

There is a Cross-Site Scripting vulnerability in the JobSearch WP JobSearch WordPress plugin before 1.5.1. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Jobsearch Wp Job Board
NVD WPScan
CVSS 3.1
6.1
EPSS
1.8%
CVE-2022-1167 MEDIUM POC This Month

There are unauthenticated reflected Cross-Site Scripting (XSS) vulnerabilities in CareerUp Careerup WordPress theme before 2.3.1, via the filter parameters. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Careerup
NVD WPScan
CVSS 3.1
6.1
EPSS
1.1%
CVE-2022-1164 MEDIUM POC This Month

The Wyzi Theme was affected by reflected XSS vulnerabilities in the business search feature. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Wyzi
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-0901 MEDIUM POC This Month

The Ad Inserter Free and Pro WordPress plugins before 2.7.12 do not sanitise and escape the REQUEST_URI before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Ad Inserter
NVD WPScan
CVSS 3.1
6.1
EPSS
3.5%
CVE-2022-0864 MEDIUM POC This Month

The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.22.9 does not sanitise and escape the updraft_interval parameter before outputting it back in an admin page, leading to a Reflected. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Updraftplus
NVD WPScan
CVSS 3.1
6.1
EPSS
7.4%
CVE-2022-0431 MEDIUM POC PATCH This Month

The Insights from Google PageSpeed WordPress plugin before 4.0.4 does not sanitise and escape various parameters before outputting them back in attributes in the plugin's settings dashboard, leading. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Google XSS WordPress Insights From Google Pagespeed
NVD WPScan
CVSS 3.1
6.1
EPSS
0.9%
CVE-2022-24191 MEDIUM POC This Month

In HTMLDOC 1.9.14, an infinite loop in the gif_read_lzw function can lead to a pointer arbitrarily pointing to heap memory and resulting in a buffer overflow. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Htmldoc Fedora
NVD GitHub
CVSS 3.1
5.5
EPSS
0.7%
CVE-2022-1222 MEDIUM POC PATCH This Month

Inf loop in GitHub repository gpac/gpac prior to 2.1.0-DEV. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Gpac
NVD GitHub
CVSS 3.1
5.5
EPSS
0.8%
CVE-2022-0837 MEDIUM POC This Month

The Amelia WordPress plugin before 1.0.48 does not have proper authorisation when handling Amelia SMS service, allowing any customer to send paid test SMS notification as well as retrieve sensitive. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Amelia
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-0825 MEDIUM POC PATCH This Month

The Amelia WordPress plugin before 1.0.49 does not have proper authorisation when managing appointments, allowing any customer to update other's booking status, as well as retrieve sensitive. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass WordPress Amelia
NVD WPScan
CVSS 3.1
5.4
EPSS
0.8%
CVE-2022-1166 MEDIUM POC This Month

The JobMonster Theme was vulnerable to Directory Listing in the /wp-content/uploads/jobmonster/ folder, as it did not include a default PHP file, or .htaccess file. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal Jobmonster
NVD WPScan
CVSS 3.1
5.3
EPSS
1.5%
CVE-2022-28063 MEDIUM POC This Month

Simple Bakery Shop Management System v1.0 contains a file disclosure via /bsms/?page=products. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Simple Bakery Shop Management System
NVD GitHub
CVSS 3.1
4.9
EPSS
1.1%
CVE-2022-27441 MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in TPCMS v3.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Phone text box. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Tpcms
NVD
CVSS 3.1
4.8
EPSS
0.4%
CVE-2022-0958 MEDIUM POC PATCH This Month

The Mark Posts WordPress plugin before 2.0.1 does not escape new markers, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS WordPress Mark Posts
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2022-0884 MEDIUM POC PATCH This Month

The Profile Builder WordPress plugin before 3.6.8 does not sanitise and escape Form Fields titles and description, which could allow high privilege user such as admin to perform Criss-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS WordPress Profile Builder
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2022-27436 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in /public/admin/index.php?add_user at Ecommerce-Website v1.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Ecommerce Website
NVD GitHub
CVSS 3.1
4.8
EPSS
1.0%
CVE-2022-24801 HIGH PATCH This Week

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Python Request Smuggling Twisted Debian Linux +2
NVD GitHub
CVSS 3.1
8.1
EPSS
2.8%
CVE-2022-23699 HIGH This Week

A local authentication restriction bypass vulnerability was discovered in HPE OneView version(s): Prior to 6.6. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Oneview
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2022-27650 HIGH PATCH This Week

A flaw was found in crun where containers were incorrectly started with non-empty default permissions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

Privilege Escalation Docker Crun Fedora Openshift Container Platform +1
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2022-27649 HIGH PATCH This Week

A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

Privilege Escalation Docker Podman Developer Tools Openshift Container Platform +11
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2022-23698 HIGH This Week

A remote unauthenticated disclosure of information vulnerability was discovered in HPE OneView version(s): Prior to 6.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Oneview
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2022-1174 HIGH This Week

A potential DoS vulnerability was discovered in Gitlab CE/EE versions 13.7 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Gitlab Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2022-26572 HIGH This Week

Xerox ColorQube 8580 was discovered to contain an access control issue which allows attackers to print, view the status, and obtain sensitive information. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Colorqube 8580 Firmware
NVD GitHub
CVSS 3.1
7.5
EPSS
0.9%
CVE-2022-24787 HIGH PATCH This Week

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Vyper
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2022-24785 HIGH PATCH This Week

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Node.js Path Traversal Moment Tenable Sc Active Iq +2
NVD GitHub
CVSS 3.1
7.5
EPSS
5.7%
CVE-2022-27651 MEDIUM PATCH This Month

A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

Privilege Escalation Docker Buildah Fedora Enterprise Linux
NVD GitHub
CVSS 3.1
6.8
EPSS
1.2%
CVE-2022-1185 MEDIUM This Month

A denial of service vulnerability when rendering RDoc files in GitLab CE/EE versions 10 to 14.7.7, 14.8.0 to 14.8.5, and 14.9.0 to 14.9.2 allows an attacker to crash the GitLab web application with a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Memory Corruption Gitlab Buffer Overflow
NVD
CVSS 3.1
6.5
EPSS
1.3%
CVE-2022-1148 MEDIUM This Month

Improper authorization in GitLab Pages included with GitLab CE/EE affecting all versions from 11.5 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowed an attacker to steal a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Gitlab Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
1.1%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy