Skip to main content
CVE-2022-22954 CRITICAL POC KEV THREAT Emergency

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

VMware RCE Code Injection Identity Manager Vrealize Automation +3
NVD
CVSS 3.1
9.8
EPSS
100.0%
CVE-2021-37291 CRITICAL POC Act Now

An SQL Injection vulnerability exists in KevinLAB Inc Building Energy Management System 4ST BEMS 1.0.0 ivia the input_id POST parameter in index.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi 4St L Bems
NVD VulDB
CVSS 3.1
9.8
EPSS
8.1%
CVE-2022-27115 CRITICAL POC PATCH THREAT Act Now

In Studio-42 elFinder 2.1.60, there is a vulnerability that causes remote code execution through file name bypass for file upload. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Elfinder
NVD GitHub
CVSS 3.1
9.8
EPSS
28.6%
CVE-2022-0949 CRITICAL POC Act Now

The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin before 6.930 does not properly sanitise and escape the fingerprint parameter before using it in a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Block And Stop Bad Bots
NVD WPScan
CVSS 3.1
9.8
EPSS
7.9%
CVE-2022-1295 CRITICAL POC PATCH Act Now

Prototype Pollution in GitHub repository alvarotrigo/fullpage.js prior to 4.0.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Prototype Pollution Information Disclosure Fullpage
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2021-40219 HIGH POC This Week

Bolt CMS <= 4.2 is vulnerable to Remote Code Execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Bolt Cms
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
3.3%
CVE-2022-1297 CRITICAL POC PATCH Act Now

Out-of-bounds Read in r_bin_ne_get_entrypoints function in GitHub repository radareorg/radare2 prior to 5.6.8. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Information Disclosure Radare2
NVD GitHub
CVSS 3.1
9.1
EPSS
0.9%
CVE-2022-1296 CRITICAL POC PATCH Act Now

Out-of-bounds read in `r_bin_ne_get_relocs` function in GitHub repository radareorg/radare2 prior to 5.6.8. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Information Disclosure Radare2
NVD GitHub
CVSS 3.1
9.1
EPSS
0.8%
CVE-2022-1252 CRITICAL POC Act Now

Use of a Broken or Risky Cryptographic Algorithm in GitHub repository gnuboard/gnuboard5 prior to and including 5.5.5. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Gnuboard
NVD
CVSS 3.1
9.1
EPSS
0.5%
CVE-2021-37292 HIGH POC This Week

An Access Control vulnerability exists in KevinLAB Inc Building Energy Management System 4ST BEMS 1.0.0 due to an undocumented backdoor account. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure 4St L Bems
NVD VulDB
CVSS 3.1
7.2
EPSS
6.7%
CVE-2022-24815 HIGH POC PATCH This Week

JHipster is a development platform to quickly generate, develop, & deploy modern web applications & microservice architectures. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Java SQLi Generator Jhipster
NVD GitHub
CVSS 3.1
8.1
EPSS
1.4%
CVE-2022-1316 HIGH POC PATCH This Week

Incorrect Permission Assignment for Critical Resource in GitHub repository zerotier/zerotierone prior to 1.8.8. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Privilege Escalation Zerotierone
NVD GitHub
CVSS 3.1
7.8
EPSS
0.4%
CVE-2022-1262 HIGH POC This Week

A command injection vulnerability in the protest binary allows an attacker with access to the remote command line interface to execute arbitrary commands as root. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Dir 1360 Firmware Dir 1760 Firmware Dir 1960 Firmware Dir 2640 Firmware +6
NVD
CVSS 3.1
7.8
EPSS
2.2%
CVE-2022-0989 HIGH POC This Week

An unprivileged user could use the functionality of the NS WooCommerce Watermark WordPress plugin through 2.11.3 to load images that hide malware for example from passing malicious domains to hide. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Ns Watermark For Woocommerce
NVD WPScan
CVSS 3.1
7.5
EPSS
1.2%
CVE-2022-0920 HIGH POC This Week

The Salon booking system Free and Pro WordPress plugins before 7.6.3 do not have proper authorisation in some of its endpoints, which could allow customers to access all bookings and other customer's. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Salon Booking System
NVD WPScan
CVSS 3.1
7.5
EPSS
1.4%
CVE-2022-0828 HIGH POC This Week

The Download Manager WordPress plugin before 3.2.34 uses the uniqid php function to generate the master key for a download, allowing an attacker to brute force the key with reasonable resources. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Information Disclosure Download Manager
NVD WPScan
CVSS 3.1
7.5
EPSS
1.5%
CVE-2022-27041 HIGH POC This Week

Due to lack of protection, parameter student_id in OpenSIS Classic 8.0 /modules/eligibility/Student.php can be used to inject SQL queries to extract information from databases. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Opensis
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2022-1023 HIGH POC PATCH This Week

The Podcast Importer SecondLine WordPress plugin before 1.3.8 does not sanitise and properly escape some imported data, which could allow SQL injection attacks to be performed by imported a malicious. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi WordPress Podcast Importer Secondline
NVD WPScan
CVSS 3.1
7.2
EPSS
1.5%
CVE-2022-1008 HIGH POC PATCH This Week

The One Click Demo Import WordPress plugin before 3.1.0 does not validate the imported file, allowing high privilege users such as admin to upload arbitrary files (such as PHP) even when FILE_MODS. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress File Upload One Click Demo Import
NVD WPScan
CVSS 3.1
7.2
EPSS
1.7%
CVE-2022-1006 HIGH POC PATCH This Week

The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the id parameter when editing Calendars, which could allow high privilege users such as admin to perform SQL. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi WordPress Advanced Booking Calendar
NVD WPScan
CVSS 3.1
7.2
EPSS
1.5%
CVE-2021-37293 MEDIUM POC This Month

A Directory Traversal vulnerability exists in KevinLAB Inc Building Energy Management System 4ST BEMS 1.0.0 via the page GET parameter in index.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal 4St L Bems
NVD VulDB
CVSS 3.1
6.5
EPSS
1.4%
CVE-2022-0914 MEDIUM POC This Month

The Export All URLs WordPress plugin before 4.3 does not have CSRF in place when exporting data, which could allow attackers to make a logged in admin export all posts and pages (including private. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Export All Urls
NVD WPScan
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-0447 MEDIUM POC This Month

The Post Grid WordPress plugin before 2.1.16 does not sanitise and escape the post_types parameter before outputting it back in the response of the post_grid_update_taxonomies_terms_by_posttypes AJAX. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Post Grid
NVD WPScan
CVSS 3.1
6.4
EPSS
0.6%
CVE-2022-24833 MEDIUM POC PATCH This Month

PrivateBin is minimalist, open source online pastebin clone where the server has zero knowledge of pasted data. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Privatebin
NVD GitHub
CVSS 3.1
6.1
EPSS
1.3%
CVE-2022-1007 MEDIUM POC PATCH This Month

The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the room parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS WordPress Advanced Booking Calendar
NVD WPScan
CVSS 3.1
6.1
EPSS
1.6%
CVE-2022-0892 MEDIUM POC This Month

The Export All URLs WordPress plugin before 4.2 does not sanitise and escape the CSV filename before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Export All Urls
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-0531 MEDIUM POC This Month

The Migration, Backup, Staging WordPress plugin before 0.9.70 does not sanitise and escape the sub_page parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Migration Backup Staging
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-0471 MEDIUM POC PATCH This Month

The Favicon by RealFaviconGenerator WordPress plugin before 1.3.23 does not properly sanitise and escape the json_result_url parameter before outputting it back in the Favicon admin dashboard,. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS WordPress Favicon By Realfavicongenerator
NVD WPScan
CVSS 3.1
6.1
EPSS
0.9%
CVE-2022-0314 MEDIUM POC This Month

The Nimble Page Builder WordPress plugin before 3.2.2 does not sanitise and escape the preview-level-guid parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Nimble Page Builder
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-0271 MEDIUM POC This Month

The LearnPress WordPress plugin before 4.1.6 does not sanitise and escape the lp-dismiss-notice before outputting it back via the lp_background_single_email AJAX action, leading to a Reflected. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Learnpress
NVD WPScan
CVSS 3.1
6.1
EPSS
2.3%
CVE-2022-24838 CRITICAL PATCH Act Now

Nextcloud Calendar is a calendar application for the nextcloud framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Command Injection Nextcloud Calendar
NVD GitHub
CVSS 3.1
9.8
EPSS
32.3%
CVE-2022-27572 CRITICAL Act Now

Heap-based buffer overflow vulnerability in parser_ipma function of libsimba library prior to SMR Apr-2022 Release 1 allows code execution by remote attackers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Buffer Overflow Heap Overflow Android
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2022-27571 CRITICAL Act Now

Heap-based buffer overflow vulnerability in sheifd_get_info_image function in libsimba library prior to SMR Apr-2022 Release 1 allows code execution by remote attacker. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Buffer Overflow Heap Overflow Android
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2022-27570 CRITICAL Act Now

Heap-based buffer overflow vulnerability in parser_single_iref function in libsimba library prior to SMR Apr-2022 Release 1 allows code execution by remote attacker. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Buffer Overflow Heap Overflow Android
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2022-27569 CRITICAL Act Now

Heap-based buffer overflow vulnerability in parser_infe function in libsimba library prior to SMR Apr-2022 Release 1 allows code execution by remote attacker. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Buffer Overflow Heap Overflow Android
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2022-27568 CRITICAL Act Now

Heap-based buffer overflow vulnerability in parser_iloc function in libsimba library prior to SMR Apr-2022 Release 1 allows code execution by remote attacker. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Buffer Overflow Heap Overflow Android
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2022-27567 CRITICAL Act Now

Null pointer dereference vulnerability in parser_hvcC function of libsimba library prior to SMR Apr-2022 Release 1 allows out of bounds write by remote attackers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Buffer Overflow Null Pointer Dereference Android
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2022-26098 CRITICAL Act Now

Heap-based buffer overflow vulnerability in sheifd_create function of libsimba library prior to SMR Apr-2022 Release 1 allows code execution by remote attackers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Buffer Overflow Heap Overflow Android
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2022-26097 CRITICAL Act Now

Null pointer dereference vulnerability in parser_unknown_property function in libsimba library prior to SMR Apr-2022 Release 1 allows out of bounds write by remote attacker. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Buffer Overflow Null Pointer Dereference Android
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2022-26096 CRITICAL Act Now

Null pointer dereference vulnerability in parser_ispe function in libsimba library prior to SMR Apr-2022 Release 1 allows out of bounds write by remote attacker. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Buffer Overflow Null Pointer Dereference Android
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2022-26095 CRITICAL Act Now

Null pointer dereference vulnerability in parser_colr function in libsimba library prior to SMR Apr-2022 Release 1 allows out of bounds write by remote attacker. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Buffer Overflow Null Pointer Dereference Android
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2022-26094 CRITICAL Act Now

Null pointer dereference vulnerability in parser_auxC function in libsimba library prior to SMR Apr-2022 Release 1 allows out of bounds write by remote attacker. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Buffer Overflow Null Pointer Dereference Android
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2022-26093 CRITICAL Act Now

Null pointer dereference vulnerability in parser_irot function in libsimba library prior to SMR Apr-2022 Release 1 allows out of bounds write by remote attacker. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Buffer Overflow Null Pointer Dereference Android
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2022-24829 CRITICAL PATCH Act Now

Garden is an automation platform for Kubernetes development and testing. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authentication for Critical Function vulnerability could allow attackers to access critical functionality without authentication.

Authentication Bypass Kubernetes Garden
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-22258 CRITICAL Act Now

The Wi-Fi module has an event notification vulnerability.Successful exploitation of this vulnerability may allow third-party applications to intercept event notifications and add information and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Emui Harmonyos Magic Ui
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2022-1161 CRITICAL Act Now

An attacker with the ability to modify a user program may change user program code on some ControlLogix, CompactLogix, and GuardLogix Control systems. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Compactlogix 1768 L43 Firmware Compactlogix 1768 L45 Firmware Compactlogix 1769 L31 Firmware Compactlogix 1769 L32C Firmware +20
NVD
CVSS 3.1
9.8
EPSS
5.0%
CVE-2022-27156 MEDIUM POC This Month

Daylight Studio Fuel CMS 1.5.1 is vulnerable to HTML Injection. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Fuel Cms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2022-27111 MEDIUM POC This Month

Jfinal_CMS 5.1.0 allows attackers to use the feedback function to send malicious XSS code to the administrator backend and execute it. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Jfinal Cms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2022-1045 MEDIUM POC PATCH This Month

Stored XSS viva .svg file upload in GitHub repository polonel/trudesk prior to v1.2.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS File Upload Trudesk
NVD GitHub
CVSS 3.1
5.4
EPSS
1.6%
CVE-2022-0936 MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository autolab/autolab prior to 2.8.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Autolab
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy