Skip to main content
CVE-2022-29464 CRITICAL POC KEV THREAT Emergency

Certain WSO2 products allow unrestricted file upload with resultant remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Path Traversal Api Manager Enterprise Integrator +6
NVD GitHub
CVSS 3.1
9.8
EPSS
100.0%
CVE-2022-25226 CRITICAL POC THREAT Act Now

ThinVNC version 1.0b1 allows an unauthenticated user to bypass the authentication process via 'http://thin-vnc:8080/cmd?cmd=connect' by obtaining a valid SID without any kind of authentication. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Thinvnc
NVD
CVSS 3.1
10.0
EPSS
11.0%
CVE-2022-1020 CRITICAL POC THREAT Act Now

The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Woo Product Table
NVD WPScan
CVSS 3.1
9.8
EPSS
26.6%
CVE-2022-0785 CRITICAL POC Act Now

The Daily Prayer Time WordPress plugin before 2022.03.01 does not sanitise and escape the month parameter before using it in a SQL statement via the get_monthly_timetable AJAX action (available to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Daily Prayer Time
NVD WPScan
CVSS 3.1
9.8
EPSS
9.1%
CVE-2022-28810 MEDIUM POC KEV PATCH THREAT This Month

Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Zoho Command Injection Manageengine Adselfservice Plus
NVD GitHub
CVSS 3.1
6.8
EPSS
70.5%
CVE-2022-29457 HIGH POC This Week

Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Microsoft Information Disclosure Manageengine Adaudit Plus Manageengine Admanager Plus +2
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
7.9%
CVE-2022-1381 HIGH POC PATCH This Week

global heap buffer overflow in skip_range in GitHub repository vim/vim prior to 8.2.4763. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Heap Overflow Vim Fedora macOS
NVD GitHub
CVSS 3.1
7.8
EPSS
3.1%
CVE-2022-1341 HIGH POC PATCH This Week

An issue was discovered in in bwm-ng v0.6.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Null Pointer Dereference Bwm Ng
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2022-26665 HIGH POC This Week

An Insecure Direct Object Reference issue exists in the Tyler Odyssey Portal platform before 17.1.20. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Odyssey Portal
NVD
CVSS 3.1
7.5
EPSS
1.8%
CVE-2022-1037 HIGH POC This Week

The EXMAGE WordPress plugin before 1.0.7 does to ensure that images added via URLs are external images, which could lead to a blind SSRF issue by using local URLs. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF WordPress Exmage
NVD WPScan
CVSS 3.1
7.2
EPSS
1.3%
CVE-2022-0661 HIGH POC THREAT This Week

The Ad Injection WordPress plugin through 1.2.0.19 does not properly sanitize the body of the adverts injected into the pages, allowing a high privileged user (Admin+) to inject arbitrary HTML or. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS Code Injection WordPress PHP +1
NVD WPScan
CVSS 3.1
7.2
EPSS
40.2%
CVE-2022-29458 HIGH POC This Week

ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Ncurses macOS Debian Linux
NVD
CVSS 3.1
7.1
EPSS
1.3%
CVE-2022-1091 MEDIUM POC PATCH This Month

The sanitisation step of the Safe SVG WordPress plugin before 1.9.10 can be bypassed by spoofing the content-type in the POST request to upload a file. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS WordPress Safe Svg
NVD GitHub WPScan
CVSS 3.1
6.1
EPSS
1.2%
CVE-2022-0879 MEDIUM POC This Month

The Caldera Forms WordPress plugin before 1.9.7 does not validate and escape the cf-api parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Caldera Forms
NVD WPScan
CVSS 3.1
6.1
EPSS
1.2%
CVE-2022-0780 MEDIUM POC This Month

The SearchIQ WordPress plugin before 3.9 contains a flag to disable the verification of CSRF nonces, granting unauthenticated attackers access to the siq_ajax AJAX action and allowing them to perform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS CSRF WordPress Searchiq
NVD WPScan
CVSS 3.1
6.1
EPSS
0.9%
CVE-2022-1383 MEDIUM POC PATCH This Month

Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.6.8. Rated medium severity (CVSS 6.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Heap Overflow Radare2
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2022-26631 CRITICAL PATCH Act Now

Automatic Question Paper Generator v1.0 contains a Time-Based Blind SQL injection vulnerability via the id GET parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi Automatic Question Paper Generator
NVD GitHub
CVSS 3.1
9.8
EPSS
1.2%
CVE-2022-24859 MEDIUM POC PATCH This Month

PyPDF2 is an open source python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Python Pypdf2 Debian Linux
NVD GitHub
CVSS 3.1
5.5
EPSS
1.3%
CVE-2022-1382 MEDIUM POC PATCH This Month

NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.6.8. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Null Pointer Dereference Radare2
NVD GitHub
CVSS 3.1
5.5
EPSS
0.7%
CVE-2022-1112 MEDIUM POC This Month

The Autolinks WordPress plugin through 1.0.1 does not have CSRF check in place when updating its settings, and does not sanitise as well as escape them, which could allow attackers to perform Stored. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS CSRF WordPress Autolinks
NVD WPScan
CVSS 3.1
5.4
EPSS
0.3%
CVE-2022-0765 MEDIUM POC This Month

The Loco Translate WordPress plugin before 2.6.1 does not properly remove inline events from elements in the source translation strings before outputting them in the editor in the plugin admin panel,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Loco Translate
NVD WPScan
CVSS 3.1
5.4
EPSS
3.9%
CVE-2022-1054 MEDIUM POC This Month

The RSVP and Event Management Plugin WordPress plugin before 2.7.8 does not have any authorisation checks when exporting its entries, and has the export function hooked to the init action. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Rsvp And Event Management
NVD WPScan
CVSS 3.1
5.3
EPSS
3.8%
CVE-2022-1090 MEDIUM POC This Month

The Good & Bad Comments WordPress plugin through 1.0.0 does not sanitise and escape its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Good Bad Comments
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2022-1088 MEDIUM POC This Month

The Page Security & Membership WordPress plugin through 1.5.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Page Security Membership
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2022-1063 MEDIUM POC This Month

The Thank Me Later WordPress plugin through 3.3.4 does not sanitise and escape the Message Subject field before outputting it in the Messages list, which could allow high privileges users such as. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Thank Me Later
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2022-1001 MEDIUM POC PATCH This Month

The WP Downgrade WordPress plugin before 1.2.3 only perform client side validation of its "WordPress Target Version" settings, but does not sanitise and escape it server side, allowing high privilege. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS WordPress Wp Downgrade
NVD WPScan
CVSS 3.1
4.8
EPSS
4.8%
CVE-2022-0994 MEDIUM POC This Month

The Hummingbird WordPress plugin before 3.3.2 does not sanitise and escape the Config Name, which could allow high privilege users, such as admin to perform cross-Site Scripting attacks even when the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Hummingbird
NVD WPScan
CVSS 3.1
4.8
EPSS
2.8%
CVE-2022-0737 MEDIUM POC This Month

The Text Hover WordPress plugin before 4.2 does not sanitize and escape the text to hover, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Text Hover
NVD WPScan
CVSS 3.1
4.8
EPSS
0.8%
CVE-2022-0706 MEDIUM POC PATCH This Month

The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS WordPress Easy Digital Downloads
NVD WPScan
CVSS 3.1
4.8
EPSS
0.7%
CVE-2022-27908 HIGH PATCH This Week

Zoho ManageEngine OpManager before 125588 (and before 125603) is vulnerable to authenticated SQL Injection in the Inventory Reports module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Zoho SQLi Manageengine Opmanager
NVD
CVSS 3.1
8.8
EPSS
37.7%
CVE-2022-0707 MEDIUM POC PATCH This Month

The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF WordPress Easy Digital Downloads
NVD WPScan
CVSS 3.1
4.3
EPSS
0.5%
CVE-2022-24841 HIGH PATCH This Week

fleetdm/fleet is an open source device management, built on osquery. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Fleet
NVD GitHub
CVSS 3.1
8.1
EPSS
0.8%
CVE-2022-23976 HIGH This Week

Cross-Site Request Forgery (CSRF) in Access Demo Importer <= 1.0.7 on WordPress allows an attacker to reset all data (posts / pages / media). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress Access Demo Importer
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2022-27530 HIGH This Week

A maliciously crafted TIF or PICT file in Autodesk AutoCAD 2022, 2021, 2020, 2019 can be used to write beyond the allocated buffer through Buffer overflow vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Buffer Overflow Advance Steel Autocad +8
NVD
CVSS 3.1
7.8
EPSS
0.8%
CVE-2022-27529 HIGH This Week

A maliciously crafted PICT, BMP, PSD or TIF file in Autodesk AutoCAD 2022, 2021, 2020, 2019 may be used to write beyond the allocated buffer while parsing PICT, BMP, PSD or TIF file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Buffer Overflow Advance Steel Autocad +8
NVD
CVSS 3.1
7.8
EPSS
0.8%
CVE-2022-27526 HIGH This Week

A malicious crafted TGA file when consumed through DesignReview.exe application could lead to memory corruption vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Buffer Overflow Design Review
NVD
CVSS 3.1
7.8
EPSS
1.5%
CVE-2022-27525 HIGH This Week

A malicious crafted .dwf or .pct file when consumed through DesignReview.exe application could lead to memory corruption vulnerability by write access violation. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Buffer Overflow Design Review
NVD
CVSS 3.1
7.8
EPSS
1.6%
CVE-2022-24863 HIGH PATCH This Week

http-swagger is an open source wrapper to automatically generate RESTful API documentation with Swagger 2.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Http Swagger
NVD GitHub
CVSS 3.1
7.5
EPSS
2.4%
CVE-2022-23975 MEDIUM This Month

Cross-Site Request Forgery (CSRF) in Access Demo Importer <= 1.0.7 on WordPress allows an attacker to activate any installed plugin. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress Access Demo Importer
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2022-27652 MEDIUM PATCH This Month

A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Docker Cri O Fedora Moby +1
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2022-27853 MEDIUM This Month

Authenticated (author or higher role) Stored Cross-Site Scripting (XSS) in Contest Gallery (WordPress plugin) <= 13.1.0.9. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Contest Gallery
NVD
CVSS 3.1
4.8
EPSS
0.5%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy