Skip to main content
CVE-2022-36067 CRITICAL POC PATCH THREAT Act Now

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Vm2
NVD GitHub
CVSS 3.1
10.0
EPSS
47.9%
CVE-2022-36061 CRITICAL POC PATCH Act Now

Elrond go is the go implementation for the Elrond Network protocol. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Elrond Go
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2022-31860 CRITICAL POC Act Now

An issue was discovered in OpenRemote through 1.0.4 allows attackers to execute arbitrary code via a crafted Groovy rule. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Openremote
NVD GitHub
CVSS 3.1
9.8
EPSS
1.8%
CVE-2022-2461 MEDIUM POC PATCH THREAT This Month

The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.9.6. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 17.8%.

WordPress Authentication Bypass Transposh Wordpress Translation
NVD VulDB
CVSS 3.1
5.3
EPSS
17.8%
CVE-2022-2431 HIGH POC PATCH This Week

The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion in versions up to, and including 3.2.50. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE WordPress PHP Download Manager
NVD
CVSS 3.1
8.8
EPSS
2.7%
CVE-2022-2633 HIGH POC PATCH THREAT This Week

The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file downloads and blind server-side request forgery via the 'dl' parameter found in the ~/public/video.php file in. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SSRF WordPress PHP All In One Video Gallery
NVD
CVSS 3.1
8.2
EPSS
25.9%
CVE-2022-38530 HIGH POC This Week

GPAC v2.1-DEV-rev232-gfcaa01ebb-master was discovered to contain a stack overflow when processing ISOM_IOD. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Gpac
NVD GitHub
CVSS 3.1
7.8
EPSS
0.4%
CVE-2022-38529 HIGH POC This Week

tinyexr commit 0647fb3 was discovered to contain a heap-buffer overflow via the component rleUncompress. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Tinyexr
NVD GitHub
CVSS 3.1
7.8
EPSS
0.3%
CVE-2022-3134 HIGH POC PATCH This Week

Use After Free in GitHub repository vim/vim prior to 9.0.0389. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Denial Of Service Use After Free Vim Debian Linux
NVD GitHub
CVSS 3.1
7.8
EPSS
0.5%
CVE-2022-25308 HIGH POC This Week

A stack-based buffer overflow flaw was found in the Fribidi package. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Stack Overflow Buffer Overflow Fribidi Enterprise Linux
NVD GitHub
CVSS 3.1
7.8
EPSS
0.5%
CVE-2022-36064 HIGH POC PATCH This Week

Shescape is a shell escape package for JavaScript. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Shescape
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2022-36058 HIGH POC PATCH This Week

Elrond go is the go implementation for the Elrond Network protocol. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Elrond Go
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2022-31790 HIGH POC This Week

WatchGuard Firebox and XTM appliances allow an unauthenticated remote attacker to retrieve sensitive authentication server settings by sending a malicious request to exposed authentication endpoints. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Watchguard Information Disclosure Fireware
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2022-2901 HIGH POC PATCH This Week

Improper Authorization in GitHub repository chatwoot/chatwoot prior to 2.8. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Chatwoot
NVD GitHub
CVSS 3.1
7.1
EPSS
0.5%
CVE-2022-3026 MEDIUM POC This Month

The WP Users Exporter plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.2 via the 'Export Users' functionality. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE WordPress Wp Users Exporter
NVD VulDB
CVSS 3.1
6.5
EPSS
1.1%
CVE-2022-37771 MEDIUM POC This Month

IObit Malware Fighter v9.2 for Microsoft Windows lacks tamper protection, allowing authenticated attackers with Administrator privileges to modify processes within the application and escalate. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Privilege Escalation Malware Fighter
NVD
CVSS 3.1
6.7
EPSS
0.4%
CVE-2022-36670 MEDIUM POC This Month

PCProtect Endpoint prior to v5.17.470 for Microsoft Windows lacks tamper protection, allowing authenticated attackers with Administrator privileges to modify processes within the application and. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Privilege Escalation Endpoint
NVD
CVSS 3.1
6.7
EPSS
0.3%
CVE-2022-38528 MEDIUM POC This Month

Open Asset Import Library (assimp) commit 3c253ca was discovered to contain a segmentation violation via the component Assimp::XFileImporter::CreateMeshes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Buffer Overflow Assimp
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-2941 MEDIUM POC PATCH This Month

The WP-UserOnline plugin for WordPress has multiple Stored Cross-Site Scripting vulnerabilities in versions up to, and including 2.88.0. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS WordPress Wp Useronline
NVD GitHub Exploit-DB VulDB
CVSS 3.1
5.5
EPSS
4.9%
CVE-2022-2515 MEDIUM POC PATCH This Month

The Simple Banner plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `pro_version_activation_code` parameter in versions up to, and including, 2.11.0 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS WordPress Simple Banner
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.4%
CVE-2022-2462 MEDIUM POC PATCH This Month

The Transposh WordPress Translation plugin for WordPress is vulnerable to sensitive information disclosure to unauthenticated users in versions up to, and including, 1.0.9.6. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure WordPress Transposh Wordpress Translation
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
4.7%
CVE-2022-38131 MEDIUM POC This Month

RStudio Connect prior to 2023.01.0 is affected by an Open Redirect issue. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect Connect
NVD
CVSS 3.1
6.1
EPSS
1.3%
CVE-2022-37344 CRITICAL Act Now

Missing Access Control vulnerability in PHP Crafts Accommodation System plugin <= 1.0.1 at WordPress. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress PHP Privilege Escalation Accommodation System
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2022-36427 CRITICAL Act Now

Missing Access Control vulnerability in About Rentals. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Privilege Escalation About Rentals
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2022-36387 CRITICAL Act Now

Broken Access Control vulnerability in Alessio Caiazza's About Me plugin <= 1.0.12 at WordPress. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Privilege Escalation About Me
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2022-1368 CRITICAL Act Now

The Cognex 3D-A1000 Dimensioning System in firmware version 1.0.3 (3354) and prior is vulnerable to CWE-306: Missing Authentication for Critical Function, which allows unauthorized users to change. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass 3D A1000 Dimensioning System Firmware
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2022-36663 CRITICAL PATCH Act Now

Gluu Oxauth before v4.4.1 allows attackers to execute blind SSRF (Server-Side Request Forgery) attacks via a crafted request_uri parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Oxauth
NVD GitHub
CVSS 3.1
9.8
EPSS
2.0%
CVE-2022-31789 CRITICAL Act Now

An integer overflow in WatchGuard Firebox and XTM appliances allows an unauthenticated remote attacker to trigger a buffer overflow and potentially execute arbitrary code by sending a malicious. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Integer Overflow Watchguard Buffer Overflow RCE Fireware
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2022-36425 CRITICAL Act Now

Broken Access Control vulnerability in Beaver Builder plugin <= 2.5.4.3 at WordPress. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Privilege Escalation Beaver Builder
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2022-26447 CRITICAL Act Now

In BT firmware, there is a possible out of bounds write due to a missing bounds check. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption RCE Buffer Overflow Android Yocto
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2022-40111 CRITICAL Act Now

In TOTOLINK A3002R TOTOLINK-A3002R-He-V1.1.1-B20200824.0128 in the shadow.sample file, root is hardcoded in the firmware. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass A3002r Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2022-40109 CRITICAL Act Now

TOTOLINK A3002R TOTOLINK-A3002R-He-V1.1.1-B20200824.0128 is vulnerable to Insecure Permissions via binary /bin/boa. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation A3002r Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2022-37843 CRITICAL Act Now

In TOTOLINK A860R V4.1.2cu.5182_B20201027 in cstecgi.cgi, the acquired parameters are directly put into the system for execution without filtering, resulting in a command injection vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection A860R Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2022-37842 CRITICAL Act Now

In TOTOLINK A860R V4.1.2cu.5182_B20201027, the parameters in infostat.cgi are not filtered, causing a buffer overflow vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow A860R Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2022-37840 CRITICAL Act Now

In TOTOLINK A860R V4.1.2cu.5182_B20201027, the main function in downloadfile.cgi has a buffer overflow vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow A860R Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2022-37839 CRITICAL Act Now

TOTOLINK A860R V4.1.2cu.5182_B20201027 is vulnerable to Buffer Overflow via Cstecgi.cgi. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow A860R Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2022-36584 CRITICAL PATCH Act Now

In Tenda G3 US_G3V3.0br_V15.11.0.6(7663)_EN_TDE, the getsinglepppuser function has a buffer overflow caused by sscanf. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Copy without Size Check vulnerability could allow attackers to overflow a buffer to corrupt adjacent memory.

Tenda Buffer Overflow G3 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2022-2714 CRITICAL PATCH Act Now

Improper Handling of Length Parameter Inconsistency in GitHub repository francoisjacquet/rosariosis prior to 10.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Rosariosis
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2022-34747 CRITICAL PATCH Act Now

A format string vulnerability in Zyxel NAS326 firmware versions prior to V5.21(AAZF.12)C0 could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Zyxel Nas326 Firmware
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2022-2473 MEDIUM POC PATCH This Month

The WP-UserOnline plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘templates[browsingpage][text]' parameter in versions up to, and including, 2.87.6 due to insufficient. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS WordPress Wp Useronline
NVD Exploit-DB VulDB
CVSS 3.1
5.5
EPSS
1.0%
CVE-2022-2434 HIGH PATCH This Week

The String Locator plugin for WordPress is vulnerable to deserialization of untrusted input via the 'string-locator-path' parameter in versions up to, and including 2.5.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

WordPress Deserialization PHP String Locator
NVD VulDB
CVSS 3.1
8.8
EPSS
4.2%
CVE-2022-25310 MEDIUM POC PATCH This Month

A segmentation fault (SEGV) flaw was found in the Fribidi package and affects the fribidi_remove_bidi_marks() function of the lib/fribidi.c file. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Buffer Overflow Fribidi Enterprise Linux
NVD GitHub
CVSS 3.1
5.5
EPSS
0.5%
CVE-2022-25309 MEDIUM POC PATCH This Month

A heap-based buffer overflow flaw was found in the Fribidi package and affects the fribidi_cap_rtl_to_unicode() function of the fribidi-char-sets-cap-rtl.c file. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Heap Overflow Denial Of Service Buffer Overflow Fribidi Enterprise Linux
NVD GitHub
CVSS 3.1
5.5
EPSS
0.5%
CVE-2022-2943 MEDIUM POC This Month

The WordPress Infinite Scroll - Ajax Load More plugin for Wordpress is vulnerable to arbitrary file reading in versions up to, and including, 5.5.3 due to insufficient file path validation on the. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP Path Traversal Ajax Load More
NVD GitHub VulDB
CVSS 3.1
4.9
EPSS
1.3%
CVE-2022-1525 CRITICAL Act Now

The Cognex 3D-A1000 Dimensioning System in firmware version 1.0.3 (3354) and prior is vulnerable to CWE-602: Client-Side Enforcement of Server-Side Security, which could allow attackers to bypass web. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass 3D A1000 Dimensioning System Firmware
NVD
CVSS 3.1
9.1
EPSS
0.7%
CVE-2022-2945 MEDIUM POC This Month

The WordPress Infinite Scroll - Ajax Load More plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 5.5.3 via the 'type' parameter found in the alm_get_layout(). Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Path Traversal Ajax Load More
NVD GitHub VulDB
CVSS 3.1
4.9
EPSS
1.0%
CVE-2022-2436 HIGH PATCH This Week

The Download Manager plugin for WordPress is vulnerable to deserialization of untrusted input via the 'file[package_dir]' parameter in versions up to, and including 3.2.49. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

PHP Deserialization WordPress Download Manager
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2022-2233 HIGH PATCH This Week

The Banner Cycler plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

PHP WordPress CSRF Banner Cycler
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2022-2541 HIGH PATCH This Week

The uContext for Amazon plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 3.9.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

XSS WordPress PHP CSRF Ucontext For Amazon
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2022-2542 HIGH PATCH This Week

The uContext for Clickbank plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 3.9.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

PHP XSS WordPress CSRF Ucontext For Clickbank
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy