Skip to main content
CVE-2022-40471 CRITICAL POC THREAT Emergency

Remote Code Execution in Clinic's Patient Management System v 1.0 allows Attacker to Upload arbitrary php webshell via profile picture upload functionality in users.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload Clinic S Patient Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
19.4%
CVE-2022-3254 CRITICAL POC Act Now

The WordPress Classifieds Plugin WordPress plugin before 4.3 does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Awp Classifieds
NVD WPScan
CVSS 3.1
9.8
EPSS
5.1%
CVE-2022-37623 CRITICAL POC PATCH Act Now

Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the shimPath variable in resolve-shims.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Prototype Pollution Browserify Shim
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-3774 CRITICAL POC Act Now

A vulnerability was found in SourceCodester Train Scheduler App 1.0 and classified as critical. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Train Scheduler App
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
1.1%
CVE-2022-3357 HIGH POC This Week

The Smart Slider 3 WordPress plugin before 3.5.1.11 unserialises the content of an imported file, which could lead to PHP object injection issues when a user import (intentionally or not) a malicious. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP Smart Slider 3
NVD WPScan
CVSS 3.1
8.8
EPSS
1.9%
CVE-2022-3770 HIGH POC This Week

A vulnerability classified as critical was found in Yunjing CMS. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Yunjing Content Management System
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2022-3360 HIGH POC This Week

The LearnPress WordPress plugin before 4.1.7.2 unserialises user input in a REST API endpoint available to unauthenticated users, which could lead to PHP Object Injection when a suitable gadget is. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

RCE Deserialization WordPress PHP Learnpress
NVD WPScan
CVSS 3.1
8.1
EPSS
1.8%
CVE-2022-43752 HIGH POC This Week

Oracle Solaris version 10 1/13, when using the Common Desktop Environment (CDE), is vulnerable to a privilege escalation vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Oracle Privilege Escalation Buffer Overflow Common Desktop Environment
NVD GitHub
CVSS 3.1
7.8
EPSS
0.3%
CVE-2022-3785 HIGH POC This Week

A vulnerability, which was classified as critical, has been found in Axiomatic Bento4. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Bento4
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.6%
CVE-2022-3784 HIGH POC This Week

A vulnerability classified as critical was found in Axiomatic Bento4 5e7bb34. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Bento4
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.6%
CVE-2022-3380 HIGH POC This Week

The Customizer Export/Import WordPress plugin before 0.9.5 unserializes the content of an imported file, which could lead to PHP object injection issues when an admin imports (intentionally or not) a. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP WordPress Customizer Export Import
NVD WPScan VulDB
CVSS 3.1
7.2
EPSS
0.9%
CVE-2022-3374 HIGH POC This Week

The Ocean Extra WordPress plugin before 2.0.5 unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import (intentionally or not) a. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP Ocean Extra
NVD WPScan VulDB
CVSS 3.1
7.2
EPSS
1.1%
CVE-2022-3366 HIGH POC This Week

The PublishPress Capabilities WordPress plugin before 2.5.2, PublishPress Capabilities Pro WordPress plugin before 2.5.2 unserializes the content of imported files, which could lead to PHP object. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP Capabilities
NVD WPScan VulDB
CVSS 3.1
7.2
EPSS
1.1%
CVE-2022-3334 HIGH POC This Week

The Easy WP SMTP WordPress plugin before 1.5.0 unserialises the content of an imported file, which could lead to PHP object injection issue when an admin import (intentionally or not) a malicious. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP Easy Wp Smtp
NVD WPScan
CVSS 3.1
7.2
EPSS
1.1%
CVE-2022-3419 MEDIUM POC This Month

The Automatic User Roles Switcher WordPress plugin before 1.1.2 does not have authorisation and proper CSRF checks, allowing any authenticated users like subscriber to add any role to themselves,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Privilege Escalation Automatic User Roles Switcher
NVD WPScan VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2022-3783 MEDIUM POC PATCH This Month

A vulnerability, which was classified as problematic, has been found in node-red-dashboard.js of the component ui_text Format Handler. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Node Red Dashboard
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.6%
CVE-2022-3440 MEDIUM POC This Month

The Rock Convert WordPress plugin before 2.11.0 does not sanitise and escape an URL before outputting it back in an attribute when a specific widget is present on a page, leading to a Reflected. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Rock Convert
NVD WPScan VulDB
CVSS 3.1
6.1
EPSS
0.5%
CVE-2022-2627 MEDIUM POC This Month

The Newspaper WordPress theme before 12 does not sanitise a parameter before outputting it back in an HTML attribute via an AJAX action, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Newspaper
NVD WPScan
CVSS 3.1
6.1
EPSS
1.0%
CVE-2022-2190 MEDIUM POC This Month

The Gallery Plugin for WordPress plugin before 1.8.4.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Envira Gallery
NVD WPScan
CVSS 3.1
6.1
EPSS
0.6%
CVE-2022-2167 MEDIUM POC This Month

The Newspaper WordPress theme before 12 does not sanitise a parameter before outputting it back in an HTML attribute via an AJAX action, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Newspaper
NVD WPScan
CVSS 3.1
6.1
EPSS
0.6%
CVE-2022-3766 MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.1.8. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Phpmyfaq
NVD GitHub Exploit-DB
CVSS 3.1
6.1
EPSS
5.7%
CVE-2022-40296 CRITICAL Act Now

The application was vulnerable to a Server-Side Request Forgery attacks, allowing the backend server to interact with unexpected endpoints, potentially including internal and local services, leading. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Php Point Of Sale
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2022-40293 CRITICAL Act Now

The application was vulnerable to a session fixation that could be used hijack accounts. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Php Point Of Sale
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2022-41779 CRITICAL PATCH Act Now

Delta Electronics InfraSuite Device Master versions 00.00.01a and prior deserialize network packets without proper verification. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Infrasuite Device Master
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-41772 CRITICAL PATCH Act Now

Delta Electronics InfraSuite Device Master Versions 00.00.01a and prior mishandle .ZIP archives containing characters used in path traversal. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Path Traversal Infrasuite Device Master
NVD
CVSS 3.1
9.8
EPSS
24.9%
CVE-2022-41657 CRITICAL PATCH Act Now

Delta Electronics InfraSuite Device Master Versions 00.00.01a and prior allow attacker provided data already serialized into memory to be used in file operation application programmable interfaces. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

RCE Path Traversal Infrasuite Device Master
NVD
CVSS 3.1
9.8
EPSS
20.9%
CVE-2022-40202 CRITICAL PATCH Act Now

The database backup function in Delta Electronics InfraSuite Device Master Versions 00.00.01a and prior lacks proper authentication. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authentication for Critical Function vulnerability could allow attackers to access critical functionality without authentication.

RCE Authentication Bypass Infrasuite Device Master
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2022-38142 CRITICAL PATCH Act Now

Delta Electronics InfraSuite Device Master versions 00.00.01a and prior deserialize user-supplied data provided through the Device-Gateway service port without proper verification. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Infrasuite Device Master
NVD
CVSS 3.1
9.8
EPSS
18.2%
CVE-2022-31692 CRITICAL PATCH Act Now

Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Java Spring Security Active Iq Unified Manager
NVD
CVSS 3.1
9.8
EPSS
3.4%
CVE-2022-3771 CRITICAL Act Now

A vulnerability, which was classified as critical, has been found in easyii CMS.php of the component File Upload Management. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP File Upload Easyiicms
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2022-40741 CRITICAL Act Now

Mail SQR Expert’s specific function has insufficient filtering for special characters. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Mail Sqr Expert
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-40190 CRITICAL Act Now

SAUTER Controls moduWeb firmware version 2.7.1 is vulnerable to reflective cross-site scripting (XSS). Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Moduweb Firmware
NVD
CVSS 3.1
9.6
EPSS
0.7%
CVE-2022-28763 CRITICAL Act Now

The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.12.2 is susceptible to a URL parsing vulnerability. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Google Apple Meetings +2
NVD
CVSS 3.1
9.6
EPSS
1.1%
CVE-2022-44081 MEDIUM POC This Month

Lodepng v20220717 was discovered to contain a segmentation fault via the function pngdetail. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Buffer Overflow Lodepng
NVD GitHub
CVSS 3.1
5.5
EPSS
0.3%
CVE-2022-44079 MEDIUM POC This Month

pycdc commit 44a730f3a889503014fec94ae6e62d8401cb75e5 was discovered to contain a stack overflow via the component __sanitizer::StackDepotBase<__sanitizer::StackDepotNode. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Pycdc
NVD GitHub
CVSS 3.1
5.5
EPSS
0.3%
CVE-2022-43152 MEDIUM POC This Month

tsMuxer v2.6.16 was discovered to contain a heap overflow via the function BitStreamWriter::flushBits() at /tsMuxer/bitStream.h. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Tsmuxer
NVD GitHub
CVSS 3.1
5.5
EPSS
0.3%
CVE-2022-43151 MEDIUM POC This Month

timg v1.4.4 was discovered to contain a memory leak via the function timg::QueryBackgroundColor() at /timg/src/term-query.cc. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Timg
NVD GitHub
CVSS 3.1
5.5
EPSS
0.3%
CVE-2022-43148 MEDIUM POC This Month

rtf2html v0.2.0 was discovered to contain a heap overflow in the component /rtf2html/./rtf_tools.h. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Rtf2Html
NVD GitHub
CVSS 3.1
5.5
EPSS
0.3%
CVE-2022-3096 MEDIUM POC This Month

The WP Total Hacks WordPress plugin through 4.7.2 does not prevent low privilege users from modifying the plugin's settings. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Wp Total Hacks
NVD WPScan
CVSS 3.1
5.4
EPSS
0.4%
CVE-2022-3765 MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.8. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Phpmyfaq
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2022-41629 CRITICAL PATCH Act Now

Delta Electronics InfraSuite Device Master versions 00.00.01a and prior allow unauthenticated users to access the aprunning endpoint, which could allow an attacker to retrieve any file from the. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authentication for Critical Function vulnerability could allow attackers to access critical functionality without authentication.

Authentication Bypass Infrasuite Device Master
NVD
CVSS 3.1
9.1
EPSS
0.6%
CVE-2022-27583 CRITICAL Act Now

A remote unprivileged attacker can interact with the configuration interface of a Flexi-Compact FLX3-CPUC1 or FLX3-CPUC2 running an affected firmware version to potentially impact the availability of. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Flx3 Cpuc1 Firmware Flx3 Cpuc2 Firmware
NVD
CVSS 3.1
9.1
EPSS
0.6%
CVE-2022-40289 CRITICAL Act Now

The application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the upload and download functionality, which could be leveraged to escalate privileges or compromise any. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Php Point Of Sale
NVD
CVSS 3.1
9.0
EPSS
0.6%
CVE-2022-40288 CRITICAL Act Now

The application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the user profile data fields, which could be leveraged to escalate privileges within and compromise any account. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Php Point Of Sale
NVD
CVSS 3.1
9.0
EPSS
0.6%
CVE-2022-40287 CRITICAL Act Now

The application was found to be vulnerable to an authenticated Stored Cross-Site Scripting (XSS) vulnerability in messaging functionality, leading to privilege escalation or a compromise of a. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Privilege Escalation Php Point Of Sale
NVD
CVSS 3.1
9.0
EPSS
0.6%
CVE-2022-40294 HIGH This Week

The application was identified to have an CSV injection in data export functionality, allowing for malicious code to be embedded within export data and then triggered in exported data viewers. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Php Point Of Sale
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2022-40291 HIGH This Week

The application was vulnerable to Cross-Site Request Forgery (CSRF) attacks, allowing an attacker to coerce users into sending malicious requests to the site to delete their account, or in rare. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Php Point Of Sale
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2022-39016 HIGH This Week

Javascript injection in PDFtron in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to perform an account takeover via a crafted PDF upload. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Hubshare
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2022-42925 HIGH PATCH This Week

There is a vulnerability on Forma LMS version 3.1.0 and earlier that could allow an authenticated attacker (with the role of student) to privilege escalate in order to upload a Zip file through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

File Upload Formalms
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2022-42923 HIGH PATCH This Week

Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

PHP SQLi Formalms
NVD
CVSS 3.1
8.8
EPSS
0.6%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy