Local privilege escalation in the Windows Common Log File System (CLFS) driver allows authenticated low-privileged attackers to elevate to SYSTEM on Windows 10 (1507 through 22H2) and Windows 11 21H2. The flaw is confirmed actively exploited (CISA KEV) with publicly available exploit code, and EPSS places it in the 93rd percentile for exploitation likelihood. Microsoft has released patches via standard monthly updates.
Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Path Traversal: '\..\filename' in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/task/update. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/task/changeStatus. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection vulnerability in Inventory Management v.1.0 allows a local attacker to execute arbitrary SQL commands via the id paramter in the deleteProduct.php component. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
SQL Injection vulnerability in delete.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary SQL commands via the 'bid' parameter. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Microsoft Excel Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
SQL Injection vulnerability in index.php in phpgurukul Teacher Subject Allocation Management System 1.0 allows attackers to run arbitrary SQL commands and obtain sensitive information via the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
An issue in Yasukawa memberscard v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An issue in Golden v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.
A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
DataHub is an open-source metadata platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
vantage6 is a framework to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
Azure DevOps Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.
Cross-site request forgery in some Intel Unison software may allow an authenticated user to potentially enable escalation of privilege via network access. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper access control for some Intel Unison software may allow an authenticated user to potentially enable escalation of privilege via network access. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper input validation for some Intel Unison software may allow an authenticated user to potentially enable escalation of privilege via network access. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper input validation in firmware for Intel(R) QAT before version QAT20.L.1.0.40-00004 may allow escalation of privilege and denial of service via adjacent access. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Improper authentication for some Intel Unison software may allow an authenticated user to potentially enable escalation of privilege via network access. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Microsoft Host Integration Server 2020 Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use of Uninitialized Resource vulnerability could allow attackers to access uninitialized memory causing crashes or information disclosure.
ASP.NET Security Feature Bypass Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
Microsoft Remote Registry Service Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Windows HMAC Key Derivation Elevation of Privilege Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity.
Windows SmartScreen Security Feature Bypass Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Windows Scripting Engine Memory Corruption Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Access of Resource Using Incompatible Type (Type Confusion) vulnerability could allow attackers to execute arbitrary code by exploiting type confusion in the application.
An improper access control vulnerability [CWE-284] in FortiADC automation feature 7.1.0 through 7.1.2, 7.0 all versions, 6.2 all versions, 6.1 all versions may allow an authenticated low-privileged. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability has been identified in SIMATIC PCS neo (All versions < V4.1). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
SQL injection vulnerability in OSS Calendar versions prior to v.2.0.3 allows a remote authenticated attacker to execute arbitrary code or obtain and/or alter the information stored in the database by. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An issue in Netgate pfSense v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Azure CLI REST Command Information Disclosure Vulnerability. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2) (All versions < V7.2.2), RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2) (All versions < V7.2.2), SCALANCE. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
There is an arbitrary file deletion vulnerability in the RSSI service accessed by PAPI (Aruba's access point management protocol). Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
There are arbitrary file deletion vulnerabilities in the AirWave client service accessed by PAPI (Aruba's access point management protocol). Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
There are arbitrary file deletion vulnerabilities in the CLI service accessed by PAPI (Aruba's access point management protocol). Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A race condition in System Management Mode (SMM) code may allow an attacker using a compromised user space to leverage CVE-2018-8897 potentially resulting in privilege escalation. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A vulnerability has been identified in Mendix Applications using Mendix 10 (All versions < V10.4.0), Mendix Applications using Mendix 7 (All versions < V7.23.37), Mendix Applications using Mendix 8. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Out-of-bounds read in the BIOS firmware for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via adjacent access. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
Windows Distributed File System (DFS) Remote Code Execution Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable.
Microsoft Exchange Server Spoofing Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
Microsoft Exchange Server Spoofing Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
Microsoft Exchange Server Spoofing Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
Microsoft On-Prem Data Gateway Security Feature Bypass Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity.
A vulnerability has been identified in SIMATIC PCS neo (All versions < V4.1). Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.