Skip to main content
CVE-2023-40600 MEDIUM POC THREAT This Month

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Exactly WWW EWWW Image Optimizer. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 60.2%.

Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
60.2%
Threat
4.4
CVE-2023-40211 HIGH POC THREAT Act Now

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in PickPlugins Post Grid Combo - 36+ Gutenberg Blocks.2.50. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 31.5%.

Information Disclosure Post Grid Combo
NVD
CVSS 3.1
7.5
EPSS
31.5%
CVE-2023-48812 CRITICAL POC Act Now

In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function that when passed to the CsteSystem function creates. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection X6000r Firmware
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2023-48811 CRITICAL POC Act Now

In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function that when passed to the CsteSystem function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection X6000r Firmware
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2023-48810 CRITICAL POC Act Now

In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection X6000r Firmware
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2023-48808 CRITICAL POC Act Now

In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection X6000r Firmware
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2023-48807 CRITICAL POC Act Now

In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection X6000r Firmware
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2023-48806 CRITICAL POC Act Now

In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection X6000r Firmware
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2023-48805 CRITICAL POC Act Now

In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection X6000r Firmware
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2023-48804 CRITICAL POC Act Now

In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection X6000r Firmware
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2023-48803 CRITICAL POC Act Now

In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection X6000r Firmware
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2023-48802 CRITICAL POC Act Now

In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection X6000r Firmware
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2023-6360 CRITICAL POC THREAT Act Now

The 'My Calendar' WordPress Plugin, version < 3.4.22 is affected by an unauthenticated SQL injection vulnerability in the 'from' and 'to' parameters in the '/my-calendar/v1/events' rest route. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi My Calendar
NVD
CVSS 3.1
9.8
EPSS
63.1%
CVE-2023-47418 CRITICAL POC Act Now

Remote Code Execution (RCE) vulnerability in o2oa version 8.1.2 and before, allows attackers to create a new interface in the service management function to execute JavaScript. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE O2oa
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2023-46326 HIGH POC This Week

ZStack Cloud version 3.10.38 and before allows unauthenticated API access to the list of active job UUIDs and the session ID for each of these. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Zstack
NVD GitHub
CVSS 3.1
8.8
EPSS
0.7%
CVE-2023-6402 HIGH POC This Week

A vulnerability, which was classified as critical, was found in PHPGurukul Nipah Virus Testing Management System 1.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Nipah Virus Testing Management System
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.8%
CVE-2023-48914 HIGH POC This Week

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/archives/add. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Dreamer Cms
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2023-48913 HIGH POC This Week

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/archives/delete. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Dreamer Cms
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2023-48912 HIGH POC This Week

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/archives/edit. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Dreamer Cms
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2023-49052 HIGH POC This Week

File Upload vulnerability in Microweber v.2.0.4 allows a remote attacker to execute arbitrary code via a crafted script to the file upload function in the created forms component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Microweber
NVD GitHub
CVSS 3.1
8.8
EPSS
2.4%
CVE-2023-49097 HIGH POC PATCH This Week

ZITADEL is an identity infrastructure system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Zitadel
NVD GitHub
CVSS 3.1
8.8
EPSS
0.8%
CVE-2023-47464 HIGH POC THREAT This Week

Insecure Permissions vulnerability in GL.iNet AX1800 version 4.0.0 before 4.5.0 allows a remote attacker to execute arbitrary code via the upload API function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal Gl Ax1800 Firmware
NVD GitHub
CVSS 3.1
8.8
EPSS
22.6%
CVE-2023-47454 HIGH POC This Week

An Untrusted search path vulnerability in NetEase CloudMusic 2.10.4 for Windows allows local users to gain escalated privileges through the urlmon.dll file in the current working directory. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Microsoft Cloudmusic
NVD GitHub
CVSS 3.1
7.8
EPSS
0.3%
CVE-2023-47453 HIGH POC This Week

An Untrusted search path vulnerability in Sohu Video Player 7.0.15.0 allows local users to gain escalated privileges through the version.dll file in the current working directory. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Video Player
NVD GitHub
CVSS 3.1
7.8
EPSS
0.3%
CVE-2023-47452 HIGH POC This Week

An Untrusted search path vulnerability in notepad++ 6.5 allows local users to gain escalated privileges through the msimg32.dll file in the current working directory. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Notepad
NVD GitHub
CVSS 3.1
7.8
EPSS
0.5%
CVE-2023-47307 HIGH POC This Week

Buffer Overflow vulnerability in /apply.cgi in Shenzhen Libituo Technology Co., Ltd LBT-T300-T310 v2.2.2.6 allows attackers to cause a denial of service via the ApCliAuthMode parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Denial Of Service Lbt T300 T310 Firmware
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2023-6376 HIGH POC This Week

Henschen & Associates court document management software does not sufficiently randomize file names of cached documents, allowing a remote, unauthenticated attacker to access restricted documents. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Court Document Management
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2023-48964 HIGH POC This Week

Tenda i6 V1.0.0.8(3856) is vulnerable to Buffer Overflow via /goform/WifiMacFilterSet. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Tenda I6 Firmware
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2023-48963 HIGH POC This Week

Tenda i6 V1.0.0.8(3856) is vulnerable to Buffer Overflow via /goform/wifiSSIDget. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Tenda I6 Firmware
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2023-49087 HIGH POC PATCH This Week

xml-security is a library that implements XML signatures and encryption. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Saml2 Xml Security
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2023-47505 MEDIUM POC This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor.Com Elementor allows Cross-Site Scripting (XSS).16.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Website Builder Elementor
NVD
CVSS 3.1
6.5
EPSS
4.8%
CVE-2023-46956 HIGH POC This Week

SQL injection vulnerability in Packers and Movers Management System v.1.0 allows a remote attacker to execute arbitrary code via crafted payload to the /mpms/admin/?page=user/manage_user&id file. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE SQLi Packers And Movers Management System
NVD GitHub
CVSS 3.1
7.2
EPSS
1.2%
CVE-2023-47844 HIGH POC This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lim Kai Yang Grab & Save allows Reflected XSS.0.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Grab Save
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2023-47777 MEDIUM POC This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce, Automattic WooCommerce Blocks allows Stored XSS.1.1; WooCommerce Blocks:. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Woocommerce Woocommerce Blocks
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2023-45050 MEDIUM POC This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic Jetpack - WP Security, Backup, Speed, & Growth allows Stored XSS.8-a.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Jetpack
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2023-48894 MEDIUM POC This Month

Incorrect Access Control vulnerability in jshERP V3.3 allows attackers to obtain sensitive information via the doFilter function. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Jsherp
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-49076 MEDIUM POC PATCH This Month

Customer-data-framework allows management of customer data within Pimcore. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Pimcore
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2023-6439 MEDIUM POC This Month

A vulnerability classified as problematic was found in ZenTao PMS 18.8. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Zentao
NVD VulDB
CVSS 3.1
6.1
EPSS
0.7%
CVE-2023-47207 CRITICAL Act Now

In Delta Electronics InfraSuite Device Master v.1.0.7, a vulnerability exists that allows an unauthenticated attacker to execute code with local administrator privileges. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Infrasuite Device Master
NVD
CVSS 3.1
9.8
EPSS
16.6%
CVE-2023-39226 CRITICAL Act Now

In Delta Electronics InfraSuite Device Master v.1.0.7, a vulnerability exists that allows an unauthenticated attacker to execute arbitrary code through a single UDP packet. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Infrasuite Device Master
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2023-6342 CRITICAL Act Now

Tyler Technologies Court Case Management Plus allows a remote attacker to authenticate as any user by manipulating at least the 'CmWebSearchPfp/Login.aspx?xyzldk=' and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Court Case Management Plus
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2023-34388 CRITICAL Act Now

An Improper Authentication vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow a remote unauthenticated attacker to potentially perform session hijacking attack and bypass. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Sel 451 Firmware
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2023-31176 CRITICAL Act Now

An Insufficient Entropy vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow an unauthenticated remote attacker to brute-force session tokens and bypass authentication. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Sel 451 Firmware
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2023-49733 CRITICAL PATCH Act Now

Improper Restriction of XML External Entity Reference vulnerability in Apache Cocoon.2.0 before 2.3.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Cocoon
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2023-49701 CRITICAL Act Now

Memory Corruption in SIM management while USIMPhase2init. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Asr1803 Firmware Asr1806 Firmware
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2023-47463 CRITICAL Act Now

Insecure Permissions vulnerability in GL.iNet AX1800 version 4.0.0 before 4.5.0 allows a remote attacker to execute arbitrary code via a crafted script to the gl_nas_sys authentication function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Gl Ax1800 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2023-4474 CRITICAL PATCH Act Now

The improper neutralization of special elements in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection Zyxel Nas326 Firmware Nas542 Firmware
NVD
CVSS 3.1
9.8
EPSS
29.7%
CVE-2023-4473 CRITICAL PATCH Act Now

A command injection vulnerability in the web server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection Zyxel Nas326 Firmware Nas542 Firmware
NVD
CVSS 3.1
9.8
EPSS
41.3%
CVE-2023-35138 CRITICAL PATCH Act Now

A command injection vulnerability in the “show_zysync_server_contents” function of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection Zyxel Nas326 Firmware Nas542 Firmware
NVD
CVSS 3.1
9.8
EPSS
40.0%
CVE-2023-3741 CRITICAL Act Now

An OS Command injection vulnerability in NEC Platforms DT900 and DT900S Series all versions allows an attacker to execute any command on the device. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Itk 6Dgs 1 Bk Tel Firmware Itk 32Lcgs 1 Bk Tel Firmware Itk 32Tcgs 1 Bk Tel Firmware Itk 6D 1 Bk Tel Firmware +18
NVD
CVSS 3.1
9.8
EPSS
1.5%
Page 1 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy