XWiki Platform prior to specific patched versions contains a CVSS 10.0 remote code execution vulnerability through the user registration form. Attackers inject Groovy code into the first name or last name fields, which is executed server-side when the user profile page is rendered.
A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 81.6%.
The Duplicator WordPress plugin before 1.3.0 does not properly escape values when its installer script replaces values in WordPress configuration files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Stud.IP 5.x through 5.3.3 allows XSS with resultant upload of executable files, because upload_action and edit_action in Admin_SmileysController do not check the file extension. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Insecure deserialization in Tagbox UGC Galleries WordPress plugin. CVSS 10.0.
Insecure deserialization in WooCommerce Tranzila Payment Gateway plugin. CVSS 10.0.
Insecure deserialization in Gecka Terms Thumbnails WordPress plugin through 1.1.
Blind SQL Injection vulnerability in PrestaShow Google Integrator (PrestaShop addon) allows for data extraction and modification. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
CSRF + deserialization chain in ARMember WordPress membership plugin.
SQL injection in Simple Inventory Management WordPress plugin by UkrSolution.
Deserialization in HTML5 MP3 Player with Folder Feedburner Playlist Free WordPress plugin.
Insecure deserialization in HTML5 SoundCloud Player with Playlist Free WordPress plugin.
Insecure deserialization in HTML5 MP3 Player with Playlist Free WordPress plugin by SVNLabs.
Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DEV. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3-DEV. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
In default installations of Microchip maxView Storage Manager (for Adaptec Smart Storage Controllers) where Redfish server is configured for remote system management, unauthorized access can occur,. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.