40 CVEs tracked today. 8 Critical, 10 High, 17 Medium, 4 Low.
-
CVE-2024-23061
CRITICAL
CVSS 9.8
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the minute parameter in the setScheduleCfg function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Command Injection
A3300R Firmware
-
CVE-2024-23060
CRITICAL
CVSS 9.8
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the ip parameter in the setDmzCfg function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Command Injection
A3300R Firmware
-
CVE-2024-23059
CRITICAL
CVSS 9.8
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the username parameter in the setDdnsCfg function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Command Injection
A3300R Firmware
-
CVE-2024-23058
CRITICAL
CVSS 9.8
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the pass parameter in the setTr069Cfg function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Command Injection
A3300R Firmware
-
CVE-2024-23057
CRITICAL
CVSS 9.8
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the tz parameter in the setNtpCfg function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Command Injection
A3300R Firmware
-
CVE-2024-22942
CRITICAL
CVSS 9.8
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the hostName parameter in the setWanCfg function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Command Injection
A3300R Firmware
-
CVE-2024-21669
CRITICAL
CVSS 9.9
Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Python
Jwt Attack
Information Disclosure
Aries Cloud Agent
-
CVE-2024-22199
CRITICAL
CVSS 9.3
This package provides universal methods to use multiple template engines with the Fiber web framework using the Views interface. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
XSS
Django
-
CVE-2024-22198
HIGH
CVSS 7.1
Nginx-UI is a web interface to manage Nginx configurations. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 16.0%.
Privilege Escalation
Command Injection
Information Disclosure
Nginx
RCE
-
CVE-2024-22197
HIGH
CVSS 7.7
Nginx-UI provides online statistics for server indicators, monitoring CPU usage, memory usage, load average, and disk usage in real time. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
Privilege Escalation
Command Injection
Information Disclosure
Nginx
RCE
-
CVE-2024-22196
HIGH
CVSS 7.0
Nginx-UI provides online statistics for server indicators, monitoring CPU usage, memory usage, load average, and disk usage in real time. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
Information Disclosure
Nginx
SQLi
Nginx Ui
-
CVE-2024-22190
HIGH
CVSS 7.8
GitPython is a Python library used to interact with Git repositories. Rated high severity (CVSS 7.8), this vulnerability requires no authentication and has low attack complexity.
Microsoft
Information Disclosure
Python
Gitpython
Windows
-
CVE-2024-21833
HIGH
CVSS 8.8
Multiple TP-LINK products allow a network-adjacent unauthenticated attacker with access to the product to execute arbitrary OS commands. Rated high severity (CVSS 8.8), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
TP-Link
Command Injection
Archer Ax3000 Firmware
Archer Ax5400 Firmware
Deco X50 Firmware
-
CVE-2024-21821
HIGH
CVSS 8.0
Multiple TP-LINK products allow a network-adjacent authenticated attacker with access to the product from the LAN port or Wi-Fi to execute arbitrary OS commands. Rated high severity (CVSS 8.0), this vulnerability has low attack complexity. No vendor patch available.
TP-Link
Command Injection
Archer Ax3000 Firmware
Archer Ax5400 Firmware
Archer Axe75 Firmware
-
CVE-2024-21773
HIGH
CVSS 8.8
Multiple TP-LINK products allow a network-adjacent unauthenticated attacker with access to the product from the LAN port or Wi-Fi to execute arbitrary OS commands on the product that has. Rated high severity (CVSS 8.8), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
TP-Link
Command Injection
Archer Ax3000 Firmware
Archer Ax5400 Firmware
Deco X50 Firmware
-
CVE-2024-21637
HIGH
CVSS 7.6
Authentik is an open-source Identity Provider. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
XSS
Privilege Escalation
Authentik
-
CVE-2024-0429
HIGH
CVSS 7.3
A denial-of-service vulnerability has been found in Hex Workshop affecting version 6.7: an attacker could send command-line file arguments and control the Structured Exception Handler (SEH) records. Rated high severity (CVSS 7.3), this vulnerability has low attack complexity. No vendor patch available.
Buffer Overflow
Hex Workshop
-
CVE-2024-0252
HIGH
CVSS 8.8
ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to remote code execution due to improper handling in the load balancer component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. EPSS exploitation probability 29.1% and no vendor patch available.
RCE
Code Injection
Manageengine Adselfservice Plus
-
CVE-2024-22195
MEDIUM
CVSS 5.4
Jinja is an extensible templating engine. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
Python
Jinja
-
CVE-2024-21667
MEDIUM
CVSS 6.5
pimcore/customer-data-framework is the Customer Management Framework for management of customer data within Pimcore. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Authentication Bypass
Information Disclosure
Customer Management Framework
-
CVE-2024-21666
MEDIUM
CVSS 6.5
The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management, segmentation, personalization and marketing automation. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Authentication Bypass
Customer Management Framework
-
CVE-2024-21665
MEDIUM
CVSS 4.3
ecommerce-framework-bundle is the Pimcore Ecommerce Framework Bundle. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Authentication Bypass
Microsoft
E Commerce Framework
-
CVE-2024-21337
MEDIUM
CVSS 5.2
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. Rated medium severity (CVSS 5.2), this vulnerability requires no authentication.
Buffer Overflow
Google
Heap Overflow
Microsoft
Edge Chromium
-
CVE-2024-20675
MEDIUM
CVSS 6.3
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Authentication Bypass
Google
Microsoft
Edge Chromium
Chrome
-
CVE-2024-0426
MEDIUM
CVSS 6.3
A vulnerability, which was classified as critical, has been found in ForU CMS up to 2020-06-23. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Foru Cms
-
CVE-2024-0425
MEDIUM
CVSS 5.3
A vulnerability classified as critical was found in ForU CMS up to 2020-06-23. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
Information Disclosure
Foru Cms
-
CVE-2024-0419
MEDIUM
CVSS 5.3
A vulnerability was found in Jasper httpdx up to 1.5.4 and classified as problematic. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
Httpdx
-
CVE-2024-0418
MEDIUM
CVSS 5.3
A vulnerability has been found in iSharer and upRedSun File Sharing Wizard up to 1.5.0 and classified as problematic. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
File Sharing Wizard
-
CVE-2024-0417
MEDIUM
CVSS 5.4
A vulnerability, which was classified as critical, was found in DeShang DSShop up to 2.1.5. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
PHP
Path Traversal
Dsshop
-
CVE-2024-0416
MEDIUM
CVSS 5.4
A vulnerability, which was classified as critical, has been found in DeShang DSMall up to 5.0.3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
PHP
Path Traversal
Dsmall
-
CVE-2024-0415
MEDIUM
CVSS 6.3
A vulnerability classified as critical was found in DeShang DSMall up to 6.1.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
PHP
Dsmall
-
CVE-2024-0414
MEDIUM
CVSS 5.3
A vulnerability classified as problematic has been found in DeShang DSCMS up to 3.1.2/7.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
PHP
Dscms
-
CVE-2024-0413
MEDIUM
CVSS 5.3
A vulnerability was found in DeShang DSKMS up to 3.1.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
PHP
Dskms
-
CVE-2024-0412
MEDIUM
CVSS 5.3
A vulnerability was found in DeShang DSShop up to 3.1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
PHP
Dsshop
-
CVE-2024-0411
MEDIUM
CVSS 5.3
A vulnerability was found in DeShang DSMall up to 6.1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
PHP
Dsmall
-
CVE-2024-22194
LOW
CVSS 2.2
The cdo-local-uuid project provides a specialized UUID-generating function that can, on user request, cause a program to generate deterministic UUIDs. Rated low severity (CVSS 2.2). Public exploit code available.
Python
Information Disclosure
Case Python Utilities
Cdo Local Uuid Utility
-
CVE-2024-0424
LOW
CVSS 3.5
A vulnerability classified as problematic has been found in CodeAstro Simple Banking System 1.0. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
XSS
PHP
Simple Banking System
-
CVE-2024-0423
LOW
CVSS 3.5
A vulnerability was found in CodeAstro Online Food Ordering System 1.0. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
XSS
PHP
Online Food Ordering System
-
CVE-2024-0422
LOW
CVSS 3.5
A vulnerability was found in CodeAstro POS and Inventory Management System 1.0. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
XSS
Pos And Inventory Management System
-
CVE-2024-0227
None
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
Information Disclosure