Path traversal in ConnectWise ScreenConnect 23.9.7 and earlier enables attackers with administrative privileges to write files outside intended directories, leading to remote code execution or direct compromise of confidential data and critical systems. This vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code, and the EPSS score of 53.66% (98th percentile) reflects extremely high real-world exploitation activity. It was disclosed alongside the more severe CVE-2024-1709 authentication bypass, which together formed a widely abused exploit chain against ScreenConnect on-premises servers in early 2024.
Insufficient policy enforcement in Download in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Use after free in Accessibility in Google Chrome prior to 122.0.6261.57 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via specific UI. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Out of bounds memory access in Blink in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
ChurchCRM 5.5.0 ConfirmReport.php is vulnerable to Blind SQL Injection (Time-based) via the familyId GET parameter. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
A vulnerability was found in ZhongBangKeJi CRMEB 5.2.2. Rated high severity (CVSS 8.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.
ChurchCRM 5.5.0 FRBidSheets.php is vulnerable to Blind SQL Injection (Time-based) via the CurrentFundraiser GET parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
HackMD CodiMD <2.5.2 is vulnerable to Denial of Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Inappropriate implementation in Navigation in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability was found in Shopwind up to 4.6. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
In the Linux kernel, the following vulnerability has been resolved: net: tls: fix use-after-free with partial reads and async decrypt tls_decrypt_sg doesn't take a reference on the pages from. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.
Helm is a package manager for Charts for Kubernetes. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Directory Traversal vulnerability in Terrasoft, Creatio Terrasoft CRM v.7.18.4.1532 allows a remote attacker to obtain sensitive information via a crafted request to the terrasoft.axd component. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A Buffer Overflow in Wireshark before 4.2.0 allows a remote attacker to cause a denial of service via the wsutil/to_str.c, and format_fractional_part_nsecs components. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Copy without Size Check vulnerability could allow attackers to overflow a buffer to corrupt adjacent memory.
A buffer overflow in Wireshark before 4.2.0 allows a remote attacker to cause a denial of service via the pan/addr_resolv.c, and ws_manuf_lookup_str(), size components. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
TRNG is used before initialization by ECDSA signing driver when exiting EM2/EM3 on Virtual Secure Vault (VSE) devices. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.
An issue in Wireshark before 4.2.0 allows a remote attacker to cause a denial of service via the packet-bgp.c, dissect_bgp_open(tvbuff_t*tvb, proto_tree*tree, packet_info*pinfo), optlen components. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
discourse-ai is the AI plugin for the open-source discussion platform Discourse. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.
Cross-Site Request Forgery (CSRF) vulnerability in PowerPack Addons for Elementor PowerPack Pro for Elementor.10.8. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the Live Data server of Cisco Unified Intelligence Center could allow an unauthenticated, local attacker to read and modify data in a repository that belongs to an internal service. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.
An issue exists in all supported versions of IdentityIQ Lifecycle Manager that can result if an entitlement with a value containing leading or trailing whitespace is requested by an authenticated. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.