ACT NOW CVE-2024-1709 10.0 ConnectWise ScreenConnect contains a critical authentication bypass (CVSS 10.0) that allows direct access to the administrative interface, mass-exploited within hours of disclosure for ransomware deployment.

ACT NOW CVE-2024-1708 8.4 Path traversal in ConnectWise ScreenConnect 23.9.7 and earlier enables attackers with administrative privileges to write files outside intended directories, leading to remote code execution or direct compromise of confidential data and critical systems. This vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code, and the EPSS score of 53.66% (98th percentile) reflects extremely high real-world exploitation activity. It was disclosed alongside the more severe CVE-2024-1709 authentication bypass, which together formed a widely abused exploit chain against ScreenConnect on-premises servers in early 2024.

ACT NOW CVE-2023-6933 8.8 PHP Object Injection in the Better Search Replace WordPress plugin (versions up to and including 1.4.4) allows remote unauthenticated attackers to inject arbitrary PHP objects through deserialization of untrusted input. While the plugin itself contains no POP chain, the presence of any additional plugin or theme on the same WordPress instance that introduces a usable POP gadget can escalate the bug to arbitrary file deletion, sensitive data disclosure, or remote code execution. Publicly available exploit code exists and the EPSS score of 93.40% (100th percentile) signals very high real-world exploitation probability.

ACT NOW CVE-2023-6846 8.8 Remote code execution in the WordPress File Manager Pro plugin (versions up to and including 8.3.4) allows authenticated attackers with subscriber-level access to upload arbitrary files via the mk_check_filemanager_php_syntax AJAX endpoint, leading to full server compromise. Publicly available exploit code exists, and the high EPSS score of 13.31% (94th percentile) indicates significant real-world exploitation likelihood. The flaw is patched in version 8.3.5, which introduces a missing capability check.

ACT NOW CVE-2024-21893 8.2 Ivanti Connect Secure and Policy Secure contain an SSRF vulnerability in the SAML component allowing unauthenticated access to restricted resources, used as an additional exploitation vector during the January 2024 Ivanti crisis.

ACT NOW CVE-2023-6246 8.4 Local privilege escalation in GNU glibc 2.36 and newer arises from a heap-based buffer overflow in __vsyslog_internal, reachable via the syslog/vsyslog interfaces when openlog was not called (or called with a NULL ident) and argv[0]'s basename exceeds 1024 bytes. Any setuid/setgid binary on affected Linux distributions (including Fedora 38 and 39) that invokes syslog can be leveraged by a local attacker to crash the process or escalate privileges to root. Publicly available exploit code exists and EPSS sits at the 96th percentile, signaling meaningful real-world risk despite the local attack vector.

ACT NOW CVE-2024-23222 8.8 Arbitrary code execution in Apple WebKit affects Safari and the system browser engine across iOS, iPadOS, macOS, tvOS, and visionOS, where a type confusion flaw allows attackers to execute code via maliciously crafted web content. The vulnerability is confirmed actively exploited (CISA KEV) and was used in the Coruna exploit chain against older iOS devices before being backported to legacy versions. EPSS sits at 0.62% (70th percentile), consistent with targeted exploitation rather than mass scanning.

Daily vulnerability intelligence for defenders – fresh CVEs with exploitability signals, patch status, and action-oriented priorities from 17 sources.
