An issue in WuKongOpenSource WukongCRM v.72crm_9.0.1_20191202 allows a remote attacker to execute arbitrary code via the parseObject() function in the fastjson component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An issue discovered in pdfmake 0.2.9 allows remote attackers to run arbitrary code via crafted POST request to the /pdf endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Deskfiler v1.2.3 allows attackers to execute arbitrary code via uploading a crafted plugin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
F-logic DataCube3 v1.0 is vulnerable to unauthenticated SQL injection, which could allow an unauthenticated malicious actor to execute arbitrary SQL queries in database. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
F-logic DataCube3 v1.0 is vulnerable to Incorrect Access Control due to an improper directory access restriction. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5 contains a use-after-free error triggered during the scanning of external DTDs. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
A vulnerability classified as critical was found in SourceCodester Web-Based Student Clearance System 1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Cross-site scripting (XSS) vulnerability in RenderTune v1.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Upload Title parameter. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Migration, Backup, Staging - WPvivid plugin for WordPress is vulnerable to SQL Injection via the 'table_prefix' parameter in version 0.9.68 due to insufficient escaping on the user supplied. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Dataease is an open source data visualization analysis tool. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
An issue in vivotek Network Camera v.FD8166A-VVTK-0204j allows a remote attacker to execute arbitrary code via a crafted payload to the upload_file.cgi component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Enabling Simple Ajax Uploader plugin included in Laragon open-source software allows for a remote code execution (RCE) attack via an improper input validation in a file_upload.php file which serves. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue in EpointWebBuilder 5.1.0-sp1, 5.2.1-sp1, 5.4.1 and 5.4.2 allows a remote attacker to execute arbitrary code via the infoid parameter of the URL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Server-Side Template Injection (SSTI) vulnerability in livehelperchat before 4.34v, allows remote attackers to execute arbitrary code and obtain sensitive information via the search parameter in. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.
A vulnerability has been found in Surya2Developer Online Shopping System 1.0 and classified as critical. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Unrestricted Upload of File with Dangerous Type vulnerability in Mollie Mollie Payments for WooCommerce.3.11. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Flask-AppBuilder is an application development framework, built on top of Flask. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.
Possible path traversal in Apache OFBiz allowing authentication bypass. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.