Skip to main content
CVE-2024-31819 CRITICAL POC PATCH THREAT Act Now

An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath parameter of the submitIndex.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE Avideo
NVD GitHub
CVSS 3.1
9.8
EPSS
15.6%
CVE-2024-31214 CRITICAL POC PATCH THREAT Act Now

Traccar is an open source GPS tracking system. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE XSS File Upload Traccar
NVD GitHub
CVSS 3.1
9.6
EPSS
17.6%
CVE-2024-3566 CRITICAL POC Act Now

Command injection via Windows CreateProcess argument parsing affects multiple language runtimes and tooling (Node.js, PHP, Rust, Haskell process library, yt-dlp) that wrap the API without compensating for its quirks. Remote attackers can smuggle additional commands through arguments passed to child processes when applications spawn batch files or otherwise rely on CreateProcess's implicit cmd.exe handling. Publicly available exploit code exists and EPSS of 7.09% (92nd percentile) signals elevated, though not confirmed in-the-wild, exploitation interest; this CVE is not listed in CISA KEV.

Command Injection Microsoft Process Library Node Js PHP +2
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
7.1%
CVE-2024-3025 CRITICAL POC PATCH Act Now

mintplex-labs/anything-llm is vulnerable to path traversal attacks due to insufficient validation of user-supplied input in the logo filename functionality. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Path Traversal Anythingllm
NVD GitHub
CVSS 3.0
9.9
EPSS
1.0%
CVE-2024-31996 CRITICAL POC PATCH Act Now

XWiki Platform is a generic wiki platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection RCE Xwiki
NVD GitHub
CVSS 3.1
9.8
EPSS
2.1%
CVE-2024-31982 CRITICAL POC PATCH THREAT Act Now

XWiki Platform is a generic wiki platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection RCE Xwiki
NVD GitHub
CVSS 3.1
9.8
EPSS
34.3%
CVE-2024-29500 CRITICAL POC Act Now

An issue in the kiosk mode of Secure Lockdown Multi Application Edition v2.00.219 allows attackers to execute arbitrary code via running a ClickOnce application instance. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Secure Lockdown
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2024-2952 CRITICAL POC PATCH MAL Act Now

BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Litellm
NVD GitHub
CVSS 3.0
9.8
EPSS
1.3%
CVE-2024-2221 CRITICAL POC PATCH Act Now

{COLLECTION}/snapshots/upload` endpoint, specifically through the `snapshot` parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass RCE Path Traversal File Upload Qdrant
NVD GitHub
CVSS 3.0
9.8
EPSS
1.8%
CVE-2024-2195 CRITICAL POC Act Now

A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the `/api/runs/search/run/` endpoint, affecting versions >= 3.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Aim
NVD
CVSS 3.0
9.8
EPSS
1.8%
CVE-2024-2029 CRITICAL POC PATCH Act Now

A command injection vulnerability exists in the `TranscriptEndpoint` of mudler/localai, specifically within the `audioToWav` function used for converting audio files to WAV format for transcription. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Command Injection Localai
NVD GitHub
CVSS 3.0
9.8
EPSS
2.9%
CVE-2024-1520 CRITICAL POC PATCH THREAT Act Now

An OS Command Injection vulnerability exists in the '/open_code_folder' endpoint of the parisneo/lollms-webui application, due to improper validation of user-supplied input in the 'discussion_id'. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Command Injection Lollms Web Ui
NVD GitHub
CVSS 3.0
9.8
EPSS
48.2%
CVE-2024-1511 CRITICAL POC Act Now

The parisneo/lollms-webui repository is susceptible to a path traversal vulnerability due to inadequate validation of user-supplied file paths. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Lollms Web Ui
NVD
CVSS 3.0
9.8
EPSS
1.0%
CVE-2024-3535 CRITICAL POC Act Now

A vulnerability, which was classified as critical, was found in Campcodes Church Management System 1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Church Management System
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
1.1%
CVE-2024-3534 CRITICAL POC Act Now

A vulnerability, which was classified as critical, has been found in Campcodes Church Management System 1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Church Management System
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
1.1%
CVE-2024-3568 CRITICAL POC PATCH Act Now

The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_repo_checkpoint()` function of the `TFPreTrainedModel()`. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization RCE Checkpoint Transformers
NVD GitHub
CVSS 3.1
9.6
EPSS
2.1%
CVE-2024-1600 CRITICAL POC PATCH THREAT Act Now

A Local File Inclusion (LFI) vulnerability exists in the parisneo/lollms-webui application, specifically within the `/personalities` route. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

LFI PHP Path Traversal Lollms Web Ui
NVD GitHub
CVSS 3.0
9.3
EPSS
31.1%
CVE-2024-1741 CRITICAL POC PATCH Act Now

lunary-ai/lunary version 1.0.1 is vulnerable to improper authorization, allowing removed members to read, create, modify, and delete prompt templates using an old authorization token. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Lunary
NVD GitHub
CVSS 3.1
9.1
EPSS
0.6%
CVE-2024-1740 CRITICAL POC PATCH Act Now

In lunary-ai/lunary version 1.0.1, a vulnerability exists where a user removed from an organization can still read, create, modify, and delete logs by re-using an old authorization token. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Lunary
NVD GitHub
CVSS 3.1
9.1
EPSS
0.6%
CVE-2024-3098 CRITICAL PATCH Act Now

A vulnerability was identified in the `exec_utils` class of the `llama_index` package, specifically within the `safe_eval` function, allowing for prompt injection leading to arbitrary code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE
NVD GitHub
CVSS 3.0
9.8
EPSS
1.0%
CVE-2024-3120 CRITICAL PATCH Act Now

A stack-buffer overflow vulnerability exists in all versions of sngrep since v1.4.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Copy without Size Check vulnerability could allow attackers to overflow a buffer to corrupt adjacent memory.

Buffer Overflow RCE Denial Of Service Sngrep
NVD GitHub
CVSS 3.1
9.8
EPSS
1.8%
CVE-2024-3119 CRITICAL PATCH Act Now

A buffer overflow vulnerability exists in all versions of sngrep since v0.4.2, due to improper handling of 'Call-ID' and 'X-Call-ID' SIP headers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Copy without Size Check vulnerability could allow attackers to overflow a buffer to corrupt adjacent memory.

Buffer Overflow RCE Denial Of Service Sngrep
NVD GitHub
CVSS 3.1
9.8
EPSS
1.8%
CVE-2024-23080 CRITICAL Act Now

Joda Time v2.12.5 was discovered to contain a NullPointerException via the component org.joda.time.format.PeriodFormat::wordBased(Locale). Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Null Pointer Dereference
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
1.0%
CVE-2024-31461 CRITICAL Act Now

Plane, an open-source project management tool, has a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 0.17-dev. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Authentication Bypass
NVD GitHub
CVSS 3.1
9.1
EPSS
0.7%
CVE-2024-3383 CRITICAL Act Now

A vulnerability in how Palo Alto Networks PAN-OS software processes data received from Cloud Identity Engine (CIE) agents enables modification of User-ID groups. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Paloalto Information Disclosure Pan Os
NVD
CVSS 3.1
9.1
EPSS
0.6%
CVE-2024-1643 CRITICAL Act Now

By knowing an organization's ID, an attacker can join the organization without permission and gain the ability to read and modify all data within that organization. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Information Disclosure
NVD GitHub
CVSS 3.0
9.1
EPSS
0.7%
CVE-2024-20758 CRITICAL PATCH Act Now

Adobe Commerce versions 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution on the. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Adobe Commerce Magento
NVD
CVSS 3.1
9.0
EPSS
1.4%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy