Skip to main content
CVE-2023-40000 HIGH POC THREAT Act Now

Stored cross-site scripting in LiteSpeed Cache for WordPress (versions up to and including 5.7) allows remote unauthenticated attackers to inject persistent malicious scripts that execute in the context of any user - including administrators - visiting affected pages. Publicly available exploit code exists and EPSS scores this at 82.03% (99th percentile), indicating very high probability of opportunistic exploitation across the millions of WordPress sites running this plugin. No CISA KEV listing at time of analysis, but the combination of high EPSS, public POC, and massive install base makes this a priority for WordPress operators.

XSS Litespeed Cache
NVD GitHub
CVSS 3.1
8.3
EPSS
82.0%
Threat
5.6
CVE-2024-2083 CRITICAL POC PATCH THREAT Act Now

A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Path Traversal Zenml
NVD GitHub
CVSS 3.1
9.9
EPSS
39.1%
CVE-2024-32027 CRITICAL POC PATCH Act Now

Kohya_ss is a GUI for Kohya's Stable Diffusion trainers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Command Injection Kohya Ss
NVD GitHub
CVSS 3.1
9.8
EPSS
3.0%
CVE-2024-32026 CRITICAL POC PATCH Act Now

Kohya_ss is a GUI for Kohya's Stable Diffusion trainers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Command Injection Kohya Ss
NVD GitHub
CVSS 3.1
9.8
EPSS
3.0%
CVE-2024-32022 CRITICAL POC PATCH Act Now

Kohya_ss is a GUI for Kohya's Stable Diffusion trainers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Command Injection Kohya Ss
NVD GitHub
CVSS 3.1
9.8
EPSS
3.1%
CVE-2024-3271 CRITICAL POC PATCH Act Now

A command injection vulnerability exists in the run-llama/llama_index repository, specifically within the safe_eval function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Command Injection Llamaindex
NVD GitHub
CVSS 3.0
9.8
EPSS
2.9%
CVE-2024-1601 CRITICAL POC PATCH THREAT Act Now

An SQL injection vulnerability exists in the `delete_discussion()` function of the parisneo/lollms-webui application, allowing an attacker to delete all discussions and message data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi Lollms Webui
NVD GitHub
CVSS 3.1
9.8
EPSS
40.4%
CVE-2024-3573 CRITICAL POC PATCH Act Now

mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Mlflow
NVD GitHub
CVSS 3.1
9.3
EPSS
0.7%
CVE-2024-32025 CRITICAL POC PATCH Act Now

Kohya_ss is a GUI for Kohya's Stable Diffusion trainers. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Command Injection Kohya Ss
NVD GitHub
CVSS 3.1
9.1
EPSS
2.5%
CVE-2024-1739 CRITICAL POC PATCH Act Now

lunary-ai/lunary is vulnerable to an authentication issue due to improper validation of email addresses during the signup process. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Lunary
NVD GitHub
CVSS 3.1
9.1
EPSS
0.6%
CVE-2024-0404 CRITICAL POC PATCH Act Now

A mass assignment vulnerability exists in the `/api/invite/:code` endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Anythingllm
NVD GitHub
CVSS 3.0
9.1
EPSS
0.8%
CVE-2024-31759 HIGH POC This Week

An issue in sanluan PublicCMS v.4.0.202302.e allows an attacker to escalate privileges via the change password function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Publiccms
NVD GitHub
CVSS 3.1
8.8
EPSS
0.9%
CVE-2024-3878 HIGH POC This Week

A vulnerability, which was classified as critical, has been found in Tenda F1202 1.2.0.20(408). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Tenda Stack Overflow F1202 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
1.7%
CVE-2024-3877 HIGH POC This Week

A vulnerability classified as critical was found in Tenda F1202 1.2.0.20(408). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Tenda Stack Overflow F1202 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
1.8%
CVE-2024-3876 HIGH POC This Week

A vulnerability classified as critical has been found in Tenda F1202 1.2.0.20(408). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Tenda Stack Overflow F1202 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
1.7%
CVE-2024-3875 HIGH POC This Week

A vulnerability was found in Tenda F1202 1.2.0.20(408). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Tenda Stack Overflow F1202 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
1.6%
CVE-2024-32254 HIGH POC This Week

Phpgurukul Tourism Management System v2.0 is vulnerable to Unrestricted Upload of File with Dangerous Type via tms/admin/create-package.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Tourism Management System
NVD GitHub
CVSS 3.1
8.8
EPSS
0.8%
CVE-2024-3571 HIGH POC PATCH This Week

langchain-ai/langchain is vulnerable to path traversal due to improper limitation of a pathname to a restricted directory ('Path Traversal') in its LocalFileStore functionality. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Path Traversal Information Disclosure Langchain
NVD GitHub
CVSS 3.1
8.8
EPSS
1.9%
CVE-2024-1646 HIGH POC PATCH This Week

parisneo/lollms-webui is vulnerable to authentication bypass due to insufficient protection over sensitive endpoints. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Denial Of Service Lollms Webui
NVD GitHub
CVSS 3.0
8.2
EPSS
0.7%
CVE-2024-32256 HIGH POC This Week

Phpgurukul Tourism Management System v2.0 is vulnerable to Unrestricted Upload of File with Dangerous Type via /tms/admin/change-image.php. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Tourism Management System
NVD GitHub Exploit-DB
CVSS 3.1
8.1
EPSS
0.7%
CVE-2024-1626 HIGH POC PATCH This Week

An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary repository, version 0.3.0, within the project update endpoint. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Lunary
NVD GitHub
CVSS 3.1
8.1
EPSS
0.5%
CVE-2024-1560 HIGH POC This Week

A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the artifact deletion functionality. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Mlflow
NVD
CVSS 3.1
8.1
EPSS
0.9%
CVE-2024-0549 HIGH POC PATCH This Week

mintplex-labs/anything-llm is vulnerable to a relative path traversal attack, allowing unauthorized attackers with a default role account to delete files and folders within the filesystem, including. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Path Traversal Anythingllm
NVD GitHub
CVSS 3.0
8.1
EPSS
0.8%
CVE-2024-3029 HIGH POC PATCH This Week

In mintplex-labs/anything-llm, an attacker can exploit improper input validation by sending a malformed JSON payload to the '/system/enable-multi-user' endpoint. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Anythingllm
NVD GitHub
CVSS 3.1
8.0
EPSS
0.7%
CVE-2024-21111 HIGH POC This Week

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Oracle Microsoft Vm Virtualbox
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
1.8%
CVE-2024-3574 HIGH POC PATCH This Week

In scrapy version 2.10.1, an issue was identified where the Authorization header, containing credentials for server authentication, is leaked to a third-party site during a cross-domain redirect. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Scrapy
NVD GitHub
CVSS 3.0
7.5
EPSS
0.6%
CVE-2024-3572 HIGH POC PATCH This Week

The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Denial Of Service Scrapy
NVD GitHub
CVSS 3.0
7.5
EPSS
0.8%
CVE-2024-1738 HIGH POC PATCH This Week

An incorrect authorization vulnerability exists in the lunary-ai/lunary repository, specifically within the evaluations.get route in the evaluations API endpoint. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Lunary
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-1594 HIGH POC This Week

A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the `artifact_location` parameter when creating an experiment. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Mlflow
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-1593 HIGH POC This Week

A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Path Traversal Information Disclosure Mlflow
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-1569 HIGH POC PATCH This Week

parisneo/lollms-webui is vulnerable to a denial of service (DoS) attack due to uncontrolled resource consumption. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Lollms Webui
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-1561 HIGH POC PATCH This Week

An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Gradio
NVD GitHub
CVSS 3.0
7.5
EPSS
9.2%
CVE-2024-1558 HIGH POC PATCH This Week

A path traversal vulnerability exists in the `_create_model_version()` function within `server/handlers.py` of the mlflow/mlflow repository, due to improper validation of the `source` parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Mlflow
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2024-1483 HIGH POC PATCH This Week

A path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Mlflow
NVD
CVSS 3.1
7.5
EPSS
2.7%
CVE-2024-3028 HIGH POC PATCH This Week

mintplex-labs/anything-llm is vulnerable to improper input validation, allowing attackers to read and delete arbitrary files on the server. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Anythingllm
NVD GitHub
CVSS 3.0
7.2
EPSS
0.8%
CVE-2024-1456 HIGH POC This Week

An S3 bucket takeover vulnerability was identified in the h2oai/h2o-3 repository. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass H2O
NVD
CVSS 3.0
7.1
EPSS
0.2%
CVE-2024-32024 MEDIUM POC PATCH This Month

Kohya_ss is a GUI for Kohya's Stable Diffusion trainers. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Kohya Ss
NVD GitHub
CVSS 3.1
6.5
EPSS
0.7%
CVE-2024-1183 MEDIUM POC PATCH This Month

An SSRF (Server-Side Request Forgery) vulnerability exists in the gradio-app/gradio repository, allowing attackers to scan and identify open ports within an internal network. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Open Redirect Gradio
NVD GitHub
CVSS 3.0
6.5
EPSS
1.8%
CVE-2024-30256 MEDIUM POC This Month

Open WebUI is a user-friendly WebUI for LLMs. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Open Webui
NVD GitHub
CVSS 3.1
6.4
EPSS
0.4%
CVE-2024-31784 MEDIUM POC This Month

An issue in Typora v.1.8.10 and before, allows a local attacker to obtain sensitive information and execute arbitrary code via a crafted payload to the src component. Rated medium severity (CVSS 6.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass RCE Typora
NVD GitHub
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-31783 MEDIUM POC This Month

Cross Site Scripting (XSS) vulnerability in Typora v.1.6.7 and before, allows a local attacker to obtain sensitive information via a crafted script during markdown file creation. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Typora
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-31634 MEDIUM POC This Month

Cross Site Scripting (XSS) vulnerability in Xunruicms versions 4.6.3 and before, allows remote attacker to execute arbitrary code via the Security.php file in the catalog. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP XSS Xunruicms
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2024-3575 MEDIUM POC This Month

Cross-site Scripting (XSS) - Stored in mindsdb/mindsdb. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Mindsdb
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-2912 CRITICAL PATCH Act Now

An insecure deserialization vulnerability exists in the BentoML framework, allowing remote code execution (RCE) by sending a specially crafted POST request. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass RCE Deserialization
NVD GitHub
CVSS 3.1
10.0
EPSS
1.5%
CVE-2024-21010 CRITICAL Act Now

Vulnerability in the Oracle Hospitality Simphony product of Oracle Food and Beverage Applications (component: Simphony Enterprise Server). Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Oracle Hospitality Simphony
NVD
CVSS 3.1
9.9
EPSS
0.7%
CVE-2024-20997 CRITICAL Act Now

Vulnerability in the Oracle Hospitality Simphony product of Oracle Food and Beverage Applications (component: Simphony Enterprise Server). Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Oracle Hospitality Simphony
NVD
CVSS 3.1
9.9
EPSS
0.8%
CVE-2024-3867 MEDIUM This Month

The archive-tainacan-collection theme for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in version 2.7.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 18.6% and no vendor patch available.

XSS WordPress
NVD
CVSS 3.1
6.1
EPSS
18.6%
CVE-2024-31452 CRITICAL PATCH Act Now

OpenFGA is a high-performance and flexible authorization/permission engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass Openfga
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-21082 CRITICAL Act Now

Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: XML Services). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Oracle Bi Publisher
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-21014 CRITICAL Act Now

Vulnerability in the Oracle Hospitality Simphony product of Oracle Food and Beverage Applications (component: Simphony Enterprise Server). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Oracle Hospitality Simphony
NVD
CVSS 3.1
9.8
EPSS
0.8%
Page 1 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy