Skip to main content
CVE-2024-33559 CRITICAL POC Act Now

SQL injection in 8theme XStore WordPress theme versions up to and including 9.3.5 allows remote unauthenticated attackers to manipulate backend database queries by injecting crafted SQL syntax through user-controllable input. The flaw carries a CVSS 9.3 rating with scope change, and publicly available exploit code exists, while EPSS places exploitation probability at 5.82% (91st percentile), indicating elevated but not yet confirmed widespread abuse. No CISA KEV listing has been recorded for this issue at time of analysis.

SQLi
NVD Exploit-DB
CVSS 3.1
9.3
EPSS
5.8%
CVE-2024-33350 CRITICAL POC Act Now

Directory Traversal vulnerability in TaoCMS v.3.0.2 allows a remote attacker to execute arbitrary code and obtain sensitive information via the include/model/file.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal PHP Taocms
NVD GitHub
CVSS 3.1
9.8
EPSS
1.8%
CVE-2024-31822 CRITICAL POC PATCH Act Now

An issue in Ecommerce-CodeIgniter-Bootstrap commit v. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection PHP RCE Ecommerce Codeigniter Bootstrap
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2024-31820 CRITICAL POC PATCH Act Now

An issue in Ecommerce-CodeIgniter-Bootstrap commit v. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi PHP RCE Ecommerce Codeigniter Bootstrap
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2024-31705 CRITICAL POC Act Now

An issue in Infotel Conseil GLPI v.10.X.X and after allows a remote attacker to execute arbitrary code via the insufficient validation of user-supplied input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Command Injection
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2024-33445 CRITICAL POC Act Now

An issue in hisiphp v2.0.111 allows a remote attacker to execute arbitrary code via a crafted script to the SystemPlugins::mkInfo parameter in the SystemPlugins.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE Hisiphp
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2024-33444 CRITICAL POC Act Now

SQL injection vulnerability in onethink v.1.1 allows a remote attacker to escalate privileges via a crafted script to the ModelModel.class.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Onethink
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-3191 CRITICAL POC Act Now

A vulnerability, which was classified as critical, has been found in MailCleaner up to 2023.03.14. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Mailcleaner
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
5.2%
CVE-2024-3192 CRITICAL POC Act Now

A vulnerability, which was classified as problematic, was found in MailCleaner up to 2023.03.14. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Mailcleaner
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
1.0%
CVE-2024-31823 HIGH POC PATCH This Week

An issue in Ecommerce-CodeIgniter-Bootstrap commit v. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection PHP RCE Ecommerce Codeigniter Bootstrap
NVD GitHub
CVSS 3.1
8.8
EPSS
1.6%
CVE-2024-3193 HIGH POC This Week

A vulnerability has been found in MailCleaner up to 2023.03.14 and classified as critical. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Mailcleaner
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
4.2%
CVE-2024-2505 HIGH POC This Week

The GamiPress WordPress plugin before 6.8.9's access control mechanism fails to properly restrict access to its settings, permitting Authors to manipulate requests and extend access to lower. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Gamipress
NVD WPScan
CVSS 3.1
8.1
EPSS
0.6%
CVE-2024-33438 HIGH POC PATCH This Week

File Upload vulnerability in CubeCart before 6.5.5 allows an authenticated user to execute arbitrary code via a crafted .phar file. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE File Upload Cubecart
NVD GitHub
CVSS 3.1
8.0
EPSS
1.1%
CVE-2024-31821 HIGH POC PATCH This Week

SQL Injection vulnerability in Ecommerce-CodeIgniter-Bootstrap commit v. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi PHP RCE Ecommerce Codeigniter Bootstrap
NVD GitHub
CVSS 3.1
8.0
EPSS
1.1%
CVE-2024-28320 HIGH POC This Week

Insecure Direct Object References (IDOR) vulnerability in Hospital Management System 1.0 allows attackers to manipulate user parameters for unauthorized access and modifications via crafted POST. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP Hospital Management System
NVD
CVSS 3.1
7.6
EPSS
0.5%
CVE-2024-31621 HIGH POC PATCH THREAT This Week

An issue in FlowiseAI Inc Flowise v.1.6.2 and before allows a remote attacker to execute arbitrary code via a crafted script to the api/v1 component. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Flowise
NVD Exploit-DB
CVSS 3.1
7.6
EPSS
59.9%
CVE-2024-33338 HIGH POC This Week

Cross Site Scripting vulnerability in jizhicms v.2.5.4 allows a remote attacker to obtain sensitive information via a crafted article publication request. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Jizhicms
NVD GitHub
CVSS 3.1
7.3
EPSS
1.0%
CVE-2024-3195 HIGH POC This Week

A vulnerability was found in MailCleaner up to 2023.03.14. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Mailcleaner
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
1.0%
CVE-2024-33443 HIGH POC This Week

An issue in onethink v.1.1 allows a remote attacker to execute arbitrary code via a crafted script to the AddonsController.class.php component. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE Onethink
NVD GitHub
CVSS 3.1
7.1
EPSS
0.7%
CVE-2024-33899 HIGH POC This Week

RARLAB WinRAR before 7.00, on Linux and UNIX platforms, allows attackers to spoof the screen output, or cause a denial of service, via ANSI escape sequences. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Denial Of Service Winrar
NVD
CVSS 3.1
7.1
EPSS
0.8%
CVE-2024-3196 MEDIUM POC This Month

A vulnerability was found in MailCleaner up to 2023.03.14. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Mailcleaner
NVD GitHub VulDB
CVSS 3.1
6.7
EPSS
1.7%
CVE-2024-28294 MEDIUM POC This Month

Limbas up to v5.2.14 was discovered to contain a SQL injection vulnerability via the ftid parameter. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Limbas
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2024-33345 MEDIUM POC This Month

D-Link DIR-823G A1V1.0.2B05 was found to contain a Null-pointer dereference in the main function of upload_firmware.cgi, which allows remote attackers to cause a Denial of Service (DoS) via a crafted. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Null Pointer Dereference D-Link Denial Of Service Dir 823G Firmware
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2024-33566 CRITICAL Act Now

Missing Authorization vulnerability in N-Media OrderConvo allows OS Command Injection.4. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Authentication Bypass
NVD
CVSS 3.1
10.0
EPSS
1.2%
CVE-2024-33575 MEDIUM POC This Month

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in User Meta user-meta.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
4.7%
CVE-2024-23995 MEDIUM POC This Month

Cross Site Scripting (XSS) in Beekeeper Studio 4.1.13 and earlier allows remote attackers to execute arbitrary code in the column name of a database table in tabulator-popup-container. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
1.0%
CVE-2024-3194 MEDIUM POC This Month

A vulnerability was found in MailCleaner up to 2023.03.14 and classified as problematic. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Mailcleaner
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.7%
CVE-2024-1905 MEDIUM POC This Month

The Smart Forms WordPress plugin before 2.6.96 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Smart Forms
NVD WPScan
CVSS 3.1
5.9
EPSS
0.5%
CVE-2024-33435 CRITICAL Act Now

Insecure Permissions vulnerability in Guangzhou Yingshi Electronic Technology Co. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE PHP
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-33276 CRITICAL Act Now

SQL Injection vulnerability in FME Modules preorderandnotication v.3.1.0 and before allows a remote attacker to run arbitrary SQL commands via the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-33269 CRITICAL Act Now

SQL Injection vulnerability in Prestaddons flashsales 1.9.7 and before allows an attacker to run arbitrary SQL commands via the FsModel::getFlashSales method. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-33268 CRITICAL Act Now

SQL Injection vulnerability in Digincube mdgiftproduct before 1.4.1 allows an attacker to run arbitrary SQL commands via the MdGiftRule::addGiftToCart method. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-33266 CRITICAL Act Now

SQL Injection vulnerability in Helloshop deliveryorderautoupdate v.2.8.1 and before allows an attacker to run arbitrary SQL commands via the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-33449 CRITICAL Act Now

An SSRF issue in the PDFMyURL service allows a remote attacker to obtain sensitive information and execute arbitrary code via a POST request in the url parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF RCE CSRF
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-32491 CRITICAL Act Now

An issue was discovered in Znuny and Znuny LTS 6.0.31 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in user can upload a file (via a manipulated AJAX Request) to an arbitrary writable. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Znuny
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-4300 CRITICAL Act Now

E-WEBInformationCo. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-33546 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team WZone allows SQL Injection.0.10. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2024-3375 CRITICAL Act Now

Incorrect Permission Assignment for Critical Resource vulnerability in Havelsan Inc. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD VulDB
CVSS 3.1
9.4
EPSS
0.2%
CVE-2024-33551 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in 8theme XStore Core allows SQL Injection.3.5. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Xstore Core
NVD
CVSS 3.1
9.3
EPSS
0.6%
CVE-2024-33544 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team WZone allows SQL Injection.0.10. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2024-33553 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in 8theme XStore Core.3.5. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization Xstore Core
NVD
CVSS 3.1
9.0
EPSS
0.7%
CVE-2024-0840 HIGH This Week

The Grandstream UCM Series IP PBX before firmware version 1.0.20.52 is affected by a parameter injection vulnerability in the HTTP interface. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2024-32493 HIGH This Week

An issue was discovered in Znuny LTS 6.5.1 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in agent is able to inject SQL in the draft form ID parameter of an AJAX request. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Znuny
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-27322 HIGH This Week

Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE
NVD
CVSS 3.1
8.8
EPSS
23.6%
CVE-2024-4306 HIGH This Week

Critical unrestricted file upload vulnerability in HubBank affecting version 1.0.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload Hubbank
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-4303 HIGH This Week

ArmorX Android APP's multi-factor authentication (MFA) for the login function is not properly implemented. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Google
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-4301 HIGH This Week

N-Reporter and N-Cloud, products of the N-Partner, have an OS Command Injection vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2024-33401 MEDIUM POC This Month

Cross Site Scripting vulnerability in DedeCMS v.5.7.113 allows a remote attacker to run arbitrary code via the mnum parameter. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS Dedecms
NVD
CVSS 3.1
4.4
EPSS
0.2%
CVE-2024-34010 HIGH This Week

Local privilege escalation due to unquoted search path vulnerability. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Privilege Escalation
NVD VulDB
CVSS 3.0
8.2
EPSS
0.1%
CVE-2024-1969 HIGH This Week

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Secomea GateManager (webserver modules) allows crash of GateManager.7 before 11.2.624095033. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow
NVD
CVSS 3.1
8.2
EPSS
0.5%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy