Skip to main content
CVE-2023-50224 MEDIUM KEV THREAT This Month

TP-Link TL-WR841N dropbearpwd Improper Authentication Information Disclosure Vulnerability.

NVD
CVSS 3.0
6.5
EPSS
1.7%
CVE-2024-31673 CRITICAL POC Act Now

Kliqqi-CMS 2.0.2 is vulnerable to SQL Injection in load_data.php via the userid parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Kliqqi Cms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-33792 CRITICAL POC Act Now

netis-systems MEX605 v2.00.06 allows attackers to execute arbitrary OS commands via a crafted payload to the tracert page. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Mex605 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2024-33789 CRITICAL POC Act Now

Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability via the ipurl parameter at /API/info form endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Linksys Command Injection E5600 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
2.4%
CVE-2024-27453 HIGH POC This Week

In Extreme XOS through 22.6.1.4, a read-only user can escalate privileges to root via a crafted HTTP POST request to the python method of the Machine-to-Machine Interface (MMI). Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Python Extremexos
NVD
CVSS 3.1
8.6
EPSS
0.7%
CVE-2024-33398 HIGH POC This Week

There is a ClusterRole in piraeus-operator v2.5.0 and earlier which has been granted list secrets permission, which allows an attacker to impersonate the service account bound to this ClusterRole and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2023-50186 HIGH This Week

A stack-based buffer overflow vulnerability exists in GStreamer's AV1 video parsing functionality that allows remote attackers to execute arbitrary code when processing specially crafted AV1 video files. The vulnerability affects all versions of GStreamer prior to the patched release and requires user interaction to exploit, though attack vectors may vary depending on implementation. With an EPSS score of 9.18% (93rd percentile), this vulnerability has a higher-than-average likelihood of exploitation in the wild, though it is not currently listed in CISA's KEV catalog.

RCE Buffer Overflow Gstreamer
NVD VulDB
CVSS 3.1
8.8
EPSS
9.2%
CVE-2024-30851 MEDIUM POC This Month

Directory Traversal vulnerability in codesiddhant Jasmin Ransomware v.1.0.1 allows an attacker to obtain sensitive information via the download_file.php component. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP Jasmin Ransomware
NVD GitHub
CVSS 3.1
6.5
EPSS
4.6%
CVE-2023-37328 HIGH This Week

A heap-based buffer overflow vulnerability in GStreamer's PGS (Presentation Graphic Stream) subtitle file parser allows remote attackers to execute arbitrary code when processing malicious subtitle files. The vulnerability affects all GStreamer installations and requires user interaction to exploit, typically by opening a media file with crafted PGS subtitles. With an EPSS score of 7.71% (92nd percentile), this vulnerability represents a significant exploitation risk in the wild.

RCE Buffer Overflow Gstreamer
NVD VulDB
CVSS 3.1
8.8
EPSS
7.7%
CVE-2024-34075 MEDIUM POC PATCH This Month

kurwov is a fast, dependency-free library for creating Markov Chains. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization
NVD GitHub
CVSS 3.1
6.2
EPSS
0.3%
CVE-2023-40474 HIGH PATCH This Week

A critical integer overflow vulnerability in GStreamer's MXF (Material eXchange Format) video file parser allows remote attackers to execute arbitrary code when processing specially crafted media files. The vulnerability affects all versions of GStreamer prior to the patched releases and requires user interaction (such as opening a malicious video file) to exploit, with an EPSS score of 6.53% indicating moderate real-world exploitation likelihood. While not currently listed in CISA's KEV catalog, the vulnerability has a high CVSS score of 8.8 and patches are available from the vendor.

RCE Gstreamer
NVD VulDB
CVSS 3.1
8.8
EPSS
6.5%
CVE-2024-34449 MEDIUM POC This Month

Vditor 3.10.3 allows XSS via an attribute of an A element. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Vditor
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-4439 MEDIUM POC PATCH THREAT This Month

WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
70.8%
CVE-2024-3692 MEDIUM POC This Month

The Gutenverse WordPress plugin before 1.9.1 does not validate the htmlTag option in various of its block before outputting it back in a page/post where the block is embed, which could allow users. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Gutenverse
NVD WPScan
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-3637 MEDIUM POC This Month

The Responsive Contact Form Builder & Lead Generation Plugin WordPress plugin through 1.8.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Contact Form Lead Form Elementor Builder
NVD WPScan
CVSS 3.1
6.1
EPSS
0.5%
CVE-2024-34401 MEDIUM POC This Month

Savsoft Quiz 6.0 allows stored XSS via the index.php/quiz/insert_quiz/ quiz_name parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Savsoft Quiz
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.4%
CVE-2023-40476 HIGH PATCH This Week

A stack-based buffer overflow vulnerability in GStreamer's H265 video parsing functionality allows remote attackers to execute arbitrary code when processing maliciously crafted H265 encoded video files. The vulnerability affects all GStreamer installations and requires user interaction (such as opening a malicious video file) but can lead to full system compromise in the context of the running application. With an EPSS score of 6.22% (91st percentile), this vulnerability has a higher-than-average likelihood of exploitation in the wild, and patches are available from the vendor.

RCE Buffer Overflow Gstreamer
NVD VulDB
CVSS 3.1
8.8
EPSS
6.2%
CVE-2023-44429 HIGH PATCH This Week

A heap-based buffer overflow vulnerability exists in GStreamer's AV1 codec parsing functionality that allows remote attackers to execute arbitrary code. The vulnerability affects all versions of GStreamer prior to the patched release and requires user interaction to exploit, such as opening a malicious AV1 video file. With a CVSS score of 8.8 and patches available since the disclosure, this represents a high-risk vulnerability for applications using GStreamer for media processing.

RCE Buffer Overflow Gstreamer
NVD VulDB
CVSS 3.1
8.8
EPSS
6.0%
CVE-2023-37327 HIGH PATCH This Week

A critical integer overflow vulnerability in GStreamer's FLAC file parsing functionality allows remote attackers to execute arbitrary code when processing malicious FLAC audio files. The vulnerability affects all versions of GStreamer prior to the patched release and requires user interaction (opening/processing a malicious file) to exploit. With an EPSS score of 5.34% (90th percentile), this vulnerability poses a significant real-world risk, though no active exploitation has been reported in KEV.

RCE Gstreamer
NVD VulDB
CVSS 3.1
8.8
EPSS
5.3%
CVE-2024-33786 CRITICAL Act Now

An arbitrary file upload vulnerability in Zhongcheng Kexin Ticketing Management Platform 20.04 allows attackers to execute arbitrary code via uploading a crafted file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-2410 CRITICAL Act Now

The JsonToBinaryStream() function is part of the protocol buffers C++ implementation and is used to parse JSON from a stream. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Information Disclosure Memory Corruption Protobuf
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-4466 CRITICAL Act Now

SQL injection vulnerability in Gescen on the centrosdigitales.net platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2023-38104 HIGH PATCH This Week

An integer overflow vulnerability in GStreamer's RealMedia file parsing functionality allows remote attackers to execute arbitrary code when processing malicious MDPR chunks. The vulnerability affects GStreamer version 1.22.3 and potentially earlier versions, requiring user interaction to trigger but potentially exploitable through various attack vectors depending on implementation. With an EPSS score of 4.97% (90th percentile), this vulnerability poses a significant exploitation risk and has patches available from the vendor.

RCE Gstreamer
NVD
CVSS 3.1
8.8
EPSS
5.0%
CVE-2023-37329 HIGH PATCH This Week

A heap-based buffer overflow vulnerability in GStreamer's SRT subtitle file parsing functionality allows remote attackers to execute arbitrary code when processing maliciously crafted SRT files. The vulnerability affects all versions of GStreamer and requires user interaction (such as opening a malicious subtitle file), making it particularly dangerous for media players and applications that use GStreamer for subtitle processing. With an EPSS score of 4.74% (89th percentile), this vulnerability has a higher-than-average likelihood of exploitation in the wild.

RCE Buffer Overflow Gstreamer
NVD VulDB
CVSS 3.1
8.8
EPSS
4.7%
CVE-2023-38103 HIGH PATCH This Week

A critical integer overflow vulnerability exists in GStreamer's RealMedia file parser that allows remote code execution when processing specially crafted MDPR chunks. The vulnerability affects GStreamer version 1.22.3 and potentially earlier versions, enabling attackers to execute arbitrary code in the context of the current process through maliciously crafted RealMedia files. With an EPSS score of 4.54% (89th percentile), this vulnerability has a higher-than-average likelihood of exploitation in the wild, though it requires user interaction to trigger.

RCE Gstreamer
NVD
CVSS 3.1
8.8
EPSS
4.5%
CVE-2023-40475 HIGH PATCH This Week

A critical integer overflow vulnerability in GStreamer's MXF (Material Exchange Format) video file parser allows remote attackers to execute arbitrary code on affected systems. The vulnerability affects all versions of GStreamer prior to the patched releases and requires user interaction (opening a malicious MXF file) to exploit, with an EPSS score of 4.28% indicating moderate real-world exploitation likelihood. While not currently listed in CISA's Known Exploited Vulnerabilities catalog, the vulnerability has a high CVSS score of 8.8 and patches are available from the vendor.

RCE Gstreamer
NVD VulDB
CVSS 3.1
8.8
EPSS
4.3%
CVE-2023-44446 HIGH PATCH This Week

A use-after-free vulnerability in GStreamer's MXF (Material Exchange Format) video file parser allows remote attackers to execute arbitrary code when processing specially crafted MXF files. The vulnerability affects all GStreamer installations and requires user interaction such as opening a malicious video file, with an EPSS score of 4.17% indicating moderate real-world exploitation likelihood. While not currently in CISA's KEV catalog, the vulnerability has a patch available and was discovered through responsible disclosure by the Zero Day Initiative.

RCE Gstreamer
NVD VulDB
CVSS 3.1
8.8
EPSS
4.2%
CVE-2024-32986 CRITICAL Act Now

PWAsForFirefox is a tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple RCE Mozilla Microsoft
NVD GitHub
CVSS 3.1
9.6
EPSS
0.7%
CVE-2024-33793 MEDIUM POC This Month

netis-systems MEX605 v2.00.06 allows attackers to execute arbitrary OS commands via a crafted payload to the ping test page. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Mex605 Firmware
NVD GitHub
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-34408 MEDIUM POC PATCH This Month

Tencent libpag through 4.3.51 has an integer overflow in DecodeStream::checkEndOfFile() in codec/utils/DecodeStream.cpp via a crafted PAG (Portable Animated Graphics) file. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. Public exploit code available.

Heap Overflow Buffer Overflow Libpag
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2024-34033 HIGH This Week

Delta Electronics DIAEnergie has insufficient input validation which makes it possible to perform a path traversal attack and write outside of the intended directory. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Diaenergie
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2024-34032 HIGH This Week

Delta Electronics DIAEnergie is vulnerable to an SQL injection vulnerability that exists in the GetDIACloudList endpoint. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Diaenergie
NVD
CVSS 3.1
8.8
EPSS
8.7%
CVE-2024-34031 HIGH This Week

Delta Electronics DIAEnergie is vulnerable to an SQL injection vulnerability that exists in the script Handler_CFG.ashx. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Diaenergie
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-3703 MEDIUM POC This Month

The Carousel Slider WordPress plugin before 2.2.10 does not validate and escape some of its Slide options before outputting them back in the page/post where the related Slide shortcode is embed,. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Carousel Slider
NVD WPScan
CVSS 3.1
4.7
EPSS
0.5%
CVE-2024-33791 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in netis-systems MEX605 v2.00.06 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the getTimeZone function. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Mex605 Firmware
NVD GitHub
CVSS 3.1
4.6
EPSS
0.4%
CVE-2024-34066 HIGH PATCH This Week

Pterodactyl wings is the server control plane for Pterodactyl Panel. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity.

Path Traversal Information Disclosure Wings
NVD GitHub
CVSS 3.1
8.4
EPSS
0.5%
CVE-2024-29417 HIGH This Week

Insecure Permissions vulnerability in e-trust Horacius 1.0, 1.1, and 1.2 allows a local attacker to escalate privileges via the password reset function. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
8.4
EPSS
0.2%
CVE-2024-33787 HIGH This Week

Hengan Weighing Management Information Query Platform 2019-2021 53.25 was discovered to contain a SQL injection vulnerability via the tuser_Number parameter at search_user.aspx. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD GitHub
CVSS 3.1
8.2
EPSS
0.4%
CVE-2024-31636 LOW POC PATCH Monitor

An issue in LIEF v.0.14.1 allows a local attacker to obtain sensitive information via the name parameter of the machd_reader.c component. Rated low severity (CVSS 3.9), this vulnerability is low attack complexity. Public exploit code available.

Information Disclosure Lief
NVD GitHub VulDB
CVSS 3.1
3.9
EPSS
0.3%
CVE-2024-28519 HIGH This Week

A kernel handle leak issue in ProcObsrvesx.sys 4.0.0.49 in MicroWorld Technologies Inc eScan Antivirus could allow privilege escalation for low-privileged users. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-4461 HIGH This Week

Unquoted path or search item vulnerability in SugarSync versions prior to 4.1.3 for Windows. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation RCE Microsoft
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-34073 HIGH PATCH This Week

sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Python Command Injection Denial Of Service
NVD GitHub
CVSS 3.1
7.8
EPSS
1.1%
CVE-2024-34072 HIGH PATCH This Week

sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Python Denial Of Service
NVD GitHub
CVSS 3.1
7.8
EPSS
0.4%
CVE-2024-33844 HIGH This Week

The 'control' in Parrot ANAFI USA firmware 1.10.4 does not check the MAV_MISSION_TYPE(0, 1, 2, 255), which allows attacker to cut off the connection between a controller and the drone by sending. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Anafi Firmware
NVD VulDB
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-32810 HIGH This Week

Missing Authorization vulnerability in ShortPixel ShortPixel Critical CSS shortpixel-critical-css.0.2. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2024-34455 HIGH This Week

Buildroot before 0b2967e lacks the sticky bit for the /dev/shm directory. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-34447 HIGH PATCH This Week

An issue was discovered in the Bouncy Castle Crypto Package For Java before BC TLS Java 1.0.19 (ships with BC Java 1.78, BC Java (LTS) 2.73.6) and before BC FIPS TLS Java 1.0.19. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-34446 HIGH This Week

Mullvad VPN through 2024.1 on Android does not set a DNS server in the blocking state (after a hard failure to create a tunnel), and thus DNS traffic can leave the device. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-1067 HIGH This Week

Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user to make. Rated high severity (CVSS 7.4), this vulnerability is no authentication required. No vendor patch available.

Use After Free Linux Denial Of Service Memory Corruption 5th Gen Gpu Architecture Kernel Driver +2
NVD
CVSS 3.1
7.4
EPSS
0.2%
CVE-2024-33928 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeBard CodeBard's Patron Button and Widgets for Patreon allows Reflected XSS.2.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Codebard S Patron Button And Widgets For Patreon
NVD
CVSS 3.1
7.1
EPSS
0.2%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy