Skip to main content
CVE-2024-27453 HIGH POC This Week

In Extreme XOS through 22.6.1.4, a read-only user can escalate privileges to root via a crafted HTTP POST request to the python method of the Machine-to-Machine Interface (MMI). Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Python Extremexos
NVD
CVSS 3.1
8.6
EPSS
0.7%
CVE-2024-33398 HIGH POC This Week

There is a ClusterRole in piraeus-operator v2.5.0 and earlier which has been granted list secrets permission, which allows an attacker to impersonate the service account bound to this ClusterRole and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2023-50186 HIGH This Week

A stack-based buffer overflow vulnerability exists in GStreamer's AV1 video parsing functionality that allows remote attackers to execute arbitrary code when processing specially crafted AV1 video files. The vulnerability affects all versions of GStreamer prior to the patched release and requires user interaction to exploit, though attack vectors may vary depending on implementation. With an EPSS score of 9.18% (93rd percentile), this vulnerability has a higher-than-average likelihood of exploitation in the wild, though it is not currently listed in CISA's KEV catalog.

RCE Buffer Overflow Gstreamer
NVD VulDB
CVSS 3.1
8.8
EPSS
9.2%
CVE-2023-37328 HIGH This Week

A heap-based buffer overflow vulnerability in GStreamer's PGS (Presentation Graphic Stream) subtitle file parser allows remote attackers to execute arbitrary code when processing malicious subtitle files. The vulnerability affects all GStreamer installations and requires user interaction to exploit, typically by opening a media file with crafted PGS subtitles. With an EPSS score of 7.71% (92nd percentile), this vulnerability represents a significant exploitation risk in the wild.

RCE Buffer Overflow Gstreamer
NVD VulDB
CVSS 3.1
8.8
EPSS
7.7%
CVE-2023-40474 HIGH PATCH This Week

A critical integer overflow vulnerability in GStreamer's MXF (Material eXchange Format) video file parser allows remote attackers to execute arbitrary code when processing specially crafted media files. The vulnerability affects all versions of GStreamer prior to the patched releases and requires user interaction (such as opening a malicious video file) to exploit, with an EPSS score of 6.53% indicating moderate real-world exploitation likelihood. While not currently listed in CISA's KEV catalog, the vulnerability has a high CVSS score of 8.8 and patches are available from the vendor.

RCE Gstreamer
NVD VulDB
CVSS 3.1
8.8
EPSS
6.5%
CVE-2023-40476 HIGH PATCH This Week

A stack-based buffer overflow vulnerability in GStreamer's H265 video parsing functionality allows remote attackers to execute arbitrary code when processing maliciously crafted H265 encoded video files. The vulnerability affects all GStreamer installations and requires user interaction (such as opening a malicious video file) but can lead to full system compromise in the context of the running application. With an EPSS score of 6.22% (91st percentile), this vulnerability has a higher-than-average likelihood of exploitation in the wild, and patches are available from the vendor.

RCE Buffer Overflow Gstreamer
NVD VulDB
CVSS 3.1
8.8
EPSS
6.2%
CVE-2023-44429 HIGH PATCH This Week

A heap-based buffer overflow vulnerability exists in GStreamer's AV1 codec parsing functionality that allows remote attackers to execute arbitrary code. The vulnerability affects all versions of GStreamer prior to the patched release and requires user interaction to exploit, such as opening a malicious AV1 video file. With a CVSS score of 8.8 and patches available since the disclosure, this represents a high-risk vulnerability for applications using GStreamer for media processing.

RCE Buffer Overflow Gstreamer
NVD VulDB
CVSS 3.1
8.8
EPSS
6.0%
CVE-2023-37327 HIGH PATCH This Week

A critical integer overflow vulnerability in GStreamer's FLAC file parsing functionality allows remote attackers to execute arbitrary code when processing malicious FLAC audio files. The vulnerability affects all versions of GStreamer prior to the patched release and requires user interaction (opening/processing a malicious file) to exploit. With an EPSS score of 5.34% (90th percentile), this vulnerability poses a significant real-world risk, though no active exploitation has been reported in KEV.

RCE Gstreamer
NVD VulDB
CVSS 3.1
8.8
EPSS
5.3%
CVE-2023-38104 HIGH PATCH This Week

An integer overflow vulnerability in GStreamer's RealMedia file parsing functionality allows remote attackers to execute arbitrary code when processing malicious MDPR chunks. The vulnerability affects GStreamer version 1.22.3 and potentially earlier versions, requiring user interaction to trigger but potentially exploitable through various attack vectors depending on implementation. With an EPSS score of 4.97% (90th percentile), this vulnerability poses a significant exploitation risk and has patches available from the vendor.

RCE Gstreamer
NVD
CVSS 3.1
8.8
EPSS
5.0%
CVE-2023-37329 HIGH PATCH This Week

A heap-based buffer overflow vulnerability in GStreamer's SRT subtitle file parsing functionality allows remote attackers to execute arbitrary code when processing maliciously crafted SRT files. The vulnerability affects all versions of GStreamer and requires user interaction (such as opening a malicious subtitle file), making it particularly dangerous for media players and applications that use GStreamer for subtitle processing. With an EPSS score of 4.74% (89th percentile), this vulnerability has a higher-than-average likelihood of exploitation in the wild.

RCE Buffer Overflow Gstreamer
NVD VulDB
CVSS 3.1
8.8
EPSS
4.7%
CVE-2023-38103 HIGH PATCH This Week

A critical integer overflow vulnerability exists in GStreamer's RealMedia file parser that allows remote code execution when processing specially crafted MDPR chunks. The vulnerability affects GStreamer version 1.22.3 and potentially earlier versions, enabling attackers to execute arbitrary code in the context of the current process through maliciously crafted RealMedia files. With an EPSS score of 4.54% (89th percentile), this vulnerability has a higher-than-average likelihood of exploitation in the wild, though it requires user interaction to trigger.

RCE Gstreamer
NVD
CVSS 3.1
8.8
EPSS
4.5%
CVE-2023-40475 HIGH PATCH This Week

A critical integer overflow vulnerability in GStreamer's MXF (Material Exchange Format) video file parser allows remote attackers to execute arbitrary code on affected systems. The vulnerability affects all versions of GStreamer prior to the patched releases and requires user interaction (opening a malicious MXF file) to exploit, with an EPSS score of 4.28% indicating moderate real-world exploitation likelihood. While not currently listed in CISA's Known Exploited Vulnerabilities catalog, the vulnerability has a high CVSS score of 8.8 and patches are available from the vendor.

RCE Gstreamer
NVD VulDB
CVSS 3.1
8.8
EPSS
4.3%
CVE-2023-44446 HIGH PATCH This Week

A use-after-free vulnerability in GStreamer's MXF (Material Exchange Format) video file parser allows remote attackers to execute arbitrary code when processing specially crafted MXF files. The vulnerability affects all GStreamer installations and requires user interaction such as opening a malicious video file, with an EPSS score of 4.17% indicating moderate real-world exploitation likelihood. While not currently in CISA's KEV catalog, the vulnerability has a patch available and was discovered through responsible disclosure by the Zero Day Initiative.

RCE Gstreamer
NVD VulDB
CVSS 3.1
8.8
EPSS
4.2%
CVE-2024-34033 HIGH This Week

Delta Electronics DIAEnergie has insufficient input validation which makes it possible to perform a path traversal attack and write outside of the intended directory. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Diaenergie
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2024-34032 HIGH This Week

Delta Electronics DIAEnergie is vulnerable to an SQL injection vulnerability that exists in the GetDIACloudList endpoint. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Diaenergie
NVD
CVSS 3.1
8.8
EPSS
8.7%
CVE-2024-34031 HIGH This Week

Delta Electronics DIAEnergie is vulnerable to an SQL injection vulnerability that exists in the script Handler_CFG.ashx. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Diaenergie
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-34066 HIGH PATCH This Week

Pterodactyl wings is the server control plane for Pterodactyl Panel. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity.

Path Traversal Information Disclosure Wings
NVD GitHub
CVSS 3.1
8.4
EPSS
0.5%
CVE-2024-29417 HIGH This Week

Insecure Permissions vulnerability in e-trust Horacius 1.0, 1.1, and 1.2 allows a local attacker to escalate privileges via the password reset function. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
8.4
EPSS
0.2%
CVE-2024-33787 HIGH This Week

Hengan Weighing Management Information Query Platform 2019-2021 53.25 was discovered to contain a SQL injection vulnerability via the tuser_Number parameter at search_user.aspx. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD GitHub
CVSS 3.1
8.2
EPSS
0.4%
CVE-2024-28519 HIGH This Week

A kernel handle leak issue in ProcObsrvesx.sys 4.0.0.49 in MicroWorld Technologies Inc eScan Antivirus could allow privilege escalation for low-privileged users. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-4461 HIGH This Week

Unquoted path or search item vulnerability in SugarSync versions prior to 4.1.3 for Windows. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation RCE Microsoft
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-34073 HIGH PATCH This Week

sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Python Command Injection Denial Of Service
NVD GitHub
CVSS 3.1
7.8
EPSS
1.1%
CVE-2024-34072 HIGH PATCH This Week

sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Python Denial Of Service
NVD GitHub
CVSS 3.1
7.8
EPSS
0.4%
CVE-2024-33844 HIGH This Week

The 'control' in Parrot ANAFI USA firmware 1.10.4 does not check the MAV_MISSION_TYPE(0, 1, 2, 255), which allows attacker to cut off the connection between a controller and the drone by sending. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Anafi Firmware
NVD VulDB
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-32810 HIGH This Week

Missing Authorization vulnerability in ShortPixel ShortPixel Critical CSS shortpixel-critical-css.0.2. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2024-34455 HIGH This Week

Buildroot before 0b2967e lacks the sticky bit for the /dev/shm directory. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-34447 HIGH PATCH This Week

An issue was discovered in the Bouncy Castle Crypto Package For Java before BC TLS Java 1.0.19 (ships with BC Java 1.78, BC Java (LTS) 2.73.6) and before BC FIPS TLS Java 1.0.19. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-34446 HIGH This Week

Mullvad VPN through 2024.1 on Android does not set a DNS server in the blocking state (after a hard failure to create a tunnel), and thus DNS traffic can leave the device. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-1067 HIGH This Week

Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user to make. Rated high severity (CVSS 7.4), this vulnerability is no authentication required. No vendor patch available.

Use After Free Linux Denial Of Service Memory Corruption 5th Gen Gpu Architecture Kernel Driver +2
NVD
CVSS 3.1
7.4
EPSS
0.2%
CVE-2024-33928 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeBard CodeBard's Patron Button and Widgets for Patreon allows Reflected XSS.2.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Codebard S Patron Button And Widgets For Patreon
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2024-33947 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss RegistrationMagic allows Reflected XSS.3.2.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Registrationmagic
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2024-33924 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Realtyna Realtyna Organic IDX plugin allows Reflected XSS.14.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2024-33946 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPify s.R.O. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy