Skip to main content
CVE-2024-25600 CRITICAL POC THREAT Emergency

Improper Control of Generation of Code ('Code Injection') vulnerability in Codeer Limited Bricks Builder allows Code Injection.9.6. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE
NVD GitHub Exploit-DB
CVSS 3.1
10.0
EPSS
88.2%
CVE-2024-37273 CRITICAL POC Act Now

An arbitrary file upload vulnerability in the /v1/app/appendFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Jan
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2024-36858 CRITICAL POC Act Now

An arbitrary file upload vulnerability in the /v1/app/writeFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Jan
NVD GitHub
CVSS 3.1
9.8
EPSS
3.1%
CVE-2024-36604 CRITICAL POC Act Now

Tenda O3V2 v1.0.0.12(3880) was discovered to contain a Blind Command Injection via stpEn parameter in the SetStp function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Tenda Command Injection O3 Firmware
NVD
CVSS 3.1
9.8
EPSS
2.0%
CVE-2024-36400 CRITICAL POC PATCH Act Now

nano-id is a unique string ID generator for Rust. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Nano Id
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-29974 CRITICAL POC THREAT Act Now

** UNSUPPORTED WHEN ASSIGNED ** The remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zyxel RCE File Upload Nas326 Firmware Nas542 Firmware
NVD
CVSS 3.1
9.8
EPSS
22.8%
CVE-2024-29973 CRITICAL POC THREAT Act Now

** UNSUPPORTED WHEN ASSIGNED ** The command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zyxel Command Injection Nas326 Firmware Nas542 Firmware
NVD
CVSS 3.1
9.8
EPSS
86.1%
CVE-2024-29972 CRITICAL POC THREAT Act Now

** UNSUPPORTED WHEN ASSIGNED ** The command injection vulnerability in the CGI program "remote_help-cgi" in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zyxel Command Injection Nas326 Firmware Nas542 Firmware
NVD
CVSS 3.1
9.8
EPSS
89.2%
CVE-2024-36675 CRITICAL POC Act Now

LyLme_spage v1.9.5 is vulnerable to Server-Side Request Forgery (SSRF) via the get_head function. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Lylme Spage
NVD GitHub
CVSS 3.1
9.1
EPSS
1.4%
CVE-2024-36121 CRITICAL POC PATCH Act Now

netty-incubator-codec-ohttp is the OHTTP implementation for netty. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Integer Overflow Buffer Overflow Netty Incubator Codec Ohttp
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2024-4253 CRITICAL POC PATCH Act Now

A command injection vulnerability exists in the gradio-app/gradio repository, specifically within the 'test-functional.yml' workflow. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Command Injection Gradio
NVD GitHub
CVSS 3.1
9.1
EPSS
1.7%
CVE-2024-36104 CRITICAL POC THREAT Act Now

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.12.14. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Apache Ofbiz
NVD
CVSS 3.1
9.1
EPSS
87.9%
CVE-2024-4180 CRITICAL POC Act Now

The Events Calendar WordPress plugin before 6.4.0.1 does not properly sanitize user-submitted content when rendering some views via AJAX. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS The Events Calendar
NVD WPScan
CVSS 3.1
9.1
EPSS
1.8%
CVE-2024-35700 CRITICAL Act Now

Incorrect Privilege Assignment vulnerability in DeluxeThemes Userpro userpro.1.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-4552 CRITICAL Act Now

The Social Login Lite For WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.6.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2024-28103 CRITICAL PATCH Act Now

Action Pack is a framework for handling and responding to web requests. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Rails
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-35672 CRITICAL Act Now

Missing Authorization vulnerability in Netgsm.9.19. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Netgsm
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-35670 CRITICAL Act Now

Broken Authentication vulnerability in SoftLab Integrate Google Drive.3.93. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Google Integrate Google Drive
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-35629 CRITICAL Act Now

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Wow-Company Easy Digital Downloads - Recent Purchases allows PHP Remote File. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

LFI PHP Information Disclosure Easy Digital Downloads
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-34551 CRITICAL Act Now

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Select-Themes Stockholm allows PHP Local File Inclusion.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal PHP Stockholm
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-4219 CRITICAL Act Now

Prior to 23.2, it is possible to perform arbitrary Server-Side requests via HTTP-based connectors within BeyondInsight, resulting in a server-side request forgery vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Beyondinsight
NVD
CVSS 3.1
9.1
EPSS
0.2%
CVE-2024-33560 CRITICAL Act Now

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in 8theme XStore allows PHP Local File Inclusion.3.8. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Path Traversal PHP
NVD
CVSS 3.1
9.0
EPSS
0.6%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy