Skip to main content
CVE-2024-5324 HIGH PATCH Act Now

Multiple plugins for WordPress utilizing the XootiX Framework are vulnerable to unauthorized modification of data due to a missing capability check on the 'import_settings' function in various. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 43.7%.

WordPress Authentication Bypass Login Signup Popup Otp Login Woocommerce Gravity Forms Side Cart Woocommerce +1
NVD
CVSS 3.1
8.8
EPSS
43.7%
CVE-2024-3408 CRITICAL POC THREAT Emergency

man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass RCE Python D Tale
NVD GitHub
CVSS 3.1
9.8
EPSS
78.0%
CVE-2024-4320 CRITICAL POC THREAT Act Now

A remote code execution (RCE) vulnerability exists in the '/install_extension' endpoint of the parisneo/lollms-webui application, specifically within the `@router.post("/install_extension")` route. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Lollms Web Ui
NVD
CVSS 3.1
9.8
EPSS
34.4%
CVE-2024-3429 CRITICAL POC PATCH THREAT Act Now

A path traversal vulnerability exists in the parisneo/lollms application, specifically within the `sanitize_path_from_endpoint` and `sanitize_path` functions in `lollms_core\lollms\security.py`. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Microsoft Authentication Bypass Information Disclosure Denial Of Service +1
NVD GitHub
CVSS 3.1
9.8
EPSS
28.3%
CVE-2024-3322 CRITICAL POC PATCH Act Now

A path traversal vulnerability exists in the 'cyber_security/codeguard' native personality of the parisneo/lollms-webui, affecting versions up to 9.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Information Disclosure Lollms Web Ui
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-3234 CRITICAL POC PATCH Act Now

The gaizhenbiao/chuanhuchatgpt application is vulnerable to a path traversal attack due to its use of an outdated gradio component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Chuanhuchatgpt
NVD GitHub
CVSS 3.1
9.8
EPSS
3.8%
CVE-2024-2624 CRITICAL POC PATCH Act Now

A path traversal and arbitrary file upload vulnerability exists in the parisneo/lollms-webui application, specifically within the `@router.get("/switch_personal_path")` endpoint in. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Path Traversal Information Disclosure File Upload Lollms Web Ui
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2024-2360 CRITICAL POC Act Now

parisneo/lollms-webui is vulnerable to path traversal attacks that can lead to remote code execution due to insufficient sanitization of user-supplied input in the 'Database path' and 'PDF LaTeX. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal Lollms Web Ui
NVD
CVSS 3.1
9.8
EPSS
1.9%
CVE-2024-2359 CRITICAL POC Act Now

A vulnerability in the parisneo/lollms-webui version 9.3 allows attackers to bypass intended access restrictions and execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Command Injection Lollms Web Ui
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2024-5482 CRITICAL POC Act Now

A Server-Side Request Forgery (SSRF) vulnerability exists in the 'add_webpage' endpoint of the parisneo/lollms-webui application, affecting the latest version. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Information Disclosure Lollms Web Ui
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-5452 CRITICAL POC PATCH THREAT MAL Act Now

A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Pytorch Lightning
NVD GitHub
CVSS 3.1
9.8
EPSS
26.5%
CVE-2024-3104 CRITICAL POC PATCH Act Now

A remote code execution vulnerability exists in mintplex-labs/anything-llm due to improper handling of environment variables. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Command Injection Denial Of Service Anythingllm
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2024-34832 CRITICAL POC Act Now

Directory Traversal vulnerability in CubeCart v.6.5.5 and before allows an attacker to execute arbitrary code via a crafted file uploaded to the _g and node parameters. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal Cubecart
NVD GitHub
CVSS 3.1
9.8
EPSS
5.0%
CVE-2024-36779 CRITICAL POC Act Now

Sourcecodester Stock Management System v1.0 is vulnerable to SQL Injection via editCategories.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Stock Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-3166 CRITICAL POC PATCH Act Now

A Cross-Site Scripting (XSS) vulnerability exists in mintplex-labs/anything-llm, affecting both the desktop application version 1.2.0 and the latest version of the web application. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE XSS Anythingllm Desktop Anythingllm Docker
NVD GitHub
CVSS 3.1
9.6
EPSS
1.0%
CVE-2024-3033 CRITICAL POC PATCH Act Now

An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Anythingllm
NVD GitHub
CVSS 3.1
9.4
EPSS
0.6%
CVE-2024-5328 CRITICAL POC Act Now

A Server-Side Request Forgery (SSRF) vulnerability exists in the lunary-ai/lunary application, specifically within the endpoint '/auth/saml/tto/download-idp-xml'. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Lunary
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2024-2362 CRITICAL POC Act Now

A path traversal vulnerability exists in the parisneo/lollms-webui version 9.3 on the Windows platform. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Microsoft Lollms Web Ui
NVD
CVSS 3.1
9.1
EPSS
1.1%
CVE-2024-5187 HIGH POC PATCH This Week

A vulnerability in the `download_model_with_test_data` function of the onnx/onnx framework, version 1.16.0, allows for arbitrary file overwrite due to inadequate prevention of path traversal attacks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal Onnx
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2024-5128 HIGH POC PATCH This Week

An Insecure Direct Object Reference (IDOR) vulnerability was identified in lunary-ai/lunary, affecting versions up to and including 1.2.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Lunary
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-3150 HIGH POC PATCH This Week

In mintplex-labs/anything-llm, a vulnerability exists in the thread update process that allows users with Default or Manager roles to escalate their privileges to Administrator. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Privilege Escalation Anythingllm
NVD GitHub
CVSS 3.1
8.8
EPSS
0.8%
CVE-2024-3149 HIGH POC PATCH This Week

A Server-Side Request Forgery (SSRF) vulnerability exists in the upload link feature of mintplex-labs/anything-llm. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Nginx Anythingllm
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-0520 HIGH POC PATCH This Week

A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS command ('Command Injection') within the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Path Traversal Command Injection Mlflow
NVD GitHub
CVSS 3.1
8.8
EPSS
2.4%
CVE-2024-3152 HIGH POC PATCH This Week

mintplex-labs/anything-llm is vulnerable to multiple security issues due to improper input validation in several endpoints. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Anythingllm
NVD GitHub
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-2914 HIGH POC PATCH This Week

A TarSlip vulnerability exists in the deepjavalibrary/djl, affecting version 0.26.0 and fixed in version 0.27.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Privilege Escalation RCE Denial Of Service Deep Java Library
NVD GitHub
CVSS 3.1
8.8
EPSS
0.9%
CVE-2024-1879 HIGH POC PATCH This Week

A Cross-Site Request Forgery (CSRF) vulnerability in significant-gravitas/autogpt version v0.5.0 allows attackers to execute arbitrary commands on the AutoGPT server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Autogpt Classic
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-3110 HIGH POC PATCH This Week

A stored Cross-Site Scripting (XSS) vulnerability exists in the mintplex-labs/anything-llm application, affecting versions up to and including the latest before 1.0.0. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Anythingllm
NVD GitHub
CVSS 3.1
8.7
EPSS
0.7%
CVE-2024-4325 HIGH POC THREAT This Week

A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio version 4.21.0, specifically within the `/queue/join` endpoint and the `save_url_to_cache` function. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Authentication Bypass Gradio
NVD
CVSS 3.1
8.6
EPSS
37.4%
CVE-2024-2288 HIGH POC PATCH This Week

A Cross-Site Request Forgery (CSRF) vulnerability exists in the profile picture upload functionality of the Lollms application, specifically in the parisneo/lollms-webui repository, affecting. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS CSRF Denial Of Service Lollms Web Ui
NVD GitHub
CVSS 3.1
8.3
EPSS
0.3%
CVE-2024-5129 HIGH POC PATCH This Week

A Privilege Escalation Vulnerability exists in lunary-ai/lunary version 1.2.2, where any user can delete any datasets due to missing authorization checks. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Privilege Escalation Lunary
NVD GitHub
CVSS 3.1
8.2
EPSS
0.4%
CVE-2024-5133 HIGH POC This Week

In lunary-ai/lunary version 1.2.4, an account takeover vulnerability exists due to the exposure of password recovery tokens in API responses. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Lunary
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2024-4888 HIGH POC PATCH MAL This Week

BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on the `/audio/transcriptions` endpoint. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Litellm
NVD
CVSS 3.1
8.1
EPSS
0.6%
CVE-2024-5657 HIGH POC PATCH This Week

The CraftCMS plugin Two-Factor Authentication in versions 3.3.1, 3.3.2 and 3.3.3 discloses the password hash of the currently authenticated user after submitting a valid TOTP. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Two Factor Authentication
NVD GitHub
CVSS 3.1
8.1
EPSS
0.8%
CVE-2024-1880 HIGH POC PATCH This Week

An OS command injection vulnerability exists in the MacOS Text-To-Speech class MacOSTTS of the significant-gravitas/autogpt project, affecting versions up to v0.5.0. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Apple Command Injection RCE Autogpt Classic
NVD GitHub
CVSS 3.1
7.8
EPSS
1.0%
CVE-2024-4851 HIGH POC This Week

A Server-Side Request Forgery (SSRF) vulnerability exists in the stangirard/quivr application, version 0.0.204, which allows attackers to access internal networks. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Quivr
NVD
CVSS 3.1
7.7
EPSS
0.6%
CVE-2024-3095 HIGH POC PATCH This Week

A Server-Side Request Forgery (SSRF) vulnerability exists in the Web Research Retriever component of langchain-ai/langchain version 0.1.5. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF RCE Langchain
NVD
CVSS 3.1
7.7
EPSS
0.7%
CVE-2024-5552 HIGH POC This Week

kubeflow/kubeflow is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to inefficient regular expression complexity in its email validation mechanism. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Kubeflow
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-5130 HIGH POC PATCH This Week

An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Lunary
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-5124 HIGH POC This Week

A timing attack vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, specifically within the password comparison logic. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Information Disclosure Chuanhuchatgpt
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2024-4881 HIGH POC PATCH This Week

A path traversal vulnerability exists in the parisneo/lollms application, affecting version 9.4.0 and potentially earlier versions, but fixed in version 5.9.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Microsoft Lollms
NVD GitHub
CVSS 3.1
7.5
EPSS
0.9%
CVE-2024-37153 HIGH POC PATCH This Week

Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Evmos
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-2928 HIGH POC PATCH THREAT This Week

A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Mlflow
NVD GitHub
CVSS 3.1
7.5
EPSS
21.8%
CVE-2024-2548 HIGH POC PATCH This Week

A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the `lollms_core/lollms/server/endpoints/lollms_binding_files_server.py` and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Microsoft Lollms Web Ui
NVD GitHub
CVSS 3.1
7.5
EPSS
0.9%
CVE-2024-5277 HIGH POC This Week

In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not invalidated after use. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Authentication Bypass Lunary
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2024-4941 HIGH POC PATCH This Week

A local file inclusion vulnerability exists in the JSON component of gradio-app/gradio version 4.25. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Gradio
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-37152 HIGH POC PATCH This Week

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Kubernetes Argo Cd
NVD GitHub
CVSS 3.1
7.5
EPSS
2.3%
CVE-2024-28995 HIGH POC KEV THREAT This Week

SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Serv U
NVD GitHub Exploit-DB
CVSS 3.1
7.5
EPSS
99.6%
CVE-2024-36774 HIGH POC This Week

An arbitrary file upload vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary code via uploading a crafted PHP file. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload Monstra
NVD GitHub
CVSS 3.1
7.2
EPSS
0.7%
CVE-2024-5225 HIGH POC PATCH MAL This Week

An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the `/global/spend/logs` endpoint. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass SQLi Denial Of Service Litellm
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2024-5186 HIGH POC This Week

A Server-Side Request Forgery (SSRF) vulnerability exists in the file upload section of imartinez/privategpt version 0.5.0. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Information Disclosure Authentication Bypass File Upload Privategpt
NVD
CVSS 3.1
7.2
EPSS
0.3%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy