Skip to main content
CVE-2024-39932 CRITICAL POC PATCH THREAT Act Now

Gogs through 0.13.0 allows argument injection during the previewing of changes. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Gogs
NVD GitHub
CVSS 3.1
9.9
EPSS
17.2%
CVE-2024-39930 CRITICAL POC PATCH Act Now

The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Microsoft Gogs
NVD GitHub Exploit-DB
CVSS 3.1
9.9
EPSS
7.3%
CVE-2024-39933 HIGH POC PATCH This Week

Gogs through 0.13.0 allows argument injection during the tagging of a new release. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Gogs
NVD GitHub
CVSS 3.1
7.7
EPSS
0.7%
CVE-2024-6319 HIGH PATCH Act Now

The IMGspider plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload' function in all versions up to, and including, 2.3.10. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 10.9%.

File Upload WordPress RCE Imgspider
NVD
CVSS 3.1
8.8
EPSS
10.9%
CVE-2024-6318 HIGH PATCH Act Now

The IMGspider plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_img_file' function in all versions up to, and including, 2.3.10. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 10.9%.

File Upload RCE WordPress Imgspider
NVD
CVSS 3.1
8.8
EPSS
10.9%
CVE-2024-39931 CRITICAL PATCH Act Now

Gogs through 0.13.0 allows deletion of internal files. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Information Disclosure Gogs
NVD GitHub
CVSS 3.1
9.9
EPSS
50.7%
CVE-2024-39165 CRITICAL Act Now

QR/demoapp/qr_image.php in Asial JpGraph Professional through 4.2.6-pro allows remote attackers to execute arbitrary code via a PHP payload in the data parameter in conjunction with a .php file name. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection PHP RCE
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-6511 MEDIUM POC This Month

A vulnerability classified as problematic was found in y_project RuoYi up to 4.7.9. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Ruoyi
NVD VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2024-5943 HIGH PATCH This Week

The Nested Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

PHP WordPress CSRF Nested Pages
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2024-2385 HIGH This Week

The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.4 via several of the plugin's widgets through the 'style'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Information Disclosure Path Traversal RCE WordPress +2
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2024-39943 HIGH PATCH This Week

rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Apple Command Injection Node.js Http File Server
NVD GitHub
CVSS 3.1
8.8
EPSS
48.5%
CVE-2024-39935 HIGH PATCH This Week

jc21 NGINX Proxy Manager before 2.11.3 allows backend/internal/certificate.js OS command injection by an authenticated user (with certificate management privileges) via untrusted input to the DNS. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Command Injection Nginx Nginx Proxy Manager
NVD GitHub
CVSS 3.1
8.8
EPSS
0.9%
CVE-2024-3904 HIGH This Week

Incorrect Default Permissions vulnerability in Smart Device Communication Gateway preinstalled on MELIPC Series MI5122-VW firmware versions "05" to "07" allows a local attacker to execute arbitrary. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation RCE
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2024-6506 HIGH This Week

Information exposure vulnerability in the MRW plugin, in its 5.4.3 version, affecting the "mrw_log" functionality. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
8.2
EPSS
0.5%
CVE-2024-6507 HIGH This Week

Command injection when ingesting a remote Kaggle dataset due to a lack of input sanitization in the ingest_kaggle() API. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Command Injection
NVD GitHub
CVSS 3.1
8.1
EPSS
1.1%
CVE-2024-38345 HIGH This Week

A cross-site request forgery vulnerability exists in Sola Testimonials versions prior to 3.0.0. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2024-39934 HIGH This Week

Robotmk before 2.0.1 allows a local user to escalate privileges (e.g., to SYSTEM) if automated Python environment setup is enabled, because the "shared holotree usage" feature allows any user to edit. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Python
NVD GitHub
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-39937 HIGH This Week

supOS 5.0 allows api/image/download?fileName=../ directory traversal for reading files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Supos
NVD GitHub
CVSS 3.1
7.5
EPSS
0.9%
CVE-2024-37472 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WofficeIO Woffice woffice.4.8. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2024-1182 HIGH This Week

Uncontrolled Search Path Element vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric Hyper. Rated high severity (CVSS 7.0). No vendor patch available.

Information Disclosure
NVD VulDB
CVSS 3.1
7.0
EPSS
0.1%
CVE-2024-38471 MEDIUM This Month

Multiple TP-LINK products allow a network-adjacent attacker with an administrative privilege to execute arbitrary OS commands by restoring a crafted backup file. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

TP-Link Command Injection
NVD
CVSS 3.1
6.8
EPSS
0.4%
CVE-2024-1574 MEDIUM This Month

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in the licensing feature of Mitsubishi Electric GENESIS64 versions 10.97.2 and prior, Mitsubishi. Rated medium severity (CVSS 6.7). No vendor patch available.

Information Disclosure
NVD VulDB
CVSS 3.1
6.7
EPSS
0.1%
CVE-2024-2926 MEDIUM This Month

The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 8.3.7 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Addons For Elementor Elementor
NVD
CVSS 3.1
6.4
EPSS
0.5%
CVE-2024-3638 MEDIUM This Month

The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Marquee Text Widget, Testimonials Widget, and Testimonial Slider widgets in all. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Addons For Elementor Elementor
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-3639 MEDIUM This Month

The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Posts Grid widget in all versions up to, and including, 8.3.7 due to insufficient. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Addons For Elementor Elementor
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-5641 MEDIUM PATCH This Month

The One Click Order Re-Order plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ced_ocor_save_general_setting' function in all versions. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass XSS WordPress One Click Order Re Order
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-37471 MEDIUM This Month

Cross Site Scripting (XSS) vulnerability in WofficeIO Woffice Core allows Reflected XSS.4.8. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Woffice
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-1573 MEDIUM This Month

Missing Authentication for Critical Function vulnerability in the mobile monitoring feature of Mitsubishi Electric GENESIS64 versions 10.97.2 and prior, Mitsubishi Electric ICONICS Suite versions. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass
NVD VulDB
CVSS 3.1
5.9
EPSS
0.2%
CVE-2024-37474 MEDIUM This Month

Cross Site Scripting (XSS) vulnerability in Automattic Newspack Ads allows Stored XSS.47.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Newspack Ads
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-37476 MEDIUM This Month

Cross Site Scripting (XSS) vulnerability in Automattic Newspack Campaigns allows Stored XSS.31.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Newspack Popups
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-22277 MEDIUM This Month

VMware Cloud Director Availability contains an HTML injection vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS VMware Cloud Director
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-38344 MEDIUM This Month

A cross-site request forgery vulnerability exists in WP Tweet Walls versions prior to 1.0.4. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress CSRF
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-39211 MEDIUM This Month

Kaiten 57.128.8 allows remote attackers to enumerate user accounts via a crafted POST request, because a login response contains a user_email field only if the user account exists. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub
CVSS 3.1
5.3
EPSS
1.1%
CVE-2024-6434 LOW PATCH Monitor

The Premium Addons for Elementor plugin for WordPress is vulnerable to Regular Expression Denial of Service (ReDoS) in all versions up to, and including, 4.10.35. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service WordPress Premium Addons For Elementor Elementor
NVD
CVSS 3.1
3.1
EPSS
0.1%
CVE-2024-32754 LOW Monitor

Under certain circumstances, when the controller is in factory reset mode waiting for initial setup, it will broadcast its MAC address, serial number, and firmware version. Rated low severity (CVSS 3.1), this vulnerability is no authentication required. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
3.1
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy