Skip to main content
CVE-2024-50526 CRITICAL POC Act Now

Unrestricted file upload in the Multi Purpose Mail Form WordPress plugin (versions through 1.0.2) by Lindeni Mahlalela allows unauthenticated remote attackers to upload arbitrary files including web shells, yielding full server compromise. CVSS is 10.0 with scope change, and publicly available exploit code exists; EPSS sits at 1.14% (78th percentile), indicating moderate but not yet widespread automated exploitation interest.

File Upload
NVD GitHub
CVSS 3.1
10.0
EPSS
1.1%
CVE-2024-48061 CRITICAL POC Act Now

langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) as any component provided the code functionality and the components run on the local machine rather than in a sandbox. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Langflow
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2024-48050 CRITICAL POC PATCH Act Now

In agentscope <=v0.0.4, the file agentscope\web\workstation\workflow_utils.py has the function is_callable_expression. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Agentscope
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-51327 CRITICAL POC Act Now

SQL Injection in loginform.php in ProjectWorld's Travel Management System v1.0 allows remote attackers to bypass authentication via SQL Injection in the 'username' and 'password' fields. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Travel Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-51136 CRITICAL POC Act Now

An XML External Entity (XXE) vulnerability in Dmoz2CSV in openimaj v1.3.10 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted XML file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XXE Openimaj
NVD GitHub
CVSS 3.1
9.8
EPSS
1.2%
CVE-2024-50525 CRITICAL Act Now

Unrestricted file upload in the Helloprint WordPress plugin (versions through 2.0.4) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The CVSS 10.0 score reflects network-reachable, no-auth exploitation with scope change and full CIA impact, though no public exploit has been identified at time of analysis and EPSS remains modest at 1.23% (79th percentile).

File Upload
NVD
CVSS 3.1
10.0
EPSS
1.2%
CVE-2024-50531 CRITICAL Act Now

Unrestricted file upload in the RSVPMaker for Toastmasters WordPress plugin (versions through 6.2.4) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The CVSS 10.0 score reflects scope change with complete confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis and EPSS remains modest at 0.89% (75th percentile).

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.9%
CVE-2024-50527 CRITICAL Act Now

Unrestricted file upload in the Stacks Mobile App Builder WordPress plugin (versions up to and including 5.2.3) permits remote unauthenticated attackers to upload arbitrary files, including web shells, to vulnerable WordPress sites. The CVSS 10.0 score with a scope-changed vector reflects full compromise potential of the underlying web server, though no public exploit has been identified at time of analysis and the EPSS score of 0.89% (75th percentile) suggests no widespread exploitation observed yet.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.9%
CVE-2024-50523 CRITICAL Act Now

Unrestricted file upload in the RainbowLink All Post Contact Form WordPress plugin (versions up to and including 1.8.2) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The CVSS 10.0 score with scope change (S:C) indicates the impact extends beyond the vulnerable component to the underlying WordPress host. No public exploit identified at time of analysis, and EPSS of 0.89% (75th percentile) suggests moderate but not yet widespread exploitation interest.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.9%
CVE-2024-50530 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Myriad Solutionz Stars SMTP Mailer stars-smtp-mailer allows Upload a Web Shell to a Web Server.2.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.9%
CVE-2024-50529 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in rudrainn Training - Courses training allows Upload a Web Shell to a Web Server.0.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.9%
CVE-2024-51501 CRITICAL PATCH Act Now

Refit is an automatic type-safe REST library for .NET Core, Xamarin and .NET The various header-related Refit attributes (Header, HeaderCollection and Authorize) are vulnerable to CRLF injection. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF
NVD GitHub
CVSS 4.0
10.0
EPSS
0.5%
CVE-2024-51661 CRITICAL Act Now

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in David Lingren Media LIbrary Assistant media-library-assistant allows Command Injection.19. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection
NVD
CVSS 3.1
9.1
EPSS
2.8%
CVE-2024-10035 CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Special Elements used in a Command ('Command Injection'), Improper Neutralization of Special Elements used in an. Rated critical severity (CVSS 9.2), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Command Injection Coslat
NVD VulDB
CVSS 4.0
9.2
EPSS
1.1%
CVE-2024-51561 CRITICAL Act Now

This vulnerability exists in Aero due to improper implementation of OTP validation mechanism in certain API endpoints. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Aero Wave 2 0
NVD
CVSS 4.0
9.3
EPSS
0.5%
CVE-2024-51558 CRITICAL Act Now

This vulnerability exists in the Wave 2.0 due to missing restrictions for excessive failed authentication attempts on its API based login. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Aero Wave 2 0
NVD
CVSS 4.0
9.3
EPSS
0.5%
CVE-2024-38408 CRITICAL PATCH Act Now

Cryptographic issue when a controller receives an LMP start encryption command under unexpected conditions. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Wsa8845h Firmware Wsa8845 Firmware Wsa8840 Firmware Wsa8835 Firmware +225
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2024-23590 CRITICAL PATCH Act Now

Session Fixation vulnerability in Apache Kylin.0.0 through 4.x. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Session Fixation Information Disclosure Kylin
NVD
CVSS 3.1
9.1
EPSS
0.6%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy