Skip to main content
CVE-2024-51793 CRITICAL POC THREAT Emergency

Unrestricted file upload in Ateeq Rafeeq's RepairBuddy (computer-repair-shop) WordPress plugin versions up to and including 3.8115 allows remote unauthenticated attackers to upload arbitrary files including web shells, leading to full server compromise. Publicly available exploit code exists, and the EPSS score of 45.04% (98th percentile) indicates a high likelihood of exploitation activity. The maximum CVSS score of 10.0 reflects scope change and complete confidentiality, integrity, and availability impact.

File Upload
NVD GitHub
CVSS 3.1
10.0
EPSS
45.0%
Threat
4.9
CVE-2024-51788 CRITICAL Emergency

Unrestricted file upload in Joshua Wolfe's The Novel Design Store Directory plugin (versions up to and including 4.3.0) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. With a maximum CVSS of 10.0, scope change, and an EPSS of 56.19% (98th percentile), this is among the highest-risk WordPress plugin issues; no public exploit is identified at time of analysis but exploitation probability is extremely elevated. Reported by Patchstack, the flaw enables direct arbitrary code execution against any site running the affected plugin.

File Upload
NVD
CVSS 3.1
10.0
EPSS
56.2%
CVE-2024-51791 CRITICAL POC Act Now

Unrestricted file upload in the Made I.T. Forms WordPress plugin (forms-by-made-it) through version 2.8.0 enables remote unauthenticated attackers to upload arbitrary files, including PHP web shells, leading to full server compromise. With a maximum CVSS score of 10.0 and changed scope, the issue affects all installations up to and including 2.8.0; publicly available exploit code exists, though EPSS sits at 0.75% (73rd percentile) indicating moderate observed activity rather than mass exploitation.

File Upload
NVD GitHub
CVSS 3.1
10.0
EPSS
0.8%
CVE-2024-52533 CRITICAL POC Act Now

gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\0' character. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Glib Debian Linux Active Iq Unified Manager Ontap Tools
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2024-50667 CRITICAL POC Act Now

The boa httpd of Trendnet TEW-820AP 1.01.B01 has a stack overflow vulnerability in /boafrm/formIPv6Addr, /boafrm/formIpv6Setup, /boafrm/formDnsv6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Tew 820Ap Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
6.5%
CVE-2024-50989 CRITICAL POC Act Now

A SQL injection vulnerability in /omrs/admin/search.php in PHPGurukul Online Marriage Registration System v1.0 allows an attacker to execute arbitrary SQL commands via the "searchdata " parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Online Marriage Registration System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-51490 CRITICAL POC Act Now

Ampache is a web based audio/video streaming application and file manager. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Ampache
NVD GitHub
CVSS 3.1
9.0
EPSS
0.5%
CVE-2024-51792 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Dang Ngoc Binh Audio Record audio-record allows Upload a Web Shell to a Web Server.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2024-51790 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in HB WEBSOL HB AUDIO GALLERY hb-audio-gallery allows Upload a Web Shell to a Web Server.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2024-51789 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in UjW0L Image Classify image-classify allows Upload a Web Shell to a Web Server.0.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2024-50636 CRITICAL Act Now

PyMOL 2.5.0 contains a vulnerability in its "Run Script" function, which allows the execution of arbitrary Python code embedded within .PYM files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Python RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
1.2%
CVE-2024-25255 CRITICAL Act Now

Sublime Text 4 was discovered to contain a command injection vulnerability via the New Build System module. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2024-25254 CRITICAL Act Now

SuperScan v4.1 was discovered to contain a buffer overflow via the Hostname/IP parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Superscan
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-44546 CRITICAL Act Now

Powerjob >= 3.20 is vulnerable to SQL injection via the version parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Powerjob
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-36061 CRITICAL Act Now

EnGenius EWS356-FIT devices through 1.1.30 allow blind OS command injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Ews356 Fit Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2024-51135 CRITICAL Act Now

An XML External Entity (XXE) vulnerability in the component DocumentBuilderFactory of powertac-server v1.9.0 allows attackers to access sensitive information or execute arbitrary code via supplying a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XSS XXE
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2024-11068 CRITICAL Act Now

The D-Link DSL6740C modem has an Incorrect Use of Privileged APIs vulnerability, allowing unauthenticated remote attackers to modify any user’s password by leveraging the API, thereby granting access. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

D-Link Information Disclosure Dsl6740C Firmware
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2024-11020 CRITICAL Act Now

Webopac from Grand Vice info has a SQL Injection vulnerability, allowing unauthenticated remote attacks to inject arbitrary SQL commands to read, modify, and delete database contents. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Webopac
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-11018 CRITICAL Act Now

Webopac from Grand Vice info does not properly validate uploaded file types, allowing unauthenticated remote attackers to upload and execute webshells, which could lead to arbitrary code execution on. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Webopac
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-11016 CRITICAL Act Now

Webopac from Grand Vice info has a SQL Injection vulnerability, allowing unauthenticated remote attacks to inject arbitrary SQL commands to read, modify, and delete database contents. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Webopac
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-46962 CRITICAL Act Now

The SYQ com.downloader.video.fast (aka Master Video Downloader) application through 2.0 for Android allows an attacker to execute arbitrary JavaScript code via the. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Google
NVD GitHub
CVSS 3.1
9.1
EPSS
0.4%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy