Skip to main content
CVE-2024-52433 CRITICAL POC THREAT Emergency

Unauthenticated PHP object injection in the Mindstien Technologies 'My Geo Posts Free' WordPress plugin (versions up to and including 1.2) allows remote attackers to deserialize attacker-controlled data, potentially leading to full site compromise. The flaw is rated CVSS 9.8 and carries an EPSS of 80.62% (99th percentile), indicating very high probability of near-term exploitation, though no public exploit identified at time of analysis.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
80.6%
Threat
5.9
CVE-2024-52429 CRITICAL Emergency

Web shell upload via the AntonHoelstad WP Quick Setup WordPress plugin (versions up to and including 2.0) allows authenticated remote attackers to upload files of dangerous types and achieve code execution on the underlying web server. EPSS rates exploitation probability at 34.73% (97th percentile), and no public exploit identified at time of analysis, though the CWE-434 pattern and low attacker requirements make this a high-priority issue for WordPress operators running the plugin.

File Upload
NVD
CVSS 3.1
9.9
EPSS
34.7%
CVE-2024-0012 CRITICAL POC KEV THREAT Emergency

An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Paloalto Privilege Escalation Pan Os
NVD
CVSS 4.0
9.3
EPSS
99.7%
CVE-2024-52430 CRITICAL Emergency

Untrusted data deserialization in the Lis Video Gallery WordPress plugin (versions through 0.2.1) by bublick allows remote attackers to perform PHP object injection, potentially leading to arbitrary code execution depending on gadget chains available in the WordPress instance. The CVSS 9.8 score and EPSS of 31.81% (97th percentile) signal elevated exploitation likelihood, though no public exploit identified at time of analysis. The flaw was disclosed via Patchstack and affects WordPress sites running this plugin.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
31.8%
CVE-2024-9474 MEDIUM POC KEV THREAT This Month

A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Paloalto Command Injection Pan Os
NVD GitHub
CVSS 4.0
6.9
EPSS
94.8%
CVE-2024-50919 CRITICAL POC Act Now

Jpress until v5.1.1 has arbitrary file uploads on the windows platform, and the construction of non-standard file formats such as .jsp. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Microsoft Jpress
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2024-47533 CRITICAL POC PATCH Act Now

Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
3.9%
CVE-2024-11303 HIGH POC This Week

The pathname of the root directory to a Restricted Directory ('Path Traversal') vulnerability in Korenix JetPort 5601 allows Path Traversal.2. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal
NVD
CVSS 4.0
8.7
EPSS
1.8%
CVE-2024-52427 CRITICAL Act Now

Deserialization of untrusted data in the Vollstart Event Tickets with Ticket Scanner WordPress plugin (versions up to and including 2.3.11) enables Server-Side Include (SSI) Injection, allowing authenticated low-privilege attackers to execute arbitrary code with scope-changing impact across the affected WordPress instance. With an EPSS score of 12.22% (94th percentile) and CVSS 9.9, this represents a high-priority issue, though no public exploit identified at time of analysis. The vulnerability was disclosed by Patchstack and impacts WordPress sites running this plugin.

Deserialization
NVD
CVSS 3.1
9.9
EPSS
12.2%
CVE-2024-48917 HIGH POC PATCH This Week

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XXE Phpspreadsheet
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-47873 HIGH POC PATCH This Week

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XXE Phpspreadsheet
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-52506 HIGH POC PATCH This Week

Graylog is a free and open log management platform. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Graylog
NVD GitHub
CVSS 4.0
7.1
EPSS
0.6%
CVE-2024-52432 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in NIX Solutions Ltd NIX Anti-Spam Light nix-anti-spam-light allows Object Injection.0.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-51051 CRITICAL Act Now

AVSCMS v8.2.0 was discovered to contain weak default credentials for the Administrator account. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-51053 CRITICAL Act Now

An arbitrary file upload vulnerability in the component /main/fileupload.php of AVSCMS v8.2.0 allows attackers to execute arbitrary code via uploading a crafted file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE PHP XSS File Upload
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-44756 CRITICAL Act Now

NUS-M9 ERP Management Software v3.0.0 was discovered to contain a SQL injection vulnerability via the usercode parameter at /UserWH/checkLogin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Nus M9 Erp
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-52316 CRITICAL PATCH Act Now

Unchecked Error Condition vulnerability in Apache Tomcat. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Authentication Bypass Debian Linux
NVD
CVSS 3.1
9.8
EPSS
6.3%
CVE-2024-42383 CRITICAL Act Now

Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows to write a NULL byte value beyond the memory space dedicated for the hostname field. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Memory Corruption Mongoose
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-47208 CRITICAL Act Now

Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz.12.17. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Code Injection Apache RCE Ofbiz
NVD
CVSS 3.1
9.8
EPSS
1.6%
CVE-2024-11315 CRITICAL Act Now

The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal Dvc
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2024-11314 CRITICAL Act Now

The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal Dvc
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2024-11313 CRITICAL Act Now

The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal Dvc
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2024-11312 CRITICAL Act Now

The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal Dvc
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2024-11311 CRITICAL Act Now

The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal Dvc
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2024-52431 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pressaholic WordPress Video Robot - The Ultimate Video Importer wp-video-robot allows SQL. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress SQLi
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2024-52434 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in supsystic Popup by Supsystic popup-by-supsystic allows Command Injection.10.29. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Deserialization
NVD
CVSS 3.1
9.1
EPSS
1.4%
CVE-2024-10486 MEDIUM POC This Month

The Google for WooCommerce plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.8.6. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google WordPress PHP Authentication Bypass Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.9%
CVE-2024-11305 MEDIUM POC This Month

A vulnerability classified as critical was found in Altenergy Power Control Software up to 20241108. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
3.7%
CVE-2024-52428 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Peter Ads Booster by Ads Pro free-wp-booster-by-ads-pro allows PHP Local File. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
8.1
EPSS
4.8%
CVE-2024-11319 MEDIUM POC PATCH This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in django CMS Association django-cms allows Cross-Site Scripting (XSS).11.7, 3.11.8, 4.1.2,. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Python XSS Django Cms
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.6%
CVE-2024-48962 HIGH This Week

Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Code Injection Apache CSRF RCE Ofbiz
NVD
CVSS 4.0
8.9
EPSS
0.6%
CVE-2024-3370 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Egebilgi Software Website Template allows SQL Injection.04.2024. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2024-48292 HIGH This Week

An issue in the wssrvc.exe service of QuickHeal Antivirus Pro Version v24.0 and Quick Heal Total Security v24.0 allows authenticated attackers to escalate privileges. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2024-45505 HIGH This Week

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache HertzBeat (incubating). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Command Injection Hertzbeat
NVD
CVSS 3.1
8.8
EPSS
2.1%
CVE-2024-41969 HIGH This Week

A low privileged remote attacker may modify the configuration of the CODESYS V3 service through a missing authentication vulnerability which could lead to full system access and/or DoS. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-41151 HIGH This Week

Deserialization of Untrusted Data vulnerability in Apache HertzBeat. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Apache Hertzbeat
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2024-49574 HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8123 are vulnerable to SQL Injection in the reports module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
CVSS 3.1
8.8
EPSS
1.7%
CVE-2024-22067 HIGH This Week

ZTE NH8091 product has an improper permission control vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Zte Nh8091 Firmware
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-52946 HIGH This Week

An issue was discovered in LemonLDAP::NG before 2.20.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-8781 HIGH This Week

Execution with Unnecessary Privileges, : Improper Protection of Alternate Path vulnerability in TR7 Application Security Platform (ASP) allows Privilege Escalation, -Privilege Abuse.4.25.188. Rated high severity (CVSS 8.7). No vendor patch available.

Privilege Escalation
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2024-52303 HIGH PATCH This Week

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Aiohttp
NVD GitHub
CVSS 4.0
8.7
EPSS
0.6%
CVE-2024-43704 HIGH This Week

Software installed and run as a non-privileged user may conduct improper GPU system calls to gain access to the graphics buffers of a parent process. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
8.4
EPSS
0.2%
CVE-2024-52583 HIGH This Week

The WesHacks GitHub repository provides the official Hackathon competition website source code for the Muweilah Wesgreen Hackathon. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD GitHub
CVSS 3.1
8.2
EPSS
0.2%
CVE-2024-41973 HIGH This Week

A low privileged remote attacker can specify an arbitrary file on the filesystem which may lead to an arbitrary file writes with root privileges. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.6%
CVE-2024-41971 HIGH This Week

A low privileged remote attacker can overwrite an arbitrary file on the filesystem leading to a DoS and data loss. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal
NVD
CVSS 3.1
8.1
EPSS
0.6%
CVE-2024-41967 HIGH This Week

A low privileged remote attacker may modify the boot mode configuration setup of the device, leading to modification of the firmware upgrade process or a denial-of-service attack. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2024-50804 HIGH This Week

Insecure Permissions vulnerability in Micro-star International MSI Center Pro 2.1.37.0 allows a local attacker to execute arbitrary code via the Device_DeviceID.dat.bak file within the. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection RCE
NVD
CVSS 3.1
7.8
EPSS
0.6%
CVE-2024-5030 LOW POC Monitor

The CM Table Of Contents WordPress plugin before 1.2.3 does not have CSRF check in place when resetting its settings, which could allow attackers to make a logged in admin perform such action via a. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Cm Table Of Contents
NVD WPScan
CVSS 3.1
3.8
EPSS
0.2%
CVE-2024-52945 HIGH This Week

An issue was discovered in Veritas NetBackup before 10.5. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Microsoft Netbackup
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-52435 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjada WPDM - Premium Packages wpdm-premium-packages.0.5. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.3%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy