Skip to main content
CVE-2024-55556 CRITICAL POC THREAT Emergency

Crater Invoice application allows unauthenticated remote command execution through Laravel session cookie deserialization when the APP_KEY is known. Attackers who obtain the application key can forge session cookies containing serialized PHP objects that execute arbitrary commands on the server.

Deserialization
NVD GitHub
CVSS 3.1
9.8
EPSS
79.4%
Threat
5.8
CVE-2024-56278 CRITICAL Emergency

Improper Control of Generation of Code ('Code Injection') vulnerability in Smackcoders WP Ultimate Exporter allows PHP Remote File Inclusion.9.1. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 42.6% and no vendor patch available.

RCE Code Injection PHP
NVD
CVSS 3.1
9.1
EPSS
42.6%
CVE-2022-41573 CRITICAL POC Act Now

An issue was discovered in Ovidentia 8.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload PHP
NVD GitHub
CVSS 3.1
9.8
EPSS
10.0%
CVE-2025-0247 CRITICAL PATCH Act Now

Memory safety bugs present in Firefox 133 and Thunderbird 133. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 15.1% and no vendor patch available.

RCE Memory Corruption Buffer Overflow Mozilla
NVD VulDB
CVSS 3.1
9.8
EPSS
15.1%
CVE-2024-49649 CRITICAL Act Now

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Abdul Hakeem Build App Online allows PHP Local File Inclusion.0.23. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

LFI Information Disclosure PHP
NVD
CVSS 3.1
9.8
EPSS
4.6%
CVE-2024-50658 CRITICAL Act Now

Server-Side Template Injection (SSTI) was found in AdPortal 3.0.39 allows a remote attacker to execute arbitrary code via the shippingAsBilling and firstname parameters in updateuserinfo.html file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Adportal
NVD
CVSS 3.1
9.8
EPSS
2.6%
CVE-2024-43243 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGlow JobBoard Job listing allows Upload a Web Shell to a Web Server.2.6. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.9%
CVE-2024-50660 CRITICAL Act Now

File Upload Bypass was found in AdPortal 3.0.39 allows a remote attacker to execute arbitrary code via the file upload functionality. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Code Injection Adportal
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-49222 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Amento Tech Pvt ltd WPGuppy allows Object Injection.1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-12264 CRITICAL Act Now

The PayU CommercePro Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.8.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass WordPress Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-12402 CRITICAL Act Now

The Themes Coder - Create Android & iOS Apps For Your Woocommerce Site plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google WordPress Apple Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2022-41572 CRITICAL Act Now

An issue was discovered in EyesOfNetwork (EON) through 5.3.11. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Eyesofnetwork
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2024-56290 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce allows SQL Injection.2. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress SQLi
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2024-56284 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SSL Wireless SSL Wireless SMS Notification allows SQL Injection.5.0. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2025-22133 CRITICAL POC PATCH Act Now

WeGIA is a web manager for charitable institutions. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Code Injection PHP Wegia
NVD GitHub
CVSS 3.1
9.9
EPSS
0.4%
CVE-2024-54819 CRITICAL This Week

I, Librarian before and including 5.11.1 is vulnerable to Server-Side Request Forgery (SSRF) due to improper input validation in classes/security/validation.php. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 42.5% and no vendor patch available.

SSRF PHP
NVD GitHub
CVSS 3.1
9.1
EPSS
42.5%
CVE-2024-35532 CRITICAL This Week

An XML External Entity (XXE) injection vulnerability in Intersec Geosafe-ea 2022.12, 2022.13, and 2022.14 allows attackers to perform arbitrary file reading under the privileges of the running. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Buffer Overflow Denial Of Service Information Disclosure SSRF
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2024-55414 CRITICAL This Week

A vulnerability exits in driver SmSerl64.sys in Motorola SM56 Modem WDM Driver v6.12.23.0, which allows low-privileged users to mapping physical memory via specially crafted IOCTL requests . Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Command Injection Information Disclosure RCE Microsoft
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-21624 CRITICAL POC PATCH THREAT Act Now

ClipBucket V5 provides open source video hosting with PHP. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 24.9%.

File Upload PHP Clipbucket
NVD GitHub
CVSS 3.1
9.8
EPSS
24.9%
CVE-2024-8855 CRITICAL POC Act Now

The WordPress Auction Plugin WordPress plugin through 3.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing editors and above to perform SQL injection attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Wordpress Auction
NVD WPScan
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-12470 CRITICAL This Week

The School Management System - SakolaWP plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-12252 CRITICAL Act Now

The SEO LAT Auto Post plugin for WordPress is vulnerable to file overwrite due to a missing capability check on the remote_update AJAX action in all versions up to, and including, 2.2.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 68.1% and no vendor patch available.

RCE Code Injection WordPress PHP
NVD
CVSS 3.1
9.8
EPSS
68.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy