Skip to main content
CVE-2017-20215 HIGH POC This Week

FLIR Thermal Camera FC-S/PT firmware version 8.0.0.64 contains an authenticated OS command injection vulnerability that allows attackers to execute shell commands with root privileges. [CVSS 8.8 HIGH]

Command Injection
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2019-25289 HIGH POC This Week

SmartLiving SmartLAN <=6.x contains an authenticated remote command injection vulnerability in the web.cgi binary through the 'par' POST parameter with the 'testemail' module. [CVSS 8.8 HIGH]

Command Injection
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-21869 HIGH POC This Week

Llama.cpp server endpoints fail to validate the n_discard parameter from JSON input, allowing negative values that trigger out-of-bounds memory writes when the context buffer fills. This memory corruption vulnerability affects LLM inference operations and can be exploited remotely without authentication to crash the service or achieve code execution; public exploit code exists and no patch is currently available.

RCE Memory Corruption Denial Of Service AI / ML Llama.Cpp +2
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-68719 HIGH POC This Week

KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 mishandle configuration management. Once any user is logged in and maintains an active session, an attacker can directly query the backup endpoint and download a full configuration archive. [CVSS 8.8 HIGH]

Information Disclosure Ks Wr3600 Firmware
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-22255 HIGH POC This Week

Heap buffer overflow in iccDEV versions before 2.3.1.2 allows remote code execution when processing malicious ICC color profiles, affecting applications using the iccDEV library to handle color management data. Public exploit code exists for this vulnerability, and no patches are currently available. An attacker can trigger memory corruption through a crafted ICC profile to achieve arbitrary code execution without user interaction beyond opening the malicious file.

Code Injection Iccdev
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-22042 HIGH POC PATCH This Week

Incorrect IAM permission validation in RustFS prior to version 1.0.0-alpha.79 permits principals with export-only permissions to execute import operations, enabling unauthorized modification of users, groups, policies, and service accounts. Public exploit code exists for this vulnerability, and authenticated attackers can escalate privileges through malicious IAM imports. The issue affects all pre-1.0.0-alpha.79 versions with no patch currently available.

Privilege Escalation Rustfs
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-22257 HIGH POC PATCH This Week

Salvo is a Rust web backend framework. [CVSS 8.8 HIGH]

XSS Salvo
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-22256 HIGH POC PATCH This Week

Salvo is a Rust web backend framework. [CVSS 8.8 HIGH]

XSS Salvo
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2017-20212 HIGH POC This Week

FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains an information disclosure vulnerability that allows unauthenticated attackers to read arbitrary files through unverified input parameters. [CVSS 6.2 MEDIUM]

PHP Information Disclosure Path Traversal
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2025-63611 HIGH POC This Week

Cross-Site Scripting in phpgurukul Hostel Management System v2.1 user-provided complaint fields (Explain the Complaint) submitted via /register-complaint.php are stored and rendered unescaped in the admin viewer (/admin/complaint-details.php?cid=<id>). [CVSS 8.7 HIGH]

PHP XSS Hostel Management System
NVD
CVSS 3.1
8.7
EPSS
0.0%
CVE-2025-67089 HIGH POC This Week

A command injection vulnerability exists in the GL-iNet GL-AXT1800 router firmware v4.6.8. The vulnerability is present in the `plugins.install_package` RPC method, which fails to properly sanitize user input in package names. [CVSS 8.1 HIGH]

Command Injection Gl Axt1800 Firmware
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-22035 HIGH POC PATCH This Week

Arbitrary command execution in Greenshot 1.3.310 and earlier stems from insufficient input validation in filename processing, where unsanitized user-supplied filenames are passed directly to shell commands. An attacker can exploit this through a malicious filename containing shell metacharacters to achieve local code execution with user privileges. Public exploit code exists for this vulnerability; users should upgrade to version 1.3.311 or later.

Windows Command Injection Greenshot
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2025-69259 HIGH POC This Week

A message unchecked NULL return value vulnerability in Trend Micro Apex Central could allow a remote attacker to create a denial-of-service condition on affected installations. Please note: authentication is not required in order to exploit this vulnerability.. [CVSS 7.5 HIGH]

Trend Micro Apex Central
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2025-69260 HIGH POC This Week

A message out-of-bounds read vulnerability in Trend Micro Apex Central could allow a remote attacker to create a denial-of-service condition on affected installations. Please note: authentication is not required in order to exploit this vulnerability. [CVSS 7.5 HIGH]

Trend Micro Apex Central
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2025-56424 HIGH POC This Week

An issue in Insiders Technologies GmbH e-invoice pro before release 1 Service Pack 2 allows a remote attacker to cause a denial of service via a crafted script [CVSS 7.5 HIGH]

Denial Of Service E Invoice Pro
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2017-20213 HIGH POC This Week

FLIR Thermal Camera F/FC/PT/D Stream firmware version 8.0.0.64 contains an unauthenticated vulnerability that allows remote attackers to access live camera streams without credentials. [CVSS 7.5 HIGH]

Authentication Bypass
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-50334 HIGH POC PATCH This Week

An issue in Technitium DNS Server v.13.5 allows a remote attacker to cause a denial of service via the rate-limiting component [CVSS 7.5 HIGH]

Denial Of Service Dnsserver
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2019-25279 HIGH POC This Week

Facesentry Access Control System Firmware versions up to 5.7.0 is affected by cleartext storage of sensitive information (CVSS 7.5).

SQLi Facesentry Access Control System Firmware
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2017-20214 HIGH POC This Week

FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains hard-coded SSH credentials that cannot be changed through normal camera operations. Attackers can leverage these persistent, unmodifiable credentials to gain unauthorized remote access to the thermal camera system. [CVSS 7.5 HIGH]

SSH
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2019-25291 HIGH POC This Week

INIM Electronics Smartliving SmartLAN/G/SI <=6.x contains hard-coded credentials in its Linux distribution image that cannot be changed through normal device operations. [CVSS 7.5 HIGH]

Linux Industrial
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-15464 HIGH POC This Week

Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls. [CVSS 7.5 HIGH]

Authentication Bypass Fun Print
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22244 HIGH POC PATCH This Week

Remote code execution in OpenMetadata versions before 1.11.4 through Server-Side Template Injection in FreeMarker email templates allows authenticated administrators to execute arbitrary code on the affected system. Public exploit code exists for this vulnerability, and attackers with admin-level access can leverage unsafe template processing to compromise the metadata platform. A patch is available in version 1.11.4 and should be applied immediately.

RCE Openmetadata
NVD GitHub
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-22241 HIGH POC PATCH This Week

Openeclass versions up to 4.2 is affected by unrestricted upload of file with dangerous type (CVSS 7.2).

RCE Openeclass
NVD GitHub Exploit-DB VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-21873 HIGH POC PATCH This Week

NiceGUI versions 2.22.0 through 3.4.1 contain a cross-site DOM-based XSS vulnerability in the pushstate event listener for ui.sub_pages that allows attackers to manipulate URL fragment identifiers via iframe injection. Public exploit code exists for this vulnerability, and affected users should upgrade to version 3.5.0 or later as no patch is currently available for vulnerable versions.

Python Nicegui
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-21638 HIGH This Week

Remote code execution in Ubiquiti airMAX wireless devices (UBB, UBB-XG, UDB-Pro/UDB-Pro-Sector) allows adjacent network attackers to execute arbitrary code by exploiting a protocol vulnerability without authentication. Affected versions include UBB-XG 1.2.2 and earlier, UDB-Pro/UDB-Pro-Sector 1.4.1 and earlier, and UBB 3.1.5 and earlier. No patch is currently available, though vendors have released mitigation versions.

RCE Udb Pro Sector Firmware Udb Pro Firmware Ubb Xg Firmware Ubb Firmware
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-67915 HIGH This Week

Timetics WordPress plugin (through 1.0.46) allows authentication bypass via alternate path, enabling unauthenticated admin access to the booking system.

Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-66001 HIGH PATCH This Week

NeuVector supports login authentication through OpenID Connect. However, the TLS verification (which verifies the remote server's authenticity and integrity) for OpenID Connect is not enforced by default. [CVSS 8.8 HIGH]

TLS Suse
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-0719 HIGH PATCH This Week

Libsoup's NTLM authentication handler crashes when processing exceptionally long passwords due to a signed integer overflow in memory allocation calculations, affecting GNOME and applications relying on this library for network operations. An unauthenticated remote attacker can trigger a denial-of-service condition by sending specially crafted authentication requests. No patch is currently available.

Stack Overflow Buffer Overflow
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-67921 HIGH This Week

Lobo WordPress theme (before 2.8.6) has blind SQL injection enabling unauthenticated database extraction.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-22728 HIGH This Week

Workreap WordPress plugin (through 3.3.6) has SQL injection enabling unauthenticated database extraction. A freelance marketplace plugin likely containing user PII and financial data.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-22713 HIGH This Week

WooCommerce Orders & Customers Exporter (through 5.4) has SQL injection enabling unauthenticated extraction of all order and customer data including payment details and personal information.

WordPress SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-14025 HIGH PATCH This Week

A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API Tokens in AAP, are enforced at the Gateway level for Gateway-specific operations. [CVSS 8.5 HIGH]

Information Disclosure Red Hat
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2019-25231 HIGH This Week

devolo dLAN Cockpit 4.3.1 contains an unquoted service path vulnerability in the 'DevoloNetworkService' that allows local non-privileged users to potentially execute arbitrary code. [CVSS 8.4 HIGH]

RCE
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-68716 HIGH This Week

KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 enable the SSH service enabled by default on the LAN interface. The root account is configured with no password, and administrators cannot disable SSH or enforce authentication via the CLI or web GUI. [CVSS 8.4 HIGH]

SSH Ks Wr3600 Firmware
NVD GitHub
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-67920 HIGH This Week

Neo Ocular WordPress theme (before 1.2) allows PHP Local File Inclusion through improper filename control in include/require statements.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-22712 HIGH This Week

Typify WordPress theme (through 3.0.2) allows PHP Local File Inclusion via improper filename control.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-22708 HIGH This Week

Mitech WordPress theme (through 2.3.4) allows PHP Local File Inclusion through improper filename control in include/require statements.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-22707 HIGH This Week

Moody WordPress theme (through 2.7.3) allows PHP Local File Inclusion through improper filename control.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-22509 HIGH This Week

Atlas WordPress theme (through 2.1.0) allows PHP Local File Inclusion through improper filename control in PHP include statements.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-14431 HIGH This Week

Navian WordPress theme (through 1.5.4) allows PHP Local File Inclusion through improper filename control.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-14430 HIGH This Week

Brook WordPress theme (through 2.8.9) allows PHP Local File Inclusion via improper filename control in PHP include statements.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-14429 HIGH This Week

AeroLand WordPress theme (through 1.6.6) allows PHP Local File Inclusion through improper filename control. Unauthenticated RCE possible via include chain.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-14359 HIGH This Week

Oshine WordPress theme (through 7.2.7) allows PHP Local File Inclusion via improper filename control in include/require statements.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-12550 HIGH This Week

OchaHouse WordPress theme (through 2.2.8) allows PHP Local File Inclusion via improper filename control. Same vulnerability class as CVE-2025-12549.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-12549 HIGH This Week

Rozy Flower Shop WordPress theme (through 1.2.25) allows PHP Local File Inclusion through improper filename control in include/require statements. Unauthenticated RCE possible.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-67937 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Hendon hendon allows PHP Local File Inclusion.This issue affects Hendon: from n/a through < 1.7. [CVSS 8.1 HIGH]

PHP LFI Hendon
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-67936 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly curly allows PHP Local File Inclusion.This issue affects Curly: from n/a through < 3.3. [CVSS 8.1 HIGH]

PHP LFI Curly
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-67935 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Optimize optimizewp allows PHP Local File Inclusion.This issue affects Optimize: from n/a through < 2.4. [CVSS 8.1 HIGH]

PHP LFI Optimize
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-67934 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wellspring wellspring allows PHP Local File Inclusion.This issue affects Wellspring: from n/a through < 2.8. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-55125 HIGH This Week

This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as root by creating a malicious backup configuration file. [CVSS 7.8 HIGH]

RCE Veeam Backup Replication
NVD
CVSS 3.1
7.8
EPSS
0.1%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy