Skip to main content
CVE-2021-47758 HIGH POC This Week

Patient Management System versions up to 2.0.2 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

PHP RCE Patient Management System
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2021-47757 HIGH POC This Week

Patient Management System versions up to 2.0.2 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

PHP RCE Patient Management System
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-23527 HIGH POC PATCH GHSA This Week

HTTP request smuggling in H3 framework versions before 1.15.5 allows remote attackers to bypass security controls by exploiting improper case-sensitive validation of the Transfer-Encoding header. The vulnerability enables attackers to inject malicious requests that diverge between client and server parsing, potentially leading to cache poisoning, session hijacking, or other attacks. Public exploit code exists for this vulnerability.

Request Smuggling Information Disclosure H3
NVD GitHub
CVSS 3.1
8.9
EPSS
0.0%
CVE-2025-70893 HIGH POC This Week

A time-based blind SQL Injection vulnerability exists in PHPGurukul Cyber Cafe Management System v1.0 within the adminprofile.php endpoint. [CVSS 8.8 HIGH]

PHP SQLi Cyber Cafe Management System
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2021-47775 HIGH POC This Week

YouTube Video Grabber, now referred to as YouTube Downloader, 1.9.9.1 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting the Structured Exception Handler. [CVSS 8.4 HIGH]

DNS Buffer Overflow
NVD Exploit-DB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2021-47777 HIGH POC This Week

Build Smart ERP 21.0817 contains an unauthenticated SQL injection vulnerability in the 'eidValue' parameter of the login validation endpoint. [CVSS 8.2 HIGH]

SQLi
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-70298 HIGH POC This Week

GPAC v2.4.0 was discovered to contain an out-of-bounds read in the oggdmx_parse_tags function. [CVSS 8.2 HIGH]

Buffer Overflow Information Disclosure Gpac
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2021-47763 HIGH POC This Week

Aimeos 2021.10 LTS contains a SQL injection vulnerability in the json api 'sort' parameter that allows attackers to inject malicious database queries. Attackers can manipulate the sort parameter to reveal table and column names by sending crafted GET requests to the jsonapi/review endpoint. [CVSS 8.2 HIGH]

SQLi
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-66292 HIGH POC PATCH This Week

DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. [CVSS 8.1 HIGH]

Golang Path Traversal Dpanel Suse
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-22864 HIGH POC PATCH This Week

Arbitrary code execution in Deno runtime versions before 2.5.6 allows unauthenticated attackers to bypass shell script execution restrictions by using alternate casing in batch file extensions (e.g., .BAT, .Bat instead of .bat). The case-sensitive validation flaw enables attackers to spawn blocked Windows batch and command files, achieving remote code execution. Public exploit code exists and no patch is currently available for affected systems.

Windows Deno Suse
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2021-47762 HIGH POC This Week

HTTPDebuggerPro 9.11 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. [CVSS 7.8 HIGH]

RCE
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2021-47761 HIGH POC This Week

MilleGPG5 5.7.2 contains a local privilege escalation vulnerability that allows authenticated users to modify service executable files in the MariaDB bin directory. Attackers can replace the mysqld.exe with a malicious executable, which will execute with system privileges when the computer restarts. [CVSS 7.8 HIGH]

MySQL MariaDB Privilege Escalation
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2021-47773 HIGH POC This Week

Dynojet Power Core 2.3.0 contains an unquoted service path vulnerability in the DJ.UpdateService that allows local authenticated users to potentially execute code with elevated privileges. [CVSS 7.8 HIGH]

Information Disclosure Power Core
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2021-47767 HIGH POC This Week

10-Strike Network Inventory Explorer Pro 9.31 contains an unquoted service path vulnerability in the srvInventoryWebServer service running with LocalSystem privileges. [CVSS 7.8 HIGH]

Privilege Escalation Network Inventory Explorer
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2021-47752 HIGH POC This Week

Awebserver versions up to 18 is affected by allocation of resources without limits or throttling (CVSS 7.5).

MySQL Denial Of Service Awebserver
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-22265 HIGH POC PATCH This Week

Authenticated command injection in Roxy-WI versions prior to 8.2.8.2 enables attackers to execute arbitrary system commands through improper sanitization of the grep parameter in log viewing functionality. Public exploit code exists for this vulnerability, affecting users managing HAProxy, Nginx, Apache, and Keepalived servers through the web interface. A patch is available in version 8.2.8.2 and later.

Apache Nginx Command Injection Roxy Wi
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-70308 HIGH POC This Week

An out-of-bounds read in the GSF demuxer filter component of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .gsf file. [CVSS 7.5 HIGH]

Denial Of Service Gpac
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-70656 HIGH POC This Week

Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the mac parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. [CVSS 7.5 HIGH]

Stack Overflow Denial Of Service Ax1806 Firmware Tenda
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-71019 HIGH POC This Week

Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the wanSpeed parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. [CVSS 7.5 HIGH]

Stack Overflow Denial Of Service Ax1806 Firmware Tenda
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-70744 HIGH POC This Week

Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the cloneType parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. [CVSS 7.5 HIGH]

Stack Overflow Denial Of Service Ax1806 Firmware Tenda
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2021-47755 HIGH POC This Week

Oliver Library Server v5 contains a file download vulnerability that allows unauthenticated attackers to access arbitrary system files through unsanitized input in the FileServlet endpoint. [CVSS 7.5 HIGH]

Path Traversal Oliver V5 Library
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2021-47784 HIGH POC This Week

Cyberfox Web Browser 52.9.1 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the search bar with excessive data. Attackers can generate a 9,000,000 byte payload and paste it into the search bar to trigger an application crash. [CVSS 7.5 HIGH]

Denial Of Service
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-70304 HIGH POC This Week

A buffer overflow in the vobsub_get_subpic_duration() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted packet. [CVSS 7.5 HIGH]

Buffer Overflow Denial Of Service Gpac
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-70307 HIGH POC This Week

A stack overflow in the dump_ttxt_sample function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted packet. [CVSS 7.5 HIGH]

Stack Overflow Denial Of Service Gpac
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22863 HIGH POC PATCH This Week

Deno versions up to 2.6.0 contains a vulnerability that allows attackers to have infinite encryptions (CVSS 7.5).

Information Disclosure Deno Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-23622 HIGH POC This Week

Cross-Site Request Forgery (CSRF) in Easy!Appointments 1.5.2 and earlier allows remote attackers to perform administrative actions including admin account creation, credential modification, and full account takeover by tricking authenticated administrators into visiting a malicious page. The vulnerability stems from incomplete CSRF protection that only validates POST requests while state-changing operations accept GET parameters. A publicly available exploit exists (GitHub Security Advisory GHSA-54v4-4685-vwrj), though EPSS exploitation probability is low (0.01%, 1st percentile) and the vulnerability is not listed in CISA KEV, suggesting limited real-world exploitation to date.

PHP CSRF
NVD GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2025-67246 HIGH POC This Week

A local information disclosure vulnerability exists in the Ludashi driver before 5.1025 due to a lack of access control in the IOCTL handler. This driver exposes a device interface accessible to a normal user and handles attacker-controlled structures containing the lower 4GB of physical addresses. [CVSS 7.3 HIGH]

Privilege Escalation Information Disclosure Ludashi Driver
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-22249 HIGH POC PATCH This Week

Docmost versions 0.21.0 through 0.23.x contain a path traversal vulnerability in the zip import feature that allows authenticated attackers to write arbitrary files to the system due to insufficient filename validation. Public exploit code exists for this vulnerability, which could enable attackers to overwrite critical application files or achieve code execution. The vulnerability is patched in version 0.24.0 and affects all installations using the vulnerable import functionality.

Path Traversal Docmost
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2021-47766 HIGH POC This Week

Kmaleon 1.1.0.205 contains an authenticated SQL injection vulnerability in the 'tipocomb' parameter of kmaleonW.php that allows attackers to manipulate database queries. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-36911 HIGH POC This Week

Android versions up to - contains a vulnerability that allows attackers to remote (proximal/adjacent) information disclosure of user's conversations and lo (CVSS 7.1).

Information Disclosure Android Google
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-13062 HIGH This Week

Supreme Modules Lite (WordPress plugin) versions up to 2.5.62. is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

WordPress RCE PHP
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-67077 HIGH This Week

Agora-Project versions up to 25.10 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

File Upload Agora Project
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-61973 HIGH This Week

A local privilege escalation vulnerability exists during the installation of Epic Games Store via the Microsoft Store. A low-privilege user can replace a DLL file during the installation process, which may result in unintended elevation of privileges. [CVSS 8.8 HIGH]

Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-22867 HIGH PATCH This Week

Stored XSS in LaSuite Doc versions 3.8.0 through 4.3.0 allows authenticated users with document editing privileges to inject malicious JavaScript URLs into the Interlinking feature, which execute when other users click the crafted links. This vulnerability affects the collaborative documentation platform's security model by enabling arbitrary code execution in victims' browsers. A patch is available in version 4.4.0.

XSS Docs
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-23493 HIGH PATCH This Week

Pimcore versions up to 12.3.1 is affected by insertion of sensitive information into log file (CVSS 8.6).

Information Disclosure Pimcore
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
CVE-2025-13845 HIGH This Week

CWE-416: Use After Free vulnerability that could cause remote code execution when the end user imports the malicious project file (SSD file) into Rapsody.

RCE Use After Free Denial Of Service Memory Corruption Ecostruxure Power Build Rapsody
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2025-67823 HIGH This Week

A vulnerability in the Multimedia Email component of Mitel MiContact Center Business through 10.2.0.10 and Mitel CX through 1.1.0.1 could allow an unauthenticated attacker to conduct a Cross-Site Scripting (XSS) attack due to insufficient input validation. [CVSS 8.2 HIGH]

XSS Micontact Center Business Cx
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-1010 HIGH This Week

Stored XSS in Altium Workflow Engine allows authenticated users to inject malicious scripts into workflow forms that execute with administrator privileges when viewed. An attacker can exploit this to escalate privileges, create new admin accounts, steal session tokens, and perform arbitrary administrative actions. No patch is currently available for the on-premises enterprise server deployment.

XSS Privilege Escalation On Prem Enterprise Server
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-1008 HIGH This Week

Stored XSS in Altium Live user profile fields allows authenticated attackers to inject malicious scripts that execute when other users view the compromised profile, potentially enabling session hijacking or phishing attacks. The vulnerability stems from inadequate server-side input validation that fails to properly sanitize whitespace-based attribute injection techniques. Exploitation requires a valid user account and victim interaction but carries high risk due to cross-site impact affecting other platform users.

XSS Altium Live
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-67076 HIGH This Week

Directory traversal vulnerability in Omnispace Agora Project before 25.10 allowing unauthenticated attackers to read files on the system via the misc controller and the ExternalGetFile action. Only files with an extension can be read. [CVSS 7.5 HIGH]

Path Traversal Agora Project
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-9014 HIGH PATCH This Week

A Null Pointer Dereference vulnerability exists in the referer header check of the web portal of TP-Link TL-WR841N v14, caused by improper input validation. [CVSS 7.5 HIGH]

TP-Link Null Pointer Dereference Denial Of Service Tl Wr841n Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-64516 HIGH PATCH This Week

GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). [CVSS 7.5 HIGH]

Authentication Bypass Glpi
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-66417 HIGH This Week

GLPI is a free asset and IT management software package. From 11.0.0, < 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. [CVSS 7.5 HIGH]

SQLi Glpi
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-21917 HIGH This Week

Malformed SSL packets can trigger a Denial-of-Service condition in Juniper SRX devices running Junos OS with UTM Web-Filtering enabled, causing Forwarding Processor Card (FPC) crashes and restarts without requiring authentication. An unauthenticated network-based attacker can exploit this input validation flaw in the Web-Filtering module to disrupt device availability across affected Junos versions (23.2R2-S2 through 24.4R2). No patches are currently available for earlier Junos versions, and affected systems remain vulnerable until updates are applied.

Juniper TLS Denial Of Service Junos
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-0227 HIGH CERT-EU This Week

Unauthenticated remote attackers can crash Palo Alto Networks PAN-OS firewalls through repeated requests, forcing the devices into maintenance mode and causing denial of service. This vulnerability affects Palo Alto firewalls and Prisma Access deployments with no available patch, creating ongoing operational risk. The attack requires no authentication or user interaction and can be exploited over the network.

Paloalto Denial Of Service Pan Os Prisma Access
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22909 HIGH This Week

TDC X401gl devices with unpatched firmware lack proper authorization controls for critical system functions, enabling unauthenticated remote attackers to arbitrarily start, stop, or delete applications and cause denial of service. This network-accessible vulnerability requires no user interaction and affects all default configurations. No patch is currently available.

Authentication Bypass Tdc X401gl Firmware
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-0915 HIGH PATCH This Week

Stack memory disclosure in GNU C Library versions 2.0-2.42 allows unauthenticated remote attackers to leak sensitive stack contents via crafted DNS queries when getnetbyaddr functions are configured to use the DNS backend for network lookups. This vulnerability affects systems running vulnerable Glibc and DNS resolver combinations, with no available patch currently released.

DNS Glibc Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22803 HIGH PATCH This Week

SvelteKit versions 2.49.0 through 2.49.4 are vulnerable to denial-of-service attacks through the experimental form remote function, which fails to properly validate binary-encoded form payloads and can be exploited to exhaust server memory. An unauthenticated remote attacker can craft a malicious payload to trigger excessive memory allocation, rendering affected applications unavailable. The vulnerability is resolved in version 2.49.5.

Denial Of Service Kit
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22910 HIGH This Week

TDC X401GL firmware contains hardcoded default credentials for privileged user accounts, enabling unauthenticated attackers to gain unauthorized administrative access over the network. This vulnerability affects all deployments using default configurations and could allow attackers to compromise system integrity and perform unauthorized operations. No patch is currently available.

Authentication Bypass Tdc X401gl Firmware
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-21906 HIGH This Week

Juniper Junos OS SRX Series suffers a denial of service vulnerability in the packet forwarding engine when PowerMode IPsec and GRE performance acceleration are both enabled, allowing remote attackers to crash the device by sending a specially crafted ICMP packet through a GRE tunnel. The crash results in immediate traffic loss and device restart, affecting systems with both features active on vulnerable SRX platforms. No patch is currently available.

Juniper Denial Of Service Junos
NVD
CVSS 3.1
7.5
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy