Skip to main content
CVE-2026-1699 CRITICAL POC Act Now

Supply chain vulnerability in Eclipse Theia GitHub Actions workflow. The preview.yml workflow uses pull_request_target with checkout, enabling malicious PRs to steal secrets. CVSS 10.0, PoC available.

Github Theia Website
NVD
CVSS 3.1
10.0
EPSS
0.0%
CVE-2020-37027 CRITICAL POC Act Now

Unauthenticated command injection in Sickbeard alpha media management application. EPSS 0.70% with PoC available.

Command Injection
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
0.7%
CVE-2020-37052 CRITICAL POC Act Now

Pre-authentication RCE in AirControl 1.4.2 network management allows unauthenticated system command execution. PoC available.

Java RCE
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2020-37050 CRITICAL POC Act Now

Buffer overflow in Quick Player 1.3 via crafted .m3l playlist file allows arbitrary code execution. PoC available.

RCE Buffer Overflow
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2020-37043 CRITICAL POC Act Now

Buffer overflow in 10-Strike Bandwidth Monitor 3.9 bypasses SafeSEH, ASLR, and DEP protections. PoC available.

RCE Buffer Overflow
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2020-37056 CRITICAL POC Act Now

IP spoofing vulnerability in Crystal Shard http-protection 0.2.0 allows attackers to bypass protection middleware by manipulating request headers. PoC available.

Authentication Bypass
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2019-25232 CRITICAL POC Act Now

Buffer overflow in NetPCLinker 1.0.0.0 DNS/IP field allows shell command execution. PoC available.

Buffer Overflow
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2020-37032 HIGH POC This Week

Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. [CVSS 8.8 HIGH]

RCE Wing Ftp Server
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-1686 HIGH POC This Week

Buffer overflow in Totolink A3600R firmware version 5.9c.4959 allows authenticated remote attackers to execute arbitrary code through the setAppEasyWizardConfig function via a malformed apcliSsid parameter. Public exploit code exists for this vulnerability and no patch is currently available. Affected devices are at high risk given the lack of mitigation options and active exploitation potential.

Buffer Overflow A3600r Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2020-37023 HIGH POC This Week

Koken CMS 0.22.24 contains a file upload vulnerability that allows authenticated attackers to bypass file extension restrictions by renaming malicious PHP files. [CVSS 8.8 HIGH]

PHP
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-24854 HIGH POC PATCH This Week

Authenticated SQL injection in ChurchCRM's PaddleNumEditor.php endpoint prior to version 6.7.2 allows any logged-in user to execute arbitrary database queries regardless of their assigned permissions. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to read, modify, or delete sensitive church data. Update to version 6.7.2 or later to remediate.

PHP SQLi Churchcrm
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-69662 HIGH POC PATCH GHSA This Week

SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database. [CVSS 8.6 HIGH]

PostgreSQL SQLi pandas
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
CVE-2020-37031 HIGH POC This Week

Simple Startup Manager 1.17 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting memory through the 'File' input parameter. [CVSS 8.4 HIGH]

Buffer Overflow
NVD Exploit-DB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2020-37029 HIGH POC This Week

FTPDummy 4.80 contains a local buffer overflow vulnerability in its preference file handling that allows attackers to execute arbitrary code. [CVSS 8.4 HIGH]

Buffer Overflow
NVD Exploit-DB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2020-37028 HIGH POC This Week

Socusoft Photo to Video Converter Professional 8.07 contains a local buffer overflow vulnerability in the 'Output Folder' input field that allows attackers to execute arbitrary code. [CVSS 8.4 HIGH]

Buffer Overflow Stack Overflow
NVD Exploit-DB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2020-37025 HIGH POC This Week

Port Forwarding Wizard 4.8.0 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code through a long request in the Register feature. [CVSS 8.4 HIGH]

Windows Buffer Overflow
NVD Exploit-DB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2020-37024 HIGH POC This Week

Nidesoft DVD Ripper 5.2.18 contains a local buffer overflow vulnerability in the License Code registration parameter that allows attackers to execute arbitrary code. [CVSS 8.4 HIGH]

Buffer Overflow Stack Overflow
NVD Exploit-DB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2020-37036 HIGH POC This Week

RM Downloader 2.50.60 contains a local buffer overflow vulnerability in the 'Load' parameter that allows attackers to execute arbitrary code by overwriting memory. [CVSS 8.4 HIGH]

Buffer Overflow
NVD GitHub Exploit-DB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2020-37049 HIGH POC This Week

Frigate 3.36.0.9 contains a local buffer overflow vulnerability in the Command Line input field that allows attackers to execute arbitrary code. [CVSS 8.4 HIGH]

Buffer Overflow
NVD Exploit-DB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2020-37042 HIGH POC This Week

Frigate Professional 3.36.0.9 contains a local buffer overflow vulnerability in the 'Find Computer' feature that allows attackers to execute arbitrary code by overflowing the computer name input field. [CVSS 8.4 HIGH]

Buffer Overflow
NVD Exploit-DB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2020-37040 HIGH POC This Week

Code Blocks 17.12 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by crafting a malicious file name with Unicode characters. [CVSS 8.4 HIGH]

Buffer Overflow
NVD Exploit-DB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2020-37057 HIGH POC This Week

Online-Exam-System 2015 contains a SQL injection vulnerability in the feedback module that allows attackers to manipulate database queries through the 'fid' parameter. Attackers can inject malicious SQL code into the 'fid' parameter to potentially extract, modify, or delete database information. [CVSS 8.2 HIGH]

SQLi Online Exam System
NVD GitHub Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2020-37051 HIGH POC This Week

Online-Exam-System 2015 contains a time-based blind SQL injection vulnerability in the feedback form that allows attackers to extract database password hashes. [CVSS 8.2 HIGH]

PHP SQLi Online Exam System
NVD GitHub Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2020-37035 HIGH POC This Week

e-Learning PHP Script 0.1.0 contains a SQL injection vulnerability in the search functionality that allows attackers to manipulate database queries through unvalidated user input. [CVSS 8.2 HIGH]

PHP SQLi
NVD GitHub Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2020-37033 HIGH POC This Week

Infor Storefront B2B 1.0 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'usr_name' parameter in login requests. [CVSS 8.2 HIGH]

SQLi
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2020-37060 HIGH POC This Week

its service configuration contains a vulnerability that allows attackers to execute arbitrary code with SYSTEM privileges (CVSS 7.8).

Privilege Escalation
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2020-37058 HIGH POC This Week

its Windows service configuration. Local attackers can exploit the unquoted path to inject malicious code contains a security vulnerability (CVSS 7.8).

Windows
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2020-37059 HIGH POC This Week

Popcorn Time 6.2.1.14 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated system privileges. [CVSS 7.8 HIGH]

Information Disclosure
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2020-37030 HIGH POC This Week

Outline Service 1.3.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. [CVSS 7.8 HIGH]

RCE
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-1680 HIGH POC This Week

Local Admin Service versions up to 1.2.7.23180 is affected by execution with unnecessary privileges (CVSS 7.8).

Windows Local Admin Service
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2020-37041 HIGH POC This Week

OpenCTI 3.3.1 is vulnerable to a directory traversal attack via the static/css endpoint. An unauthenticated attacker can read arbitrary files from the filesystem by sending crafted GET requests with path traversal sequences (e.g., '../') in the URL. [CVSS 7.5 HIGH]

Linux Windows Path Traversal Opencti
NVD GitHub Exploit-DB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2020-37034 HIGH POC This Week

HelloWeb 2.0 contains an arbitrary file download vulnerability that allows remote attackers to download system files by manipulating filepath and filename parameters. Attackers can send crafted GET requests to download.asp with directory traversal to access sensitive configuration and system files. [CVSS 7.5 HIGH]

Path Traversal
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-25128 HIGH POC PATCH This Week

Fast-xml-parser versions 5.0.9 through 5.3.3 crash when processing XML containing out-of-range numeric entity code points, allowing remote attackers to cause denial of service against applications parsing untrusted XML input. Public exploit code exists for this vulnerability. Applications should upgrade to version 5.3.4 or later to remediate.

Denial Of Service Fast Xml Parser Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2020-37039 HIGH POC This Week

Frigate 2.02 contains a denial of service vulnerability that allows attackers to crash the application by sending oversized input to the command line interface. [CVSS 7.5 HIGH]

Denial Of Service
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2020-37038 HIGH POC This Week

Code Blocks 20.03 contains a denial of service vulnerability that allows attackers to crash the application by manipulating input in the FSymbols search field. Attackers can paste a large payload of 5000 repeated characters into the search field to trigger an application crash. [CVSS 7.5 HIGH]

Denial Of Service
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2020-37053 HIGH POC This Week

Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability that allows attackers to leak database information by manipulating the 'sidx' parameter in comments. [CVSS 7.1 HIGH]

SQLi Navigate Cms
NVD Exploit-DB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-25129 MEDIUM POC PATCH This Month

PsySH versions prior to 0.11.23 and 0.12.19 automatically execute a `.psysh.php` file from the current working directory during startup, allowing local attackers with write access to a directory to achieve arbitrary code execution when a user launches PsySH from that location. When a privileged user such as root or a CI runner executes PsySH in an attacker-controlled directory, this results in local privilege escalation. Public exploit code exists for this vulnerability and no patch is currently available.

PHP Laravel Privilege Escalation Psysh
NVD GitHub
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-1687 MEDIUM POC This Month

Hg10 Firmware versions up to - contains a vulnerability that allows attackers to command injection (CVSS 7.3).

Command Injection Tenda
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
5.3%
CVE-2020-37019 MEDIUM POC This Month

Orchard Core RC1 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts through blog post creation. [CVSS 6.4 MEDIUM]

XSS
NVD GitHub Exploit-DB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2020-37014 MEDIUM POC This Month

Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user profile name input that allows remote attackers to inject malicious scripts. [CVSS 6.4 MEDIUM]

XSS
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2020-36996 MEDIUM POC This Month

PHPFusion 9.03.50 contains a persistent cross-site scripting vulnerability in the print.php page that fails to properly sanitize user-submitted message content. [CVSS 6.4 MEDIUM]

PHP XSS
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-1689 MEDIUM POC This Month

Command injection in Tenda HG10 firmware's login interface allows unauthenticated remote attackers to execute arbitrary commands by manipulating the Host parameter in the checkUserFromLanOrWan function. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can fully compromise affected devices through remote code execution.

Command Injection Tenda
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
4.5%
CVE-2020-37022 MEDIUM POC This Month

OpenZ ERP 3.6.60 contains a persistent cross-site scripting vulnerability in the Employee module's name and description parameters. Attackers can inject malicious scripts through POST requests to , enabling session hijacking and manipulation of application modules. [CVSS 6.4 MEDIUM]

XSS
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2020-37003 MEDIUM POC This Month

Sellacious eCommerce 4.6 contains a persistent cross-site scripting vulnerability in the Manage Your Addresses module that allows attackers to inject malicious scripts. [CVSS 6.4 MEDIUM]

XSS
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2020-36998 MEDIUM POC This Month

Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. [CVSS 6.4 MEDIUM]

XSS
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2020-36966 MEDIUM POC This Month

Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows attackers to inject malicious scripts through multiple parameters. [CVSS 6.4 MEDIUM]

PHP LDAP XSS
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-25154 MEDIUM POC PATCH This Month

Cross-site scripting (XSS) in LocalSend up to version 1.17.0 allows unauthenticated attackers to inject malicious scripts through the "Share via Link" web interface, which fails to properly sanitize file names in the file list display. An attacker can craft a malicious file name that executes arbitrary JavaScript in the context of a victim's browser when they access the shared link, potentially leading to session hijacking or credential theft. Public exploit code exists for this vulnerability, though a patch is available in commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c.

XSS Localsend
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-0963 CRITICAL Act Now

Path traversal in Crafty Controller game server management allows authenticated attackers to read/write files outside the intended directory. CVSS 9.9 with scope change.

RCE Path Traversal Crafty Controller
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-51958 CRITICAL Act Now

Unauthenticated command injection in DokuWiki runcommand plugin via lib/plugins/runcommand. Allows arbitrary system command execution.

PHP Runcommand
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-25141 CRITICAL PATCH Act Now

Code injection in Orval TypeScript API client generator versions 7.19.0 to before 7.22.0. Generated client code may be vulnerable to injection through crafted OpenAPI specifications.

Code Injection Orval
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy