Skip to main content
CVE-2020-37032 HIGH POC This Week

Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. [CVSS 8.8 HIGH]

RCE Wing Ftp Server
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-1686 HIGH POC This Week

Buffer overflow in Totolink A3600R firmware version 5.9c.4959 allows authenticated remote attackers to execute arbitrary code through the setAppEasyWizardConfig function via a malformed apcliSsid parameter. Public exploit code exists for this vulnerability and no patch is currently available. Affected devices are at high risk given the lack of mitigation options and active exploitation potential.

Buffer Overflow A3600r Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2020-37023 HIGH POC This Week

Koken CMS 0.22.24 contains a file upload vulnerability that allows authenticated attackers to bypass file extension restrictions by renaming malicious PHP files. [CVSS 8.8 HIGH]

PHP
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-24854 HIGH POC PATCH This Week

Authenticated SQL injection in ChurchCRM's PaddleNumEditor.php endpoint prior to version 6.7.2 allows any logged-in user to execute arbitrary database queries regardless of their assigned permissions. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to read, modify, or delete sensitive church data. Update to version 6.7.2 or later to remediate.

PHP SQLi Churchcrm
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-69662 HIGH POC PATCH GHSA This Week

SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database. [CVSS 8.6 HIGH]

PostgreSQL SQLi pandas
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
CVE-2020-37031 HIGH POC This Week

Simple Startup Manager 1.17 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting memory through the 'File' input parameter. [CVSS 8.4 HIGH]

Buffer Overflow
NVD Exploit-DB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2020-37029 HIGH POC This Week

FTPDummy 4.80 contains a local buffer overflow vulnerability in its preference file handling that allows attackers to execute arbitrary code. [CVSS 8.4 HIGH]

Buffer Overflow
NVD Exploit-DB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2020-37028 HIGH POC This Week

Socusoft Photo to Video Converter Professional 8.07 contains a local buffer overflow vulnerability in the 'Output Folder' input field that allows attackers to execute arbitrary code. [CVSS 8.4 HIGH]

Buffer Overflow Stack Overflow
NVD Exploit-DB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2020-37025 HIGH POC This Week

Port Forwarding Wizard 4.8.0 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code through a long request in the Register feature. [CVSS 8.4 HIGH]

Windows Buffer Overflow
NVD Exploit-DB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2020-37024 HIGH POC This Week

Nidesoft DVD Ripper 5.2.18 contains a local buffer overflow vulnerability in the License Code registration parameter that allows attackers to execute arbitrary code. [CVSS 8.4 HIGH]

Buffer Overflow Stack Overflow
NVD Exploit-DB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2020-37036 HIGH POC This Week

RM Downloader 2.50.60 contains a local buffer overflow vulnerability in the 'Load' parameter that allows attackers to execute arbitrary code by overwriting memory. [CVSS 8.4 HIGH]

Buffer Overflow
NVD GitHub Exploit-DB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2020-37049 HIGH POC This Week

Frigate 3.36.0.9 contains a local buffer overflow vulnerability in the Command Line input field that allows attackers to execute arbitrary code. [CVSS 8.4 HIGH]

Buffer Overflow
NVD Exploit-DB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2020-37042 HIGH POC This Week

Frigate Professional 3.36.0.9 contains a local buffer overflow vulnerability in the 'Find Computer' feature that allows attackers to execute arbitrary code by overflowing the computer name input field. [CVSS 8.4 HIGH]

Buffer Overflow
NVD Exploit-DB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2020-37040 HIGH POC This Week

Code Blocks 17.12 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by crafting a malicious file name with Unicode characters. [CVSS 8.4 HIGH]

Buffer Overflow
NVD Exploit-DB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2020-37057 HIGH POC This Week

Online-Exam-System 2015 contains a SQL injection vulnerability in the feedback module that allows attackers to manipulate database queries through the 'fid' parameter. Attackers can inject malicious SQL code into the 'fid' parameter to potentially extract, modify, or delete database information. [CVSS 8.2 HIGH]

SQLi Online Exam System
NVD GitHub Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2020-37051 HIGH POC This Week

Online-Exam-System 2015 contains a time-based blind SQL injection vulnerability in the feedback form that allows attackers to extract database password hashes. [CVSS 8.2 HIGH]

PHP SQLi Online Exam System
NVD GitHub Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2020-37035 HIGH POC This Week

e-Learning PHP Script 0.1.0 contains a SQL injection vulnerability in the search functionality that allows attackers to manipulate database queries through unvalidated user input. [CVSS 8.2 HIGH]

PHP SQLi
NVD GitHub Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2020-37033 HIGH POC This Week

Infor Storefront B2B 1.0 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'usr_name' parameter in login requests. [CVSS 8.2 HIGH]

SQLi
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2020-37060 HIGH POC This Week

its service configuration contains a vulnerability that allows attackers to execute arbitrary code with SYSTEM privileges (CVSS 7.8).

Privilege Escalation
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2020-37058 HIGH POC This Week

its Windows service configuration. Local attackers can exploit the unquoted path to inject malicious code contains a security vulnerability (CVSS 7.8).

Windows
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2020-37059 HIGH POC This Week

Popcorn Time 6.2.1.14 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated system privileges. [CVSS 7.8 HIGH]

Information Disclosure
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2020-37030 HIGH POC This Week

Outline Service 1.3.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. [CVSS 7.8 HIGH]

RCE
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-1680 HIGH POC This Week

Local Admin Service versions up to 1.2.7.23180 is affected by execution with unnecessary privileges (CVSS 7.8).

Windows Local Admin Service
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2020-37041 HIGH POC This Week

OpenCTI 3.3.1 is vulnerable to a directory traversal attack via the static/css endpoint. An unauthenticated attacker can read arbitrary files from the filesystem by sending crafted GET requests with path traversal sequences (e.g., '../') in the URL. [CVSS 7.5 HIGH]

Linux Windows Path Traversal Opencti
NVD GitHub Exploit-DB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2020-37034 HIGH POC This Week

HelloWeb 2.0 contains an arbitrary file download vulnerability that allows remote attackers to download system files by manipulating filepath and filename parameters. Attackers can send crafted GET requests to download.asp with directory traversal to access sensitive configuration and system files. [CVSS 7.5 HIGH]

Path Traversal
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-25128 HIGH POC PATCH This Week

Fast-xml-parser versions 5.0.9 through 5.3.3 crash when processing XML containing out-of-range numeric entity code points, allowing remote attackers to cause denial of service against applications parsing untrusted XML input. Public exploit code exists for this vulnerability. Applications should upgrade to version 5.3.4 or later to remediate.

Denial Of Service Fast Xml Parser Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2020-37039 HIGH POC This Week

Frigate 2.02 contains a denial of service vulnerability that allows attackers to crash the application by sending oversized input to the command line interface. [CVSS 7.5 HIGH]

Denial Of Service
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2020-37038 HIGH POC This Week

Code Blocks 20.03 contains a denial of service vulnerability that allows attackers to crash the application by manipulating input in the FSymbols search field. Attackers can paste a large payload of 5000 repeated characters into the search field to trigger an application crash. [CVSS 7.5 HIGH]

Denial Of Service
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2020-37053 HIGH POC This Week

Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability that allows attackers to leak database information by manipulating the 'sidx' parameter in comments. [CVSS 7.1 HIGH]

SQLi Navigate Cms
NVD Exploit-DB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-25153 HIGH PATCH This Week

Arbitrary Python code execution in Backstage's @backstage/plugin-techdocs-node (versions < 1.13.11 and = 1.14.0) lets a contributor who can add or edit a repository's mkdocs.yml inject a malicious MkDocs `hooks` directive that runs on the TechDocs build server whenever TechDocs is configured with `runIn: local`. The flaw also affects documentation built in CI/CD via @techdocs/cli, which bundles the same package. EPSS is very low (0.02%, 6th percentile) and there is no public exploit identified at time of analysis, but the CVSS of 8.8 reflects full host compromise of the build environment.

Python Node.js Docker Backstage Code Injection +1
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-4686 HIGH This Week

Kodmatic Computer Software Tourism Construction Industry and Trade Ltd. Co. Online Exam and Assessment is affected by sql injection (CVSS 8.6).

SQLi
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2025-36384 HIGH PATCH This Week

Db2 contains a vulnerability that allows attackers to a local user with filesystem access to escalate their privileges due to the use (CVSS 8.4).

IBM Windows Db2
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0805 HIGH This Week

Remote code execution in Crafty Controller's Backup Configuration feature results from insufficient path traversal validation, enabling authenticated attackers to manipulate files and execute arbitrary code on affected systems. The vulnerability requires valid credentials and specific conditions to exploit but carries high impact due to its ability to compromise system integrity and confidentiality. No patch is currently available.

RCE Path Traversal Crafty Controller
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-1395 HIGH This Week

Codriapp Innovation and Software Technologies Inc. HeyGarson is affected by error message information leak (CVSS 8.2).

Information Disclosure
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-22277 HIGH This Week

Dell UnityVSA versions 5.4 and prior allow local attackers with low privileges to achieve arbitrary command execution with root-level access through OS command injection. This vulnerability requires local access and no user interaction, enabling attackers to completely compromise affected systems. No patch is currently available.

Command Injection Unity Operating Environment
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-21418 HIGH This Week

Dell Unity versions 5.5.2 and earlier suffer from an OS command injection vulnerability that allows local attackers with low privileges to execute arbitrary commands with root-level access. The flaw stems from improper input validation in command processing, enabling privilege escalation on affected systems. No patch is currently available for this vulnerability.

Command Injection Unity Operating Environment
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-62348 HIGH PATCH This Week

Salt's junos execution module contained an unsafe YAML decode/load usage. A specially crafted YAML payload processed by the junos module could lead to unintended code execution under the context of the Salt process. [CVSS 7.8 HIGH]

RCE Deserialization Suse
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-4027 HIGH PATCH This Week

A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. [CVSS 7.5 HIGH]

Authentication Bypass
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-24714 HIGH This Week

End-of-service Netgear devices with TelnetEnable functionality can have telnet service remotely activated via specially crafted magic packets, enabling unauthenticated remote access to the device. An attacker on the network can exploit this to gain command-line access without credentials, potentially leading to device compromise and lateral movement. No patch is available for affected products.

Netgear
NVD
CVSS 3.0
7.5
EPSS
0.1%
CVE-2026-25156 HIGH PATCH This Week

HotCRP conference review software versions from October 2025 through January 2026 improperly render uploaded documents inline in the browser instead of forcing download, allowing malicious HTML or SVG files to execute JavaScript with access to user credentials and HotCRP API permissions. Attackers can exploit this stored XSS vulnerability by uploading crafted documents to submission fields, which then compromise any user who clicks the document link. A patch is available to restrict inline rendering to safe document types.

XSS Hotcrp
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-36184 HIGH PATCH This Week

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 could allow an instance owner to execute malicious code that escalate their privileges to root due to execution of unnecessary privileges operated at a higher than minimum level. [CVSS 7.2 HIGH]

IBM Linux Windows Db2
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-22623 HIGH This Week

Authenticated command injection in HIKSEMI NAS devices allows privileged users to execute arbitrary commands through improper input validation on the device interface. Attackers with valid credentials can craft malicious messages to achieve unauthenticated code execution on affected systems. No patch is currently available for this vulnerability.

Command Injection RCE
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-0709 HIGH This Week

Authenticated command injection in Hikvision Wireless Access Points allows credential-holding attackers to execute arbitrary commands through insufficient input validation on network packets. The vulnerability affects all users of vulnerable Hikvision WAP models with valid account access and currently lacks available patches. With a CVSS score of 7.2, this poses a significant risk for environments where administrative credentials may be compromised or shared.

Hikvision
NVD
CVSS 3.1
7.2
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy