Skip to main content
CVE-2026-25069 CRITICAL POC Act Now

Unauthenticated arbitrary file read and delete in SunFounder's Pironman Dashboard (pm_dashboard) 1.3.13 and earlier lets remote attackers abuse a path-traversal flaw in the log-file API to exfiltrate sensitive files and destroy critical system files. The dashboard runs on Raspberry Pi power/cooling hardware, so a successful attack can disclose configuration/secrets and cause data loss or denial of service. Publicly available exploit code exists; no active exploitation is confirmed, and EPSS remains low (0.20%).

Denial Of Service Path Traversal
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-25253 HIGH POC PATCH This Week

OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs extracted from query strings, transmitting authentication tokens without user confirmation. This network-based vulnerability requires user interaction (clicking a malicious link) and allows attackers to hijack authenticated sessions and perform actions with the victim's privileges. Public exploit code exists for this high-severity flaw with no patch currently available.

Information Disclosure Openclaw
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2021-47915 HIGH POC This Week

PHP Melody version 3.0 contains a remote SQL injection vulnerability in the video edit module that allows authenticated attackers to inject malicious SQL commands. [CVSS 8.1 HIGH]

SQLi Php Melody
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2021-47918 HIGH POC This Week

Simple CMS 2.1 contains a remote SQL injection vulnerability that allows privileged attackers to inject unfiltered SQL commands in the users module. Attackers can exploit unvalidated input parameters in the admin.php file to compromise the database management system and web application. [CVSS 8.1 HIGH]

PHP SQLi Simple Cms Php
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2020-37063 HIGH POC This Week

TFTP Turbo 4.6.1273 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. [CVSS 7.8 HIGH]

RCE
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2020-37061 HIGH POC This Week

BOOTP Turbo 2.0.1214 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. [CVSS 7.8 HIGH]

RCE
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2020-37064 HIGH POC This Week

EMP_NSWLSV service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).

RCE
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2020-37062 HIGH POC This Week

DHCP Turbo 4.61298 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code by exploiting the service binary path. Attackers can place malicious executables in the service path to gain elevated privileges when the service starts. [CVSS 7.8 HIGH]

RCE
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2020-37055 HIGH POC This Week

SpyHunter 4 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. [CVSS 7.8 HIGH]

RCE
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2020-37045 HIGH POC This Week

NetBackup INET Daemon service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).

RCE
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2020-37048 HIGH POC This Week

Iskysoft Application Framework Service 2.4.3.241 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated privileges. [CVSS 7.8 HIGH]

RCE
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2020-37047 HIGH POC This Week

DeepMgmtService contains a vulnerability that allows attackers to potentially execute code with elevated privileges (CVSS 7.8).

Windows
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2020-37037 HIGH POC This Week

Avast SecureLine 5.5.522.0 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. [CVSS 7.8 HIGH]

Code Injection
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2021-47913 MEDIUM POC This Month

PHP Melody 3.0 contains a persistent cross-site scripting vulnerability in the video editor that allows privileged users to inject malicious scripts. Attackers can exploit the WYSIWYG editor to execute persistent scripts, potentially leading to session hijacking and application manipulation. [CVSS 6.4 MEDIUM]

XSS Php Melody
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2021-47912 MEDIUM POC This Month

PHP Melody version 3.0 contains multiple non-persistent cross-site scripting vulnerabilities in categories, import, and user import files. Attackers can inject malicious scripts through unvalidated parameters to execute client-side attacks and potentially hijack user sessions. [CVSS 6.4 MEDIUM]

XSS Php Melody
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2021-47914 MEDIUM POC This Month

PHP Melody version 3.0 contains a persistent cross-site scripting vulnerability in the edit-video.php submitted parameter that allows remote attackers to inject malicious script code. [CVSS 6.4 MEDIUM]

PHP XSS Php Melody
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2021-47917 MEDIUM POC This Month

Simple CMS 2.1 contains a persistent cross-site scripting vulnerability in user input parameters that allows remote attackers to inject malicious script code. [CVSS 6.4 MEDIUM]

XSS Simple Cms Php
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2021-47919 MEDIUM POC This Month

Simple CMS 2.1 contains a non-persistent cross-site scripting vulnerability in the preview.php file's id parameter. Attackers can inject malicious script code through a GET request to execute arbitrary scripts and potentially hijack user sessions or perform phishing attacks. [CVSS 6.4 MEDIUM]

PHP XSS Simple Cms Php
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2021-47909 HIGH This Week

Mult-E-Cart Ultimate 2.4 contains multiple SQL injection vulnerabilities in inventory, customer, vendor, and order modules. Remote attackers with privileged vendor or admin roles can exploit the 'id' parameter to execute malicious SQL commands and compromise the database management system. [CVSS 8.1 HIGH]

SQLi
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2022-50950 MEDIUM This Month

Webile 1.0.1 contains a directory traversal vulnerability that allows remote attackers to manipulate file system paths without authentication. Attackers can exploit path manipulation to access sensitive system directories and potentially compromise the mobile device's local file system. [CVSS 6.5 MEDIUM]

Path Traversal
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2021-47921 MEDIUM This Month

Free Photo & Video Vault 0.0.2 contains a directory traversal web vulnerability that allows remote attackers to manipulate application path requests and access sensitive system files. [CVSS 6.5 MEDIUM]

Path Traversal
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2022-50941 MEDIUM This Month

BootCommerce 3.2.1 contains persistent input validation vulnerabilities that allow remote attackers to inject malicious script code through guest order checkout input fields. [CVSS 6.4 MEDIUM]

RCE XSS
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2022-50940 MEDIUM This Month

Knap Advanced PHP Login 3.1.3 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script code in the name parameter. [CVSS 6.4 MEDIUM]

PHP XSS
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2022-50797 MEDIUM This Month

Stripe Green Downloads Wordpress Plugin 2.03 contains a persistent cross-site scripting vulnerability allowing remote attackers to inject malicious scripts in button label fields. [CVSS 6.4 MEDIUM]

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2021-47908 MEDIUM This Month

Ultimate POS 4.4 contains a persistent cross-site scripting vulnerability in the product name parameter that allows remote attackers to inject malicious scripts. [CVSS 6.4 MEDIUM]

XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2021-47856 MEDIUM This Month

Easy Cart Shopping Cart 2021 contains a non-persistent cross-site scripting vulnerability in the search module's keyword parameter. Remote attackers can inject malicious script code through the search input to compromise user sessions and manipulate application content. [CVSS 6.4 MEDIUM]

XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2023-54343 MEDIUM This Month

QWE DL 2.0.1 mobile web application contains a persistent input validation vulnerability allowing remote attackers to inject malicious script code through path parameter manipulation. [CVSS 6.4 MEDIUM]

XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2022-50951 MEDIUM This Month

WiFi File Transfer 1.0.8 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through file and folder names. [CVSS 6.4 MEDIUM]

XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2021-47885 MEDIUM This Month

Multiple payment terminal versions contain non-persistent cross-site scripting vulnerabilities in billing and payment information input fields. [CVSS 6.4 MEDIUM]

XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2022-50952 MEDIUM This Month

TextBox Name Profile input. Attackers can inject malicious script code through a POST request is affected by cross-site scripting (xss) (CVSS 6.4).

XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1733 LOW POC Monitor

Improper authorization in CRMEB up to version 5.6.3 allows authenticated remote attackers to access unauthorized order details by manipulating the order_id parameter in the /api/store_integral/order/detail/ endpoint. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification.

Information Disclosure Crmeb
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2022-50942 MEDIUM This Month

Incinga Web 2.8.2 contains a client-side cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through the icinga.min.js file. [CVSS 5.4 MEDIUM]

XSS
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2021-47911 MEDIUM This Month

Affiliate Pro 1.7 contains multiple reflected cross-site scripting vulnerabilities in the index module's input fields. Attackers can inject malicious scripts through fullname, username, and email parameters to execute client-side attacks and manipulate browser requests. [CVSS 5.4 MEDIUM]

XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2021-47920 MEDIUM This Month

WebMO Job Manager 20.0 contains a cross-site scripting vulnerability in search parameters that allows remote attackers to inject malicious script code. [CVSS 5.4 MEDIUM]

XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy