Skip to main content
CVE-2020-37097 HIGH POC This Week

Ew-7438Rpn Mini Firmware versions up to 1.13 is affected by insufficiently protected credentials (CVSS 7.5).

Information Disclosure Ew 7438rpn Mini Firmware
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-24672 HIGH POC This Week

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 7.3 HIGH]

XSS Open Eclass Platform
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2020-37084 HIGH POC This Week

School Erp Pro versions up to 1.0 is affected by unrestricted upload of file with dangerous type (CVSS 7.2).

PHP RCE School Erp Pro
NVD Exploit-DB
CVSS 3.1
7.2
EPSS
0.3%
CVE-2020-37072 HIGH POC This Week

Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'comment_author' POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript payloads through the comment submission form to execute arbitrary code in victim browsers. [CVSS 7.2 HIGH]

XSS Victor Cms
NVD GitHub Exploit-DB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2020-37112 HIGH POC This Week

GUnet OpenEclass 1.7.3 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through unvalidated parameters. [CVSS 7.1 HIGH]

SQLi Open Eclass Platform
NVD Exploit-DB
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-25503 HIGH POC PATCH This Week

Iccdev versions prior to 2.3.1.2 are vulnerable to denial of service when processing malformed ICC color profiles with invalid image encoding type values, causing application crashes due to type confusion. The vulnerability is remotely triggerable and public exploit code is available. A patch is available in version 2.3.1.2 and later.

Denial Of Service Iccdev
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2020-37108 HIGH POC This Week

PhpIX 2012 Professional contains a SQL injection vulnerability in the 'id' parameter of product_detail.php that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the 'id' parameter to potentially extract or modify database information. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2020-37105 HIGH POC This Week

PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated attackers to execute arbitrary SQL commands through the 'logid' parameter. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2020-37081 HIGH POC This Week

Fishing Reservation System 7.5 contains multiple remote SQL injection vulnerabilities in admin.php, cart.php, and calendar.php that allow attackers to inject malicious SQL commands. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2020-37077 MEDIUM POC This Month

Booked Scheduler 2.7.7 contains a directory traversal vulnerability in the manage_email_templates.php script that allows authenticated administrators to access unauthorized files. [CVSS 6.5 MEDIUM]

PHP Path Traversal
NVD Exploit-DB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-67189 MEDIUM POC This Month

A950Rg Firmware versions up to 4.1.2cu.5204_b20210112 is affected by classic buffer overflow (CVSS 6.5).

Buffer Overflow Denial Of Service A950rg Firmware RCE TOTOLINK
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2020-37115 MEDIUM POC This Month

GUnet OpenEclass 1.7.3 stores user credentials in plaintext, allowing administrators to view all registered users' usernames and passwords without encryption. This vulnerability exposes sensitive information and increases the risk of credential theft and unauthorized access. [CVSS 6.5 MEDIUM]

Authentication Bypass Open Eclass Platform
NVD Exploit-DB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24670 MEDIUM POC This Month

Broken access control in Open eClass Platform versions prior to 4.2 allows authenticated students to create course units, a privilege normally reserved for instructors and administrators. An attacker with valid student credentials can escalate their capabilities within the platform by performing unauthorized administrative actions. Public exploit code exists for this vulnerability, and no patch is currently available.

Authentication Bypass Open Eclass Platform
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24668 MEDIUM POC This Month

Broken access control in Open eClass Platform before version 4.2 allows authenticated students to modify course content that should only be editable by instructors and administrators. Public exploit code exists for this vulnerability, and no patch is currently available for affected deployments. An attacker with valid student credentials can escalate their privileges to alter course materials and potentially disrupt educational content integrity.

Authentication Bypass Open Eclass Platform
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24666 MEDIUM POC This Month

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 6.5 MEDIUM]

CSRF Open Eclass Platform
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1207 MEDIUM POC PATCH GHSA This Month

SQL injection in Django's PostGIS RasterField lookups allows authenticated attackers to execute arbitrary SQL commands through the band index parameter in affected versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Unsupported Django series including 5.0.x, 4.1.x, and 3.2.x may also be vulnerable. A patch is available and authentication is required to exploit this vulnerability.

Django SQLi Python
NVD HeroDevs VulDB
CVSS 3.1
5.4
EPSS
5.5%
CVE-2020-37086 MEDIUM POC This Month

Easy Transfer 1.7 iOS mobile application contains a directory traversal vulnerability that allows remote attackers to access unauthorized file system paths without authentication. [CVSS 6.2 MEDIUM]

Path Traversal
NVD Exploit-DB
CVSS 3.1
6.2
EPSS
1.3%
CVE-2019-25265 MEDIUM POC This Month

group description field of the admin edit groups section. Attackers can inject malicious JavaScript through the description field is affected by cross-site scripting (xss) (CVSS 6.4).

XSS
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2020-37103 MEDIUM POC This Month

DotNetNuke 9.5 contains a persistent cross-site scripting vulnerability that allows normal users to upload malicious XML files with executable scripts through journal tools. [CVSS 6.4 MEDIUM]

.NET XSS CSRF Dotnetnuke
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2019-25264 MEDIUM POC This Month

Snipe-IT 4.7.5 contains a persistent cross-site scripting vulnerability that allows authorized users to upload malicious SVG files with embedded JavaScript. Attackers can craft SVG files with script tags to execute arbitrary JavaScript when the accessory is viewed by other users. [CVSS 6.4 MEDIUM]

XSS
NVD GitHub Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2019-25263 MEDIUM POC This Month

Zendesk SweetHawk Survey 1.6 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through support ticket submissions. [CVSS 6.4 MEDIUM]

XSS
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-71179 MEDIUM POC This Month

Creativeitem Academy LMS 7.0 contains reflected Cross-Site Scripting (XSS) vulnerabilities via the search parameter to the /academy/blogs endpoint, and the string parameter to the /academy/course_bundles/search/query endpoint. [CVSS 6.1 MEDIUM]

XSS Academy Lms
NVD GitHub Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-24671 MEDIUM POC This Month

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 6.1 MEDIUM]

XSS Open Eclass Platform
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-69431 MEDIUM POC This Month

The ZSPACE Q2C NAS contains a vulnerability related to incorrect symbolic link following. [CVSS 6.1 MEDIUM]

Path Traversal Q2c Firmware
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-69430 MEDIUM POC This Month

An Incorrect Symlink Follow vulnerability exists in multiple Yottamaster NAS devices, including DM2 (version equal to or prior to V1.9.12), DM3 (version equal to or prior to V1.9.12), and DM200 (version equal to or prior to V1.2.23) that could be exploited by attackers to leak or tamper with the internal file system. [CVSS 6.1 MEDIUM]

Path Traversal Dm2 Firmware Dm200 Firmware Dm3 Firmware
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2020-37111 MEDIUM POC This Month

60CycleCMS 2.5.2 contains a cross-site scripting (XSS) vulnerability in news.php that allows attackers to inject malicious scripts through GET parameters. [CVSS 6.1 MEDIUM]

PHP SQLi XSS 60cyclecms
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-70849 MEDIUM POC PATCH This Month

Arbitrary File Upload in podinfo thru 6.9.0 allows unauthenticated attackers to upload arbitrary files via crafted POST request to the /store endpoint. [CVSS 6.1 MEDIUM]

XSS Podinfo Suse
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-69429 MEDIUM POC This Month

The ORICO NAS CD3510 (version V1.9.12 and below) contains an Incorrect Symlink Follow vulnerability that could be exploited by attackers to leak or tamper with the internal file system. [CVSS 6.1 MEDIUM]

Path Traversal Cd3510 Firmware
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-69983 CRITICAL Act Now

FUXA v1.2.7 allows remote code execution through the project import functionality by importing crafted project files containing malicious code.

RCE Fuxa
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-24936 CRITICAL Act Now

ASUSTOR ADM has an input validation vulnerability when joining AD Domain that allows unauthenticated attackers to compromise the NAS device.

Code Injection Data Master
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-25237 CRITICAL Act Now

PEAR PHP framework has a code execution vulnerability through unsafe use of preg_replace() that allows attackers to execute arbitrary PHP code.

PHP Pearweb
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-25241 CRITICAL Act Now

PEAR PHP framework has a seventh SQL injection with higher EPSS (0.12%), indicating more active scanning for this particular injection vector.

PHP SQLi Pearweb
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-69981 CRITICAL Act Now

FUXA v1.2.7 has an unrestricted file upload in the /api/upload endpoint that lacks authentication and file type validation, enabling web shell deployment on SCADA systems.

SQLi Fuxa
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-25240 CRITICAL Act Now

PEAR PHP framework has another SQL injection vulnerability prior to version 1.33.0, the sixth in a series of critical security flaws in the PHP component distribution system.

PHP SQLi Pearweb
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-25238 CRITICAL Act Now

PEAR PHP framework prior to 1.33.0 has a fifth SQL injection vulnerability, part of a comprehensive security audit that found multiple injection points across the framework.

PHP SQLi Pearweb
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-25236 CRITICAL Act Now

PEAR PHP framework has a second SQL injection vulnerability in a different code path, providing an alternate database compromise vector.

PHP SQLi Pearweb
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-25234 CRITICAL Act Now

PEAR PHP framework prior to 1.33.0 has a SQL injection vulnerability allowing attackers to extract data from the component distribution database.

PHP SQLi Pearweb
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-62799 CRITICAL PATCH Act Now

Fast DDS (eProsima) has a heap buffer overflow in its C++ DDS implementation that allows remote attackers to execute code through crafted DDS protocol messages.

Buffer Overflow Memory Corruption Denial Of Service Debian Linux Fast Dds
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-5319 CRITICAL Act Now

Emit Informatics product has a SQL injection vulnerability allowing unauthenticated database compromise through unsanitized input parameters.

SQLi
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-1568 CRITICAL Act Now

Rapid7 InsightVM before 8.34.0 has a SAML signature verification bypass (CVSS 9.6) allowing attackers to forge authentication assertions and gain unauthorized access.

Authentication Bypass
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-25483 MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce's Order Status History Message (versions 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1) allows authenticated attackers with database backup permissions to inject malicious scripts that execute in the context of other users' browsers. Public exploit code exists for this vulnerability, enabling attackers to exfiltrate sensitive data including user credentials, customer PII, order history, and 2FA recovery codes. Patches are available in versions 4.10.1 and 5.5.2.

XSS Craft Commerce
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25150 CRITICAL PATCH Act Now

Qwik JavaScript framework prior to 1.19.0 has a prototype pollution vulnerability that can lead to server-side code execution in SSR applications.

Denial Of Service Privilege Escalation Authentication Bypass Qwik
NVD GitHub
CVSS 3.1
9.3
EPSS
0.1%
CVE-2026-24664 MEDIUM POC This Month

Open Eclass Platform versions up to 4.2 contains a vulnerability that allows attackers to identify valid user accounts by analyzing differences in the login response beha (CVSS 5.3).

Information Disclosure Open Eclass Platform
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-69970 CRITICAL Act Now

FUXA v1.2.7 SCADA/HMI system has insecure default configuration with security disabled by default, exposing industrial control interfaces without authentication.

Information Disclosure Fuxa
NVD GitHub
CVSS 3.1
9.3
EPSS
0.1%
CVE-2020-37091 MEDIUM POC This Month

Maian Support Helpdesk 4.3 contains a cross-site request forgery vulnerability that allows attackers to create administrative accounts without authentication. [CVSS 5.3 MEDIUM]

PHP CSRF
NVD Exploit-DB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24465 CRITICAL Act Now

ELECOM wireless LAN access point devices have a stack-based buffer overflow that allows remote attackers to execute code or crash the device via crafted packets.

Buffer Overflow Stack Overflow RCE Wab S300Iw Pd Firmware Wab S733Iw Pd Firmware +6
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-1341 CRITICAL Act Now

Avation Light Engine Pro exposes its configuration and control interface without any authentication or access control.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2020-37096 MEDIUM POC This Month

Ew-7438Rpn Mini Firmware versions up to 1.13 is affected by cross-site request forgery (csrf) (CVSS 5.3).

CSRF Ew 7438rpn Mini Firmware
NVD Exploit-DB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1632 CRITICAL Act Now

MOMA Seismic Station v2.4.2520 exposes its web management interface without authentication, allowing unauthenticated control of seismological monitoring equipment.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-25233 CRITICAL Act Now

PEAR PHP framework prior to 1.33.0 has a logic bug in the roadmap feature allowing unauthorized access through incorrect operator comparison.

PHP Pearweb
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
Prev Page 2 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy