Skip to main content
CVE-2025-15556 HIGH KEV PATCH THREAT Act Now

Notepad++ versions prior to 8.8.9 contain an update integrity verification vulnerability (CVE-2025-15556) when using the WinGUp updater. The update mechanism fails to cryptographically verify downloaded metadata and installers, allowing man-in-the-middle attackers to serve malicious executables during the update process. KEV-listed, this supply chain risk affects one of the most widely used text editors on Windows.

RCE Notepad
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
4.3%
CVE-2020-37113 HIGH POC This Week

Open Eclass Platform versions up to 1.7.3 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

PHP RCE Open Eclass Platform
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2020-37073 HIGH POC This Week

Victor Cms versions up to 1.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

PHP Victor Cms
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2020-37116 HIGH POC This Week

GUnet OpenEclass 1.7.3 includes phpMyAdmin 2.10.0.2 by default, which allows remote logins. Attackers with access to the platform can remotely access phpMyAdmin and, after uploading a shell, view the config.php file to obtain the MySQL password, leading to full database compromise. [CVSS 8.8 HIGH]

PHP MySQL Open Eclass Platform
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2020-37078 HIGH POC This Week

import module contains a vulnerability that allows attackers to delete arbitrary files by manipulating the delete_import parameter (CVSS 8.8).

Information Disclosure
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-24665 HIGH POC This Week

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 8.7 HIGH]

XSS Open Eclass Platform
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2020-37094 HIGH POC This Week

Authorization bypass in EspoCRM 5.8.5 lets an authenticated low-privilege user reuse or manipulate Basic-Authorization and Espo-Authorization tokens to authenticate as a different user, including administrators, and inherit their privileges. The flaw stems from the login path never binding an auth token to its owning user, so a token valid for one account is accepted for another when passwords collide, also defeating two-factor authentication. Publicly available exploit code exists (Exploit-DB 48376); EPSS is low at 0.35%, and the issue is not listed in CISA KEV.

Authentication Bypass Espocrm
NVD Exploit-DB GitHub VulDB
CVSS 4.0
8.6
EPSS
0.4%
CVE-2020-37088 HIGH POC This Week

School ERP Pro 1.0 contains a file disclosure vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the 'document' parameter in download.php. [CVSS 7.5 HIGH]

PHP Path Traversal School Erp Pro
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
5.4%
CVE-2020-37076 HIGH POC This Week

Victor CMS version 1.0 contains a SQL injection vulnerability in the 'post' parameter on post.php that allows remote attackers to manipulate database queries. [CVSS 8.2 HIGH]

PHP SQLi Victor Cms
NVD GitHub Exploit-DB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2020-37083 HIGH POC This Week

PHP AddressBook 9.0.0.1 contains a time-based blind SQL injection vulnerability that allows remote attackers to manipulate database queries through the 'id' parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2020-37110 HIGH POC This Week

60CycleCMS 2.5.2 contains an SQL injection vulnerability in news.php and common/lib.php that allows attackers to manipulate database queries through unvalidated user input. [CVSS 8.2 HIGH]

PHP SQLi XSS 60cyclecms
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2020-37089 HIGH POC This Week

School ERP Pro 1.0 contains a SQL injection vulnerability in the 'es_messagesid' parameter that allows attackers to manipulate database queries through GET requests. [CVSS 8.2 HIGH]

SQLi School Erp Pro
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2019-25260 HIGH POC This Week

OXID eShop versions 6.x prior to 6.3.4 contains a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. [CVSS 8.2 HIGH]

PHP SQLi
NVD GitHub Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-1803 HIGH POC This Week

Ziroom ZHOME A0101 devices running version 1.0.1.0 use hardcoded default credentials in the Dropbear SSH service, enabling unauthenticated remote attackers to gain unauthorized access with high impact to confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response. While exploitation requires specific conditions, security professionals should prioritize assessment and credential rotation for affected systems.

SSH
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2020-37102 HIGH POC This Week

WCAssistantService contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).

RCE
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2020-37100 HIGH POC This Week

Syncbreeze versions up to 12.4.18 contains a vulnerability that allows attackers to execute arbitrary code with elevated system privileges (CVSS 7.8).

RCE Syncbreeze
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-69875 HIGH POC This Week

A vulnerability exists in Quick Heal Total Security 23.0.0 in the quarantine management component where insufficient validation of restore paths and improper permission handling allow a low-privileged local user to restore quarantined files into protected system directories. [CVSS 7.8 HIGH]

Privilege Escalation Total Security
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2020-37101 HIGH POC This Week

VPN Unlimited 6.1 contains an unquoted service path vulnerability that allows local attackers to inject malicious executables into the service binary path. [CVSS 7.8 HIGH]

Code Injection
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2020-37099 HIGH POC This Week

its service configuration contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).

RCE
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2019-25261 HIGH POC This Week

Anydesk versions up to 5.4.0 contains a vulnerability that allows attackers to potentially inject malicious executables (CVSS 7.8).

Windows Anydesk
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-24669 HIGH POC This Week

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 7.8 HIGH]

Authentication Bypass Open Eclass Platform
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2020-37098 HIGH POC This Week

Disk Sorter Enterprise 12.4.16 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. [CVSS 7.8 HIGH]

RCE
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-60865 HIGH POC This Week

Pc Helpsoft Driver Updater versions up to 9.1.57803.1174 is affected by improper access control (CVSS 7.8).

Windows Pc Helpsoft Driver Updater
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-25502 HIGH POC PATCH This Week

Arbitrary code execution in iccDEV versions prior to 2.3.1.2 via stack-based buffer overflow in the icFixXml() function when parsing malformed ICC color profiles with crafted NamedColor2 tags. Local attackers with user interaction can exploit this vulnerability to execute arbitrary code with high impact on confidentiality, integrity, and availability. Public exploit code exists and a patch is available in version 2.3.1.2 and later.

Buffer Overflow Stack Overflow Iccdev
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-24773 HIGH POC This Week

Open Eclass Platform versions up to 4.2 is affected by authorization bypass through user-controlled key (CVSS 7.5).

Authentication Bypass Open Eclass Platform
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2020-37092 HIGH POC This Week

Netis E1+ version 1.2.32533 contains a hardcoded root account vulnerability that allows unauthenticated attackers to access the device with predefined credentials. Attackers can leverage the embedded root account with a crackable password to gain full administrative access to the network device. [CVSS 7.5 HIGH]

Authentication Bypass
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2020-37093 HIGH POC This Week

Netis E1+ 1.2.32533 contains an information disclosure vulnerability that allows unauthenticated attackers to retrieve WiFi passwords through the netcore_get.cgi endpoint. [CVSS 7.5 HIGH]

Information Disclosure
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2020-37085 HIGH POC This Week

VirtualTablet Server 3.0.2 contains a denial of service vulnerability that allows attackers to crash the service by sending oversized string payloads through the Thrift protocol. [CVSS 7.5 HIGH]

Denial Of Service
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2020-37097 HIGH POC This Week

Ew-7438Rpn Mini Firmware versions up to 1.13 is affected by insufficiently protected credentials (CVSS 7.5).

Information Disclosure Ew 7438rpn Mini Firmware
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-24672 HIGH POC This Week

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 7.3 HIGH]

XSS Open Eclass Platform
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2020-37084 HIGH POC This Week

School Erp Pro versions up to 1.0 is affected by unrestricted upload of file with dangerous type (CVSS 7.2).

PHP RCE School Erp Pro
NVD Exploit-DB
CVSS 3.1
7.2
EPSS
0.3%
CVE-2020-37072 HIGH POC This Week

Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'comment_author' POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript payloads through the comment submission form to execute arbitrary code in victim browsers. [CVSS 7.2 HIGH]

XSS Victor Cms
NVD GitHub Exploit-DB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2020-37112 HIGH POC This Week

GUnet OpenEclass 1.7.3 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through unvalidated parameters. [CVSS 7.1 HIGH]

SQLi Open Eclass Platform
NVD Exploit-DB
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-25503 HIGH POC PATCH This Week

Iccdev versions prior to 2.3.1.2 are vulnerable to denial of service when processing malformed ICC color profiles with invalid image encoding type values, causing application crashes due to type confusion. The vulnerability is remotely triggerable and public exploit code is available. A patch is available in version 2.3.1.2 and later.

Denial Of Service Iccdev
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2020-37108 HIGH POC This Week

PhpIX 2012 Professional contains a SQL injection vulnerability in the 'id' parameter of product_detail.php that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the 'id' parameter to potentially extract or modify database information. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2020-37105 HIGH POC This Week

PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated attackers to execute arbitrary SQL commands through the 'logid' parameter. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2020-37081 HIGH POC This Week

Fishing Reservation System 7.5 contains multiple remote SQL injection vulnerabilities in admin.php, cart.php, and calendar.php that allow attackers to inject malicious SQL commands. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-1730 HIGH This Week

OS DataHub Maps (WordPress plugin) is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

WordPress RCE
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-65875 HIGH This Week

An arbitrary file upload vulnerability in the AddFont() function of FPDF v1.86 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file. [CVSS 8.8 HIGH]

PHP Fpdf
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-24954 HIGH This Week

magepeopleteam WpEvently mage-eventpress is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-24512 HIGH PATCH This Week

Ingress-nginx controllers are vulnerable to arbitrary code execution through malicious path specifications in Ingress rules, allowing authenticated attackers to inject nginx configuration and execute commands with controller privileges. The vulnerability also enables disclosure of cluster-wide Secrets accessible to the controller. No patch is currently available, and exploitation requires low complexity with only low privileges needed.

Nginx Suse
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-1862 HIGH PATCH This Week

Chrome versions up to 144.0.7559.132 is affected by access of resource using incompatible type (type confusion) (CVSS 8.8).

Chrome Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-24887 HIGH POC PATCH This Week

Claude Code versions before 2.0.72 allow authenticated attackers to execute arbitrary commands by exploiting a command parsing defect that bypasses the execution confirmation prompt via malicious find command syntax. An attacker with the ability to inject untrusted content into a Claude Code context can trigger unintended command execution with high impact to confidentiality, integrity, and availability. No patch is currently available for affected deployments.

Command Injection AI / ML Claude Code
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-1580 HIGH PATCH This Week

Arbitrary code execution in ingress-nginx controllers via malicious `nginx.ingress.kubernetes.io/auth-method` Ingress annotations allows authenticated attackers to execute commands within the controller context and access cluster-wide Secrets. This vulnerability affects Nginx and Kubernetes deployments where the ingress controller has default cluster-wide Secret access permissions. No patch is currently available.

Nginx Kubernetes Suse
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-1861 HIGH PATCH This Week

Heap buffer overflow in Chrome's libvpx video codec allows remote attackers to achieve arbitrary code execution through a malicious webpage, requiring only user interaction to trigger exploitation. The vulnerability affects Chrome versions prior to 144.0.7559.132 and currently lacks a patch. With a CVSS score of 8.8, this high-severity flaw poses significant risk to users who visit compromised or attacker-controlled websites.

Buffer Overflow Chrome Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-22550 HIGH This Week

Authenticated command injection in WRC-X1500GS-B and WRC-X1500GSA-B routers enables logged-in users to execute arbitrary OS commands through specially crafted requests. An attacker with valid credentials can gain complete system control over the affected devices. No patch is currently available to remediate this vulnerability.

Command Injection Wrc X1500Gsa B Firmware Wrc X1500Gs B Firmware
NVD
CVSS 4.0
8.6
EPSS
0.1%
CVE-2025-6397 HIGH This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ankara Hosting Website Design Website Software allows Reflected XSS.This issue affects Website Software: through 03022026. [CVSS 8.6 HIGH]

XSS
NVD VulDB
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-62600 HIGH PATCH This Week

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). [CVSS 7.5 HIGH]

Information Disclosure Buffer Overflow Fast Dds Debian Linux
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
CVE-2025-62599 HIGH PATCH This Week

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). [CVSS 7.5 HIGH]

Information Disclosure Buffer Overflow Fast Dds Debian Linux
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-25022 HIGH This Week

Blind SQL injection in KiviCare clinic management system versions 3.6.16 and earlier allows authenticated attackers to execute arbitrary SQL queries over the network with no user interaction required. An attacker with valid credentials can exploit this vulnerability to extract sensitive data from the underlying database, though code execution is not possible. No patch is currently available for this HIGH severity vulnerability affecting the Iqonic Design product.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy