Skip to main content
CVE-2019-25675 HIGH POC This Week

eDirectory contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to bypass administrator authentication and disclose sensitive files by injecting SQL code into. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2019-25676 HIGH POC This Week

Ask Expert Script 3.0.5 contains cross-site scripting and SQL injection vulnerabilities that allow unauthenticated attackers to inject malicious code by manipulating URL parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS SQLi RCE
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25668 HIGH POC This Week

News Website Script 2.0.5 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the news ID parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25662 HIGH POC This Week

ResourceSpace 8.6 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'ref' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25694 HIGH POC This Week

Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the user2reset parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Kados R10 Greenbee
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25688 HIGH POC This Week

Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the menu_lev1 parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Kados Greenbee
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25684 HIGH POC This Week

OpenDocMan 1.3.4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'where' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25680 HIGH POC This Week

Advance Gift Shop Pro Script 2.0.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the search. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Advance Gift Shop Pro Script
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25674 HIGH POC This Week

CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25672 HIGH POC This Week

PilusCart 1.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'send' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Piluscart
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25678 HIGH POC This Week

C4G Basic Laboratory Information System 3.4 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2019-25700 HIGH POC This Week

Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the sort_direction parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Kados R10 Greenbee
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2019-25696 HIGH POC This Week

Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the language_tag parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Kados R10 Greenbee
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2019-25669 HIGH POC This Week

qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the search_by_extrafields[] parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Qdpm
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2019-25704 HIGH POC This Week

Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the filter_user_mail parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Kados R10 Greenbee
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2019-25702 HIGH POC This Week

Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the id_project parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Kados R10 Greenbee
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2019-25698 HIGH POC This Week

Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the id_to_delete parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Kados R10 Greenbee
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2019-25692 HIGH POC This Week

Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the 'id_to_modify' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Kados R10 Greenbee
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2019-25690 HIGH POC This Week

Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the mng_profile_id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Kados R10 Greenbee
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2019-25671 HIGH POC This Week

VA MAX 8.3.4 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the mtu_eth0 parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal RCE Apache
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2019-25685 HIGH POC This Week

phpBB contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by exploiting the plupload functionality and phar:// stream wrapper. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal File Upload RCE
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2019-25673 HIGH POC This Week

UniSharp Laravel File Manager v2.0.0-alpha7 and v2.0 contain an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by sending multipart form data to the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload RCE
NVD Exploit-DB GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2019-25686 HIGH POC This Week

Core FTP 2.0 build 653 contains a denial of service vulnerability in the PBSZ command that allows unauthenticated attackers to crash the service by sending a malformed command with an oversized. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Denial Of Service Core Ftp
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2019-25681 HIGH POC This Week

Xlight FTP Server 3.9.1 contains a structured exception handler (SEH) overwrite vulnerability that allows local attackers to crash the application and overwrite SEH pointers by supplying a crafted. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow RCE Xlight
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2019-25670 HIGH POC This Week

River Past Video Cleaner 7.6.3 contains a structured exception handler buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow RCE River Past Video Cleaner
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2019-25656 HIGH POC This Week

R i386 3.5.0 contains a local buffer overflow vulnerability in the GUI Preferences dialog that allows local attackers to trigger a structured exception handler (SEH) overwrite by supplying malicious. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow RCE R I386
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2019-25679 HIGH POC This Week

RealTerm Serial Terminal 2.0.0.70 contains a structured exception handling (SEH) buffer overflow vulnerability in the Echo Port tab that allows local attackers to execute arbitrary code by supplying. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow RCE Realterm
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-5604 HIGH POC This Week

Stack-based buffer overflow in Tenda CH22 router firmware version 1.0.0.1 allows authenticated remote attackers to execute arbitrary code via crafted 'standard' parameter to the formCertLocalPrecreate function in /goform/CertLocalPrecreate endpoint. Publicly available exploit code exists (GitHub), CVSS 7.4 (High), but no active exploitation confirmed (not in CISA KEV). CVSS vector indicates low attack complexity with required authentication (PR:L), affecting all three confidentiality, integrity, and availability at high impact levels.

Tenda Buffer Overflow Stack Overflow
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-5567 HIGH POC This Week

Buffer overflow in Tenda M3 router firmware 1.0.0.10 allows authenticated remote attackers to achieve code execution via the setAdvPolicyData endpoint. The vulnerability resides in the Destination Handler component's policyType parameter processing. Publicly available exploit code exists (GitHub POC), elevating immediate risk despite low-privilege authentication requirement. CVSS 7.4 reflects network-accessible attack with low complexity; no CISA KEV listing indicates exploitation remains proof-of-concept stage rather than widespread campaign targeting.

Tenda Buffer Overflow
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-5566 HIGH POC This Week

Buffer overflow in UTT HiPER 1250GW router firmware (versions ≤3.2.7-210907-180535) allows authenticated remote attackers to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. The vulnerability resides in the strcpy function within /goform/formNatStaticMap endpoint, where manipulation of the NatBind parameter triggers memory corruption. Publicly available exploit code exists (GitHub POC published), significantly lowering exploitation barriers for threat actors with valid credentials. CVSS 8.8 severity reflects network-based attack vector with low complexity, though low-privilege authentication is required, reducing immediate internet-scale exploitation risk.

Buffer Overflow Hiper 1250Gw
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-5544 HIGH POC This Week

Stack-based buffer overflow in UTT HiPER 1250GW router (versions up to 3.2.7-210907-180535) allows authenticated remote attackers to achieve arbitrary code execution with high integrity and availability impact via malformed Profile parameter in /goform/formRemoteControl endpoint. Publicly available exploit code exists. CVSS 8.8 reflects network accessibility with low attack complexity, though authentication requirement (PR:L) moderately reduces immediate exploit surface. No CISA KEV listing indicates exploitation remains proof-of-concept stage rather than widespread campaign activity.

Buffer Overflow Stack Overflow Hiper 1250Gw
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-5605 HIGH POC This Week

Stack-based buffer overflow in Tenda CH22 router firmware version 1.0.0.1 allows authenticated remote attackers to achieve arbitrary code execution via the formWrlExtraSet function. The vulnerability resides in the /goform/WrlExtraSet endpoint where manipulation of the 'GO' parameter triggers memory corruption. With CVSS 8.8 (network-accessible, low complexity, requires low-privileged authentication), this represents a critical risk to affected devices. Publicly available exploit code exists on GitHub, significantly lowering the barrier to exploitation, though no confirmed active exploitation (CISA KEV) has been reported at time of analysis.

Tenda Buffer Overflow Stack Overflow
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2019-25664 HIGH POC This Week

SuiteCRM 7.10.7 contains a time-based SQL injection vulnerability in the record parameter of the Users module DetailView action that allows authenticated attackers to manipulate database queries. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2019-25663 HIGH POC This Week

SuiteCRM 7.10.7 contains a SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the parentTab parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Suitecrm
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-5550 HIGH This Week

Stack-based buffer overflow in Tenda AC10 router firmware version 16.03.10.10_multi_TDE01 allows authenticated remote attackers to achieve complete system compromise through the fromSysToolChangePwd function in /bin/httpd. The vulnerability requires only low-privilege authentication (CVSS PR:L) and has low attack complexity, enabling potential remote code execution with full confidentiality, integrity, and availability impact. No public exploit code identified at time of analysis, though detailed technical findings have been published on GitHub documenting multiple vulnerable endpoints.

Tenda Stack Overflow Buffer Overflow
NVD VulDB GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-5548 HIGH This Week

Stack-based buffer overflow in Tenda AC10 router firmware 16.03.10.10_multi_TDE01 allows authenticated remote attackers to achieve code execution with high impact to confidentiality, integrity, and availability. The vulnerability resides in the fromSysToolChangePwd function within /bin/httpd, triggered by manipulating the sys.userpass parameter. Publicly available exploit code exists (GitHub repository documented), though no confirmed active exploitation (not in CISA KEV). CVSS 8.8 reflects network-accessible attack requiring only low-privilege authentication with low complexity, making this a realistic threat for internet-exposed routers with default or compromised credentials.

Tenda Buffer Overflow Stack Overflow
NVD VulDB GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-4272 HIGH This Week

Remote unauthenticated command execution in Honeywell Handheld Scanner base stations (C1/D1/A1/B1 models) allows attackers within Bluetooth range to execute system commands on connected host systems without authentication. Affects C1 Base (Ingenic x1000) before GK000432BAA, D1 Base (Ingenic x1600) before HE000085BAA, and A1/B1 Base (IMX25) before BK000763BAA/BK000765BAA/CU000101BAA. CVSS 8.1 (High) reflects high confidentiality and integrity impact with network attack vector requiring user interaction. No public exploit identified at time of analysis, though the missing authentication (CWE-306) combined with proximity-based Bluetooth attack vector creates significant risk for environments using these industrial scanning devices.

Honeywell Authentication Bypass
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-5599 HIGH PATCH This Week

Cross-world user deletion in venueless allows authenticated API users with 'manage users' permission in one world to delete user accounts in completely separate worlds. Venueless versions prior to commit 02b9cbe5 are affected. The CVSS 7.3 rating reflects network-based attack requiring low-complexity exploitation by authenticated users with low privileges. No public exploit identified at time of analysis, though the vulnerability permits unauthorized data destruction across tenant boundaries in multi-tenant deployments.

Information Disclosure Venueless
NVD GitHub
CVSS 4.0
7.3
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy