Skip to main content
CVE-2021-47928 HIGH POC This Week

Opencart TMD Vendor System 3.x contains a blind SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the product_id. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Extension Tmd Vendor System
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2021-47941 HIGH POC This Week

WordPress Plugin Survey & Poll 1.5.7.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wp_sap. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2021-47930 HIGH POC This Week

Balbooa Joomla Forms Builder 2.0.6 contains an unauthenticated SQL injection vulnerability in the form submission handler that allows remote attackers to execute arbitrary SQL queries. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Balbooa Joomla Forms Builder
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2021-47939 HIGH POC This Week

Evolution CMS 3.1.6 contains a remote code execution vulnerability that allows authenticated users with module creation permissions to execute arbitrary system commands by injecting PHP code into. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE
NVD Exploit-DB GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2021-47937 HIGH POC This Week

e107 CMS 2.3.0 contains a remote code execution vulnerability that allows authenticated users with theme installation permissions to execute arbitrary commands by uploading malicious theme files. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE File Upload
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2021-47935 HIGH POC PATCH GHSA This Week

Sentry 8.2.0 contains a remote code execution vulnerability that allows authenticated superusers to execute arbitrary commands by injecting malicious pickle-serialized objects through the audit log. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection RCE Sentry
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2021-47938 HIGH POC This Week

ImpressCMS 1.4.2 contains a remote code execution vulnerability in the autotasks administrative interface that allows authenticated attackers to execute arbitrary PHP code by injecting malicious code. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2021-47943 HIGH POC This Week

TextPattern CMS 4.8.7 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by uploading malicious PHP files through the file upload. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE File Upload
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2021-47949 HIGH POC This Week

CyberPanel 2.1 contains a command execution vulnerability that allows authenticated attackers to read arbitrary files and execute remote code by exploiting symlink attacks through the filemanager. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Cyberpanel
NVD Exploit-DB GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2022-50944 HIGH POC This Week

Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection PHP
NVD Exploit-DB GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2021-47944 HIGH POC This Week

memono Notepad 4.2 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character buffers into note fields. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apple Denial Of Service
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2021-47945 HIGH POC This Week

Argus Surveillance DVR 4.0 contains an unquoted service path vulnerability in the DVRWatchdog service that allows local attackers to escalate privileges by exploiting the service binary path. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Argus Surveillance Dvr
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-45186 HIGH POC PATCH This Week

Denial of service in libexpat before 2.8.1 lets remote attackers exhaust CPU by submitting moderately sized crafted XML whose elements contain many colliding attribute names, triggering quadratic-time behavior in the parser's duplicate-attribute detection. Affects the widely embedded Expat C XML parsing library; publicly available exploit code exists (a proof-of-concept gist), though EPSS is 0.00% and the issue is not in CISA KEV, indicating no observed in-the-wild exploitation. CVSS 7.5 reflects availability-only impact with no confidentiality or integrity exposure.

Denial Of Service Libexpat
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8234 HIGH POC This Week

Stack-based buffer overflow in ipTIME A8004T router firmware 14.18.2 enables authenticated remote attackers to achieve complete system compromise via malformed WiFi configuration requests. The vulnerability exists in the formWifiBasicSet function's handling of the security_5g parameter. Public exploit code (GitHub POC) increases exploitation risk, though EPSS data and active exploitation status are not available. Vendor (EFM Networks) has not responded to disclosure or released a patch.

Stack Overflow Buffer Overflow Iptime A8004T
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-45180 HIGH This Week

Session ID disclosure in Catalyst::Plugin::Statsd for Perl (versions ≤0.10.0) occurs when the StatsD communication channel lacks encryption, leaking authentication tokens over unsecured UDP to remote StatsD daemons. CVSS 7.5 (High) reflects network-accessible confidentiality impact, but EPSS score of 0.03% (9th percentile) and SSVC assessment (no observed exploitation, partial technical impact) indicate limited real-world exploitation activity. Vendor advisory from GitHub Security (GHSA-gjvr-hq83-fc38) confirms the issue with related advisories for similar Plack-Middleware-Statsd vulnerability (CVE-2026-45179).

Information Disclosure Catalyst
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8177 HIGH PATCH This Week

Out-of-bounds heap read in XML::LibXML for Perl (all versions through 2.0210) allows remote attackers to trigger denial-of-service crashes by supplying XML node names with truncated UTF-8 sequences. The parser fails to validate multi-byte UTF-8 boundaries in node names, reading past allocated memory into adjacent heap regions. No public exploit identified at time of analysis, with EPSS score of 0.01% indicating very low observed exploitation probability. Vendor-released patch available via upstream commit 15652bd9.

Denial Of Service Information Disclosure Buffer Overflow Xml
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-14179 HIGH PATCH This Week

SQL injection in PHP's PDO Firebird driver allows remote attackers to manipulate database queries when applications use PDO::quote() with attacker-controlled input containing NUL bytes. The vulnerability affects PHP versions 8.2.* through 8.5.* across all maintained branches, with vendor patches released (8.2.31, 8.3.31, 8.4.21, 8.5.6). CVSS 7.4 with network attack vector but requires user interaction and precise timing conditions (AT:P). Proof-of-concept exploitation status confirmed (E:P), though no active exploitation identified in CISA KEV at time of analysis.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy