Skip to main content
CVE-2021-47952 CRITICAL POC Act Now

python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary Python commands by deserializing malicious JSON payloads containing py/repr objects. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE Deserialization Code Injection Python Jsonpickle
NVD Exploit-DB GitHub VulDB
CVSS 4.0
9.3
EPSS
0.3%
CVE-2020-37239 CRITICAL POC Act Now

libbabl 0.1.62 contains a broken double free detection vulnerability that allows attackers to bypass memory safety checks by exploiting signature overwriting in freed chunks. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Buffer Overflow Libbabl
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2020-37228 CRITICAL POC Act Now

iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA security bypass vulnerability that allows attackers to bypass authentication by requesting the autoLoginVerifyCode object. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Ids6 Dsspro Digital Signage System
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2021-47956 HIGH POC This Week

EgavilanMedia PHPCRUD 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the firstname parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2020-37244 HIGH POC This Week

Supsystic Membership 1.4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'search' and 'sidx'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Membership
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2020-37243 HIGH POC This Week

Supsystic Pricing Table 1.8.7 contains an SQL injection vulnerability in the 'sidx' GET parameter that allows unauthenticated attackers to execute arbitrary SQL queries through the getListForTbl. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi XSS Pricing Table
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2020-37242 HIGH POC This Week

Supsystic Ultimate Maps 1.1.12 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'sidx' GET. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Ultimate Maps
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2021-47954 HIGH POC This Week

LayerBB 1.1.4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the search_query parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2021-47977 HIGH POC This Week

WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Path Traversal PHP
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2021-47942 HIGH POC PATCH This Week

Home Assistant Community Store (HACS) 1.10.0 contains a path traversal vulnerability that allows unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Home Assistant Community Store Hacs
NVD Exploit-DB GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2020-37245 HIGH POC This Week

Supsystic Digital Publications 1.6.9 contains a path traversal vulnerability in the Folder input field that allows attackers to access files outside the web root by injecting directory traversal. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Path Traversal Digital Publications
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2021-47976 HIGH POC This Week

TextPattern CMS 4.9.0-dev contains a remote code execution vulnerability that allows authenticated attackers to upload arbitrary PHP files by exploiting the plugin upload functionality. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE CSRF PHP
NVD Exploit-DB GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2020-37227 HIGH POC This Week

HS Brand Logo Slider 2.1 contains an unrestricted file upload vulnerability that allows authenticated users to bypass client-side file extension validation by uploading arbitrary files. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload PHP
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2021-47979 HIGH POC This Week

WordPress Plugin Backup and Restore 1.0.3 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating parameters in AJAX requests. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Path Traversal PHP
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2021-47973 HIGH POC This Week

Sticky Notes Widget 3.0.6 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Apple
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2021-47972 HIGH POC This Week

Sticky Notes & Color Widgets 1.4.2 contains a denial of service vulnerability that allows attackers to crash the application by creating notes with excessively long character strings. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Sticky Notes Color Widgets
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2021-47971 HIGH POC This Week

My Notes Safe 5.3 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service My Notes Safe
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2021-47970 HIGH POC This Week

Macaron Notes 5.5 contains a denial of service vulnerability that allows attackers to crash the application by creating notes with excessively long character strings. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Macaron Notes Gear Notebook
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2021-47969 HIGH POC This Week

Color Notes 1.4 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Color Notes
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2021-47974 HIGH POC This Week

VX Search 13.5.28 contains an unquoted service path vulnerability in both VX Search Server and VX Search Enterprise services that allows local attackers to escalate privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE Vx Search
NVD Exploit-DB VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2020-37247 HIGH POC This Week

Kite 4.2.0.1 U1 contains an unquoted service path vulnerability in the KiteService Windows service that allows local attackers to escalate privileges by exploiting the service binary path. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Privilege Escalation
NVD Exploit-DB VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2020-37232 HIGH POC This Week

Advanced System Care Service 13.0.0.157 contains an unquoted service path vulnerability in the AdvancedSystemCareService13 service binary path that allows local attackers to escalate privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Advanced System Care Service
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2020-37231 HIGH POC This Week

Privacy Drive 3.17.0 contains an unquoted service path vulnerability in the pdsvc.exe service binary that allows local attackers to escalate privileges by exploiting the service startup process. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE Privacy Drive
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2020-37230 HIGH POC This Week

Syncplify.me Server!. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Syncplify Me Server
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2020-37229 HIGH POC This Week

OKI sPSV Port Manager 1.0.41 contains an unquoted service path vulnerability in the sPSVOpLclSrv service that allows local attackers to escalate privileges by inserting executable files into the. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Oki Spsv Port Manager
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2021-47980 HIGH POC This Week

Fuel CMS 1.4.13 contains a blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'col' parameter in the Activity Log. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Fuel Cms
NVD Exploit-DB GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2021-47978 MEDIUM POC This Month

ProcessMaker 3.5.4 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting improper path traversal validation. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

LFI Path Traversal PHP
NVD Exploit-DB VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2021-47934 MEDIUM POC This Month

MyBB Timeline Plugin 1.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through thread titles, post content, and user profile fields like Location and. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP CSRF
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2020-37246 MEDIUM POC This Month

Supsystic Backup 2.3.9 contains a local file inclusion vulnerability that allows unauthenticated attackers to read and delete arbitrary files by manipulating the download path parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

LFI Path Traversal PHP
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2020-37241 MEDIUM POC This Month

bloofoxCMS 0.5.2.1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious pages. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Bloofoxcms
NVD Exploit-DB GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2020-37234 MEDIUM POC This Month

Internet Download Manager 6.38.12 contains a buffer overflow vulnerability in the Scheduler component that allows local attackers to crash the application by supplying oversized input. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Internet Download Manager
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2021-47975 MEDIUM POC This Month

WP Learn Manager 1.1.2 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the fieldtitle parameter. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Wp Learn Manager
NVD Exploit-DB VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2021-47981 MEDIUM POC This Month

Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP CSRF
NVD Exploit-DB VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2021-47957 MEDIUM POC This Month

Cookie Law Bar 1.2.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unsanitized input to the Bar Message field. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Information Disclosure
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2020-37240 MEDIUM POC This Month

Queue Management System 4.0.0 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through user creation fields. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Queue Management System
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2020-37238 MEDIUM POC This Month

CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Cms Made Simple
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2020-37237 MEDIUM POC This Month

Composr CMS 10.0.34 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the banner management interface. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Composr Cms
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2020-37235 MEDIUM POC This Month

WordPress Theme Wibar 1.1.8 contains a stored cross-site scripting vulnerability in the Brand component that allows authenticated users to inject malicious scripts by manipulating the Logo URL. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2021-47955 MEDIUM POC This Month

CouchCMS 2.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript by uploading malicious SVG files through the file upload. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload XSS PHP
NVD Exploit-DB GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2020-37236 MEDIUM POC This Month

NewsLister contains an authenticated persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the title parameter in the news. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Newslister
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2020-37233 MEDIUM POC This Month

WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-46728 HIGH PATCH This Week

FIT image signature verification bypass in Das U-Boot before 2026.04 lets an attacker who can supply a Flat Image Tree get tampered boot components accepted as authentic, defeating verified/secure boot. Because the 'hashed-nodes' list is omitted from the computed hash, an attacker can alter which nodes are actually covered by the signature and load unsigned or modified kernels/images. There is no public exploit identified at time of analysis and EPSS is 0.00%, but SSVC rates technical impact as total, reflecting a full compromise of the chain of trust.

Authentication Bypass U Boot
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-8657 HIGH PATCH This Week

Prototype pollution in the jsondiffpatch JavaScript library before 0.7.6 allows attackers to modify Object.prototype by supplying crafted delta documents to jsondiffpatch.patch() or JSON Patch documents to the jsonpatch formatter's patch() API. Because attacker-controlled key names and JSON Pointer path segments were used to traverse and mutate objects without filtering __proto__, constructor, or prototype, any application that feeds untrusted diffs into the library can have global object behavior tampered with. A public POC exists in the Snyk advisory and an accompanying gist, but there is no public exploit identified at time of analysis (not on CISA KEV).

Prototype Pollution Information Disclosure Jsondiffpatch
NVD GitHub VulDB
CVSS 4.0
7.8
EPSS
0.1%
CVE-2026-46719 MEDIUM PATCH This Month

Metric injection in Net::Statsd::Lite (Perl) affects all releases before v0.9.0, allowing unauthenticated remote attackers to inject arbitrary statsd metrics by embedding newline, colon, or pipe characters into metric names derived from untrusted input. Because the statsd wire protocol uses these characters as record separators and field delimiters, an unsanitized metric name can smuggle additional forged metrics into the UDP stream transmitted to a statsd daemon, corrupting monitoring and telemetry data. No public exploit code exists at time of analysis and the EPSS score of 0.01% (1st percentile) indicates negligible observed exploitation activity; however, the patch diff makes exploitation trivially constructible by any attacker who can influence metric name values in a vulnerable application.

Code Injection Net
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-8681 MEDIUM This Month

Authorization bypass in Essential Chat Support plugin for WordPress versions ≤1.0.1 allows unauthenticated remote attackers to reset all plugin configuration settings to defaults via a single POST request. The vulnerability stems from missing authorization checks in the settings reset function, enabling tampering with general settings, display rules, custom CSS, and WooCommerce integration without credentials. CVSS 5.3 indicates medium severity with network-accessible exploitation requiring no privileges or user interaction. No public exploit identified at time of analysis, though the attack is trivial given the simple POST parameter requirement.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-4202 MEDIUM This Month

Authorization bypass in Multicollab WordPress plugin allows authenticated attackers with Subscriber-level privileges to inject comments into arbitrary editorial collaborations. This affects all versions up to and including 5.2. While CVSS rates this 4.3 (Low), the ability for low-privileged users to pollute editorial workflows could enable social engineering, misinformation injection into content review processes, or disruption of collaborative editing. EPSS data not provided. No active exploitation confirmed (not in CISA KEV). Patch available in version 3519252 per WordPress plugin repository changeset.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8656 LOW PATCH Monitor

Cross-site scripting (XSS) in jsondiffpatch library versions before 0.7.6 allows remote attackers to inject malicious HTML/JavaScript through crafted JSON property names or values when the annotated formatter output is rendered in a browser. The vulnerability enables attackers to execute arbitrary client-side code in victim browsers when applications compare untrusted JSON data and display formatted diffs to users. Publicly available exploit code exists (EPSS not provided in data, no CISA KEV listing), with fix version 0.7.6 confirmed via vendor advisory and GitHub commit 232338b34.

XSS Jsondiffpatch
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy