Total
27080 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-48138 | 2024-11-01 | N/A | 9.8 CRITICAL | ||
| A remote code execution (RCE) vulnerability in the component /PluXml/core/admin/parametres_edittpl.php of PluXml v5.8.16 and lower allows attackers to execute arbitrary code via injecting a crafted payload into a template. | |||||
| CVE-2024-48206 | 2024-11-01 | N/A | 9.8 CRITICAL | ||
| A Deserialization of Untrusted Data vulnerability in chainer v7.8.1.post1 leads to execution of arbitrary code. | |||||
| CVE-2024-50503 | 2024-11-01 | N/A | 9.8 CRITICAL | ||
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Deryck OƱate User Toolkit allows Authentication Bypass.This issue affects User Toolkit: from n/a through 1.2.3. | |||||
| CVE-2024-10456 | 2024-11-01 | N/A | 9.8 CRITICAL | ||
| Delta Electronics InfraSuite Device Master versions prior to 1.0.12 are affected by a deserialization vulnerability that targets the Device-Gateway, which could allow deserialization of arbitrary .NET objects prior to authentication. | |||||
| CVE-2024-50507 | 2024-11-01 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in Daniel Schmitzer DS.DownloadList allows Object Injection.This issue affects DS.DownloadList: from n/a through 1.3. | |||||
| CVE-2024-8512 | 2024-11-01 | N/A | 9.1 CRITICAL | ||
| The W3SPEEDSTER plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.26 via the 'script' parameter of the hookBeforeStartOptimization() function. This is due to the plugin passing user supplied input to eval(). This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server. | |||||
| CVE-2024-10392 | 2024-11-01 | N/A | 9.8 CRITICAL | ||
| The AI Power: Complete AI Pack plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'handle_image_upload' function in all versions up to, and including, 1.8.89. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2024-50511 | 2024-11-01 | N/A | 9.9 CRITICAL | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in David DONISA WP donimedia carousel allows Upload a Web Shell to a Web Server.This issue affects WP donimedia carousel: from n/a through 1.0.1. | |||||
| CVE-2024-50510 | 2024-11-01 | N/A | 10.0 CRITICAL | ||
| Unrestricted Upload of File with Dangerous Type vulnerability in Web and Print Design AR For Woocommerce allows Upload a Web Shell to a Web Server.This issue affects AR For Woocommerce: from n/a through 6.2. | |||||
| CVE-2024-49674 | 2024-11-01 | N/A | 9.6 CRITICAL | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Lukas Huser EKC Tournament Manager allows Upload a Web Shell to a Web Server.This issue affects EKC Tournament Manager: from n/a through 2.2.1. | |||||
| CVE-2024-48910 | 2024-11-01 | N/A | 9.1 CRITICAL | ||
| DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2. | |||||
| CVE-2024-40457 | 2024-10-31 | N/A | 9.1 CRITICAL | ||
| No-IP Dynamic Update Client (DUC) v3.x uses cleartext credentials that may occur on a command line or in a file. NOTE: the vendor's position is that cleartext in /etc/default/noip-duc is recommended and is the intentional behavior. | |||||
| CVE-2024-7042 | 1 Langchain | 1 Langchain | 2024-10-31 | N/A | 9.8 CRITICAL |
| A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. This vulnerability permits unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database. | |||||
| CVE-2024-5823 | 1 Gaizhenbiao | 1 Chuanhuchatgpt | 2024-10-31 | N/A | 9.1 CRITICAL |
| A file overwrite vulnerability exists in gaizhenbiao/chuanhuchatgpt versions <= 20240410. This vulnerability allows an attacker to gain unauthorized access to overwrite critical configuration files within the system. Exploiting this vulnerability can lead to unauthorized changes in system behavior or security settings. Additionally, tampering with these configuration files can result in a denial of service (DoS) condition, disrupting normal system operation. | |||||
| CVE-2024-50497 | 1 Buynowdepot | 1 Advanced Online Ordering And Delivery Platform | 2024-10-31 | N/A | 9.8 CRITICAL |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BuyNowDepot Advanced Online Ordering and Delivery Platform allows PHP Local File Inclusion.This issue affects Advanced Online Ordering and Delivery Platform: from n/a through 2.0.0. | |||||
| CVE-2024-50483 | 1 Tareqhasan | 1 Meetup | 2024-10-31 | N/A | 9.8 CRITICAL |
| Authorization Bypass Through User-Controlled Key vulnerability in Meetup allows Privilege Escalation.This issue affects Meetup: from n/a through 0.1. | |||||
| CVE-2024-50479 | 1 Mansurahamed | 1 Woocommerce Quote Calculator | 2024-10-31 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mansur Ahamed Woocommerce Quote Calculator allows Blind SQL Injection.This issue affects Woocommerce Quote Calculator: from n/a through 1.1. | |||||
| CVE-2024-10449 | 1 Codezips | 1 Hospital Appointment System | 2024-10-31 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability, which was classified as critical, was found in Codezips Hospital Appointment System 1.0. This affects an unknown part of the file /loginAction.php. The manipulation of the argument Username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-50478 | 1 Swoopnow | 1 1-click Login\ | 2024-10-31 | N/A | 9.8 CRITICAL |
| Authentication Bypass by Primary Weakness vulnerability in Swoop 1-Click Login: Passwordless Authentication allows Authentication Bypass.This issue affects 1-Click Login: Passwordless Authentication: 1.4.5. | |||||
| CVE-2024-50498 | 1 Lubus | 1 Wp Query Console | 2024-10-31 | N/A | 9.8 CRITICAL |
| Improper Control of Generation of Code ('Code Injection') vulnerability in LUBUS WP Query Console allows Code Injection.This issue affects WP Query Console: from n/a through 1.0. | |||||