CVE Tracker
Every vulnerability in the news, ranked by real-world risk.
Authentication bypass by spoofing in Azure HorizonDB allows an unauthorized attacker to elevate privileges over a network.
An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-lev
Cloud Foundry UAA versions v76.12.0 through v78.12.0 are vulnerable to a private key exposure.
CWE-522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to 14.4.8152, and 15.0.8200 to 15.0.8234, and 15.1.8
Web endpoints intended for the Acer Connect app improperly validate the HTTP Authorization header, failing to block requests when Base64 decoding fails.
Crafted MQTT messages can trigger command injection, resulting in root-level code execution on the target device.
The acer_cgi.log file in the device firmware is accessible without authentication via the web interface.
The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key.
Flowise is a drag & drop user interface to build a customized large language model flow.
Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath querie
Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are 24.2.0-26.1.0.
LiteSpeed cPanel Plugin Privilege Escalation Vulnerability
Sangoma FreePBX Authentication Bypass Vulnerability
An Improper Resource Locking vulnerability in the SDM component of B&R Automation Runtime versions before 6.3 and before Q4.93 may allow an unauthenticated netw
Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability
A vulnerability in the access validation of internal REST APIs of Cisco Secure Workload could allow an unauthenticated, remote attacker to access site resources
A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary
Arbitrary File Write via Path Traversal upload to Remote Code Execution in SeppMail User Web Interface. The affected feature is the large file transfer (LFT).
Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management Deserialization of Untrusted Data Vulnerabilit
Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability
Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability
Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability
Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose information over a network.
Semantic Kernel, Microsoft's semantic kernel Python SDK, has a remote code execution vulnerability in versions prior to 1.39.4, specifically within the `InMemor
Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems.
Meta React Server Components Remote Code Execution Vulnerability
OpenEMR is a free and open source electronic health records and medical practice management application.
ConnectWise ScreenConnect Authentication Bypass Vulnerability
Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability
Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution.
Moby is an open-source project created by Docker for software containerization.
An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated attacker to c
A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user.
SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modifi
Files or directories accessible to external parties vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24.
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to ta
OpenStack Mistral through 22.0.0 allows Arbitrary Remote Code Execution when the API is exposed.
A flaw was found in KubeVirt's virt-handler component. This vulnerability allows an authenticated OpenShift user with edit permissions in a single namespace to
Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.
Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.
Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network.
SimpleHelp Missing Authorization Vulnerability
Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Buffer Overflow Vulnerability
BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) OS Command Injection Vulnerability
An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary cod
Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL st
Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification.
An unauthenticated remote attacker can recover a default, hard coded password from a firmware image and thus gain full access to all affected devices.
Integer overflow or wraparound in Windows HTTP.sys allows an unauthorized attacker to execute code over a network.
Use after free in Windows Kernel allows an unauthorized attacker to execute code over a network.
Stack-based buffer overflow in Windows DHCP Client allows an unauthorized attacker to execute code over a network.
Due to improper RFC protocol validation in the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and ABAP Platform, an unauthenticated attacker ca
ZDRES-232: resolveProxyClass Not Overridden acceptMatchers Filter Bypass via java.lang.reflect.Proxy Assessment: Fully addressed.
The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12.
CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content th
Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achi
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions
Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter device firmware contains plaintext administrative credentials embedded in