CVSS 9-10

CVE ID | CVSS | Vendor | Exploit | Patch

CVE-2024-50486 | CVSS 9.8 | Vendor: Wordpress | Exploit: - | Patch: -
Authentication Bypass Using an Alternate Path or Channel vulnerability in Acnoo Flutter API allows Authentication Bypass. Affects Acnoo Flutter API: from n/a through 1.0.5.

CVE-2024-50485 | CVSS 9.8 | Vendor: Wordpress | Exploit: - | Patch: -
Incorrect Privilege Assignment vulnerability in Udit Rawat Exam Matrix allows Privilege Escalation. Affects Exam Matrix: from n/a through 1.5.

CVE-2024-50483 | CVSS 9.8 | Vendor: Wordpress | Exploit: - | Patch: -
Authorization Bypass Through User-Controlled Key vulnerability in Meetup allows Privilege Escalation. Affects Meetup: from n/a through 0.1.

CVE-2024-50480 | CVSS 9.9 | Vendor: Azexo | Exploit: - | Patch: -
Unrestricted Upload of File with Dangerous Type vulnerability in azexo Marketing Automation by AZEXO allows uploading a web shell to the web server. Affects Marketing Automation by AZEXO: from n/a through 1.27.80.

CVE-2024-50479 | CVSS 9.8 | Vendor: Woocommerce | Exploit: - | Patch: -
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mansur Ahamed Woocommerce Quote Calculator allows Blind SQL Injection. Affects Woocommerce Quote Calculator: from n/a through 1.1.

CVE-2024-50478 | CVSS 9.8 | Vendor: Wordpress | Exploit: - | Patch: -
Authentication Bypass by Primary Weakness vulnerability in Swoop 1-Click Login: Passwordless Authentication allows Authentication Bypass. Affects 1-Click Login: Passwordless Authentication: version 1.4.5.

CVE-2024-50477 | CVSS 9.8 | Vendor: Wordpress | Exploit: - | Patch: -
Authentication Bypass Using an Alternate Path or Channel vulnerability in Stacks Mobile App Builder (stacks-mobile-app-builder) allows Authentication Bypass. Affects Stacks Mobile App Builder: from n/a through 5.2.3.

CVE-2024-50476 | CVSS 9.8 | Vendor: Wordpress | Exploit: - | Patch: -
Missing Authorization vulnerability in GRÜN Software Group GmbH GRÜN spendino Spendenformular allows Privilege Escalation. Affects GRÜN spendino Spendenformular: from n/a through 1.0.1.

CVE-2024-50475 | CVSS 9.8 | Vendor: Wordpress | Exploit: - | Patch: -
Missing Authorization vulnerability in Scott Gamon Signup Page allows Privilege Escalation. Affects Signup Page: from n/a through 1.0.

CVE-2024-50459 | CVSS 9.8 | Vendor: Hmplugin, et al | Exploit: - | Patch: -
Missing Authorization vulnerability in HM Plugin WordPress Stripe Donation and Payment Plugin allows exploiting incorrectly configured access-control security levels. Affects WordPress Stripe Donation and Payment Plugin: from n/a through 3.2.3.

CVE-2024-50450 | CVSS 9.8 | Vendor: Wordpress, et al | Exploit: - | Patch: -
Improper Control of Generation of Code ('Code Injection') vulnerability in realmag777 WordPress Meta Data and Taxonomies Filter (MDTF) allows Code Injection. Affects WordPress Meta Data and Taxonomies Filter (MDTF): from n/a through 1.3.3.4.

CVE-2024-50427 | CVSS 9.9 | Vendor: Wordpress | Exploit: - | Patch: -
Unrestricted Upload of File with Dangerous Type vulnerability in Devsoft Baltic OÜ SurveyJS: Drag & Drop WordPress Form Builder. Affects SurveyJS: Drag & Drop WordPress Form Builder: from n/a through 1.9.136.

CVE-2024-50330 | CVSS 9.8 | Vendor: Ivanti | Exploit: - | Patch: -
SQL injection in Ivanti Endpoint Manager before the 2024 November Security Update or the 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution.

CVE-2024-50306 | CVSS 9.1 | Vendor: Apache | Exploit: - | Patch: -
An unchecked return value can allow Apache Traffic Server to retain privileges on startup. Affects Apache Traffic Server: from 9.2.0 through 9.2.5 and from 10.0.0 through 10.0.1. Users are recommended to upgrade to version 9.2.6 or 10.0.2, which fixes the issue.

CVE-2024-5021 | CVSS 9.3 | Vendor: Wordpress | Exploit: - | Patch: -
The WordPress Picture / Portfolio / Media Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.0.1 via the 'file_get_contents' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.

CVE-2024-4992 | CVSS 9.8 | Vendor: - | Exploit: - | Patch: -
SQL injection in SiAdmin 1.1 via the nim parameter of /modul/mod_kuliah/aksi_kuliah.php. A remote attacker could send a specially crafted SQL query to the system and retrieve all the information stored in it.

CVE-2024-4991 | CVSS 9.8 | Vendor: - | Exploit: - | Patch: -
SQL injection in SiAdmin 1.1 via the nama_lengkap parameter of /modul/mod_pass/aksi_pass.php. A remote attacker could send a specially crafted SQL query to the system and retrieve all the information stored in it.

CVE-2024-49681 | CVSS 9.3 | Vendor: Wordpress | Exploit: - | Patch: -
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SWIT WP Sessions Time Monitoring Full Automatic allows SQL Injection. Affects WP Sessions Time Monitoring Full Automatic: from n/a through 1.0.9.

CVE-2024-49674 | CVSS 9.6 | Vendor: Wordpress | Exploit: - | Patch: -
Cross-Site Request Forgery (CSRF) vulnerability in Lukas Huser EKC Tournament Manager allows uploading a web shell to the web server. Affects EKC Tournament Manager: from n/a through 2.2.1.

CVE-2024-49671 | CVSS 9.9 | Vendor: Wordpress | Exploit: - | Patch: -
Unrestricted Upload of File with Dangerous Type vulnerability in Dogu Pekgoz AI Image Generator for Your Content & Featured Images – AI Postpix allows uploading a web shell to the web server. Affects AI Image Generator for Your Content & Featured Images – AI Postpix: from n/a through 1.1.8.

CVE-2024-49669 | CVSS 9.9 | Vendor: Alex project | Exploit: - | Patch: -
Unrestricted Upload of File with Dangerous Type vulnerability in Alexander De Ridder INK Official allows uploading a web shell to the web server. Affects INK Official: from n/a through 4.1.2.

CVE-2024-49658 | CVSS 9.9 | Vendor: Woocommerce | Exploit: - | Patch: -
Unrestricted Upload of File with Dangerous Type vulnerability in Ecomerciar Woocommerce Custom Profile Picture allows uploading a web shell to the web server. Affects Woocommerce Custom Profile Picture: from n/a through 1.0.

CVE-2024-49653 | CVSS 9.9 | Vendor: Apache | Exploit: - | Patch: -
Unrestricted Upload of File with Dangerous Type vulnerability in James Eggers Portfolleo (portfolleo) allows uploading a web shell to the web server. Affects Portfolleo: from n/a through 1.2.

CVE-2024-49652 | CVSS 9.9 | Vendor: Wordpress | Exploit: - | Patch: -
Unrestricted Upload of File with Dangerous Type vulnerability in ReneeCussack 3D Work In Progress allows uploading a web shell to the web server. Affects 3D Work In Progress: from n/a through 1.0.3.

CVE-2024-49626 | CVSS 9.8 | Vendor: Shipyaari | Exploit: - | Patch: -
Deserialization of Untrusted Data vulnerability in Piyushmca Shipyaari Shipping Management allows Object Injection. Affects Shipyaari Shipping Management: from n/a through 1.2.

CVE-2024-49625 | CVSS 9.8 | Vendor: Sitebuilder dynamic components project | Exploit: - | Patch: -
Deserialization of Untrusted Data vulnerability in Brandon Clark SiteBuilder Dynamic Components allows Object Injection. Affects SiteBuilder Dynamic Components: from n/a through 1.0.

CVE-2024-49624 | CVSS 9.8 | Vendor: Wordpress | Exploit: - | Patch: -
Deserialization of Untrusted Data vulnerability in Smartdevth Advanced Advertising System allows Object Injection. Affects Advanced Advertising System: from n/a through 1.3.1.

CVE-2024-49611 | CVSS 9.8 | Vendor: Wordpress | Exploit: - | Patch: -
Unrestricted Upload of File with Dangerous Type vulnerability in Paxman Product Website Showcase allows uploading a web shell to the web server. Affects Product Website Showcase: from n/a through 1.0.

CVE-2024-49610 | CVSS 9.8 | Vendor: - | Exploit: - | Patch: -
Unrestricted Upload of File with Dangerous Type vulnerability in Jack Zhu photokit allows uploading a web shell to the web server. Affects photokit: from n/a through 1.0.

CVE-2024-49607 | CVSS 9.8 | Vendor: Wordpress | Exploit: - | Patch: -
Unrestricted Upload of File with Dangerous Type vulnerability in Redwan Hilali WP Dropbox Dropins allows uploading a web shell to the web server. Affects WP Dropbox Dropins: from n/a through 1.0.

CVE-2024-49604 | CVSS 9.8 | Vendor: Wordpress, et al | Exploit: - | Patch: -
Authentication Bypass Using an Alternate Path or Channel vulnerability in Najeeb Ahmad Simple User Registration allows Authentication Bypass. Affects Simple User Registration: from n/a through 5.5.

CVE-2024-4949 | CVSS 9.6 | Vendor: Google, et al | Exploit: - | Patch: Patched
Use after free in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

CVE-2024-49400 | CVSS 9.8 | Vendor: Cloudflare | Exploit: - | Patch: -
Tacquito prior to commit 07b49d1358e6ec0b5aa482fcd284f509191119e2 did not properly perform regex matches on authorized commands and arguments. Configured allowed commands/arguments were intended to require a match on the entire string, but only a sub-string match was enforced, which could have allowed unauthorized commands to be executed.

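The substring-versus-whole-string distinction in the Tacquito entry is easy to reproduce. The following is an added example, not Tacquito's code: the command lines and allow-list regexes are hypothetical, and the three functions differ only in how the regex is built before `RegExp.prototype.test` is called.

```javascript
// Added example (not Tacquito's code). Command strings and allow-list regexes
// below are hypothetical; the point is what RegExp.test actually checks.

// Allow-list as an operator might write it: one regex per permitted command.
// Note the alternation in the first entry.
const ALLOWED = ["show version|show clock", "ping [0-9.]+"];

// Broken: RegExp.prototype.test succeeds when the pattern matches *anywhere*
// in the input, so any line that merely contains an allowed command passes.
function authorizedSubstring(cmdLine, allowed = ALLOWED) {
  return allowed.some((p) => new RegExp(p).test(cmdLine));
}

// Still broken: anchors added without a group bind only to the outermost
// alternatives ("^show version" OR "show clock$"), so a prefix or suffix
// match still gets through.
function authorizedBareAnchor(cmdLine, allowed = ALLOWED) {
  return allowed.some((p) => new RegExp(`^${p}$`).test(cmdLine));
}

// Fixed: the whole pattern is wrapped in a non-capturing group and anchored at
// both ends, so it must consume the entire command line. Without the `m`
// flag, `$` matches only at end of input.
function authorizedFull(cmdLine, allowed = ALLOWED) {
  return allowed.some((p) => new RegExp(`^(?:${p})$`).test(cmdLine));
}

// Constructed command lines an authenticated but unprivileged user might send.
const PROBES = [
  "show version",                  // legitimate
  "reload ; show clock",           // suffix match slips past the first two checks
  "show version | include uptime", // prefix match, same
  "configure terminal",            // never allowed
];

function demo() {
  return PROBES.map((cmd) => ({
    cmd,
    substring: authorizedSubstring(cmd),
    bareAnchor: authorizedBareAnchor(cmd),
    full: authorizedFull(cmd),
  }));
}
```

`demo()` shows three of the four probes passing the substring and bare-anchor checks and only the exact command passing the anchored one. The same substring semantics apply to Go's `regexp.MatchString`, so the anchoring discipline is not JavaScript-specific.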
CVE-2024-49388 | CVSS 9.1 | Vendor: Acronis | Exploit: - | Patch: Patched
Sensitive information manipulation due to improper authorization. Affected products: Acronis Cyber Protect 16 (Linux, Windows) before build 38690.

CVE-2024-49369 | CVSS 9.8 | Vendor: Icinga | Exploit: - | Patch: -
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes and any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). Fixed in v2.14.3, v2.13.10, v2.12.11, and v2.11.12.

CVE-2024-49368 | CVSS 9.8 | Vendor: Nginxui | Exploit: Exploit | Patch: Patched
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.0.0-beta.36, when Nginx UI configures logrotate it does not validate the input and passes it directly to exec.Command, allowing arbitrary command execution. Version 2.0.0-beta.36 fixes this issue.

CVE-2024-4936 | CVSS 9.8 | Vendor: Wordpress, et al | Exploit: - | Patch: Patched
The Canto plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 3.0.8 via the abspath parameter. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. Exploitation requires allow_url_include to be enabled on the target site.

CVE-2024-49332 | CVSS 9.8 | Vendor: Wordpress | Exploit: - | Patch: -
Deserialization of Untrusted Data vulnerability in Giveaway Boost allows Object Injection. Affects Giveaway Boost: from n/a through 2.1.4.

CVE-2024-49330 | CVSS 9.8 | Vendor: Huawei | Exploit: - | Patch: -
Unrestricted Upload of File with Dangerous Type vulnerability in brx8r Nice Backgrounds allows uploading a web shell to the web server. Affects Nice Backgrounds: from n/a through 1.0.

CVE-2024-49329 | CVSS 9.8 | Vendor: Wordpress | Exploit: - | Patch: -
Unrestricted Upload of File with Dangerous Type vulnerability in Vivek Tamrakar WP REST API FNS allows uploading a web shell to the web server. Affects WP REST API FNS: from n/a through 1.0.0.

CVE-2024-49328 | CVSS 9.8 | Vendor: Wordpress | Exploit: - | Patch: -
Authentication Bypass Using an Alternate Path or Channel vulnerability in Vivek Tamrakar WP REST API FNS allows Authentication Bypass. Affects WP REST API FNS: from n/a through 1.0.0.

CVE-2024-49327 | CVSS 9.8 | Vendor: - | Exploit: - | Patch: -
Unrestricted Upload of File with Dangerous Type vulnerability in Asep Bagja Priandana Woostagram Connect allows uploading a web shell to the web server. Affects Woostagram Connect: from n/a through 1.0.2.

CVE-2024-49326 | CVSS 9.8 | Vendor: - | Exploit: - | Patch: -
Unrestricted Upload of File with Dangerous Type vulnerability in Vasilis Kerasiotis Affiliator allows uploading a web shell to the web server. Affects Affiliator: from n/a through 2.1.3.

CVE-2024-49324 | CVSS 9.8 | Vendor: - | Exploit: - | Patch: -
Unrestricted Upload of File with Dangerous Type vulnerability in Sovratec Case Management allows uploading a web shell to the web server. Affects Sovratec Case Management: from n/a through 1.0.0.

CVE-2024-49322 | CVSS 9.8 | Vendor: Wordpress | Exploit: - | Patch: -
Incorrect Privilege Assignment vulnerability in CodePassenger Job Board Manager for WordPress allows Privilege Escalation. Affects Job Board Manager for WordPress: from n/a through 1.0.

CVE-2024-49318 | CVSS 9.8 | Vendor: Wordpress | Exploit: - | Patch: -
Deserialization of Untrusted Data vulnerability in Scott Olson My Reading Library allows Object Injection. Affects My Reading Library: from n/a through 1.0.

CVE-2024-49305 | CVSS 9.3 | Vendor: Woocommerce, et al | Exploit: - | Patch: -
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFactory Email Verification for WooCommerce allows SQL Injection. Affects Email Verification for WooCommerce: from n/a through 2.8.10.

CVE-2024-49286 | CVSS 9.8 | Vendor: Wordpress | Exploit: - | Patch: -
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Moridrin SSV Events allows PHP Local File Inclusion. Affects SSV Events: from n/a through 3.2.7.

CVE-2024-49271 | CVSS 9.1 | Vendor: - | Exploit: - | Patch: -
Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Unlimited Elements For Elementor (Free Widgets, Addons, Templates) allows Command Injection. Affects Unlimited Elements For Elementor (Free Widgets, Addons, Templates): from n/a through 1.5.121.

CVE-2024-49260 | CVSS 9.9 | Vendor: Wordpress | Exploit: - | Patch: -
Unrestricted Upload of File with Dangerous Type vulnerability in Limb WordPress Gallery Plugin – Limb Image Gallery allows Code Injection. Affects WordPress Gallery Plugin – Limb Image Gallery: from n/a through 1.5.7.

CVE-2024-49247 | CVSS 9.8 | Vendor: Buddypress | Exploit: - | Patch: -
Authentication Bypass Using an Alternate Path or Channel vulnerability in sooskriszta, webforza BuddyPress Better Registration allows Authentication Bypass. Affects BuddyPress Better Registration: from n/a through 1.6.

CVE-2024-49246 | CVSS 9.3 | Vendor: Wordpress | Exploit: - | Patch: -
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in anand23 Ajax Rating with Custom Login allows SQL Injection. Affects Ajax Rating with Custom Login: from n/a through 1.1.

CVE-2024-49218 | CVSS 9.8 | Vendor: - | Exploit: - | Patch: -
Deserialization of Untrusted Data vulnerability in Al Imran Akash Recently allows Object Injection. Affects Recently: from n/a through 1.1.

CVE-2024-49217 | CVSS 9.8 | Vendor: Wordpress | Exploit: - | Patch: -
Incorrect Privilege Assignment vulnerability in Madiri Salman Aashish Adding drop down roles in registration allows Privilege Escalation. Affects Adding drop down roles in registration: from n/a through 1.1.

CVE-2024-49195 | CVSS 9.8 | Vendor: Mbed | Exploit: - | Patch: -
Mbed TLS 3.5.x through 3.6.x before 3.6.2 has a buffer underrun in pkwrite when writing an opaque key pair.

CVE-2024-4898 | CVSS 9.8 | Vendor: Wordpress, et al | Exploit: Exploit | Patch: Patched
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to missing authorization checks on its REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site to the InstaWP API, edit arbitrary site options and create administrator accounts.

CVE-2024-48974 | CVSS 9.3 | Vendor: Medtronic | Exploit: - | Patch: -
The ventilator does not perform proper file integrity checks when adopting firmware updates. This makes it possible for an attacker to force unauthorized changes to the device's configuration settings and/or compromise device functionality by pushing a compromised or illegitimate firmware file, which could disrupt the function of the device and/or cause unauthorized information disclosure.

CVE-2024-48973 | CVSS 9.3 | Vendor: Medtronic | Exploit: - | Patch: -
The debug port on the ventilator's serial interface is enabled by default. This could allow an attacker to send and receive messages over the debug port (which are unencrypted; see 3.2.1) that result in unauthorized disclosure of information and/or have unintended impacts on device settings and performance.

CVE-2024-48971 | CVSS 9.3 | Vendor: Philips | Exploit: - | Patch: -
The Clinician Password and the Serial Number Clinician Password are hard-coded into the ventilator in plaintext. This could allow an attacker to obtain the password from the ventilator and use it to gain unauthorized access to the device with clinician privileges.

CVE-2024-48970 | CVSS 9.3 | Vendor: Medtronic | Exploit: - | Patch: -
The ventilator's microcontroller lacks memory protection. An attacker could connect to the internal JTAG interface and read or write flash memory using an off-the-shelf debugging tool, which could disrupt the function of the device and/or cause unauthorized information disclosure.

CVE-2024-48963 | CVSS 9.8 | Vendor: Snyk | Exploit: - | Patch: Patched
The Snyk CLI before 1.1294.0 is vulnerable to Code Injection when scanning an untrusted PHP project. The vulnerability can be triggered if `snyk test` is run inside the untrusted project, due to improper handling of the current working directory name. Snyk recommends only scanning trusted projects.

CVE-2024-48949 | CVSS 9.1 | Vendor: Indutny, et al | Exploit: - | Patch: Patched
The Elliptic package 6.5.5 for Node.js does not check, in its EdDSA implementation, that the signature's S component lies within the bounds of the order n of the base point of the elliptic curve, leading to signature malleability. Specifically, the verify function in lib/elliptic/eddsa/index.js omits the `sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()` validation. This has a security-relevant impact where an application relies on the uniqueness of a signature.

CVE-2024-4893 | CVSS 9.8 | Vendor: Digiwin | Exploit: - | Patch: -
DigiWin EasyFlow .NET lacks validation for certain input parameters, allowing remote attackers to inject arbitrary SQL commands. This enables unauthorized reading, modification and deletion of database records, as well as execution of system commands.

CVE-2024-48920 | CVSS 9.1 | Vendor: - | Exploit: - | Patch: -
PutongOJ is online judging software. Prior to version 2.1.0-beta.1, unprivileged users can escalate privileges by constructing requests. This can lead to unauthorized access, enabling users to perform admin-level operations and potentially compromising sensitive data and system integrity. Fixed in v2.1.0-beta.1. As a workaround, the patch from commit `211dfe9` may be applied manually.

CVE-2024-48914 | CVSS 9.1 | Vendor: Vendure | Exploit: Exploit | Patch: Patched
Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability in Vendure's asset server plugin allows an attacker to craft a request that traverses the server file system and retrieves the contents of arbitrary files, including sensitive data such as configuration files, environment variables, and other critical data stored on the server. The same code path contains an additional vector for crashing the server via a malformed URI. Patches are available in versions 3.0.5 and 2.3.3. Workarounds: use object storage (e.g. MinIO or S3) rather than the local file system, or define middleware that detects and blocks requests whose URLs contain `/../`.

CVE-2024-48910 | CVSS 9.1 | Vendor: Cure53 | Exploit: - | Patch: Patched
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. Fixed in 2.4.2.

CVE-2024-48904 | CVSS 9.8 | Vendor: Trendmicro | Exploit: - | Patch: -
A command injection vulnerability in Trend Micro Cloud Edge could allow a remote attacker to execute arbitrary code on affected appliances. Note: authentication is not required to exploit this vulnerability.

CVE-2024-4885 | CVSS 9.8 | Vendor: Progress | Exploit: Exploit | Patch: Patched
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Progress Software WhatsUp Gold. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the GetFileWithoutZip method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Progress Software has issued an update to correct this vulnerability. More details: https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024

CVE-2024-4884 | CVSS 9.8 | Vendor: Progress | Exploit: Exploit | Patch: Patched
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Progress Software WhatsUp Gold. Authentication is not required to exploit this vulnerability. The specific flaw exists within the CommunityController class. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code in the context of the service account. Progress Software has issued an update to correct this vulnerability. More details: https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024

CVE-2024-4883 | CVSS 9.8 | Vendor: Progress | Exploit: Exploit | Patch: Patched
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Progress Software WhatsUp Gold. Authentication is not required to exploit this vulnerability. The specific flaw exists within the WriteDataFile method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Progress Software has issued an update to correct this vulnerability. More details: https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024

CVE-2024-48823 | CVSS 9.8 | Vendor: Automaticsystems | Exploit: - | Patch: -
Local file inclusion in Automatic Systems Maintenance SlimLane 29565_d74ecce0c1081d50546db573a499941b10799fb7 allows a remote attacker to escalate privileges via the PassageAutoServer.php page.

CVE-2024-4879 | CVSS 9.8 | Vendor: Servicenow | Exploit: Exploit | Patch: Patched
ServiceNow has addressed an input validation vulnerability identified in the Vancouver and Washington, D.C. Now Platform releases. It could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow applied an update to hosted instances and released it to partners and self-hosted customers; the vendor advisory lists the patches and hot fixes that address the vulnerability, and applying the security patches relevant to your instance as soon as possible is recommended.

CVE-2024-48787 | CVSS 9.1 | Vendor: - | Exploit: - | Patch: -
An issue in Revic Optics Revic Ops (us.revic.revicops) 1.12.5 allows a remote attacker to obtain sensitive information via the firmware update process.

CVE-2024-48786 | CVSS 9.1 | Vendor: Switchbot | Exploit: - | Patch: -
An issue in SWITCHBOT INC SwitchBot (com.theswitchbot.switchbot) 5.0.4 allows a remote attacker to obtain sensitive information via the firmware update process.

CVE-2024-48784 | CVSS 9.8 | Vendor: - | Exploit: - | Patch: -
An Incorrect Access Control issue in SAMPMAX com.sampmax.homemax 2.1.2.7 allows a remote attacker to obtain sensitive information via the firmware update process.

CVE-2024-48782 | CVSS 9.8 | Vendor: - | Exploit: - | Patch: -
File upload vulnerability in DYCMS Open-Source Version v2.0.9.41 allows a remote attacker to execute arbitrary code because the application validates image-file extensions only in the front end.

CVE-2024-48781 | CVSS 9.8 | Vendor: - | Exploit: - | Patch: -
An issue in Wanxing Technology Yitu Project Management Kirin Edition 2.3.6 allows a remote attacker to execute arbitrary code via a specially constructed .so file in /opt/EdrawProj-2/plugins/imageformat.

CVE-2024-48779 | CVSS 9.8 | Vendor: - | Exploit: - | Patch: -
An issue in Wanxing Technology's Yitu Project Management Software 3.2.2 allows a remote attacker to execute arbitrary code via the platformpluginpath parameter, which specifies the directory from which Qt plugins are loaded.

CVE-2024-48778 | CVSS 9.1 | Vendor: - | Exploit: - | Patch: -
An issue in GIANT MANUFACTURING CO., LTD RideLink (tw.giant.ridelink) 2.0.7 allows a remote attacker to obtain sensitive information via the firmware update process.

CVE-2024-48772 | CVSS 9.1 | Vendor: - | Exploit: - | Patch: -
An issue in C-CHIP (com.cchip.cchipamaota) v1.2.8 allows a remote attacker to obtain sensitive information via the firmware update process.

CVE-2024-48769 | CVSS 9.1 | Vendor: - | Exploit: - | Patch: -
An issue in BURG-WÄCHTER KG de.burgwachter.keyapp.app 4.5.0 allows a remote attacker to obtain sensitive information via the firmware update process.

CVE-2024-48746 | CVSS 9.8 | Vendor: Microsoft | Exploit: - | Patch: -
An issue in Lens Visual integration with Power BI v4.0.0.3 allows a remote attacker to execute arbitrary code via the natural language processing component.

CVE-2024-48659 | CVSS 9.8 | Vendor: - | Exploit: - | Patch: -
An issue in DCME-320-L <= 9.3.2.114 allows a remote attacker to execute arbitrary code via the log_u_umount.php component.

CVE-2024-48581 | CVSS 9.8 | Vendor: Mayurik | Exploit: - | Patch: -
File upload vulnerability in Best Courier Management System in PHP v1.0 allows a remote attacker to execute arbitrary code via the admin_class.php component.

CVE-2024-48580 | CVSS 9.8 | Vendor: Mayurik | Exploit: - | Patch: -
SQL injection vulnerability in Best Courier Management System in PHP v1.0 allows a remote attacker to execute arbitrary code via the email parameter of the login request.

CVE-2024-48579 | CVSS 9.8 | Vendor: Mayurik | Exploit: - | Patch: -
SQL injection vulnerability in Best House Rental Management System project in PHP v1.0 allows a remote attacker to execute arbitrary code via the username parameter of the login request.

CVE-2024-48573 | CVSS 9.8 | Vendor: - | Exploit: - | Patch: -
A NoSQL injection vulnerability in AquilaCMS 1.409.20 and prior allows unauthenticated attackers to reset user and administrator account passwords via the "Reset password" feature.

CVE-2024-48548 | CVSS 9.3 | Vendor: - | Exploit: - | Patch: -
The APK file in Cloud Smart Lock v2.0.1 leaks a URL that can call an API for binding physical devices. This allows attackers to construct arbitrary requests that use the app to bind to unknown devices, after finding a valid serial number via a brute-force attack.

CVE-2024-48539 | CVSS 9.8 | Vendor: - | Exploit: - | Patch: -
Neye3C v4.5.2.0 was discovered to contain a hardcoded encryption key in the firmware update mechanism.

CVE-2024-48538 | CVSS 9.8 | Vendor: - | Exploit: - | Patch: -
Incorrect access control in the firmware update and download processes of Neye3C v4.5.2.0 allows attackers to access sensitive information by analyzing the code and data within the APK file.

CVE-2024-48510 | CVSS 9.8 | Vendor: Dotnetzip.semverd project | Exploit: - | Patch: Patched
Directory traversal vulnerability in DotNetZip v1.16.0 and before allows a remote attacker to execute arbitrary code via the src/Zip.Shared/ZipEntry.Extract.cs component. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CVE-2024-48509 | CVSS 9.8 | Vendor: Oracle | Exploit: - | Patch: -
Learning with Texts (LWT) 2.0.3 is vulnerable to SQL injection. The application fails to properly sanitize user input, allowing attackers to manipulate SQL queries by injecting malicious SQL statements into URL parameters. An attacker could gain unauthorized access to the database, retrieve sensitive information, modify or delete data, and execute arbitrary commands.

CVE-2024-48465 | CVSS 9.8 | Vendor: - | Exploit: - | Patch: -
MRBS version 1.5.0 has an SQL injection vulnerability in the edit_entry_handler.php file, specifically in the rooms[] parameter (URL-encoded as rooms%5B%5D).

CVE-2024-48428 | CVSS 9.8 | Vendor: - | Exploit: Exploit | Patch: -
An issue in Olive VLE allows an attacker to obtain sensitive information via the reset password function.

CVE-2024-48411 | CVSS 9.8 | Vendor: - | Exploit: - | Patch: -
itsourcecode Online Tours and Travels Management System v1.0 is vulnerable to SQL injection via a crafted payload to the val-email parameter in forget_password.php.

CVE-2024-48359 | CVSS 9.8 | Vendor: - | Exploit: - | Patch: -
Qualitor v8.24 was discovered to contain a remote code execution (RCE) vulnerability via the gridValoresPopHidden parameter.

CVE-2024-48357 | CVSS 9.8 | Vendor: Lylme | Exploit: - | Patch: -
LyLme Spage 1.2.0 through 1.6.0 is vulnerable to SQL injection via /admin/apply.php.

CVE-2024-48356 | CVSS 9.8 | Vendor: Lylme | Exploit: - | Patch: -
LyLme Spage <= 1.6.0 is vulnerable to SQL injection via /admin/group.php.

CVE-2024-48283 | CVSS 9.8 | Vendor: Phpgurukul | Exploit: - | Patch: -
Phpgurukul User Registration & Login and User Management System 3.2 is vulnerable to SQL injection in /admin//search-result.php via the searchkey parameter.

CVE-2024-4826 | CVSS 9.8 | Vendor: - | Exploit: - | Patch: -
SQL injection vulnerability in Simple PHP Shopping Cart affecting version 0.9. An attacker could retrieve all the information stored in the database by sending a specially crafted SQL query, due to the lack of proper sanitisation of the category_id parameter in the category.php file.