CVE Catalog
Browse the latest Common Vulnerabilities and Exposures (CVEs) with CVSS scores, affected products, and next-gen risk scores.
Acronis Cyber Protect 16 DLL Hijacking Vulnerability Leading to Local Privilege Escalation
A local privilege escalation vulnerability has been identified in Acronis Cyber Protect 16 for Windows, prior to build 39169. This issue arises from a DLL hijacking vulnerability, which can be exploited to gain elevated privileges on the system.
Acronis Cyber Protect and Cyber Protect Cloud Agent Tray Monitor Service Privilege Escalation Vulnerability
A local privilege escalation vulnerability has been identified in the Tray Monitor service of Acronis Cyber Protect 16 and Acronis Cyber Protect Cloud Agent. This issue arises from excessive permissions assigned to the service, allowing unauthorized users to gain elevated privileges. The vulnerability affects Acronis Cyber Protect 16 (Linux, macOS, Windows) prior to build 39169, and Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) prior to build 35895.
Acronis Cyber Protect 16 Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in Acronis Cyber Protect 16 for both Linux and Windows platforms, prior to build 39169. This vulnerability arises from inadequate origin validation in the postMessage function, allowing for the injection of malicious scripts that are stored and executed in the context of the user.
Acronis Cyber Protect 16 DLL Hijacking Vulnerability Leading to Local Privilege Escalation
A local privilege escalation vulnerability has been identified in Acronis Cyber Protect 16 for Windows, prior to build 39169. This issue arises from a DLL hijacking vulnerability, which can be exploited to gain elevated privileges on the system.
Kentico CMS Reflected Cross-Site Scripting Vulnerability
A reflected cross-site scripting vulnerability has been identified in Kentico CMS version 7. This issue arises from the improper neutralization of input in the '/CMSMessages/AccessDenied.aspx' endpoint, allowing attackers to manipulate specific GET request parameters. Support for Kentico CMS version 7 ended in 2016, and version 8 does not exhibit this vulnerability.
Liquid Web GiveWP Plugin Missing Authorization Vulnerability Allowing Arbitrary Content Deletion
A missing authorization vulnerability has been identified in the Liquid Web / StellarWP GiveWP plugin, specifically in versions through 2.25.1. This vulnerability allows for arbitrary content deletion, meaning that a malicious actor could potentially delete various types of content from a website, such as images, posts, or pages.
JoomUnited WP Table Manager Missing Authorization Vulnerability Allowing Access Control Exploitation
A missing authorization vulnerability has been identified in the JoomUnited WP Table Manager plugin for WordPress, affecting versions through 3.5.2. This vulnerability arises from broken access control, which allows users with lower privileges to perform actions reserved for higher-privileged users.
WeyHan Post Teaser Missing Authorization Vulnerability
A broken access control vulnerability has been identified in the WeyHan Post Teaser plugin for WordPress, affecting versions through 4.1.5. This vulnerability allows an unprivileged user to perform actions that require higher privileges, due to a lack of proper authorization checks.
Code-Projects Chat System SQL Injection Vulnerability in Delete User Admin Function
A critical SQL injection vulnerability has been identified in Code-Projects Chat System version 1.0. The issue arises in the admin/deleteuser.php file, where the 'id' argument can be manipulated to execute unauthorized SQL commands. This vulnerability can be exploited remotely, potentially leading to unauthorized data access or modification.
MaxKB Remote Command Execution Vulnerability in Function Library Module
A remote command execution vulnerability has been identified in MaxKB, an open-source knowledge base question-answering system that utilizes a large language model and retrieval-augmented generation. This vulnerability, present in versions prior to 1.9.0, allows privileged users to execute operating system commands within custom scripts. The issue has been addressed in version 1.9.0.
Acronis True Image Sensitive Information Disclosure Vulnerability
A vulnerability allowing sensitive information disclosure has been identified in Acronis True Image for both macOS (versions prior to build 41725) and Windows (versions prior to build 41736). This issue arises from missing authentication, which could potentially be exploited to access confidential information.
Acronis True Image Sensitive Information Disclosure Vulnerability Due to Insecure Folder Permissions
A vulnerability allowing sensitive information disclosure exists in Acronis True Image for Windows, prior to build 41736, due to insecure folder permissions.
Crocoblock JetEngine Missing Authorization Vulnerability Allowing Access Control Bypass
A missing authorization vulnerability has been identified in the Crocoblock JetEngine plugin, specifically in versions through 3.2.4. This vulnerability allows users to exploit improperly configured access control levels, potentially leading to unauthorized actions or access.
Porto Theme Functionality Plugin Broken Access Control Vulnerability
A missing authorization vulnerability has been identified in the Porto Theme Functionality plugin for WordPress, affecting versions prior to 2.12.1. This vulnerability arises from incorrectly configured access control security levels, which can be exploited to perform actions that require higher privileges.
10Web 10WebAnalytics Missing Authorization Vulnerability Allowing Broken Access Control
A broken access control vulnerability has been identified in the 10WebAnalytics WordPress plugin, affecting versions through 1.2.12. This vulnerability arises from missing authorization checks, which could allow an unprivileged user to perform actions reserved for higher privileges.
LuckyWP Scripts Control Plugin Broken Access Control Vulnerability
A missing authorization vulnerability has been identified in the LuckyWP Scripts Control WordPress plugin, affecting versions through 1.2.1. This vulnerability arises from incorrectly configured access control security levels, allowing unprivileged users to perform actions reserved for higher privileges.
WordPress IMPress Listings Plugin Broken Access Control Vulnerability
A missing authorization vulnerability has been identified in the WordPress IMPress Listings plugin, specifically in versions through 2.6.2. This vulnerability allows exploitation of improperly configured access control security levels, potentially leading to unauthorized actions by users with lower privileges.
10Web Map Builder for Google Maps Missing Authorization Vulnerability Allowing Broken Access Control
A missing authorization vulnerability has been identified in the 10Web Map Builder for Google Maps plugin, affecting versions through 1.0.73. This vulnerability allows exploitation of incorrectly configured access control security levels, potentially leading to broken access control issues.
Putler WooCommerce Connector Missing Authorization Vulnerability
A broken access control vulnerability has been identified in the Putler Connector for WooCommerce, affecting versions through 2.12.0. This vulnerability allows unauthenticated users to perform actions that require higher privileges, due to a lack of proper authorization checks.
Repute InfoSystems ARMember Premium Broken Access Control Vulnerability
A missing authorization vulnerability has been identified in the Repute InfoSystems ARMember Premium WordPress membership plugin, affecting versions through 5.9.2. This vulnerability allows unprivileged users to exploit incorrectly configured access control security levels, potentially leading to unauthorized actions that require higher privileges.
Xtemos WoodMart Theme Broken Access Control Vulnerability
A missing authorization vulnerability has been identified in the Xtemos WoodMart WordPress theme, specifically in versions through 7.2.1. This vulnerability allows exploitation of improperly configured access control, potentially enabling users to perform actions reserved for higher privileges.
Linux Kernel CEC Message Length Limitation Vulnerability
A vulnerability in the Linux kernel's media subsystem, specifically within the S5P CEC (Consumer Electronics Control) component, allows for improper handling of message lengths. The issue arises because the message length is not correctly restricted to the maximum allowed size, potentially leading to buffer overflows or other unintended behavior. This vulnerability has been addressed by implementing a check to ensure that message lengths do not exceed the maximum permissible limit.
WordPress Analytify Plugin Privilege Escalation Vulnerability
A missing authorization vulnerability allowing privilege escalation has been identified in the WordPress Analytify Google Analytics Dashboard plugin, affecting versions through 4.2.3. This vulnerability could enable a low-privileged user to gain higher privileges, potentially leading to full control of the website.
WordPress Subscribe to Category Plugin Broken Access Control Vulnerability
A missing authorization vulnerability has been identified in the WordPress Subscribe to Category plugin, specifically in versions through 2.7.4. This vulnerability allows unprivileged users to exploit incorrectly configured access control security levels, potentially leading to unauthorized actions.
Gallery Images Ape WordPress Plugin Broken Access Control Vulnerability
A broken access control vulnerability has been identified in the Gallery Images Ape WordPress plugin, specifically in versions through 2.2.8. This vulnerability arises from missing authorization checks, allowing users with lower privileges to perform actions reserved for higher privileged users.
VolThemes Patricia Blog Cross-Site Request Forgery Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the VolThemes Patricia Blog WordPress theme, specifically in versions through 1.2. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.
Marsian i-amaze WordPress Theme Cross-Site Request Forgery Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Marsian i-amaze WordPress theme, affecting versions through 1.3.7. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.
Creativthemes Point WordPress Theme Cross-Site Request Forgery Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Creativthemes Point WordPress theme, specifically in versions through 1.1. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.
BuddyBoss Theme Cross-Site Request Forgery Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the BuddyBoss Theme by BuddyBoss LLC, affecting versions through 2.4.61. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.
MyThemeShop Schema Lite Cross-Site Request Forgery Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the MyThemeShop Schema Lite WordPress theme, specifically in versions through 1.2.2. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.
Uncanny Owl Uncanny Toolkit Pro for LearnDash Cross-Site Request Forgery Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Uncanny Owl Uncanny Toolkit Pro for LearnDash plugin, affecting versions prior to 4.1.4.1. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.
Automattic WP Job Manager - Resume Manager Cross-Site Request Forgery Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Automattic WP Job Manager - Resume Manager plugin, affecting versions through 2.1.0. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.
FS Code FS Poster Cross-Site Request Forgery Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the FS Poster WordPress plugin, affecting versions through 6.5.8. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.
Beijing Yunfan Internet Technology Yunfan Learning Examination System Improper Authentication Vulnerability via JWT Token
A critical vulnerability has been identified in version 1.9.2 of the Yunfan Learning Examination System by Beijing Yunfan Internet Technology. The issue resides in the JWT Token Handler component, specifically within the SysUserControl file. The vulnerability allows for improper authentication, as the system's JWT tokens can be exploited universally across any server using this application. The flaw arises because the application does not properly validate JWT tokens during the login process. As a result, an attacker can replace the existing JWT with a crafted token that bypasses authentication and grants administrative privileges.
Beijing Yunfan Internet Technology Yunfan Learning Examination System Information Disclosure Vulnerability
An information disclosure vulnerability has been identified in version 1.9.2 of the Yunfan Learning Examination System by Beijing Yunfan Internet Technology. The issue arises in the Exam Answer Handler component, specifically within the PaperController.java file. The vulnerability allows remote attackers to view answers during the exam process by manipulating input IDs, thereby facilitating cheating.
WP Hait Post Grid Elementor Addon Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the WP Hait Post Grid Elementor Addon, affecting versions through 2.0.18. This vulnerability arises from improper input sanitization during web page generation, allowing malicious scripts to be injected and executed when users visit the affected site.
CoolPlugins Coins MarketCap DOM-Based Cross-Site Scripting Vulnerability
A DOM-based cross-site scripting vulnerability has been identified in the CoolPlugins Coins MarketCap WordPress plugin, affecting versions through 5.5.8. This vulnerability arises from improper input sanitization during web page generation, allowing malicious actors to inject and execute harmful scripts on the site.
Markyis Cool Olivia WordPress Theme Reflected Cross-Site Scripting Vulnerability
A reflected cross-site scripting vulnerability has been identified in the Markyis Cool Olivia WordPress theme, specifically in versions through 0.9.5. This issue allows attackers to inject malicious scripts that are executed when users visit the affected site.
CridioStudio ListingPro Cross-Site Request Forgery Vulnerability Allowing Authentication Bypass
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the CridioStudio ListingPro WordPress theme, specifically in versions through 2.9.4. This vulnerability allows for authentication bypass, enabling attackers to manipulate actions on behalf of users with higher privileges.
Epsiloncool WP Fast Total Search Cross-Site Request Forgery Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Epsiloncool WP Fast Total Search plugin for WordPress, affecting versions through 1.69.234. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.
WordPress i-Transform Theme Cross-Site Request Forgery Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the WordPress i-Transform theme, affecting versions through 3.0.9. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.
Beijing Yunfan Internet Technology Yunfan Learning Examination System Improper Authorization Vulnerability
A critical vulnerability has been identified in version 1.9.2 of the Yunfan Learning Examination System by Beijing Yunfan Internet Technology. The issue arises from the file 'doc.html', which lacks proper access permissions, allowing unauthorized users to view all interfaces. This vulnerability can be exploited remotely.
D-Link DIR-816 A2 Critical Vulnerability in form2NetSniper.cgi Allowing Improper Access Control
A critical vulnerability has been identified in the D-Link DIR-816 A2 router, specifically in version 1.10CNB05_R1B011D88210. The issue arises in the file form2NetSniper.cgi, where improper access controls allow for unauthorized actions to be performed. This vulnerability can be exploited remotely, potentially leading to unauthorized access or manipulation of the device.
ConvertCalculator for WordPress Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the ConvertCalculator plugin for WordPress, affecting versions through 1.1.1. This issue allows attackers to inject malicious scripts that are executed when users visit the affected site.
Fla-shop.com Interactive UK Map Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the Fla-shop.com Interactive UK Map plugin, affecting versions through 3.4.8. This issue arises from improper input neutralization during web page generation, allowing malicious users to inject harmful scripts that are executed when the affected page is viewed.
Sonaar Music MP3 Audio Player Broken Access Control Vulnerability
A broken access control vulnerability has been identified in the Sonaar Music MP3 Audio Player for Music, Radio & Podcast plugin, affecting versions through 5.8. This vulnerability allows users to access functionalities that are not properly restricted by access control lists (ACLs).
Beee ACF City Selector Unrestricted File Upload Vulnerability Allowing Web Shell Upload
A vulnerability allowing unrestricted file upload of dangerous types has been identified in the Beee ACF City Selector WordPress plugin, affecting versions through 1.14.0. This vulnerability could be exploited to upload a web shell to the server, potentially leading to unauthorized access or control over the website.
GS Plugins GS Shots for Dribbble DOM-Based Cross-Site Scripting Vulnerability
A DOM-based cross-site scripting vulnerability has been identified in the GS Shots for Dribbble WordPress plugin, affecting versions through 1.2.0. This issue arises from improper input sanitization during web page generation, allowing malicious actors to inject and execute harmful scripts on the site.
GS Plugins GS Coaches Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the GS Coaches WordPress plugin, affecting versions through 1.1.0. This issue allows for the injection of malicious scripts that could be executed when users visit the affected site.
GS Plugins Project Showcase Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the GS Plugins Project Showcase WordPress plugin, affecting versions through 1.1.1. This vulnerability allows attackers to inject malicious scripts that are executed when users visit the affected site.
