Export limit exceeded: 366649 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (366649 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-58301 1 Purei 1 Cms 2026-04-15 N/A
Purei CMS 1.0 contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through unfiltered user input parameters. Attackers can exploit vulnerable endpoints like getAllParks.php and events-ajax.php by injecting crafted SQL payloads to potentially extract or modify database information.
CVE-2024-58292 2 Xmb Forum, Xmbforum2 2 Xmb, Xmb 2026-04-15 N/A
XMB Forum 1.9.12.06 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript into templates and front page settings. Attackers can insert XSS payloads in footer templates and news ticker fields, enabling script execution for all forum users when pages are rendered.
CVE-2024-58293 1 Akaunting 1 Akaunting 2026-04-15 N/A
Akaunting 3.1.8 contains a server-side template injection vulnerability that allows authenticated administrators to execute template expressions in multiple form input fields. Attackers can inject template payloads in items, taxes, transactions, and vendor name fields to perform arithmetic operations and string manipulations.
CVE-2024-58295 1 Elkarte 1 Forum 2026-04-15 N/A
ElkArte Forum 1.1.9 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the theme installation process. Attackers can upload a ZIP archive with a PHP file containing system commands, which can then be executed by accessing the uploaded file in the theme directory.
CVE-2024-58298 1 Bmc 1 Compuware Istrobe Web 2026-04-15 N/A
Compuware iStrobe Web 20.13 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to upload malicious JSP files through a path traversal in the file upload form. Attackers can exploit the 'fileName' parameter to upload a web shell and execute arbitrary commands by sending POST requests to the uploaded JSP endpoint.
CVE-2024-58299 2 Pcman, Wftpserver 2 Ftp Server, Wing Ftp Server 2026-04-15 9.8 Critical
PCMan FTP Server 2.0 contains a buffer overflow vulnerability in the 'pwd' command that allows remote attackers to execute arbitrary code. Attackers can send a specially crafted payload during the FTP login process to overwrite memory and potentially gain system access.
CVE-2024-5829 2026-04-15 3.5 Low
A vulnerability classified as problematic was found in smallweigit Avue up to 3.4.4. Affected by this vulnerability is an unknown functionality of the component avueUeditor. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-267895. NOTE: The code maintainer explains, that "rich text is no longer maintained".
CVE-2024-58288 2 Genexus, Microsoft 2 Protection Server, Windows 2026-04-15 N/A
Genexus Protection Server 9.7.2.10 contains an unquoted service path vulnerability in the protsrvservice Windows service configuration. Attackers can exploit the unquoted binary path to execute arbitrary code with elevated LocalSystem privileges by placing malicious executables in specific file system locations.
CVE-2024-58286 1 Vexorian 1 Dizquetv 2026-04-15 N/A
dizqueTV 1.5.3 contains a remote code execution vulnerability that allows attackers to inject arbitrary commands through the FFMPEG Executable Path settings. Attackers can modify the executable path with shell commands to read system files like /etc/passwd by exploiting improper input validation.
CVE-2024-58277 1 R Radio Network 1 Radio Network Fm Transmitter 2026-04-15 N/A
R Radio Network FM Transmitter 1.07 allows unauthenticated attackers to access the admin user's password through the system.cgi endpoint, enabling authentication bypass and FM station setup access.
CVE-2024-58276 2026-04-15 N/A
Obi08/Enrollment System 1.0 contains a SQL injection vulnerability in the keyword parameter of /get_subject.php that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can use UNION-based injection to extract sensitive information from the users table including usernames and passwords.
CVE-2024-58274 1 Hikvision 1 Isecure Center 2026-04-15 8.3 High
Hikvision CSMP (Comprehensive Security Management Platform) iSecure Center through 2024-08-01 allows execution of a command within $( ) in /center/api/installation/detection JSON data, as exploited in the wild in 2024 and 2025.
CVE-2024-5827 1 Vanna-ai 1 Vanna 2026-04-15 N/A
Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents `<?php system($_GET[0]); ?>`. This can lead to command execution or the creation of backdoors.
CVE-2024-58269 1 Suse 1 Rancher 2026-04-15 4.3 Medium
A vulnerability has been identified in Rancher Manager, where sensitive information, including secret data, cluster import URLs, and registration tokens, is exposed to any entity with access to Rancher audit logs.
CVE-2024-58267 2 Rancher, Suse 2 Rancher, Rancher 2026-04-15 8 High
A vulnerability has been identified within Rancher Manager whereby the SAML authentication from the Rancher CLI tool is vulnerable to phishing attacks. The custom authentication protocol for SAML-based providers can be abused to steal Rancher’s authentication tokens.
CVE-2024-58260 2 Rancher, Suse 2 Rancher, Rancher 2026-04-15 7.6 High
A vulnerability has been identified within Rancher Manager where a missing server-side validation on the `.username` field in Rancher can allow users with update permissions on other User resources to cause denial of access for targeted accounts.
CVE-2024-5826 1 Vanna-ai 1 Vanna 2026-04-15 N/A
In the latest version of vanna-ai/vanna, the `vanna.ask` function is vulnerable to remote code execution due to prompt injection. The root cause is the lack of a sandbox when executing LLM-generated code, allowing an attacker to manipulate the code executed by the `exec` function in `src/vanna/base/base.py`. This vulnerability can be exploited by an attacker to achieve remote code execution on the app backend server, potentially gaining full control of the server.
CVE-2024-58259 1 Suse 1 Rancher 2026-04-15 8.2 High
A vulnerability has been identified within Rancher Manager in which it did not enforce request body size limits on certain public (unauthenticated) and authenticated API endpoints. This allows a malicious user to exploit this by sending excessively large payloads, which are fully loaded into memory during processing, leading to Denial of Service (DoS).
CVE-2024-58258 1 Sugarcrm 1 Sugarcrm 2026-04-15 7.2 High
SugarCRM before 13.0.4 and 14.x before 14.0.1 allows SSRF in the API module because a limited type of code injection can occur.
CVE-2024-58249 1 Wxwidgets 1 Wxwidgets 2026-04-15 3.7 Low
In wxWidgets before 3.2.7, a crash can be triggered in wxWidgets apps when connections are refused in wxWebRequestCURL.