Export limit exceeded: 363775 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (363775 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-58281 | 1 Dotclear | 1 Dotclear | 2026-04-07 | 8.8 High |
| Dotclear 2.29 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the media upload functionality. Attackers can exploit the file upload process by crafting a PHP shell with a command execution form to gain system access through the uploaded file. | ||||
| CVE-2024-58280 | 1 Cmsimple | 1 Cmsimple | 2026-04-07 | 8.8 High |
| CMSimple 5.15 contains a remote command execution vulnerability that allows authenticated attackers to modify file extensions and upload malicious PHP files. Attackers can append ',php' to Extensions_userfiles and upload a shell script to the media directory to execute arbitrary code on the server. | ||||
| CVE-2024-58279 | 1 Apprain | 1 Apprain | 2026-04-07 | 8.8 High |
| appRain CMF 4.0.5 contains an authenticated remote code execution vulnerability that allows administrative users to upload malicious PHP files through the filemanager upload endpoint. Attackers can leverage authenticated access to generate a web shell with command execution capabilities by uploading a crafted PHP file to the site's uploads directory. | ||||
| CVE-2026-5671 | 1 Cyber-iii | 1 Student-management-system | 2026-04-07 | 4.3 Medium |
| A vulnerability was determined in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. Impacted is an unknown function of the file /admin/class%20schedule/delete_batch.php of the component Class Schedule Deletion Endpoint. Executing a manipulation of the argument batch can lead to cross site scripting. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2024-12847 | 1 Netgear | 2 Dgn1000, Dgn1000 Firmware | 2026-04-07 | 9.8 Critical |
| NETGEAR DGN1000 before 1.1.00.48 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can execute arbitrary operating system commands as root by sending crafted HTTP requests to the setup.cgi endpoint. This vulnerability has been observed to be exploited in the wild since at least 2017 and specifically by the Shadowserver Foundation on 2025-02-06 UTC. | ||||
| CVE-2023-7328 | 2 Db Elettronica, Dbbroadcast | 4 Screen Sft Dab 600c, Sft Dab 600/c, Sft Dab 600\/c and 1 more | 2026-04-07 | 5.3 Medium |
| Screen SFT DAB 600/C firmware versions up to and including 1.9.3 contain an improper access control on the user management API allows unauthenticated requests to retrieve structured user data, including account names and connection metadata such as client IP and timeout values. | ||||
| CVE-2023-54335 | 1 Extplorer | 1 Extplorer | 2026-04-07 | 9.8 Critical |
| eXtplorer 2.1.14 contains an authentication bypass vulnerability that allows attackers to login without a password by manipulating the login request. Attackers can exploit this flaw to upload malicious PHP files and execute remote commands on the vulnerable file management system. | ||||
| CVE-2023-53985 | 1 Zippy | 1 Zstore | 2026-04-07 | 6.1 Medium |
| Zstore, now referred to as Zippy CRM, 6.5.4 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through unvalidated input parameters. Attackers can submit crafted payloads in manual insertion points to execute arbitrary JavaScript code in victim's browser context. | ||||
| CVE-2023-53981 | 2 Roxio, Thibaud-rohmer | 2 Photoshow, Photoshow | 2026-04-07 | 7.2 High |
| PhotoShow 3.0 contains a remote code execution vulnerability that allows authenticated administrators to inject malicious commands through the exiftran path configuration. Attackers can exploit the ffmpeg configuration settings by base64 encoding a reverse shell command and executing it through a crafted video upload process. | ||||
| CVE-2023-53978 | 1 Mybb | 1 Mybb | 2026-04-07 | 5.4 Medium |
| myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the forum announcement system that allows authenticated administrators to inject malicious scripts when creating announcements. Attackers can exploit this vulnerability by inserting script payloads in the announcement title field when adding announcements through the 'Forums and Posts' > 'Forum Announcements' interface, causing arbitrary JavaScript to execute when the announcement is displayed on the forum. | ||||
| CVE-2023-53977 | 1 Mybb | 1 Mybb | 2026-04-07 | 5.4 Medium |
| myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the forum management system that allows authenticated administrators to inject malicious scripts when creating new forums. Attackers can exploit this vulnerability by inserting script payloads in the forum title field when adding new forums through the 'Forums and Posts' > 'Forum Management' interface, causing arbitrary JavaScript to execute when the forum listing is viewed. | ||||
| CVE-2023-53976 | 1 Mybb | 1 Mybb | 2026-04-07 | 5.4 Medium |
| myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the template management system that allows authenticated administrators to inject malicious scripts when creating new templates. Attackers can exploit this vulnerability by inserting script payloads in the template title field when adding new templates through the 'Templates and Style' > 'Templates' > 'Manage Templates' > 'Global Templates' interface, causing arbitrary JavaScript to execute when the template is viewed. | ||||
| CVE-2023-53975 | 1 Thedigitalcraft | 1 Atomcms | 2026-04-07 | 7.5 High |
| Atom CMS 2.0 contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries through unvalidated parameters. Attackers can inject malicious SQL code in the 'id' parameter of the admin index page to execute time-based blind SQL injection attacks. | ||||
| CVE-2023-53972 | 1 Webtareas Project | 1 Webtareas | 2026-04-07 | 7.5 High |
| WebTareas 2.4 contains a SQL injection vulnerability in the webTareasSID cookie parameter that allows unauthenticated attackers to manipulate database queries. Attackers can exploit error-based and time-based blind SQL injection techniques to extract database information and potentially access sensitive system data. | ||||
| CVE-2023-53971 | 1 Webtareas Project | 1 Webtareas | 2026-04-07 | 8.8 High |
| WebTareas 2.4 contains a file upload vulnerability that allows authenticated users to upload malicious PHP files through the chat photo upload functionality. Attackers can upload a PHP file with arbitrary code to the /files/Messages/ directory and execute it directly through the generated file path. | ||||
| CVE-2023-53957 | 1 Kimai | 1 Kimai | 2026-04-07 | 9.8 Critical |
| Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session hijacking. | ||||
| CVE-2023-53953 | 1 Websitebaker | 1 Websitebaker | 2026-04-07 | 5.4 Medium |
| WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts when creating web pages. Attackers can craft malicious payloads in page titles that execute arbitrary JavaScript when the page is viewed by other users. | ||||
| CVE-2023-53952 | 1 Dotclear | 1 Dotclear | 2026-04-07 | 8.8 High |
| Dotclear 2.25.3 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension through the blog post creation interface. Attackers can upload files containing PHP system commands that execute when the uploaded file is accessed, enabling arbitrary code execution on the server. | ||||
| CVE-2023-53945 | 1 Brainycp | 1 Brainycp | 2026-04-07 | 8.8 High |
| BrainyCP 1.0 contains an authenticated remote code execution vulnerability that allows logged-in users to inject arbitrary commands through the crontab configuration interface. Attackers can exploit the crontab endpoint by adding a malicious command that spawns a reverse shell to a specified IP and port. | ||||
| CVE-2023-53944 | 2 Easyphp, Microsoft | 2 Webserver, Windows | 2026-04-07 | 6.5 Medium |
| EasyPHP Webserver 14.1 contains a path traversal vulnerability that allows remote users with low privileges to access files outside the document root by bypassing SecurityManager restrictions. Attackers can send GET requests with encoded directory traversal sequences like /..%5c..%5c to read system files such as /windows/win.ini. | ||||