Export limit exceeded: 363715 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (363715 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-47732 1 Cmsimple 1 Cmsimple 2026-04-07 6.1 Medium
CMSimple 5.2 contains a stored cross-site scripting vulnerability in the Filebrowser External input field that allows attackers to inject malicious JavaScript. Attackers can place unfiltered JavaScript code that executes when users click on Page or Files tabs, enabling persistent script injection.
CVE-2021-47731 1 Selea 24 Carplateserver, Izero Box Full, Izero Box Full Firmware and 21 more 2026-04-07 9.8 Critical
Selea Targa IP OCR-ANPR Camera contains a hard-coded developer password vulnerability that allows unauthorized configuration access through an undocumented page. Attackers can exploit the hidden endpoint by using the hard-coded password 'Selea781830' to enable configuration upload and overwrite device settings.
CVE-2021-47730 1 Selea 24 Carplateserver, Izero Box Full, Izero Box Full Firmware and 21 more 2026-04-07 8.8 High
Selea Targa IP OCR-ANPR Camera contains a cross-site request forgery vulnerability that allows attackers to create administrative users without authentication. Attackers can craft a malicious web page that submits a form to add a new admin user with full system privileges when a logged-in user visits the page.
CVE-2021-47729 1 Selea 24 Carplateserver, Izero Box Full, Izero Box Full Firmware and 21 more 2026-04-07 5.4 Medium
Selea Targa IP OCR-ANPR Camera contains a stored cross-site scripting vulnerability in the 'files_list' parameter that allows attackers to inject malicious HTML and script code. Attackers can send a POST request to /cgi-bin/get_file.php with crafted payload to execute arbitrary scripts in victim's browser session.
CVE-2021-47728 1 Selea 24 Carplateserver, Izero Box Full, Izero Box Full Firmware and 21 more 2026-04-07 9.8 Critical
Selea Targa IP OCR-ANPR Camera contains an unauthenticated command injection vulnerability in utils.php that allows remote attackers to execute arbitrary shell commands. Attackers can exploit the 'addr' and 'port' parameters to inject commands and gain www-data user access through chained local file inclusion techniques.
CVE-2021-47727 1 Selea 24 Carplateserver, Izero Box Full, Izero Box Full Firmware and 21 more 2026-04-07 5.3 Medium
Selea Targa IP OCR-ANPR Camera contains an unauthenticated vulnerability that allows remote attackers to access live video streams without authentication. Attackers can directly connect to RTP/RTSP or M-JPEG streams by requesting specific endpoints like p1.mjpg or p1.264 to view camera footage.
CVE-2021-47724 1 Stvs 1 Provision 2026-04-07 6.5 Medium
STVS ProVision 5.9.10 contains a path traversal vulnerability that allows authenticated attackers to access arbitrary files by manipulating the files parameter in the archive download functionality. Attackers can send GET requests to /archive/download with directory traversal sequences to read sensitive system files like /etc/passwd.
CVE-2021-47723 1 Stvs 1 Provision 2026-04-07 8.8 High
STVS ProVision 5.9.10 contains a cross-site request forgery vulnerability that allows attackers to perform actions with administrative privileges by exploiting unvalidated HTTP requests. Attackers can visit malicious web sites to trigger the forge request, allowing them to create new admin users.
CVE-2021-47720 1 Orangescrum 1 Orangescrum 2026-04-07 7.1 High
Orangescrum 1.8.0 contains an authenticated SQL injection vulnerability that allows authorized users to manipulate database queries through multiple vulnerable parameters. Attackers can inject malicious SQL code into parameters like old_project_id, project_id, uuid, and uniqid to potentially extract or modify database information.
CVE-2021-47718 1 Openbmcs 1 Openbmcs 2026-04-07 7.5 High
OpenBMCS 2.4 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive files by exploiting directory listing functionality. Attackers can browse directories like /debug/ and /php/ to discover configuration files, database credentials, and system information.
CVE-2021-47716 1 Orangescrum 1 Orangescrum 2026-04-07 5.4 Medium
Orangescrum 1.8.0 contains multiple cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through various input parameters. Attackers can exploit parameters like 'projid', 'CS_message', and 'name' to execute arbitrary JavaScript code in victim's browsers by submitting crafted payloads through application endpoints.
CVE-2021-47714 1 Hasura 1 Graphql Engine 2026-04-07 5.5 Medium
Hasura GraphQL 1.3.3 contains a local file read vulnerability that allows attackers to access system files through SQL injection in the query endpoint. Attackers can exploit the pg_read_file() PostgreSQL function by crafting malicious SQL queries to read arbitrary files on the server.
CVE-2021-47704 1 Openbmcs 1 Openbmcs 2026-04-07 6.5 Medium
OpenBMCS 2.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting arbitrary SQL code. Attackers can send GET requests to /debug/obix_test.php with malicious 'id' values to extract database information.
CVE-2021-47703 1 Openbmcs 1 Openbmcs 2026-04-07 7.2 High
OpenBMCS 2.4 contains an unauthenticated SSRF vulnerability that allows attackers to bypass firewalls and initiate service and network enumeration on the internal network through the affected application, allowing hijacking of current sessions. Attackers can specify an external domain in the 'ip' parameter to force the application to make an HTTP request to an arbitrary destination host.
CVE-2021-47702 1 Openbmcs 1 Openbmcs 2026-04-07 4.3 Medium
OpenBMCS 2.4 contains a CSRF vulnerability that allows attackers to perform actions with administrative privileges by exploiting the sendFeedback.php endpoint. Attackers can submit malicious requests to trigger unintended actions, such as sending emails or modifying system settings.
CVE-2021-47701 1 Openbmcs 1 Openbmcs 2026-04-07 8.8 High
OpenBMCS 2.4 allows an attacker to escalate privileges from a read user to an admin user by manipulating permissions and exploiting a vulnerability in the update_user_permissions.php script. Attackers can submit a malicious HTTP POST request to PHP scripts in '/plugins/useradmin/' directory.
CVE-2026-5678 1 Totolink 2 A7100ru, A7100ru Firmware 2026-04-07 7.3 High
A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setScheduleCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument mode can lead to os command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.
CVE-2021-4462 2 Employee Records System Project, Skittles 2 Employee Records System, Employee Records System 2026-04-07 9.8 Critical
Employee Records System version 1.0 contains an unrestricted file upload vulnerability that allows a remote unauthenticated attacker to upload arbitrary files via the uploadID.php endpoint; uploaded files can be executed because the application does not perform proper server-side validation. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.
CVE-2020-37119 1 Nsasoft 1 Nsauditor 2026-04-07 9.8 Critical
Nsauditor 3.0.28 and 3.2.1.0 contains a buffer overflow vulnerability in the DNS Lookup tool that allows attackers to execute arbitrary code by overwriting memory. Attackers can craft a malicious DNS query payload to trigger a three-byte overwrite, bypass ASLR, and execute shellcode through a carefully constructed exploit.
CVE-2020-37094 1 Espocrm 1 Espocrm 2026-04-07 9.8 Critical
EspoCRM 5.8.5 contains an authentication vulnerability that allows attackers to access other user accounts by manipulating authorization headers. Attackers can decode and modify Basic Authorization and Espo-Authorization tokens to gain unauthorized access to administrative user information and privileges.