Export limit exceeded: 364840 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (364840 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-37818 1 Strapi 1 Strapi 2025-06-20 8.6 High
Strapi v4.24.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /strapi.io/_next/image. This vulnerability allows attackers to scan for open ports or access sensitive information via a crafted GET request. NOTE: The Strapi Development Community argues that this issue is not valid. They contend that "the strapi/admin was wrongly attributed a flaw that only pertains to the strapi.io website, and which, at the end of the day, does not pose any real SSRF risk to applications that make use of the Strapi library."
CVE-2024-37081 1 Vmware 2 Cloud Foundation, Vcenter Server 2025-06-20 7.8 High
The vCenter Server contains multiple local privilege escalation vulnerabilities due to misconfiguration of sudo. An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on vCenter Server Appliance.
CVE-2024-38467 2 Guoxinled, Shenzen 2 Synthesis Image System, Guoxin Synthesis Image System 2025-06-20 7.5 High
Shenzhen Guoxin Synthesis image system before 8.3.0 allows unauthorized user information retrieval via the queryUser API.
CVE-2022-43216 1 Abrhil 2 Employees Portal, Lista De Asistencia 2025-06-20 9.1 Critical
AbrhilSoft Employee's Portal before v5.6.2 was discovered to contain a SQL injection vulnerability in the login page.
CVE-2024-29390 2 Anuj Kumar, Anujk305 2 Daily Expenses Management System, Daily Expenses Management System 2025-06-20 7.3 High
Daily Expenses Management System version 1.0, developed by PHP Gurukul, contains a time-based blind SQL injection vulnerability in the 'add-expense.php' page. An attacker can exploit the 'item' parameter in a POST request to execute arbitrary SQL commands in the backend database. This can be done by injecting specially crafted SQL queries that make the database perform time-consuming operations, thereby confirming the presence of the SQL injection vulnerability based on the delay in the server's response.
CVE-2024-38951 1 Dronecode 1 Px4 Drone Autopilot 2025-06-20 6.5 Medium
A buffer overflow in PX4-Autopilot v1.12.3 allows attackers to cause a Denial of Service (DoS) via a crafted MavLink message.
CVE-2024-38952 1 Dronecode 1 Px4 Drone Autopilot 2025-06-20 7.5 High
PX4-Autopilot v1.14.3 was discovered to contain a buffer overflow via the topic_name parameter at /logger/logged_topics.cpp.
CVE-2024-46340 1 Tp-link 2 Tl-wr845n, Tl-wr845n Firmware 2025-06-20 9.8 Critical
TL-WR845N(UN)_V4_201214, TP-Link TL-WR845N(UN)_V4_200909, and TL-WR845N(UN)_V4_190219 was discovered to transmit user credentials in plaintext after executing a factory reset.
CVE-2024-46341 1 Tp-link 2 Tl-wr845n, Tl-wr845n Firmware 2025-06-20 8 High
TP-Link TL-WR845N(UN)_V4_190219 was discovered to transmit credentials in base64 encoded form, which can be easily decoded by an attacker executing a man-in-the-middle attack.
CVE-2024-56072 1 Pavel-odintsov 1 Fastnetmon 2025-06-20 7.5 High
An issue was discovered in FastNetMon Community Edition through 1.2.7. The sFlow v5 plugin allows remote attackers to cause a denial of service (application crash) via a crafted packet that specifies many sFlow samples.
CVE-2024-56073 1 Pavel-odintsov 1 Fastnetmon 2025-06-20 7.5 High
An issue was discovered in FastNetMon Community Edition through 1.2.7. Zero-length templates for Netflow v9 allow remote attackers to cause a denial of service (divide-by-zero error and application crash).
CVE-2024-56084 1 Logpoint 1 Universal Normalizer 2025-06-20 7.1 High
An issue was discovered in Logpoint UniversalNormalizer before 5.7.0. Authenticated users can inject payloads while creating Universal Normalizer. These are executed, leading to Remote Code Execution.
CVE-2024-54887 1 Tp-link 2 Tl-wr940n, Tl-wr940n Firmware 2025-06-20 8 High
TP-Link TL-WR940N V3 and V4 with firmware 3.16.9 and earlier contain a buffer overflow via the dnsserver1 and dnsserver2 parameters at /userRpm/Wan6to4TunnelCfgRpm.htm. This vulnerability allows an authenticated attacker to execute arbitrary code on the remote device in the context of the root user.
CVE-2024-55224 1 Dani-garcia 1 Vaultwarden 2025-06-20 9.6 Critical
An HTML injection vulnerability in Vaultwarden prior to v1.32.5 allows attackers to execute arbitrary code via injecting a crafted payload into the username field of an e-mail message.
CVE-2024-55225 1 Dani-garcia 1 Vaultwarden 2025-06-20 9.8 Critical
An issue in the component src/api/identity.rs of Vaultwarden prior to v1.32.5 allows attackers to impersonate users, including Administrators, via a crafted authorization request.
CVE-2024-37776 1 Sunbirddcim 1 Dctrack 2025-06-20 4.8 Medium
A cross-site scripting (XSS) vulnerability in Sunbird DCIM dcTrack v9.1.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in some admin screens.
CVE-2024-37775 1 Sunbirddcim 1 Dctrack 2025-06-20 7.5 High
Incorrect access control in Sunbird DCIM dcTrack v9.1.2 allows attackers to create or update a ticket with a location which bypasses an RBAC check.
CVE-2024-37774 1 Sunbirddcim 1 Dctrack 2025-06-20 8 High
A Cross-Site Request Forgery (CSRF) in Sunbird DCIM dcTrack v9.1.2 allows authenticated attackers to escalate their privileges by forcing an Administrator user to perform sensitive requests in some admin screens.
CVE-2024-23347 1 Facebook 1 Meta Spark Studio 2025-06-20 7.8 High
Prior to v176, when opening a new project Meta Spark Studio would execute scripts defined inside of a package.json file included as part of that project. Those scripts would have the ability to execute arbitrary code on the system as the application.
CVE-2024-22714 1 Codelyfe 1 Stupid Simple Cms 2025-06-20 6.1 Medium
Stupid Simple CMS <=1.2.4 is vulnerable to Cross Site Scripting (XSS) in the editing section of the article content.