LiveActive security incident?Get immediate response
CVE archive

2014 CVE Archive

Browse CVE records published in 2014 CVE Archive, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 8427 matching CVEs · Page 1 of 169.

High · CVSS 8.8

CVE-2014-125125: A10 Networks AX Loadbalancer Path Traversal

A path traversal vulnerability exists in A10 Networks AX Loadbalancer versions 2.6.1-GR1-P5, 2.7.0, and earlier. The vulnerability resides in the handling of the filename parameter in the /xml/downloads endpoint, which fails to properly sanitize user input. An unauthenticated attacker can exploit this flaw by sending crafted HTTP requests containing directory traversal sequences to read arbitrary files outside the intended directory. The files returned by the vulnerable endpoint are deleted from the system after retrieval. This can lead to unauthorized disclosure of sensitive information such as SSL certificates and private keys, as well as unintended file deletion.

Published Jul 31, 2025 · Updated May 15, 2026

Critical · CVSS 10

CVE-2014-125124: Pandora FMS <= 5.0RC1 Anyterm Unauthenticated Command Injection

An unauthenticated remote command execution vulnerability exists in Pandora FMS versions up to and including 5.0RC1 via the Anyterm web interface, which listens on TCP port 8023. The anyterm-module endpoint accepts unsanitized user input via the p parameter and directly injects it into a shell command, allowing arbitrary command execution as the pandora user. In certain versions (notably 4.1 and 5.0RC1), the pandora user can elevate privileges to root without a password using a chain involving the artica user account. This account is typically installed without a password and is configured to run sudo without authentication. Therefore, full system compromise is possible without any credentials.

Published Jul 31, 2025 · Updated May 15, 2026

Critical · CVSS 10

CVE-2014-125123: Kloxo < 6.1.12 Unauthenticated SQL Injection RCE

An unauthenticated SQL injection vulnerability exists in the Kloxo web hosting control panel (developed by LXCenter) prior to version 6.1.12. The flaw resides in the login-name parameter passed to lbin/webcommand.php, which fails to properly sanitize input, allowing an attacker to extract the administrator’s password from the backend database. After recovering valid credentials, the attacker can authenticate to the Kloxo control panel and leverage the Command Center feature (display.php) to execute arbitrary operating system commands as root on the underlying host system. This vulnerability was reported to be exploited in the wild in January 2014.

Published Jul 31, 2025 · Updated May 15, 2026

Critical · CVSS 10

CVE-2014-125115: Pandora FMS ≤ 5.0 SP2 Default Credential SQL Injection RCE

An unauthenticated SQL injection vulnerability exists in Pandora FMS version 5.0 SP2 and earlier. The mobile/index.php endpoint fails to properly sanitize user input in the loginhash_data parameter, allowing attackers to extract administrator credentials or active session tokens via crafted requests. This occurs because input is directly concatenated into an SQL query without adequate validation, enabling SQL injection. After authentication is bypassed, a second vulnerability in the File Manager component permits arbitrary PHP file uploads. The file upload functionality does not enforce MIME-type or file extension restrictions, allowing authenticated users to upload web shells into a publicly accessible directory and achieve remote code execution.

Published Jul 25, 2025 · Updated May 15, 2026

Critical · CVSS 9.2

CVE-2014-125126: Simple E-Document Arbitrary File Upload RCE

An unrestricted file upload vulnerability exists in Simple E-Document versions 3.0 to 3.1 that allows an unauthenticated attacker to bypass authentication by sending a specific cookie header (access=3) with HTTP requests. The application’s upload mechanism fails to restrict file types and does not validate or sanitize user-supplied input, allowing attackers to upload malicious .php scripts. Authentication can be bypassed entirely by supplying a specially crafted cookie (access=3), granting access to the upload functionality without valid credentials. If file uploads are enabled on the server, the attacker can upload a web shell and gain remote code execution with the privileges of the web server user, potentially leading to full system compromise.

Published Jul 31, 2025 · Updated May 14, 2026

High · CVSS 8.4

CVE-2014-125119: WinRAR < 5.00 Filename Spoofing RCE

A filename spoofing vulnerability exists in WinRAR when opening specially crafted ZIP archives. The issue arises due to inconsistencies between the Central Directory and Local File Header entries in ZIP files. When viewed in WinRAR, the file name from the Central Directory is displayed to the user, while the file from the Local File Header is extracted and executed. An attacker can leverage this flaw to spoof filenames and trick users into executing malicious payloads under the guise of harmless files, potentially leading to remote code execution.

Published Jul 25, 2025 · Updated May 14, 2026

Critical · CVSS 9.3

CVE-2014-125113: Dell/Quest KACE K1000 Unauthenticated File Upload RCE

An unrestricted file upload vulnerability exists in Dell (acquired by Quest) KACE K1000 System Management Appliance version 5.0 - 5.3, 5.4 prior to 5.4.76849, and 5.5 prior to 5.5.90547 in the download_agent.php endpoint. An attacker can upload arbitrary PHP files to a temporary web-accessible directory, which are later executed through inclusion in backend code that loads files under attacker-controlled paths.

Published Aug 5, 2025 · Updated May 14, 2026

Medium · CVSS 5.3

CVE-2014-125122: Linksys WRT120N tmUnblock.cgi Stack-Based Buffer Overflow Admin Password Reset

A stack-based buffer overflow vulnerability exists in the tmUnblock.cgi endpoint of the Linksys WRT120N wireless router. The vulnerability is triggered by sending a specially crafted HTTP POST request with an overly long TM_Block_URL parameter to the endpoint. By exploiting this flaw, an unauthenticated remote attacker can overwrite memory in a controlled manner, enabling them to temporarily reset the administrator password of the device to a blank value. This grants unauthorized access to the router’s web management interface without requiring valid credentials.

Published Jul 31, 2025 · Updated Apr 7, 2026

Critical · CVSS 10

CVE-2014-125121: Array Networks vAPV and vxAG Default Credential Privilege Escalation

Array Networks vAPV (version 8.3.2.17) and vxAG (version 9.2.0.34) appliances are affected by a privilege escalation vulnerability caused by a combination of hardcoded SSH credentials (or SSH private key) and insecure permissions on a startup script. The devices ship with a default SSH login or a hardcoded DSA private key, allowing an attacker to authenticate remotely with limited privileges. Once authenticated, an attacker can overwrite the world-writable /ca/bin/monitor.sh script with arbitrary commands. Since this script is executed with elevated privileges through the backend binary, enabling the debug monitor via backend -c "debug monitor on" triggers execution of the attacker's payload as root. This allows full system compromise.

Published Jul 31, 2025 · Updated Apr 7, 2026

Critical · CVSS 9.4

CVE-2014-125118: eScan 5.5-2 Web Management Console Command Injection

A command injection vulnerability exists in the eScan Web Management Console version 5.5-2. The application fails to properly sanitize the 'pass' parameter when processing login requests to login.php, allowing an authenticated attacker with a valid username to inject arbitrary commands via a specially crafted password value. Successful exploitation results in remote code execution. Privilege escalation to root is possible by abusing the runasroot utility with mwconf-level privileges.

Published Jul 25, 2025 · Updated Apr 7, 2026

Critical · CVSS 9.3

CVE-2014-125117: D-Link info.cgi POST Request Stack-Based Buffer Overflow RCE

A stack-based buffer overflow vulnerability in the my_cgi.cgi component of certain D-Link devices, including the DSP-W215 version 1.02, can be exploited via a specially crafted HTTP POST request to the /common/info.cgi endpoint. This flaw enables an unauthenticated attacker to achieve remote code execution with system-level privileges.

Published Jul 25, 2025 · Updated Apr 7, 2026

Critical · CVSS 9.3

CVE-2014-125116: HybridAuth 2.0.9 - 2.2.2 Unauthenticated RCE via install.php Configuration Injection

A remote code execution vulnerability exists in HybridAuth versions 2.0.9 through 2.2.2 due to insecure use of the install.php installation script. The script remains accessible after deployment and fails to sanitize input before writing to the application’s config.php file. An unauthenticated attacker can inject arbitrary PHP code into config.php, which is later executed when the file is loaded. This allows attackers to achieve remote code execution on the server. Exploitation of this issue will overwrite the existing configuration, rendering the application non-functional.

Published Jul 25, 2025 · Updated Apr 7, 2026

High · CVSS 8.4

CVE-2014-125114: i-Ftp 2.20 Schedule.xml Stack-Based Buffer Overflow

A stack-based buffer overflow vulnerability exists in i-Ftp version 2.20 due to improper handling of the Time attribute within Schedule.xml. By placing a specially crafted Schedule.xml file in the i-Ftp application directory, a remote attacker can trigger a buffer overflow during scheduled download parsing, potentially leading to arbitrary code execution or a crash.

Published Jul 25, 2025 · Updated Apr 7, 2026

Critical · CVSS 9.8

CVE-2014-125112: Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution

Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.

Published Mar 26, 2026 · Updated Mar 26, 2026

High · CVSS 8.8

CVE-2014-6278: GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment v...

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.

Published Sep 30, 2014 · Updated Dec 30, 2025

Critical · CVSS 10

CVE-2014-5419: GE Multilink Use of Hard-coded Cryptographic Key

GE Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware 4.2.1 and earlier and Multilink ML810, ML3000, and ML3100 switches with firmware 5.2.0 and earlier use the same RSA private key across different customers' installations, which makes it easier for remote attackers to obtain the cleartext content of network traffic by reading this key from a firmware image and then sniffing the network.

Published Jan 17, 2015 · Updated Nov 4, 2025

Medium · CVSS 5

CVE-2014-5418: GE Multilink Uncontrolled Resource Consumption

GE Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware 4.2.1 and earlier and Multilink ML810, ML3000, and ML3100 switches with firmware 5.2.0 and earlier allow remote attackers to cause a denial of service (resource consumption or reboot) via crafted packets.

Published Jan 17, 2015 · Updated Nov 4, 2025

High · CVSS 7.5

CVE-2014-5417: Meinberg Radio Clocks LANTIME M-Series

Cross-site scripting (XSS) vulnerability in Meinberg NTP Server firmware on LANTIME M-Series devices 6.15.019 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published Nov 5, 2014 · Updated Nov 4, 2025

High · CVSS 7.1

CVE-2014-5410: Rockwell Automation Micrologix 1400 Improper Input Validation

The DNP3 feature on Rockwell Automation Allen-Bradley MicroLogix 1400 1766-Lxxxxx A FRN controllers 7 and earlier and 1400 1766-Lxxxxx B FRN controllers before 15.001 allows remote attackers to cause a denial of service (process disruption) via malformed packets over (1) an Ethernet network or (2) a serial line.

Published Oct 3, 2014 · Updated Nov 4, 2025

Medium · CVSS 6.4

CVE-2014-5409: GE Hydran M2 Predictable Value Range from Previous Values

The 17046 Ethernet card before 94450214LFMT100SEM-L.R3-CL for the GE Digital Energy Hydran M2 does not properly generate random values for TCP Initial Sequence Numbers (ISNs), which makes it easier for remote attackers to spoof packets by predicting these values.

Published Mar 14, 2015 · Updated Nov 3, 2025

Medium · CVSS 4.1

CVE-2014-5407: Schneider Electric VAMPSET Stack-based Buffer Overflow

Multiple stack-based buffer overflows in Schneider Electric VAMPSET 2.2.136 and earlier allow local users to cause a denial of service (application halt) via a malformed (1) setting file or (2) disturbance recording file.

Published Sep 15, 2014 · Updated Nov 3, 2025

High · CVSS 7.5

CVE-2014-5408: Nordex NC2 Cross-site Scripting

Cross-site scripting (XSS) vulnerability in the login script in the Wind Farm Portal on Nordex Control 2 (NC2) SCADA devices 15 and earlier allows remote attackers to inject arbitrary web script or HTML via the username parameter.

Published Nov 5, 2014 · Updated Nov 3, 2025

High · CVSS 7.6

CVE-2014-5406: Hospira LifeCare PCA Infusion System

The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port. NOTE: this issue might overlap CVE-2015-3459.

Published Jul 6, 2015 · Updated Nov 3, 2025

Medium · CVSS 6.8

CVE-2014-5400: Hospira MedNet Password in Configuration File

The installation component in Hospira MedNet before 6.1 places cleartext credentials in configuration files, which allows local users to obtain sensitive information by reading a file.

Published Apr 3, 2015 · Updated Nov 3, 2025

Critical · CVSS 9

CVE-2014-5405: Hospira MedNet Use of Hard-coded Password

Hospira MedNet before 6.1 uses a hardcoded cleartext password to control SQL database authorization, which allows remote authenticated users to bypass intended access restrictions by leveraging knowledge of this password.

Published Apr 3, 2015 · Updated Nov 3, 2025

Medium · CVSS 6.8

CVE-2014-5403: Hospira MedNet Use of Hard-coded Cryptographic Key

Hospira MedNet before 6.1 uses hardcoded cryptographic keys for protection of data transmission from infusion pumps, which allows remote attackers to obtain sensitive information by sniffing the network.

Published Apr 3, 2015 · Updated Nov 3, 2025

Critical · CVSS 10

CVE-2014-5401: Hospira MedNet Code Injection

Hospira MedNet software version 5.8 and prior uses vulnerable versions of the JBoss Enterprise Application Platform software that may allow unauthenticated users to execute arbitrary code on the target system. Hospira has developed a new version of the MedNet software, MedNet 6.1. Existing versions of MedNet can be upgraded to MedNet 6.1.

Published Mar 26, 2019 · Updated Nov 3, 2025

High · CVSS 7.5

CVE-2014-5399: Schneider Electric Wonderware SQL Injection

SQL injection vulnerability in Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Published Aug 28, 2014 · Updated Oct 31, 2025

Low · CVSS 2.1

CVE-2014-5398: Schneider Electric Wonderware Input Validation

Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 allows remote attackers to read arbitrary files or cause a denial of service via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Published Aug 28, 2014 · Updated Oct 31, 2025

High · CVSS 7.5

CVE-2014-5397: Schneider Electric Wonderware Cross-site Scripting

Cross-site scripting (XSS) vulnerability in Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published Aug 28, 2014 · Updated Oct 31, 2025

Medium · CVSS 6.2

CVE-2014-2349: Emerson DeltaV Use of Improper Authorization

Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program.

Published May 22, 2014 · Updated Oct 31, 2025

Low · CVSS 2.4

CVE-2014-2350: Emerson DeltaV Use of Hard-coded Credentials

Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program.

Published May 22, 2014 · Updated Oct 31, 2025

High · CVSS 8.8 · CISA KEV

CVE-2014-0502: Double free vulnerability in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0...

Double free vulnerability in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in February 2014.

Published Feb 21, 2014 · Updated Oct 22, 2025