Unknown · CVSS Not scored
jpress 4.2.0 is vulnerable to remote code execution via io.jpress.module.article.kit.ArticleNotifyKit#doSendEmail. The admin panel provides a function through which attackers can edit the email templates and inject some malicious code.
Published Jan 26, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
jpress 4.2.0 is vulnerable to remote code execution via io.jpress.module.page.PageNotifyKit#doSendEmail. The admin panel provides a function through which attackers can edit the email templates and inject some malicious code.
Published Jan 26, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
jpress 4.2.0 is vulnerable to remote code execution via io.jpress.web.admin._TemplateController#doInstall. The admin panel provides a function through which attackers can install templates and inject some malicious code.
Published Jan 26, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
jpress 4.2.0 is vulnerable to RCE via io.jpress.web.admin._TemplateController#doUploadFile. The admin panel provides a function through which attackers can upload templates and inject some malicious code.
Published Jan 26, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
jpress v 4.2.0 is vulnerable to RCE via io.jpress.module.product.ProductNotifyKit#doSendEmail. The admin panel provides a function through which attackers can edit the email templates and inject some malicious code.
Published Jan 26, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
jpress v4.2.0 allows users to register an account by default. With the account, user can upload arbitrary files to the server.
Published Jan 19, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
jpress v4.2.0 is vulnerable to command execution via io.jpress.web.admin._AddonController::doUploadAndInstall.
Published Jan 13, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
jpress v4.2.0 admin panel provides a function through which attackers can modify the template and inject some malicious code.
Published Jan 13, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability in the /goform/activate_process "count" parameter via GET. No authentication is required.
Published Jan 13, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Multiple Tenda devices are affected by authentication bypass, such as AC15V1.0 Firmware V15.03.05.20_multi?AC5V1.0 Firmware V15.03.06.48_multi and so on. an attacker can obtain sensitive information, and even combine it with authenticated command injection to implement RCE.
Published Jan 28, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An information exposure issue has been discovered in Opmantek Open-AudIT 4.2.0. The vulnerability allows an authenticated attacker to read file outside of the restricted directory.
Published Jan 3, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Fluxbb v1.4.12 is affected by a Cross Site Scripting (XSS) vulnerability.
Published Jan 4, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
PrinterLogic Web Stack versions 19.1.1.13 SP9 and below use a hardcoded APP_KEY value, leading to pre-auth remote code execution.
Published Jan 31, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
PrinterLogic Web Stack versions 19.1.1.13 SP9 and below deserializes attacker controlled leading to pre-auth remote code execution.
Published Jan 31, 2022 · Updated Jul 9, 2026
High · CVSS 8.1
Directory traversal vulnerability in Reprise License Manager (RLM) web interface before 14.2BL4 in the diagnostics function that allows RLM users with sufficient privileges to overwrite any file the on the server.
Published Jan 20, 2023 · Updated Jul 9, 2026
Medium · CVSS 6.5
CRLF vulnerability in Reprise License Manager (RLM) web interface through 14.2BL4 in the password parameter in View License Result function, that allows remote attackers to inject arbitrary HTTP headers.
Published Jan 20, 2023 · Updated Jul 9, 2026
Medium · CVSS 6.5
An SSRF issue was discovered in Reprise License Manager (RLM) web interface through 14.2BL4 that allows remote attackers to trigger outbound requests to intranet servers, conduct port scans via the actserver parameter in License Activation function.
Published Jan 20, 2023 · Updated Jul 9, 2026
High · CVSS 7.5
DDOS reflection amplification vulnerability in eAut module of Ruckus Wireless SmartZone controller that allows remote attackers to perform DOS attacks via crafted request.
Published Jan 18, 2023 · Updated Jul 9, 2026
High · CVSS 7.2
Marky 0.0.1 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. Attackers can upload crafted markdown files with embedded JavaScript payloads that execute when the file is opened, potentially enabling remote code execution.
Published Jan 16, 2026 · Updated Jun 30, 2026
High · CVSS 7.5
ASP.NET Core and Visual Studio Denial of Service Vulnerability
Published Jan 12, 2021 · Updated May 28, 2026
Medium · CVSS 6.1
Markdown Explorer 0.1.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through file uploads and editor inputs. Attackers can upload markdown files with embedded JavaScript payloads to execute remote commands and potentially gain system access.
Published Jan 16, 2026 · Updated May 24, 2026
Medium · CVSS 5.4
OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript through user profile parameters. Attackers can exploit the vulnerability by crafting a malicious payload to download and execute a web shell, enabling remote command execution on the vulnerable OpenEMR instance.
Published Jan 21, 2026 · Updated May 24, 2026
Medium · CVSS 6.1
YouPHPTube <= 7.8 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the redirectUri parameter in the signup page. Attackers can craft special signup URLs with embedded script tags to execute arbitrary JavaScript in victims' browsers when they access the signup page.
Published Jan 13, 2026 · Updated May 24, 2026
High · CVSS 8.6
Single Connect does not perform an authorization check when using the sc-reports-ui" module. A remote attacker could exploit this vulnerability to access the device configuration page and export the data to an external file. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information including the database credentials. Since the database runs with high privileges it is possible to execute commands with the attained credentials.
Published Jan 27, 2022 · Updated May 18, 2026
Medium · CVSS 5.3
Single Connect does not perform an authorization check when using the "sc-diagnostic-ui" module. A remote attacker could exploit this vulnerability to access the device information page. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information.
Published Jan 27, 2022 · Updated May 18, 2026
Medium · CVSS 5.3
Single Connect does not perform an authorization check when using the "sc-assigned-credential-ui" module. A remote attacker could exploit this vulnerability to modify users permissions. The exploitation of this vulnerability might allow a remote attacker to delete permissions from other users without authenticating.
Published Jan 27, 2022 · Updated May 18, 2026
Medium · CVSS 5.3
Single Connect does not perform an authorization check when using the "log-monitor" module. A remote attacker could exploit this vulnerability to access the logging interface. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information.
Published Jan 27, 2022 · Updated May 18, 2026
High · CVSS 7.5
CuteEditor for PHP (now referred to as Rich Text Editor) 6.6 contains a directory traversal vulnerability in the browse template feature that allows attackers to write files to arbitrary web root directories. Attackers can exploit the ServerMapPath() function by renaming uploaded HTML files using directory traversal sequences to write files outside the intended template directory.
Published Jan 13, 2026 · Updated May 14, 2026
High · CVSS 8.7
YouPHPTube <= 7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to access arbitrary files by manipulating the 'lang' parameter in GET requests. Attackers can exploit the path traversal flaw in locale/function.php to include and view PHP files outside the intended directory by using directory traversal sequences.
Published Jan 13, 2026 · Updated May 14, 2026
Medium · CVSS 4.8
GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars(), but this can be bypassed by passing dangerous characters as escaped hex bytes. This allows attackers to inject arbitrary client-side code that executes in the administrator's browser when visiting a malicious page.
Published Jan 21, 2026 · Updated May 12, 2026
Medium · CVSS 5.4
Cross-Site Request Forgery (CSRF) vulnerabilities leading to single or bulk e-mail entries deletion discovered in Email Tracker WordPress plugin (versions <= 5.2.6).
Published Jan 19, 2022 · Updated Apr 28, 2026
Medium · CVSS 4.8
Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered in WordPress plugin Download Monitor (versions <= 4.4.6).
Published Jan 14, 2022 · Updated Apr 28, 2026
Medium · CVSS 5.4
The Privilege Escalation vulnerability discovered in the WP Google Map WordPress plugin (versions <= 1.8.0) allows authenticated low-role users to create, edit, and delete maps.
Published Jan 25, 2022 · Updated Apr 28, 2026
Low · CVSS 3.4
Authenticated (admin+) Persistent Cross-Site Scripting (XSS) vulnerability discovered in Download Monitor WordPress plugin (versions <= 4.4.6) Vulnerable parameters: &post_title, &downloadable_file_version[0].
Published Jan 28, 2022 · Updated Apr 28, 2026
Medium · CVSS 6.8
Authenticated (admin+) Arbitrary File Download vulnerability discovered in Download Monitor WordPress plugin (versions <= 4.4.6). The plugin allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the &downloadable_file_urls[0] parameter data. It's also possible to escape from the web server home directory and download any file within the OS.
Published Jan 28, 2022 · Updated Apr 28, 2026
Medium · CVSS 5.4
Cross-Site Request Forgery (CSRF) vulnerability in Alexander Fuchs PHP Everywhere plugin <= 2.0.2 versions.
Published Jan 13, 2022 · Updated Apr 28, 2026
Critical · CVSS 10
The Social Warfare plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 3.5.2 via the 'swp_url' parameter. This allows attackers to execute code on the server.
Published Jan 17, 2024 · Updated Apr 8, 2026
High · CVSS 8.8
PhreeBooks 5.2.3 contains an authenticated file upload vulnerability in the Image Manager that allows remote code execution. Attackers can upload a malicious PHP web shell by exploiting unrestricted file type uploads to gain command execution on the server.
Published Jan 23, 2026 · Updated Apr 7, 2026
Critical · CVSS 9.8
Unified Remote 3.9.0.2463 contains a remote code execution vulnerability that allows attackers to send crafted network packets to execute arbitrary commands. Attackers can exploit the service by connecting to port 9512 and sending specially crafted packets to open a command prompt and download and execute malicious payloads.
Published Jan 23, 2026 · Updated Apr 7, 2026
High · CVSS 7.1
SEO Panel versions prior to 4.9.0 contain a blind SQL injection vulnerability in the archive.php page that allows authenticated attackers to manipulate database queries through the 'order_col' parameter. Attackers can use sqlmap to exploit the vulnerability and extract database information by injecting malicious SQL code into the order column parameter.
Published Jan 21, 2026 · Updated Apr 7, 2026
High · CVSS 8.7
ProFTPD 1.3.7a contains a denial of service vulnerability that allows attackers to overwhelm the server by creating multiple simultaneous FTP connections. Attackers can repeatedly establish connections using threading to exhaust server connection limits and block legitimate user access.
Published Jan 21, 2026 · Updated Apr 7, 2026
High · CVSS 8.5
OSAS Traverse Extension 11 contains an unquoted service path vulnerability in the TravExtensionHostSvc service running with LocalSystem privileges. Attackers can exploit the unquoted path to inject and execute malicious code by placing executable files in the service's path, potentially gaining elevated system access.
Published Jan 21, 2026 · Updated Apr 7, 2026
High · CVSS 8.5
MacPaw Encrypto 1.0.1 contains an unquoted service path vulnerability in its Encrypto Service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files\Encrypto\ to inject malicious executables and escalate privileges on Windows systems.
Published Jan 21, 2026 · Updated Apr 7, 2026
High · CVSS 8.5
GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that allows unauthenticated attackers to inject arbitrary client-side code into administrator browsers. Attackers can craft a malicious website that triggers a cross-site scripting payload to execute remote code on the hosting server when an authenticated administrator visits the page.
Published Jan 21, 2026 · Updated Apr 7, 2026
High · CVSS 8.8
Blitar Tourism 1.0 contains an authentication bypass vulnerability that allows attackers to bypass login by injecting SQL code through the username parameter. Attackers can manipulate the login request by sending a crafted username with SQL injection techniques to gain unauthorized administrative access.
Published Jan 21, 2026 · Updated Apr 7, 2026
High · CVSS 8.8
Digital Crime Report Management System 1.0 contains a critical SQL injection vulnerability affecting multiple login pages that allows unauthenticated attackers to bypass authentication. Attackers can exploit the vulnerability by sending crafted SQL injection payloads in email and password parameters across police, incharge, user, and HQ login endpoints.
Published Jan 21, 2026 · Updated Apr 7, 2026
Medium · CVSS 6.1
Xmind 2020 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into mind mapping files or custom headers. Attackers can craft malicious files with embedded JavaScript that execute system commands when opened, enabling remote code execution through mouse interactions or file opening.
Published Jan 16, 2026 · Updated Apr 7, 2026
Medium · CVSS 5.1
GetSimple CMS My SMTP Contact Plugin 1.1.1 contains a cross-site request forgery (CSRF) vulnerability. Attackers can craft a malicious webpage that, when visited by an authenticated administrator, can change SMTP configuration settings in the plugin. This may allow unauthorized changes but does not directly enable remote code execution.
Published Jan 21, 2026 · Updated Apr 7, 2026
Critical · CVSS 9.8
GravCMS 1.10.7 contains an unauthenticated vulnerability that allows remote attackers to write arbitrary YAML configuration and execute PHP code through the scheduler endpoint. Attackers can exploit the admin-nonce parameter to inject base64-encoded payloads and create malicious custom jobs with system command execution.
Published Jan 15, 2026 · Updated Apr 7, 2026
Medium · CVSS 5.4
Cotonti Siena 0.9.19 contains a stored cross-site scripting vulnerability in the admin configuration panel's site title parameter. Attackers can inject malicious JavaScript code through the 'maintitle' parameter to execute scripts when administrators view the page.
Published Jan 15, 2026 · Updated Apr 7, 2026