Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.4.0 and 7.4.1 allows remote attackers to inject arbitrary web script or HTML into the management toolbar search via the `keywords` parameter. This issue is caused by an incomplete fix in CVE-2021-35463.
Published Mar 2, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Server module's script console in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 20 and 7.2 before fix pack 10 allows remote attackers to inject arbitrary web script or HTML via the output of a script.
Published Mar 2, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A cross-site scripting (XSS) vulnerability in the fileNameStr parameter of jQuery-Upload-File v4.0.11 allows attackers to execute arbitrary web scripts or HTML via a crafted file with a Javascript payload in the file name.
Published Feb 25, 2022 · Updated Jul 9, 2026
High · CVSS 8.1
Directory traversal vulnerability in Reprise License Manager (RLM) web interface before 14.2BL4 in the diagnostics function that allows RLM users with sufficient privileges to overwrite any file the on the server.
Published Jan 20, 2023 · Updated Jul 9, 2026
Medium · CVSS 6.5
CRLF vulnerability in Reprise License Manager (RLM) web interface through 14.2BL4 in the password parameter in View License Result function, that allows remote attackers to inject arbitrary HTTP headers.
Published Jan 20, 2023 · Updated Jul 9, 2026
Medium · CVSS 6.5
An SSRF issue was discovered in Reprise License Manager (RLM) web interface through 14.2BL4 that allows remote attackers to trigger outbound requests to intranet servers, conduct port scans via the actserver parameter in License Activation function.
Published Jan 20, 2023 · Updated Jul 9, 2026
High · CVSS 7.5
An issue discovered in src/wallet/wallet.cpp in Ravencoin Core 4.3.2.1 and earlier allows attackers to view sensitive information via CWallet::CreateTransactionAll() function.
Published Feb 7, 2023 · Updated Jul 9, 2026
High · CVSS 7.5
An issue discovered in src/wallet/wallet.cpp in Dogecoin Project Dogecoin Core 1.14.3 and earlier allows attackers to view sensitive information via CWallet::CreateTransaction() function.
Published Feb 7, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because xi-sys.cfg is being imported from the var directory for some scripts with elevated permissions.
Published Aug 13, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Nagios Enterprises NagiosXI <= 5.8.4 contains a Server-Side Request Forgery (SSRF) vulnerability in schedulereport.php. Any authenticated user can create scheduled reports containing PDF screenshots of any view in the NagiosXI application. Due to lack of input sanitisation, the target page can be replaced with an SSRF payload to access internal resources or disclose local system files.
Published Oct 5, 2021 · Updated Jul 9, 2026
Medium · CVSS 5.4
Cross Site Scripting (XSS) vulnerability in yzmcms 6.1 allows attackers to steal user cookies via image clipping function.
Published Feb 3, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Pandora FMS through 755 allows XSS via a new Event Filter with a crafted name.
Published Nov 3, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
With an admin account, the .htaccess file in Artica Pandora FMS <=755 can be overwritten with the File Manager component. The new .htaccess file contains a Rewrite Rule with a type definition. A normal PHP file can be uploaded with this new "file type" and the code can be executed with an HTTP request.
Published Nov 3, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
URL injection in Driva inSync 6.9.0 for MacOS, allows attackers to force a visit to an arbitrary url via the port parameter to the Electron App.
Published Jul 11, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Command injection vulnerability in Druva inSync 6.9.0 for MacOS, allows attackers to execute arbitrary commands via crafted payload to the local HTTP server due to un-sanitized call to the python os.system library.
Published Jul 11, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An issue was discovered in Druva 6.9.0 for MacOS, allows attackers to gain escalated local privileges via the inSyncDecommission.
Published Jul 11, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An issue was discovered in Druva 6.9.0 for macOS, allows attackers to gain escalated local privileges via the inSyncUpgradeDaemon.
Published Jul 11, 2022 · Updated Jul 9, 2026
High · CVSS 7.5
DDOS reflection amplification vulnerability in eAut module of Ruckus Wireless SmartZone controller that allows remote attackers to perform DOS attacks via crafted request.
Published Jan 18, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
In Kooboo CMS 2.1.1.0, it is possible to upload a remote shell (e.g., aspx) to the server and then call upon it to receive a reverse shell from the victim server. The files are uploaded to /Content/Template/root/reverse-shell.aspx and can be simply triggered by browsing that URL.
Published Sep 14, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Kooboo CMS 2.1.1.0 is vulnerable to Insecure file upload. It is possible to upload any file extension to the server. The server does not verify the extension of the file and the tester was able to upload an aspx to the server.
Published Sep 14, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Open Redirect vulnerability exists in IceWarp MailServer IceWarp Server Deep Castle 2 Update 1 (13.0.1.2) via the referer parameter.
Published Jul 27, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An issue was discovered in function scanallsubs in src/sbbs3/scansubs.cpp in Synchronet BBS, which may allow attackers to view sensitive information due to an uninitialized value.
Published Oct 19, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
VeryFitPro (com.veryfit2hr.second) 3.2.8 hashes the account's password locally on the device and uses the hash to authenticate in all communication with the backend API, including login, registration and changing of passwords. This allows an attacker in possession of a hash to takeover a user's account, rendering the benefits of storing hashed passwords in the database useless.
Published Apr 25, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Verint Workforce Optimization (WFO) 15.2.8.10048 allows XSS via the control/my_notifications NEWUINAV parameter.
Published Dec 15, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
In Teradici PCoIP Management Console-Enterprise 20.07.0, an unauthenticated user can inject arbitrary text into user browser via the Web application.
Published Jul 7, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Server Side Request Forgery vulnerability found in Deskpro Support Desk v2021.21.6 allows attackers to execute arbitrary code via a crafted URL.
Published Jul 21, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Cross Site Scripting vulnerability found in VICIdial v2.14-610c and v.2.10-415c allows attackers execute arbitrary code via the /agc/vicidial.php, agc/vicidial-greay.php, and /vicidial/KHOMP_admin.php parameters.
Published Mar 6, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
NTFS-3G versions < 2021.8.22, when a specially crafted NTFS attribute from the MFT is setup in the function ntfs_attr_setup_flag, a heap buffer overflow can occur allowing for code execution and escalation of privileges.
Published Sep 7, 2021 · Updated Jul 9, 2026
Medium · CVSS 6.7
In NTFS-3G versions < 2021.8.22, when a specially crafted NTFS inode is loaded in the function ntfs_inode_real_open, a heap buffer overflow can occur allowing for code execution and escalation of privileges.
Published Sep 7, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
NTFS-3G versions < 2021.8.22, a stack buffer overflow can occur when correcting differences in the MFT and MFTMirror allowing for code execution or escalation of privileges when setuid-root.
Published Sep 7, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
In NTFS-3G versions < 2021.8.22, when a specially crafted NTFS inode pathname is supplied in an NTFS image a heap buffer overflow can occur resulting in memory disclosure, denial of service and even code execution.
Published Sep 7, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
D-Link DIR-2640-US 1.01B04 is affected by Insufficiently Protected Credentials. D-Link AC2600(DIR-2640) stores the device system account password in plain text. It does not use linux user management. In addition, the passwords of all devices are the same, and they cannot be modified by normal users. An attacker can easily log in to the target router through the serial port and obtain root privileges.
Published Jun 16, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
D-Link DIR-2640-US 1.01B04 is vulnerable to Incorrect Access Control. Router ac2600 (dir-2640-us), when setting PPPoE, will start quagga process in the way of whole network monitoring, and this function uses the original default password and port. An attacker can easily use telnet to log in, modify routing information, monitor the traffic of all devices under the router, hijack DNS and phishing attacks. In addition, this interface is likely to be questioned by customers as a backdoor, because the interface should not be exposed.
Published Jun 16, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
There are multiple out-of-bounds vulnerabilities in some processes of D-Link AC2600(DIR-2640) 1.01B04. Ordinary permissions can be elevated to administrator permissions, resulting in local arbitrary code execution. An attacker can combine other vulnerabilities to further achieve the purpose of remote code execution.
Published Jun 16, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
D-Link DIR-2640-US 1.01B04 is vulnerable to Buffer Overflow. There are multiple out-of-bounds vulnerabilities in some processes of D-Link AC2600(DIR-2640). Local ordinary users can overwrite the global variables in the .bss section, causing the process crashes or changes.
Published Jun 16, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
WinWaste.NET version 1.0.6183.16475 has incorrect permissions, allowing a local unprivileged user to replace the executable with a malicious file that will be executed with "LocalSystem" privileges.
Published Jul 8, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Insecure direct object reference (IDOR) vulnerability in ICREM H8 SSRMS allows attackers to disclose sensitive information via the Print Invoice Functionality.
Published Nov 10, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A stored cross-site scripting (XSS) vulnerability was discovered in the Web Interface for OpenWRT LuCI version 19.07 which allows attackers to inject arbitrary Javascript in the OpenWRT Hostname via the Hostname Change operation.
Published May 25, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
In NTFS-3G versions < 2021.8.22, when a specially crafted MFT section is supplied in an NTFS image a heap buffer overflow can occur and allow for code execution.
Published Sep 7, 2021 · Updated Jul 9, 2026
Medium · CVSS 6.7
In NTFS-3G versions < 2021.8.22, when specially crafted NTFS attributes are read in the function ntfs_attr_pread_i, a heap buffer overflow can occur and allow for writing to arbitrary memory or denial of service of the application.
Published Sep 7, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
In NTFS-3G versions < 2021.8.22, when a specially crafted unicode string is supplied in an NTFS image a heap buffer overflow can occur and allow for code execution.
Published Sep 7, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Several web interfaces in D-Link DIR-868LW 1.12b have no authentication requirements for access, allowing for attackers to obtain users' DNS query history.
Published Oct 31, 2021 · Updated Jul 9, 2026
Medium · CVSS 5.4
Cross Site Scripting (XSS) vulnerability in New equipment page in EasyVista Service Manager 2018.1.181.1 allows remote attackers to run arbitrary code via the notes field.
Published Oct 20, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
File upload vulnerability in Umbraco Forms v.8.7.0 allows unauthenticated attackers to execute arbitrary code via a crafted web.config and asp file.
Published Feb 24, 2023 · Updated Jul 9, 2026
High · CVSS 7.8
Beijing Feishu Technology Co., Ltd Feishu v3.40.3 was discovered to contain an untrusted search path vulnerability.
Published Oct 18, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
CASAP Automated Enrollment System 1.0 is affected by cross-site scripting (XSS) in users.php. An attacker can steal a cookie to perform user redirection to a malicious website.
Published Feb 8, 2021 · Updated Jul 9, 2026
Unknown · CVSS Not scored
TripSpark VEO Transportation-2.2.x-XP_BB-20201123-184084 NovusEDU-2.2.x-XP_BB-20201123-184084 allows unsafe data inputs in POST body parameters from end users without sanitizing using server-side logic. It was possible to inject custom SQL commands into the "Student Busing Information" search queries.
Published Aug 29, 2023 · Updated Jul 9, 2026
High · CVSS 7.8
EXEMSI MSI Wrapper Versions prior to 10.0.50 and at least since version 6.0.91 will introduce a local privilege escalation vulnerability in installers it creates.
Published Dec 13, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Cross Site Scripting vulnerability in IRZ Electronics RUH2 GSM router allows attacker to obtain sensitive information via the Upload File parameter.
Published Feb 27, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Chevereto before 3.17.1 allows Cross Site Scripting (XSS) via an image title at the image upload stage.
Published Jun 30, 2021 · Updated Jul 9, 2026