Medium · CVSS 6.1
A cross-site scripting (XSS) vulnerability in the check_login function of SIPE s.r.l WI400 between version 8 and 11 included allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the f parameter.
Published Mar 10, 2023 · Updated Jul 9, 2026
Medium · CVSS 5.4
Softr v2.0 was discovered to contain a HTML injection vulnerability via the Work Space Name parameter.
Published Feb 6, 2023 · Updated Jul 9, 2026
Medium · CVSS 6.8
An Information disclosure vulnerability in /be/rpc.php in Jedox GmbH Jedox 2020.2.5 allow remote, authenticated users with permissions to modify database connections to disclose a connections' cleartext password via the 'test connection' function.
Published May 12, 2023 · Updated Jul 9, 2026
High · CVSS 7.5
A Remote Code Execution (RCE) vulnerability in /be/rpc.php in Jedox 2020.2.5 allows remote authenticated users to load arbitrary PHP classes from the 'rtn' directory and execute its methods. NOTE: The vendor states that the vulnerability affects installations running version 22.5 or earlier. The issue was resolved with version 23.2 and later versions are not affected.
Published May 12, 2023 · Updated Jul 9, 2026
Critical · CVSS 9.8
Serenissima Informatica Fast Checkin version v1.0 is vulnerable to Unauthenticated SQL Injection.
Published Feb 1, 2023 · Updated Jul 9, 2026
Critical · CVSS 9.8
An arbitrary file write vulnerability in Serenissima Informatica Fast Checkin v1.0 allows unauthenticated attackers to upload malicious files in the web root of the application to gain access to the server via the web shell.
Published Feb 1, 2023 · Updated Jul 9, 2026
High · CVSS 7.5
Serenissima Informatica Fast Checkin 1.0 is vulnerable to Directory Traversal.
Published Feb 1, 2023 · Updated Jul 9, 2026
Critical · CVSS 9.8
Nanoleaf firmware v7.1.1 and below is missing TLS verification, allowing attackers to execute arbitrary code via a DNS hijacking attack.
Published Apr 27, 2023 · Updated Jul 9, 2026
Critical · CVSS 9.8
A vulnerability in the Remember Me function of Mura CMS before v10.0.580 allows attackers to bypass authentication via a crafted web request.
Published Feb 1, 2023 · Updated Jul 9, 2026
High · CVSS 8.1
PrestaShop module, totadministrativemandate before v1.7.1 was discovered to contain a SQL injection vulnerability.
Published Feb 2, 2023 · Updated Jul 9, 2026
Critical · CVSS 9.8
Nanoleaf Desktop App before v1.3.1 was discovered to contain a command injection vulnerability which is exploited via a crafted HTTP request.
Published Apr 18, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Accruent LLC Maintenance Connection 2021 (all) & 2022.2 was discovered to contain a SQL injection vulnerability via the E-Mail to Work Order function.
Published Mar 2, 2023 · Updated Jul 9, 2026
High · CVSS 8.8
Improper Input Validation in Comfast router CF-WR6110N V2.3.1 allows a remote attacker on the same network to execute arbitrary code on the target via an HTTP POST request
Published Feb 13, 2023 · Updated Jul 9, 2026
Medium · CVSS 5.4
Incorrect Access Control in Comfast router CF-WR6110N V2.3.1 allows a remote attacker on the same network to perform any HTTP request to an unauthenticated page to force the server to generate a SESSION_ID, and using this SESSION_ID an attacker can then perform authenticated requests.
Published Feb 13, 2023 · Updated Jul 9, 2026
High · CVSS 8.8
Arris TG2482A firmware through 9.1.103GEM9 allow Remote Code Execution (RCE) via the ping utility feature.
Published Feb 17, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Arbitrary File Delete vulnerability in Razer Central before v7.8.0.381 when handling files in the Accounts directory.
Published Feb 27, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An issue was discovered in ThingsBoard 3.4.1, allows low privileged attackers (CUSTOMER_USER) to gain escalated privileges (vertically) and become an Administrator (TENANT_ADMIN) or (SYS_ADMIN) on the web application. It is important to note that in order to accomplish this, the attacker must know the corresponding API's parameter (authority : value).
Published Mar 1, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
ComponentSpace.Saml2 4.4.0 Missing SSL Certificate Validation. NOTE: the vendor does not consider this a vulnerability because the report is only about use of certificates at the application layer (not the transport layer) and "Certificates are exchanged in a controlled fashion between entities within a trust relationship. This is why self-signed certificates may be used and why validating certificates isn’t as important as doing so for the transport layer certificates."
Published Mar 24, 2023 · Updated Jul 9, 2026
High · CVSS 7.2
All versions before 8.0.1-R2022-10-RT and 7.3.1-R2022-09-RT of the Talend ESB Runtime are potentially vulnerable to SQL Injection attacks in the provisioning service only. Users of the provisioning service should upgrade to either 8.0.1-R2022-10-RT or 7.3.1-R2022-09-RT or a later release and use it in place of the previous version.
Published Feb 6, 2023 · Updated Jul 9, 2026
High · CVSS 7.8
All versions before R2022-09 of Talend's Remote Engine Gen 2 are potentially vulnerable to XML External Entity (XXE) type of attacks. Users should download the R2022-09 release or later and use it in place of the previous version. Talend Remote Engine Gen 1 and Talend Cloud Engine for Design are not impacted. This XXE vulnerability could only be exploited by someone with the appropriate rights to edit pipelines on the Talend platform. It could not be triggered remotely or by other user input.
Published Feb 3, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An issue discovered in Shenzhen Zhibotong Electronics WBT WE1626 Router v 21.06.18 allows attacker to execute arbitrary commands via serial connection to the UART port.
Published Mar 3, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An Insecure Permissions vulnerability in Shenzhen Zhiboton Electronics ZBT WE1626 Router v 21.06.18 allows attackers to obtain sensitive information via SPI bus interface connected to pinout of the NAND flash memory.
Published Mar 3, 2023 · Updated Jul 9, 2026
Critical · CVSS 9.8
An issue discovered in Shenzhen Zhiboton Electronics ZBT WE1626 Router v 21.06.18 allows attackers to escalate privileges via WGET command to the Network Diagnosis endpoint.
Published Mar 3, 2023 · Updated Jul 9, 2026
High · CVSS 8.8
An access control issue in Registration.aspx of Temenos CWX 8.5.6 allows authenticated attackers to escalate privileges and perform arbitrary Administrative commands.
Published Jun 21, 2023 · Updated Jul 9, 2026
Medium · CVSS 4.3
Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component /sys/user/deleteRecycleBin.
Published Nov 25, 2022 · Updated Jul 9, 2026
Medium · CVSS 4.3
Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component /sys/user/putRecycleBin.
Published Nov 25, 2022 · Updated Jul 9, 2026
Critical · CVSS 9.8
Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component updateNullByEmptyString.
Published Nov 25, 2022 · Updated Jul 9, 2026
Critical · CVSS 9.8
Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component /sys/duplicate/check.
Published Nov 25, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.3
Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component /sys/dict/queryTableData.
Published Nov 25, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /calendar/viewcalendar.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Subject field.
Published Dec 2, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /forums/editforum.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.
Published Dec 2, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /general/search.php?searchtype=simple. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Search field.
Published Dec 2, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /meetings/listmeetings.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.
Published Dec 2, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /clients/listclients.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.
Published Dec 2, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /projects/listprojects.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.
Published Dec 2, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the Chat function. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Messages field.
Published Dec 2, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /contacts/listcontacts.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Last Name field after clicking "Add".
Published Dec 2, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /linkedcontent/listfiles.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field after clicking "Add".
Published Dec 2, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in /index.php?module=configuration/application. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Copyright Text field after clicking "Add".
Published Dec 2, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Form tab function at /index.php?module=entities/forms&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.
Published Dec 2, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Field function at /index.php?module=entities/fields&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.
Published Dec 2, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Field function at /index.php?module=entities/fields&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Short Name field.
Published Dec 2, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Entities Group feature at/index.php?module=entities/entities_groups. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field after clicking "Add".
Published Dec 2, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Highlight Row feature at /index.php?module=entities/listing_types&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Note field after clicking "Add".
Published Dec 2, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add Page function at /index.php?module=help_pages/pages&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field.
Published Dec 2, 2022 · Updated Jul 9, 2026
Critical · CVSS 9.8
Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the heading_field_id parameter.
Published Dec 2, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add Announcement function at /index.php?module=help_pages/pages&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field.
Published Dec 2, 2022 · Updated Jul 9, 2026
Medium · CVSS 6.1
A cross-site scripting (XSS) vulnerability in ApolloTheme AP PageBuilder component through 2.4.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the show_number parameter.
Published Jan 31, 2023 · Updated Jul 9, 2026
Medium · CVSS 6.1
Resque Scheduler version 1.27.4 is vulnerable to Cross-site scripting (XSS). A remote attacker could inject javascript code to the "{schedule_job}" or "args" parameter in /resque/delayed/jobs/{schedule_job}?args={args_id} to execute javascript at client side.
Published Dec 13, 2022 · Updated Jul 9, 2026
Critical · CVSS 9.8
webTareas 2.4p5 was discovered to contain a SQL injection vulnerability via the id parameter in phasesets.php.
Published Dec 2, 2022 · Updated Jul 9, 2026