High · CVSS 8.8
mojoPortal v2.7 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted PNG file.
Published Sep 30, 2022 · Updated Jul 9, 2026
High · CVSS 7.2
Flatpress v1.2.1 was discovered to contain a remote code execution (RCE) vulnerability in the Upload File function.
Published Sep 29, 2022 · Updated Jul 9, 2026
Critical · CVSS 9.8
SourceCodester Simple Task Managing System v1.0 was discovered to contain a SQL injection vulnerability via the bookId parameter at changeStatus.php.
Published Sep 21, 2022 · Updated Jul 9, 2026
Medium · CVSS 4.8
SourceCodester Simple Task Managing System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component newProjectValidation.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the shortName parameter.
Published Sep 21, 2022 · Updated Jul 9, 2026
Medium · CVSS 4.8
SourceCodester Simple Task Managing System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component newProjectValidation.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the fullName parameter.
Published Sep 21, 2022 · Updated Jul 9, 2026
Medium · CVSS 6.1
SourceCodester Simple Task Managing System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component newTask.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the shortName parameter.
Published Sep 21, 2022 · Updated Jul 9, 2026
Medium · CVSS 4.3
The Layout module in Liferay Portal v7.3.3 through v7.4.3.34, and Liferay DXP 7.3 before update 10, and 7.4 before update 35 does not check user permission before showing the preview of a "Content Page" type page, allowing attackers to view unpublished "Content Page" pages via URL manipulation.
Published Sep 21, 2022 · Updated Jul 9, 2026
Critical · CVSS 9.8
SmartVista SVFE2 v2.2.22 was discovered to contain a SQL injection vulnerability via the UserForm:j_id90 parameter at /SVFE2/pages/feegroups/mcc_group.jsf.
Published Sep 20, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
SmartVista SVFE2 v2.2.22 was discovered to contain a SQL injection vulnerability via the UserForm:j_id88, UserForm:j_id90, and UserForm:j_id92 parameters at /SVFE2/pages/feegroups/country_group.jsf.
Published Sep 19, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
SmartVista SVFE2 v2.2.22 was discovered to contain a SQL injection vulnerability via the voiceAudit:j_id97 parameter at /SVFE2/pages/audit/voiceaudit.jsf.
Published Sep 19, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
SmartVista SVFE2 v2.2.22 was discovered to contain a SQL injection vulnerability via the UserForm:j_id90 parameter at /feegroups/tgrt_group.jsf.
Published Sep 13, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
SmartVista SVFE2 v2.2.22 was discovered to contain multiple SQL injection vulnerabilities via the UserForm:j_id88, UserForm:j_id90, and UserForm:j_id92 parameters at /SVFE2/pages/feegroups/service_group.jsf.
Published Sep 9, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An issue in the IGB Files and OutfileService features of SmartVista Cardgen v3.28.0 allows attackers to list and download arbitrary files via modifying the PATH parameter.
Published Sep 9, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A Path Traversal vulnerability in SmartVista Cardgen v3.28.0 allows authenticated attackers to read arbitrary files in the system.
Published Sep 9, 2022 · Updated Jul 9, 2026
High · CVSS 8.8
ProcessMaker before v3.5.4 was discovered to contain insecure permissions in the user profile page. This vulnerability allows attackers to escalate normal users to Administrators.
Published Sep 19, 2022 · Updated Jul 9, 2026
Medium · CVSS 6.1
Academy Learning Management System before v5.9.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Search parameter.
Published Sep 26, 2022 · Updated Jul 9, 2026
Medium · CVSS 6.5
The Translation module in Liferay Portal v7.4.3.12 through v7.4.3.36, and Liferay DXP 7.4 update 8 through 36 does not check permissions before allowing a user to export a web content for translation, allowing attackers to download a web content page's XLIFF translation file via crafted URL.
Published Sep 22, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Genesys PureConnect Interaction Web Tools Chat Service (up to at least 26- September- 2019) allows XSS within the Printable Chat History via the participant -> name JSON POST parameter.
Published Sep 16, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Zentao Demo15 is vulnerable to Directory Traversal. The impact is: obtain sensitive information (remote). The component is: URL : view-source:https://demo15.zentao.pm/user-login.html/zentao/index.php?mode=getconfig.
Published Sep 19, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the requestedVersion variable in npm-convert.js.
Published Sep 15, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via Drafts.
Published Sep 16, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
The PlexTrac platform prior to version 1.28.0 allows for username enumeration via HTTP response times on invalid login attempts for users configured to use the PlexTrac authentication provider. Login attempts for valid, unlocked users configured to use PlexTrac as their authentication provider take significantly longer than those for invalid users, allowing for valid users to be enumerated by an unauthenticated remote attacker. Note that the lockout policy implemented in Plextrac version 1.17.0 makes it impossible to distinguish between valid, locked user accounts and user accounts that do not exist, but does not prevent valid, unlocked users from being enumerated.
Published Sep 8, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
The PlexTrac platform prior to version 1.17.0 does not restrict excessive authentication attempts for accounts configured to use the PlexTrac authentication provider. An unauthenticated remote attacker could perform a bruteforce attack on the login page with no time or attempt limitation in an attempt to obtain valid credentials for the platform users configured to use the PlexTrac authentication provider.
Published Sep 8, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
The PlexTrac platform prior to API version 1.17.0 does not restrict excessive MFA TOTP submission attempts. An unauthenticated remote attacker in possession of a valid username and password can bruteforce their way past MFA protections to login as the targeted user.
Published Sep 8, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
influxData influxDB before v1.8.10 contains no authentication mechanism or controls, allowing unauthenticated attackers to execute arbitrary commands. NOTE: the CVE ID assignment is disputed because the vendor's documentation states "If InfluxDB is being deployed on a publicly accessible endpoint, we strongly recommend authentication be enabled. Otherwise the data will be publicly available to any unauthenticated user. The default settings do NOT enable authentication and authorization."
Published Sep 2, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An issue in the component post_applogin.php of Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below allows attackers to escalate privileges via creating crafted session tokens.
Published Sep 16, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below was discovered to contain multiple remote code execution (RCE) vulnerabilities via the Job_ExecuteBefore and Job_ExecuteAfter parameters at post_profilesettings.php.
Published Sep 16, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below was discovered to contain a cross-site scripting (XSS) vulnerability.
Published Sep 16, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Bolt CMS contains a vulnerability in version 5.1.12 and below that allows an authenticated user with the ROLE_EDITOR privileges to upload and rename a malicious file to achieve remote code execution.
Published Sep 16, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Outbyte PC Repair Installation File 1.7.112.7856 is vulnerable to Dll Hijacking. iertutil.dll is missing so an attacker can use a malicious dll with same name and can get admin privileges.
Published Sep 7, 2022 · Updated Jul 9, 2026
Critical · CVSS 9.8
Bus Pass Management System 1.0 was discovered to contain a SQL Injection vulnerability via the searchdata parameter at /buspassms/download-pass.php..
Published Sep 30, 2022 · Updated Jul 9, 2026
Medium · CVSS 6.1
Bus Pass Management System v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the searchdata parameter.
Published Sep 30, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An issue in Micro-Star International MSI Feature Navigator v1.0.1808.0901 allows attackers to download arbitrary files regardless of file type or size.
Published Sep 12, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An issue in Micro-Star International MSI Feature Navigator v1.0.1808.0901 allows attackers to write arbitrary files to the directory \PromoPhoto\, regardless of file type or size.
Published Sep 12, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An issue in the Feature Navigator of Micro-Star International MSI Feature Nagivator v1.0.1808.0901 allows attackers to cause a Denial of Service (DoS) via a crafted image or video file.
Published Sep 12, 2022 · Updated Jul 9, 2026
High · CVSS 7.5
ICEcoder v8.1 allows attackers to execute a directory traversal.
Published Sep 22, 2022 · Updated Jul 9, 2026
High · CVSS 7.8
There is a stack buffer overflow vulnerability, which could lead to arbitrary code execution in UEFI DXE driver on some Acer products. An attack could exploit this vulnerability to escalate privilege from ring 3 to ring 0, and hijack control flow during UEFI DXE execution. This affects Altos T110 F3 firmware version <= P13 (latest) and AP130 F2 firmware version <= P04 (latest) and Aspire 1600X firmware version <= P11.A3L (latest) and Aspire 1602M firmware version <= P11.A3L (latest) and Aspire 7600U firmware version <= P11.A4 (latest) and Aspire MC605 firmware version <= P11.A4L (latest) and Aspire TC-105 firmware version <= P12.B0L (latest) and Aspire TC-120 firmware version <= P11-A4 (latest) and Aspire U5-620 firmware version <= P11.A1 (latest) and Aspire X1935 firmware version <= P11.A3L (latest) and Aspire X3475 firmware version <= P11.A3L (latest) and Aspire X3995 firmware version <= P11.A3L (latest) and Aspire XC100 firmware version <= P11.B3 (latest) and Aspire XC600 firmware version <= P11.A4 (latest) and Aspire Z3-615 firmware version <= P11.A2L (latest) and Veriton E430G firmware version <= P21.A1 (latest) and Veriton B630_49 firmware version <= AAP02SR (latest) and Veriton E430 firmware version <= P11.A4 (latest) and Veriton M2110G firmware version <= P21.A3 (latest) and Veriton M2120G fir.
Published Sep 22, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Command injection vulnerability was discovered in Netgear R6200 v2 firmware through R6200v2-V1.0.3.12 via binary /sbin/acos_service that could allow remote authenticated attackers the ability to modify values in the vulnerable parameter.
Published Sep 8, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
NETGEAR R6200_V2 firmware versions through R6200v2-V1.0.3.12_10.1.11 and R6300_V2 firmware versions through R6300v2-V1.0.4.52_10.0.93 allow remote authenticated attackers to execute arbitrary command via shell metacharacters in the ipv6_fix.cgi ipv6_wan_ipaddr, ipv6_lan_ipaddr, ipv6_wan_length, or ipv6_lan_length parameters.
Published Sep 7, 2022 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Qsmart Next v4.1.2 was discovered to contain a cross-site scripting (XSS) vulnerability.
Published Sep 15, 2022 · Updated Jul 9, 2026
Medium · CVSS 6.1
A cross-site scripting (XSS) vulnerability in Liferay Portal v7.3.3 through v7.4.2 and Liferay DXP v7.3 before service pack 3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name of a tag.
Published Sep 21, 2022 · Updated Jul 9, 2026
High · CVSS 7.5
Path traversal vulnerability in the Hypermedia REST APIs module in Liferay Portal 7.4.0 through 7.4.2 allows remote attackers to access files outside of com.liferay.headless.discovery.web/META-INF/resources via the `parameter` parameter.
Published Sep 22, 2022 · Updated Jul 9, 2026
Medium · CVSS 6.1
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal v7.4.3.4 and Liferay DXP v7.4 GA allows attackers to execute arbitrary web scripts or HTML via parameters with the filter_ prefix.
Published Sep 22, 2022 · Updated Jul 9, 2026
Medium · CVSS 6.1
Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 was discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module's Custom Facet widget. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Parameter Name text field.
Published Sep 21, 2022 · Updated Jul 9, 2026
Medium · CVSS 5.4
Stored cross-site scripting (XSS) vulnerability in the Site module's user membership administration page in Liferay Portal 7.0.1 through 7.4.1, and Liferay DXP 7.0 before fix pack 102, 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the a user's name.
Published Sep 21, 2022 · Updated Jul 9, 2026
Medium · CVSS 6.1
HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3 can be circumvented by using multiple forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the (1) 'redirect` parameter (2) `FORWARD_URL` parameter, and (3) others parameters that rely on HtmlUtil.escapeRedirect.
Published Sep 22, 2022 · Updated Jul 9, 2026
High · CVSS 7.5
.NET Core and Visual Studio Denial of Service Vulnerability
Published Sep 13, 2022 · Updated May 27, 2026
High · CVSS 7.9
Dell BIOS versions contain an Insecure Automated Optimization vulnerability. A local authenticated malicious user could exploit this vulnerability by sending malicious input via SMI to obtain arbitrary code execution during SMM.
Published Sep 6, 2022 · Updated May 27, 2026
Medium · CVSS 6.1
Dell BIOS contains a race condition vulnerability. A local attacker could exploit this vulnerability by sending malicious input via SMI in order to bypass security checks during SMM.
Published Sep 6, 2022 · Updated May 27, 2026
High · CVSS 7.5
Dell BIOS versions contain a stack-based buffer overflow vulnerability. A local attacker could exploit this vulnerability by sending malicious input via SMI to bypass security checks resulting in arbitrary code execution in SMM.
Published Sep 6, 2022 · Updated May 27, 2026