High · CVSS 7.5
All versions of the package audify are vulnerable to Improper Validation of Array Index when frameSize is provided to the new OpusDecoder().decode or new OpusDecoder().decodeFloat functions it is not checked for negative values. This can lead to a process crash.
Published Jul 10, 2024 · Updated Jul 10, 2026
High · CVSS 7.5
All versions of the package images are vulnerable to Denial of Service (DoS) due to providing unexpected input types to several different functions. This makes it possible to reach an assert macro, leading to a process crash.
**Note:**
By providing some specific integer values (like 0) to the size function, it is possible to obtain a Segmentation fault error, leading to the process crash.
Published Jul 10, 2024 · Updated Jul 9, 2026
Medium · CVSS 4.2
Cross Site Request Forgery vulnerability in ProcessWire v.3.0.229 allows a remote attacker to insert a comment. NOTE: this is disputed by the Supplier because the product intentionally accepts anonymous, unauthenticated comments and thus there are fewer situations in which CSRF would be a useful attack technique. Also, the submitted comments are, by default, held for moderator review.
Published Jul 19, 2024 · Updated Jul 9, 2026
Medium · CVSS 6.3
Incorrect access control in Himalaya Xiaoya nano smart speaker rom_version 1.6.96 allows a remote attacker to have an unspecified impact.
Published Jul 29, 2024 · Updated Jul 9, 2026
High · CVSS 8
A vulnerability was discovered in Linksys Router E2500 with firmware 2.0.00, allows authenticated attackers to execute arbitrary code via the hnd_parentalctrl_unblock function.
Published Jul 24, 2024 · Updated Jul 9, 2026
High · CVSS 8.8
Directory Travel in PHPVibe v11.0.46 due to incomplete blacklist checksums and directory checks, which can lead to code execution via writing specific statements to .htaccess and code to a file with a .png suffix.
Published Jul 9, 2024 · Updated Jul 9, 2026
Critical · CVSS 9.8
Studio 42 elFinder 2.1.64 is vulnerable to Incorrect Access Control. Copying files with an unauthorized extension between server directories allows an arbitrary attacker to expose secrets, perform RCE, etc.
Published Jul 30, 2024 · Updated Jul 9, 2026
Medium · CVSS 6.1
Cross Site Scripting vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via the page parameter to php-lfis/admin/index.php.
Published Jul 29, 2024 · Updated Jul 9, 2026
Critical · CVSS 9.8
SQL Injection vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via the id parameter to php-lfis/admin/categories/manage_category.php.
Published Jul 29, 2024 · Updated Jul 9, 2026
High · CVSS 8.8
SQL Injection vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via id parameter to php-lfis/admin/categories/view_category.php.
Published Jul 29, 2024 · Updated Jul 9, 2026
Medium · CVSS 5.4
Cross Site Scripting vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via the first, last, middle name fields in the User Profile page.
Published Jul 29, 2024 · Updated Jul 9, 2026
High · CVSS 8.8
An arbitrary file upload vulnerability in the Upload Template function of Dolibarr ERP CRM up to v19.0.1 allows attackers to execute arbitrary code via uploading a crafted .SQL file.
Published Jun 18, 2024 · Updated Jul 9, 2026
High · CVSS 8.4
An issue in htop-dev htop v.2.20 allows a local attacker to cause an out-of-bounds access in the Header_populateFromSettings function.
Published Jun 20, 2024 · Updated Jul 9, 2026
Medium · CVSS 5.4
Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the parameter "sectionContent" related to the functionality of adding notes to an uploaded file.
Published Jun 21, 2024 · Updated Jul 9, 2026
Medium · CVSS 5.5
Cross Site Scripting vulnerability in Moodle CMS v3.10 allows a remote attacker to execute arbitrary code via the Field Name (name parameter) of a new activity.
Published Jun 20, 2024 · Updated Jul 9, 2026
Medium · CVSS 5.4
Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the filename parameter.
Published Jun 21, 2024 · Updated Jul 9, 2026
Medium · CVSS 5.4
Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the idactivity parameter.
Published Jun 21, 2024 · Updated Jul 9, 2026
Medium · CVSS 5.4
Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the page parameter.
Published Jun 21, 2024 · Updated Jul 9, 2026
High · CVSS 8.8
A command injection issue in TOTOLINK A6000R V1.0.1-B20201211.2000 firmware allows a remote attacker to execute arbitrary code via the iface parameter in the vif_enable function.
Published Jun 20, 2024 · Updated Jul 9, 2026
High · CVSS 7.4
libiec61850 v1.5 was discovered to contain a heap overflow via the BerEncoder_encodeLength function at /asn1/ber_encoder.c.
Published Jun 11, 2024 · Updated Jul 9, 2026
Critical · CVSS 9.8
Incorrect access control in the Kafka Connect REST API in the STRIMZI Project 0.41.0 and earlier allows an attacker to deny the service for Kafka Mirroring, potentially mirror the topics' content to his Kafka cluster via a malicious connector (bypassing Kafka ACL if it exists), and potentially steal Kafka SASL credentials, by querying the MirrorMaker Kafka REST API.
Published Jun 17, 2024 · Updated Jul 9, 2026
Critical · CVSS 9.8
CDG-Server-V5.6.2.126.139 and earlier was discovered to contain a SQL injection vulnerability via the permissionId parameter in CDGTempPermissions.
Published May 28, 2024 · Updated Jul 9, 2026
Medium · CVSS 5.9
TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to contain a command injection vulnerability via the FileName parameter in the UploadFirmwareFile function.
Published May 28, 2024 · Updated Jul 9, 2026
Medium · CVSS 5.3
TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to contain a stack overflow via the desc parameter in the function SetPortForwardRules
Published May 28, 2024 · Updated Jul 9, 2026
High · CVSS 8.8
TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to contain a stack overflow via the password parameter in the function loginAuth
Published May 28, 2024 · Updated Jul 9, 2026
Critical · CVSS 9.8
TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to contain a stack overflow via the desc parameter in the function setMacFilterRules.
Published May 28, 2024 · Updated Jul 9, 2026
High · CVSS 8.8
TOTOLINK CP900L v4.1.5cu.798_B20221228 weas discovered to contain a command injection vulnerability in the NTPSyncWithHost function via the hostTime parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
Published May 28, 2024 · Updated Jul 9, 2026
Critical · CVSS 9.8
TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to contain a hardcoded password for telnet in /web_cste/cgi-bin/product.ini, which allows attackers to log in as root.
Published May 24, 2024 · Updated Jul 9, 2026
High · CVSS 8.8
TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to contain a hardcoded password vulnerability in /etc/shadow.sample, which allows attackers to log in as root.
Published May 24, 2024 · Updated Jul 9, 2026
High · CVSS 7.5
The 'control' in Parrot ANAFI USA firmware 1.10.4 does not check the MAV_MISSION_TYPE(0, 1, 2, 255), which allows attacker to cut off the connection between a controller and the drone by sending MAVLink MISSION_COUNT command with a wrong MAV_MISSION_TYPE.
Published May 3, 2024 · Updated Jul 9, 2026
High · CVSS 7.5
An issue in FME Modules fileuploads v.2.0.3 and before and fixed in v2.0.4 allows a remote attacker to obtain sensitive information via the uploadfiles.php component.
Published Apr 30, 2024 · Updated Jul 9, 2026
Critical · CVSS 9.8
Roothub v2.5 was discovered to contain an arbitrary file upload vulnerability via the customPath parameter in the upload() function. This vulnerability allows attackers to execute arbitrary code via a crafted JSP file.
Published May 7, 2024 · Updated Jul 9, 2026
High · CVSS 7.1
An issue in SEMCMS v.4.8 allows a remote attacker to execute arbitrary code via a crafted script.
Published Apr 19, 2024 · Updated Jul 9, 2026
Medium · CVSS 6.9
An RBAC authorization risk in Carina v0.13.0 and earlier allows local attackers to execute arbitrary code through designed commands to obtain the secrets of the entire cluster and further take over the cluster.
Published May 2, 2024 · Updated Jul 9, 2026
Medium · CVSS 4.6
A stored cross-site scripting (XSS) vulnerability in the component \affiche\admin\index.php of WUZHICMS v4.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $formdata parameter.
Published Apr 19, 2024 · Updated Jul 9, 2026
Medium · CVSS 4.3
CMSeasy 7.7.7.9 is vulnerable to Arbitrary file deletion.
Published Apr 17, 2024 · Updated Jul 9, 2026
Critical · CVSS 9.8
jizhiCMS 2.5 suffers from a File upload vulnerability.
Published Apr 17, 2024 · Updated Jul 9, 2026
Low · CVSS 3.9
An issue in LIEF v.0.14.1 allows a local attacker to obtain sensitive information via the name parameter of the machd_reader.c component.
Published May 3, 2024 · Updated Jul 9, 2026
Medium · CVSS 6.1
Cross Site Scripting vulnerability in Insurance Mangement System v.1.0.0 and before allows a remote attacker to execute arbitrary code via the First Name input field.
Published Mar 28, 2024 · Updated Jul 9, 2026
Medium · CVSS 5.5
SQL Injection vulnerability in Cloud based customer service management platform v.1.0.0 allows a local attacker to execute arbitrary code via a crafted payload to Login.asp component.
Published May 10, 2024 · Updated Jul 9, 2026
Medium · CVSS 6.1
Cross Site Scripting vulnerability in dcat-admin v.2.1.3 and before allows a remote attacker to execute arbitrary code via a crafted script to the user login box.
Published Mar 26, 2024 · Updated Jul 9, 2026
Critical · CVSS 9.8
An issue in aliyundrive-webdav v.2.3.3 and before allows a remote attacker to execute arbitrary code via a crafted payload to the sid parameter in the action_query_qrcode component.
Published Mar 29, 2024 · Updated Jul 9, 2026
High · CVSS 8.8
Lack of sanitization during Installation Process in Dolibarr ERP CRM up to version 19.0.0 allows an attacker with adjacent access to the network to execute arbitrary code via a specifically crafted input.
Published Apr 3, 2024 · Updated Jul 9, 2026
Medium · CVSS 5.3
A user enumeration vulnerability was found in Portainer CE 2.19.4. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not.
Published Apr 10, 2024 · Updated Jul 9, 2026
High · CVSS 8.1
Unit4 Financials by Coda versions prior to 2023Q4 suffer from an incorrect access control authorization bypass vulnerability which allows an authenticated user to modify the password of any user of the application via a crafted request.
Published Mar 20, 2024 · Updated Jul 9, 2026
Medium · CVSS 6.3
Cross Site Scripting vulnerability in Innovaphone myPBX v.14r1, v.13r3, v.12r2 allows a remote attacker to execute arbitrary code via the query parameter to the /CMD0/xml_modes.xml endpoint
Published Apr 22, 2024 · Updated Jul 9, 2026
High · CVSS 8.1
SQL Injection vulnerability in CRMEB_Java e-commerce system v.1.3.4 allows an attacker to execute arbitrary code via the groupid parameter.
Published Mar 28, 2024 · Updated Jul 9, 2026
Critical · CVSS 9.8
An issue in Mblog Blog system v.3.5.0 allows an attacker to execute arbitrary code via a crafted file to the theme management feature.
Published Mar 28, 2024 · Updated Jul 9, 2026
High · CVSS 7.8
A buffer overflow vulnerability in pdf2json v0.70 allows a local attacker to execute arbitrary code via the GString::copy() and ImgOutputDev::ImgOutputDev function.
Published Apr 22, 2024 · Updated Jul 9, 2026
Critical · CVSS 9.8
An issue in Home-Made.io fastmagsync v.1.7.51 and before allows a remote attacker to execute arbitrary code via the getPhpBin() component.
Published Mar 25, 2024 · Updated Jul 9, 2026