CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | Description | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|---|
| CVE-2025-3363 | The web service of iSherlock from HGiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-4395 | The Membership For WooCommerce WordPress plugin before 2.1.7 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as malicious PHP code, and achiev... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-23334 | The Robot application in Ip-label Newtest before v8.5R0 was discovered to use weak signature checks on executed binaries, allowing attackers to have write access and escalate privileges via replacing ... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-24612 | The PdfBook extension through 2.0.5 before b07b6a64 for MediaWiki allows command injection via an option. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-29310 | An issue in onos v2.7.0 allows attackers to trigger a packet deserialization problem when supplying a crafted LLDP packet. This vulnerability allows attackers to execute arbitrary commands or access n... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-29135 | A stack-based buffer overflow vulnerability in Tenda AC7 V15.03.06.44 allows a remote attacker to execute arbitrary code through a stack overflow attack using the security parameter of the formWifiBas... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-29100 | Tenda AC8 V16.03.34.06 is vulnerable to Buffer Overflow in the fromSetRouteStatic function via the parameter list. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-25535 | HTTP Response Manipulation in SCRIPT CASE v.1.0.002 Build7 allows a remote attacker to escalate privileges via a crafted request. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-26002 | Telesquare TLR-2005KSH 1.1.4 is affected by an unauthorized stack overflow vulnerability when requesting the admin.cgi parameter with setSyncTimeHost. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-26003 | Telesquare TLR-2005KSH 1.1.4 is affected by an unauthorized command execution vulnerability when requesting the admin.cgi parameter with setAutorest. | 9.8 | CRITICAL | β | 0 |
| CVE-2019-10173 | It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attack... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-47523 | Zoho ManageEngine Access Manager Plus before 4309, Password Manager Pro before 12210, and PAM360 before 5801 are vulnerable to SQL Injection. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-26004 | Telesquare TLR-2005KSH 1.1.4 is vulnerable to an unauthorized stack buffer overflow vulnerability when requesting the admin.cgi parameter with setDdns. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-45995 | There is an unauthorized buffer overflow vulnerability in Tenda AX12 v22.03.01.21 _ cn. This vulnerability can cause the web service not to restart or even execute arbitrary code. It is a different vu... | 9.8 | CRITICAL | β | 0 |
| CVE-2024-55964 | An issue was discovered in Appsmith before 1.52. An incorrectly configured PostgreSQL instance in the Appsmith image leads to remote command execution inside the Appsmith Docker container. The attacke... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-26005 | Telesquare TLR-2005KSH 1.1.4 is vulnerable to an unauthorized stack overflow vulnerability when requesting the admin.cgi parameter with setNtp. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-26006 | Telesquare TLR-2005KSH 1.1.4 has an unauthorized stack overflow vulnerability when requesting the admin.cgi parameter with setAutorest. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-26007 | Telesquare TLR-2005KSH 1.1.4 has an unauthorized stack overflow vulnerability in the login interface when requesting systemtil.cgi. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-26008 | In Telesquare TLR-2005KSH 1.1.4, an unauthorized stack overflow vulnerability exists when requesting the admin.cgi parameter with setSyncTimeHost. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-26010 | Telesquare TLR-2005KSH 1.1.4 allows unauthorized password modification when requesting the admin.cgi parameter with setUserNamePassword. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-26011 | Telesquare TLR-2005KSH 1.1.4 has an unauthorized stack overflow vulnerability when requesting the admin.cgi parameter with setUsernamePassword. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-2332 | The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.13 via deserialization of untrusted input in ... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-25686 | semcms <=5.0 is vulnerable to SQL Injection in SEMCMS_Fuction.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-28138 | The TOTOLINK A800R V4.1.2cu.5137_B20200730 was found to contain a pre-auth remote command execution vulnerability in the setNoticeCfg function through the NoticeUrl parameter. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-1446 | The Pods WordPress plugin before 3.2.8.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-30361 | WeGIA is a Web manager for charitable institutions. A security vulnerability was identified in versions prior to 3.2.6, where it is possible to change a user's password without verifying the old passw... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-30364 | WeGIA is a Web manager for charitable institutions. A SQL Injection vulnerability was identified in versions prior to 3.2.8 in the endpoint /WeGIA/html/funcionario/remuneracao.php, in the id_funcionar... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-30365 | WeGIA is a Web manager for charitable institutions. A SQL Injection vulnerability was identified in versions prior to 3.2.8 in the endpoint /WeGIA/html/socio/sistema/controller/query_geracao_auto.php,... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-30367 | WeGIA is a Web manager for charitable institutions. A SQL Injection vulnerability was identified in versions prior to 3.2.6 in the nextPage parameter of the /WeGIA/controle/control.php endpoint. This ... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-2621 | A vulnerability was found in D-Link DAP-1620 1.03 and classified as critical. This issue affects the function check_dws_cookie of the file /storage. The manipulation of the argument uid leads to stack... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-2620 | A vulnerability has been found in D-Link DAP-1620 1.03 and classified as critical. This vulnerability affects the function mod_graph_auth_uri_handler of the file /storage of the component Authenticati... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-47544 | An issue was discovered in Siren Investigate before 12.1.7. Script variable whitelisting is insufficiently sandboxed. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-2619 | A vulnerability, which was classified as critical, was found in D-Link DAP-1620 1.03. This affects the function check_dws_cookie of the file /storage of the component Cookie Handler. The manipulation ... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-2618 | A vulnerability, which was classified as critical, has been found in D-Link DAP-1620 1.03. Affected by this issue is the function set_ws_action of the file /dws/api/ of the component Path Handler. The... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-22671 | Ghidra/RuntimeScripts/Linux/support/launch.sh in NSA Ghidra through 10.2.2 passes user-provided input into eval, leading to command injection when calling analyzeHeadless with untrusted input. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-2294 | The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubio_hybrid_theme_load_template function. This makes it possibl... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-22884 | Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-30372 | Emlog is an open source website building system. Emlog Pro versions pro-2.5.7 and pro-2.5.8 contain an SQL injection vulnerability. `search_controller.php` does not use addslashes after urldecode, all... | 9.8 | CRITICAL | β | 0 |
| CVE-2024-24292 | A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function in the aim.js component. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-38988 | alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/index.js. This vulnerability allows attackers to execute arbitrary code or cause a D... | 9.8 | CRITICAL | β | 0 |
| CVE-2024-56975 | InvoicePlane (all versions tested as of December 2024) v.1.6.11 and before contains a remote code execution vulnerability in the upload_file method of the Upload controller. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-22953 | A SQL injection vulnerability exists in Epicor HCM 2021 1.9, with patches available: 5.16.0.1033/HCM2022, 5.17.0.1146/HCM2023, and 5.18.0.573/HCM2024. The injection is specifically in the filter param... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-25763 | crmeb CRMEB-KY v5.4.0 and before has a SQL Injection vulnerability at getRead() in /system/SystemDatabackupServices.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-35426 | vmir e8117 was discovered to contain a stack overflow via the init_local_vars function at /src/vmir_wasm_parser.c. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-31429 | Deserialization of Untrusted Data vulnerability in themeton PressGrid - Frontend Publish Reaction & Multimedia Theme allows Object Injection. This issue affects PressGrid - Frontend Publish Reaction &... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-31398 | Deserialization of Untrusted Data vulnerability in themeton PIMP - Creative MultiPurpose allows Object Injection. This issue affects PIMP - Creative MultiPurpose: from n/a through 1.7. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-44183 | Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via the function formSetWifiGuestBasic. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-31396 | Deserialization of Untrusted Data vulnerability in themeton FLAP - Business WordPress Theme allows Object Injection. This issue affects FLAP - Business WordPress Theme: from n/a through 1.5. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-6847 | The Chatbot with ChatGPT WordPress plugin before 2.4.5 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated u... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-41530 | Hospital Management System v4 was discovered to contain a SQL injection vulnerability via the app_contact parameter in appsearch.php. | 9.8 | CRITICAL | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.