CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2022-50593 Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection ... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2023-53950 InnovaStudio WYSIWYG Editor 5.4 contains an unrestricted file upload vulnerability that allows attackers to bypass file extension restrictions through filename manipulation. Attackers can upload malic... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2022-50589 SuiteCRM versions prior to 7.12.6 contain a SQL injection vulnerability within the processing of the 'uid' parameter within the 'export' functionality. Successful exploitation allows remote unauthenti... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2019-25237 V-SOL GPON/EPON OLT Platform v2.03 contains a privilege escalation vulnerability that allows normal users to gain administrative access by manipulating the user role parameter. Attackers can send a cr... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2019-25236 iSeeQ Hybrid DVR WH-H4 1.03R contains an unauthenticated vulnerability in the get_jpeg script that allows unauthorized access to live video streams. Attackers can retrieve video snapshots from specifi... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2019-25235 Smartwares HOME easy 1.0.9 contains an authentication bypass vulnerability that allows unauthenticated attackers to access administrative web pages by disabling JavaScript. Attackers can navigate to m... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-68932 FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS uses cryptographically weak random number generators (mt_rand() and uniqid()) to generate remember-me authentication... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-63665 An issue in GT Edge AI Community Edition Versions before v2.0.12 allows attackers to execute arbitrary code via injecting a crafted JSON payload into the Prompt window. | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-14964 A vulnerability has been found in TOTOLINK T10 4.1.8cu.5083_B20200521. This affects the function sprintf of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument loginAuthUrl leads to stack... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-57460 File upload vulnerability in machsol machpanel 8.0.32 allows attacker to gain a webshell. | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-66576 Remote Keyboard Desktop 1.0.1 enables remote attackers to execute system commands via the rundll32.exe exported function export, allowing unauthenticated code execution. | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-63362 Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 allows attackers to set the Administrator password and username as bla... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-29268 ALLNET ALL-RUT22GW v3.3.8 was discovered to store hardcoded credentials in the libicos.so library. | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-29269 ALLNET ALL-RUT22GW v3.3.8 was discovered to contain an OS command injection vulnerability via the command parameter in the popen.cgi endpoint. | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-65570 A type confusion in jsish 2.0 allows incorrect control flow during execution of the OP_NEXT opcode. When an 'instanceof' expression uses an array element access as the left-hand operand inside a for-i... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2022-50803 JM-DATA ONU JF511-TV version 1.0.67 uses default credentials that allow attackers to gain unauthorized access to the device with administrative privileges. | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-15194 A vulnerability was found in D-Link DIR-600 up to 2.15WWb02. Affected by this vulnerability is an unknown functionality of the file hedwig.cgi of the component HTTP Header Handler. The manipulation of... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-11522 The Search & Go - Directory WordPress Theme theme for WordPress is vulnerable to Authentication Bypass via account takeover in all versions up to, and including, 2.7. This is due to insufficient user ... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-52725 Deserialization of Untrusted Data vulnerability in pebas CouponXxL couponxxl allows Object Injection. This issue affects CouponXxL: from n/a through <= 3.0.0. | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-10041 The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the save_qr_code_to_db() function in all versions up to, and including, 1.... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-52724 Deserialization of Untrusted Data vulnerability in BoldThemes Amwerk amwerk allows Object Injection. This issue affects Amwerk: from n/a through <= 1.2.0. | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-9967 The Orion SMS OTP Verification plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.7. This is due to the plugin not properly valid... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-10850 The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. This is due to the hardcoded password in the 'fb_ajax_login_or_register' func... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2019-25614 Free Float FTP 1.0 contains a buffer overflow vulnerability in the STOR command handler that allows remote attackers to execute arbitrary code by sending a crafted STOR request with an oversized paylo... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-12813 The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the 'contents' parameter. This is due to a lack of sanitizatio... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-13313 The CRM Memberships plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 2.6. This is due to missing authorization and authentication che... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2024-4345 The Startklar Elementor Addons plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'process' function in the 'startklarDropZoneUploadProcess' c... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-12374 The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, ... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-12673 The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_qr_code() function in all versions up to, and including, 1.2.7... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-13329 The File Uploader for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the callback function for the 'add-image-data' REST API endpoint i... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-11457 The EasyCommerce – AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin plugin for WordPress is vulnerable to Privilege Escalation in versions 0.9.0-beta2 to 1.8.2. This is due to the /easycommerce... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2023-6989 The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_t... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-48129 Incorrect Privilege Assignment vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light excel-like-price-change-for-woocommerce-and-wp-e-commerce-light a... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-48287 Deserialization of Untrusted Data vulnerability in Pagaleve Pix 4x sem juros - Pagaleve wc-pagaleve allows Object Injection. This issue affects Pix 4x sem juros - Pagaleve: from n/a through <= 1.6.9. | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-48289 Deserialization of Untrusted Data vulnerability in AncoraThemes Kids Planet kidsplanet allows Object Injection. This issue affects Kids Planet: from n/a through <= 2.2.14. | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-48336 Deserialization of Untrusted Data vulnerability in ThimPress Course Builder course-builder allows Object Injection. This issue affects Course Builder: from n/a through < 3.6.6. | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2024-4560 The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the chatbot_chatgpt_upload_file_to_assistant function in all ver... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-49072 Deserialization of Untrusted Data vulnerability in AncoraThemes Mr. Murphy mr-murphy allows Object Injection. This issue affects Mr. Murphy: from n/a through < 1.2.12.1. | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-49073 Deserialization of Untrusted Data vulnerability in axiomthemes Sweet Dessert sweet-dessert allows Object Injection. This issue affects Sweet Dessert: from n/a through < 1.1.13. | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2024-1514 The WP eCommerce plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'cart_contents' parameter in all versions up to, and including, 3.15.1 due to insufficient escaping on the... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-31022 Authentication Bypass Using an Alternate Path or Channel vulnerability in PayU India PayU India payu-india allows Authentication Abuse. This issue affects PayU India: from n/a through < 3.8.8. | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2025-31052 Deserialization of Untrusted Data vulnerability in themeton The Fashion - Model Agency One Page Beauty Theme nrgfashion allows Object Injection. This issue affects The Fashion - Model Agency One Page B... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2024-4223 The Tutor LMS plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and i... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2024-3551 The Penci Soledad Data Migrator plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.0 via the 'data' parameter. This makes it possible for unauthentica... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2024-4898 The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, a... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2024-4936 The Canto plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 3.0.8 via the abspath parameter. This makes it possible for unauthenticated attackers to inc... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2024-4186 The Edwiser Bridge plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.0.5. This is due to the 'eb_user_email_verification_key' default value is empty, and ... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2024-5577 The Where I Was, Where I Will Be plugin for WordPress is vulnerable to Remote File Inclusion in version <= 1.1.1 via the WIW_HEADER parameter of the /system/include/include_user.php file. This makes i... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2024-50477 Authentication Bypass Using an Alternate Path or Channel vulnerability in Stacks Stacks Mobile App Builder stacks-mobile-app-builder allows Authentication Bypass. This issue affects Stacks Mobile App B... | 9.8 | CRITICAL | ✗ | 0 |
| CVE-2024-3729 The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to improper missing encryption exception handling on the 'fea_encrypt' function in all versions up to, and including, 3.19.4. This ... | 9.8 | CRITICAL | ✗ | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.