CVEs from 2024
Total
6,633
critical
critical 166
high
high 1,073
medium
medium 2,066
low
low 49
% Critical
2.5%
% with KEV
2.5%
% with exploit
3.4%
Top products
- surveillance_station 12
- checkmk 10
- profilegrid 8
- office 8
- office_long_term_servicing_channel 6
- propertyhive 5
- glibc 5
- element_pack 5
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-51092 | critical | 9.1 | 10.0 | 27d ago | LibreNMS has an Authenticated OS Command Injection | |||
| CVE-2024-28000 | critical | 9.8 | 10.0 | 2y ago | Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache.This issue affects LiteSpeed Cache: from n/a through <= 6.3.0.1. | |||
| CVE-2024-7593 | critical | 9.8 | 10.0 | 2y ago | Ivanti Virtual Traffic Manager contains an authentication bypass vulnerability that allows a remote, unauthenticated attacker to create a chosen administrator account. | |||
| CVE-2024-33559 | critical | 9.3 | 10.0 | 2y ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in 8theme XStore allows SQL Injection.This issue affects XStore: from n/a through 9.3.5. | |||
| CVE-2024-27956 | critical | 9.8 | 10.0 | 2y ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Automatic allows SQL Injection.This issue affects Automatic: from n/a through 3.92.0. | |||
| CVE-2024-1708 | high | 8.4 | 10.0 | 2y ago | ConnectWise ScreenConnect contains a path traversal vulnerability which could allow an attacker to execute remote code or directly impact confidential data and critical systems. | |||
| CVE-2024-4367 | high | 8.8 | 9.8 | 2y ago | A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thu… | |||
| CVE-2024-6387 | high | 8.1 | 9.1 | 2y ago | A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote a… | |||
| CVE-2024-47076 | high | — | 9.0 | 2y ago | RHSA-2024:7463: cups-filters security update (Important) | |||
| CVE-2024-47176 | high | — | 9.0 | 2y ago | RHSA-2024:7463: cups-filters security update (Important) | |||
| CVE-2024-21626 | high | — | 9.0 | 2y ago | Important: container-tools:4.0 security update | |||
| CVE-2024-53326 | high | 7.3 | 8.3 | 27d ago | LINQPad before 5.52.01 Pro edition is vulnerable to Unsafe Deserialization in LINQPad.AutoRefManager::PopulateFromCache(), leading to code execution. | |||
| CVE-2024-45257 | high | 7.3 | 8.3 | 27d ago | A Command Injection issue in the payload build page in BYOB (Build Your Own Botnet) 2.0 allows attackers to execute arbitrary commands on the server via a crafted build parameter. This occurs in free… | |||
| CVE-2024-2961 | high | 7.3 | 8.3 | 2y ago | RHSA-2024:3269: glibc security update (Important) | |||
| CVE-2024-30167 | medium | 6.3 | 7.3 | 27d ago | /cgi-bin/time.cgi in Atlona AT-OME-MS42 Matrix Switcher 1.1.2 allow remote authenticated users to execute arbitrary commands as root via a POST request that carries a serverName parameter. | |||
| CVE-2024-29510 | medium | — | 6.5 | 2y ago | Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device. | |||
| CVE-2024-47175 | low | — | 3.5 | 2y ago | Low: cups security update | |||
| CVE-2024-7399 | unknown | — | 2.5 | 1mo ago | Samsung MagicINFO 9 Server contains a path traversal vulnerability that could allow an attacker to write arbitrary files as system authority. | |||
| CVE-2024-57727 | unknown | — | 2.5 | 1y ago | SimpleHelp remote support software contains multiple path traversal vulnerabilities that allow unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP r… | |||
| CVE-2024-12356 | unknown | — | 2.5 | 2y ago | BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) contain a command injection vulnerability, which can allow an unauthenticated attacker to inject commands that are run as a site use… | |||
| CVE-2024-56145 | unknown | — | 2.5 | 2y ago | Craft CMS contains a code injection vulnerability. Users with affected versions are vulnerable to remote code execution if their php.ini configuration has `register_argc_argv` enabled. | |||
| CVE-2024-55956 | unknown | — | 2.5 | 2y ago | Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload vulnerability that could allow an unauthenticated user to import and execute arbitra… | |||
| CVE-2024-35250 | unknown | — | 2.5 | 2y ago | Microsoft Windows Kernel-Mode Driver contains an untrusted pointer dereference vulnerability that allows a local attacker to escalate privileges. | |||
| CVE-2024-20767 | unknown | — | 2.5 | 2y ago | Adobe ColdFusion contains an improper access control vulnerability that could allow an attacker to access or modify restricted files via an internet-exposed admin panel. | |||
| CVE-2024-49138 | unknown | — | 2.5 | 2y ago | Microsoft Windows Common Log File System (CLFS) driver contains a heap-based buffer overflow vulnerability that allows a local attacker to escalate privileges. | |||
| CVE-2024-51378 | unknown | — | 2.5 | 2y ago | CyberPanel contains an incorrect default permissions vulnerability that allows for authentication bypass and the execution of arbitrary commands using shell metacharacters in the statusfile property. | |||
| CVE-2024-11680 | unknown | — | 2.5 | 2y ago | ProjectSend contains an improper authentication vulnerability that allows a remote, unauthenticated attacker to enable unauthorized modification of the application's configuration via crafted HTTP re… | |||
| CVE-2024-1212 | unknown | — | 2.5 | 2y ago | Progress Kemp LoadMaster contains an OS command injection vulnerability that allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbi… | |||
| CVE-2024-9474 | unknown | — | 2.5 | 2y ago | Palo Alto Networks PAN-OS contains an OS command injection vulnerability that allows for privilege escalation through the web-based management interface for several PAN products, including firewalls … | |||
| CVE-2024-0012 | unknown | — | 2.5 | 2y ago | Palo Alto Networks PAN-OS contains an authentication bypass vulnerability in the web-based management interface for several PAN-OS products, including firewalls and VPN concentrators. | |||
| CVE-2024-5910 | unknown | — | 2.5 | 2y ago | Palo Alto Networks Expedition contains a missing authentication vulnerability that allows an attacker with network access to takeover an Expedition admin account and potentially access configuration … | |||
| CVE-2024-51567 | unknown | — | 2.5 | 2y ago | CyberPanel contains an incorrect default permissions vulnerability that allows a remote, unauthenticated attacker to execute commands as root. | |||
| CVE-2024-37383 | unknown | — | 2.5 | 2y ago | RoundCube Webmail contains a cross-site scripting (XSS) vulnerability in the handling of SVG animate attributes that allows a remote attacker to run malicious JavaScript code. | |||
| CVE-2024-47575 | unknown | — | 2.5 | 2y ago | Fortinet FortiManager contains a missing authentication vulnerability in the fgfmd daemon that allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted re… | |||
| CVE-2024-28987 | unknown | — | 2.5 | 2y ago | SolarWinds Web Help Desk contains a hardcoded credential vulnerability that could allow a remote, unauthenticated user to access internal functionality and modify data. | |||
| CVE-2024-29824 | unknown | — | 2.5 | 2y ago | Ivanti Endpoint Manager (EPM) contains a SQL injection vulnerability in Core server that allows an unauthenticated attacker within the same network to execute arbitrary code. | |||
| CVE-2024-6670 | unknown | — | 2.5 | 2y ago | Progress WhatsUp Gold contains a SQL injection vulnerability that allows an unauthenticated attacker to retrieve the user's encrypted password if the application is configured with only a single user. | |||
| CVE-2024-38856 | unknown | — | 2.5 | 2y ago | Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker. | |||
| CVE-2024-38193 | unknown | — | 2.5 | 2y ago | Microsoft Windows Ancillary Function Driver for WinSock contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges. | |||
| CVE-2024-32113 | unknown | — | 2.5 | 2y ago | Apache OFBiz contains a path traversal vulnerability that could allow for remote code execution. | |||
| CVE-2024-4879 | unknown | — | 2.5 | 2y ago | ServiceNow Utah, Vancouver, and Washington DC Now Platform releases contain a jelly template injection vulnerability in UI macros. An unauthenticated user could exploit this vulnerability to execute … | |||
| CVE-2024-28995 | unknown | — | 2.5 | 2y ago | SolarWinds Serv-U contains a path traversal vulnerability that allows an attacker access to read sensitive files on the host machine. | |||
| CVE-2024-23692 | unknown | — | 2.5 | 2y ago | Rejetto HTTP File Server contains an improper neutralization of special elements used in a template engine vulnerability. This allows a remote, unauthenticated attacker to execute commands on the aff… | |||
| CVE-2024-36401 | unknown | — | 2.5 | 2y ago | OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath expressions. This allows unau… | |||
| CVE-2024-34102 | unknown | — | 2.5 | 2y ago | Adobe Commerce and Magento Open Source contain an improper restriction of XML external entity reference (XXE) vulnerability that allows for remote code execution. | |||
| CVE-2024-4358 | unknown | — | 2.5 | 2y ago | Progress Telerik Report Server contains an authorization bypass by spoofing vulnerability that allows an attacker to obtain unauthorized access. | |||
| CVE-2024-4577 | unknown | — | 2.5 | 2y ago | PHP, specifically Windows-based PHP used in CGI mode, contains an OS command injection vulnerability that allows for arbitrary code execution. This vulnerability is a patch bypass for CVE-2012-1823. | |||
| CVE-2024-24919 | unknown | — | 2.5 | 2y ago | Check Point Quantum Security Gateways contain an unspecified information disclosure vulnerability. The vulnerability potentially allows an attacker to access information on Gateways connected to the … | |||
| CVE-2024-4040 | unknown | — | 2.5 | 2y ago | CrushFTP contains an unspecified sandbox escape vulnerability that allows a remote attacker to escape the CrushFTP virtual file system (VFS). | |||
| CVE-2024-27348 | unknown | — | 2.5 | 2y ago | Apache HugeGraph-Server contains an improper access control vulnerability that could allow a remote attacker to execute arbitrary code. | |||
| CVE-2024-3400 | unknown | — | 2.5 | 2y ago | Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges on the firewall. | |||
| CVE-2024-27198 | unknown | — | 2.5 | 2y ago | JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions. | |||
| CVE-2024-21338 | unknown | — | 2.5 | 2y ago | Microsoft Windows Kernel contains an exposed IOCTL with insufficient access control vulnerability within the IOCTL (input and output control) dispatcher in appid.sys that allows a local attacker to a… | |||
| CVE-2024-1709 | unknown | — | 2.5 | 2y ago | ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, administrator-level account on affec… | |||
| CVE-2024-21893 | unknown | — | 2.5 | 2y ago | Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) vulnerability in the SAML component that all… | |||
| CVE-2024-23897 | unknown | — | 2.5 | 2y ago | Jenkins Command Line Interface (CLI) contains a path traversal vulnerability that allows attackers limited read access to certain files, which can lead to code execution. | |||
| CVE-2024-21887 | unknown | — | 2.5 | 2y ago | Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web components of these products, which can allow an auth… | |||
| CVE-2024-32019 | unknown | — | 1.0 | — | Netdata is an open source observability tool. In affected versions the `ndsudo` tool shipped with affected versions of the Netdata Agent allows an attacker to run arbitrary programs with root permiss… | |||
| CVE-2024-8517 | unknown | — | 1.0 | — | SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipar… | |||
| CVE-2024-6782 | unknown | — | 1.0 | — | Improper access control in Calibre 6.9.0 ~ 7.14.0 allow unauthenticated attackers to achieve remote code execution. | |||
| CVE-2024-7954 | unknown | — | 1.0 | — | The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP … | |||
| CVE-2024-48990 | unknown | — | 1.0 | — | Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlle… | |||
| CVE-2024-25641 | unknown | — | 1.0 | — | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authe… | |||
| CVE-2024-42365 | unknown | — | 1.0 | — | Asterisk is an open source private branch exchange (PBX) and telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an A… | |||
| CVE-2024-42327 | unknown | — | 1.0 | — | A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRe… | |||
| CVE-2024-51774 | unknown | — | 1.0 | — | qBittorrent before 5.0.1 proceeds with use of https URLs even after certificate validation errors. | |||
| CVE-2024-30896 | unknown | — | 1.0 | — | InfluxDB OSS 2.x through 2.7.11 stores the administrative operator token under the default organization which allows authorized users with read access to the authorization resource of the default org… | |||
| CVE-2024-47177 | unknown | — | 1.0 | — | ||||
| CVE-2024-21111 | unknown | — | 1.0 | — | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.16. Easily exploitable vulnerability allows low pr… | |||
| CVE-2024-12905 | unknown | — | 1.0 | 1y ago | An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a malic… | |||
| CVE-2024-12029 | unknown | — | 1.0 | 1y ago | A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files… | |||
| CVE-2024-11956 | unknown | — | 1.0 | 1y ago | pimcore/customer-data-framework vulnerable to SQL Injection | |||
| CVE-2024-11954 | unknown | — | 1.0 | 1y ago | Pimcore Authenticated Stored Cross-Site Scripting (XSS) Via Search Document | |||
| CVE-2024-47605 | unknown | — | 1.0 | 1y ago | Silverstripe Framework has a XSS via insert media remote file oembed | |||
| CVE-2024-55889 | unknown | — | 1.0 | 2y ago | thorsten/phpmyfaq Unintended File Download Triggered by Embedded Frames | |||
| CVE-2024-55661 | unknown | — | 1.0 | 2y ago | Laravel Pulse Allows Remote Code Execution via Unprotected Query Method | |||
| CVE-2024-11392 | unknown | — | 1.0 | 2y ago | Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installat… | |||
| CVE-2024-43425 | unknown | — | 1.0 | 2y ago | Moodle Remote Code Execution vulnerability | |||
| CVE-2024-0132 | unknown | — | 1.0 | 2y ago | NVIDIA Container Toolkit contains a Time-of-check Time-of-Use (TOCTOU) vulnerability in github.com/NVIDIA/nvidia-container-toolkit | |||
| CVE-2024-46528 | unknown | — | 1.0 | 2y ago | KubeSphere IDOR vulnerability in github.com/kubesphere/kubesphere | |||
| CVE-2024-42640 | unknown | — | 1.0 | 2y ago | angular-base64-upload vulnerable to unauthenticated remote code execution | |||
| CVE-2024-46987 | unknown | — | 1.0 | 2y ago | Camaleon CMS vulnerable to arbitrary path traversal (GHSL-2024-183) | |||
| CVE-2024-39205 | unknown | — | 1.0 | 2y ago | pyload-ng vulnerable to RCE with js2py sandbox escape | |||
| CVE-2024-42471 | unknown | — | 1.0 | 2y ago | @actions/artifact has an Arbitrary File Write via artifact extraction | |||
| CVE-2024-45440 | unknown | — | 1.0 | 2y ago | Drupal Full Path Disclosure | |||
| CVE-2024-41947 | unknown | — | 1.0 | 2y ago | XWiki Platform vulnerable to Cross-Site Scripting (XSS) through conflict resolution | |||
| CVE-2024-39930 | unknown | — | 1.0 | 2y ago | github.com/gogs/gogs affected by CVE-2024-39930 | |||
| CVE-2024-28397 | unknown | — | 1.0 | 2y ago | js2py allows remote code execution | |||
| CVE-2024-3408 | unknown | — | 1.0 | 2y ago | man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in th… | |||
| CVE-2024-37032 | unknown | — | 1.0 | 2y ago | Ollama does not validate the format of the digest (sha256 with 64 hex digits) in github.com/ollama/ollama | |||
| CVE-2024-34069 | unknown | — | 1.0 | 2y ago | Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This r… | |||
| CVE-2024-31621 | unknown | — | 1.0 | 2y ago | Flowise vulnerable to code injection via api/v1 | |||
| CVE-2024-31839 | unknown | — | 1.0 | 2y ago | Cross site scripting in github.com/tiagorlampert/CHAOS | |||
| CVE-2024-30850 | unknown | — | 1.0 | 2y ago | Arbitrary code execution in github.com/tiagorlampert/CHAOS | |||
| CVE-2024-31819 | unknown | — | 1.0 | 2y ago | WWBN AVideo Remote Code Execution | |||
| CVE-2024-3116 | unknown | — | 1.0 | 2y ago | pgAdmin Remote Code Execution (RCE) vulnerability | |||
| CVE-2024-22513 | unknown | — | 1.0 | 2y ago | djangorestframework-simplejwt version 5.3.1 and before is vulnerable to information disclosure. A user can access web application resources even after their account has been disabled due to missing u… | |||
| CVE-2024-2044 | unknown | — | 1.0 | 2y ago | pgAdmin 4 vulnerable to Unsafe Deserialization and Remote Code Execution by an Authenticated user | |||
| CVE-2024-23346 | unknown | — | 1.0 | 2y ago | Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` m… | |||
| CVE-2024-24747 | unknown | — | 1.0 | 2y ago | Minio unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation in github.com/minio/minio |