Exploit Database
136,378 exploits tracked across all sources.
mochiMQTT <2.6.3 - DoS
mochiMQTT v2.6.3 is vulnerable to Denial of Service (DoS) due to improper resource management. An attacker can exhaust system memory and crash the broker by establishing and maintaining a large number of malicious, long-term publish/subscribe sessions.
CVSS 7.5
Clementine - Untrusted Search Path
An issue in Clementine v.1.3.1 allows a local attacker to execute arbitrary code via a crafted DLL file.
CVSS 7.3
Ruijie NBR800G - Command Injection
Ruijie NBR800G gateway NBR_RGOS_11.1(6)B4P9 is vulnerable to command execution in /itbox_pi/networksafe.php via the province parameter.
CVSS 6.5
TCPDF 6.7.5 - LFI
Local File Inclusion (LFI) vulnerability has been discovered in TCPDF 6.7.5. This vulnerability enables a user to read arbitrary files from the server's file system through <img> src tag, potentially exposing sensitive information.
CVSS 6.2
HAPI FHIR: Unauthenticated SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the FHIR Validator HTTP service exposes an unauthenticated "/loadIG" endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined with a startsWith() URL prefix matching flaw in the credential provider (ManagedWebAccessUtils.getServer()), an attacker can steal authentication tokens (Bearer, Basic, API keys) configured for legitimate FHIR servers by registering a domain that prefix-matches a configured server URL. This issue has been patched in version 6.9.4.
CVSS 9.3
HAPI FHIR: Unauthenticated Blind SSRF via /loadIG Endpoint Enables Internal Network Probing
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a user-supplied URL via JSON body and makes server-side HTTP requests to it without any hostname, scheme, or domain validation. An unauthenticated attacker with network access to the validator can probe internal network services, cloud metadata endpoints, and map network topology through error-based information leakage. With explore=true (the default for this code path), each request triggers multiple outbound HTTP calls, amplifying reconnaissance capability. This issue has been patched in version 6.9.4.
CVSS 5.8
HAPI FHIR: Authentication Credential Leakage via Improper URL Prefix Matching on HTTP Redirect in HAPI FHIR Core
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, ManagedWebAccessUtils.getServer() uses String.startsWith() to match request URLs against configured server URLs for authentication credential dispatch. Because configured server URLs (e.g., http://tx.fhir.org) lack a trailing slash or host boundary check, an attacker-controlled domain like http://tx.fhir.org.attacker.com matches the prefix and receives Bearer tokens, Basic auth credentials, or API keys when the HTTP client follows a redirect to that domain. This issue has been patched in version 6.9.4.
CVSS 7.4
HAPI FHIR HTTP authentication leak in redirects
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.0, when setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers to subsequent hosts is a problem as this header often contains privacy sensitive information or data that could allow others to impersonate the client's request. This issue has been patched in release 6.9.0. No known workarounds are available.
CVSS 7.5
HAPI FHIR - XML External Entity Injection
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. XSLT parsing performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( <!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML. This is related to GHSA-6cr6-ph3p-f5rf, in which its fix (#1571 & #1717) was incomplete. This issue has been addressed in release version 6.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS 8.6
HAPI FHIR - XML External Entity Injection
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. XSLT parsing performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( <!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML. This is related to GHSA-6cr6-ph3p-f5rf, in which its fix (#1571 & #1717) was incomplete. This issue has been addressed in release version 6.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS 8.6
HAPI FHIR - XML External Entity Injection
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. XSLT parsing performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( <!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML. This is related to GHSA-6cr6-ph3p-f5rf, in which its fix (#1571 & #1717) was incomplete. This issue has been addressed in release version 6.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS 8.6
HAPI FHIR - XML External Entity Injection
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. XSLT parsing performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( <!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML. This is related to GHSA-6cr6-ph3p-f5rf, in which its fix (#1571 & #1717) was incomplete. This issue has been addressed in release version 6.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS 8.6
Ca.uhn.hapi.fhir Org.hl7.fhir.convertors < 6.4.0 - XXE
An XML External Entity (XXE) vulnerability in HAPI FHIR before v6.4.0 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted request containing malicious XML entities.
CVSS 9.8
HL7 FHIR Core <6.3.23 - XML External Entity Injection
The HL7 FHIR Core Artifacts repository provides the java core object handling code, with utilities (including validator), for the Fast Healthcare Interoperability Resources (FHIR) specification. Prior to version 6.3.23, XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML. This issue has been patched in release 6.3.23. No known workarounds are available.
CVSS 8.6
HL7 FHIR Core <6.3.23 - XML External Entity Injection
The HL7 FHIR Core Artifacts repository provides the java core object handling code, with utilities (including validator), for the Fast Healthcare Interoperability Resources (FHIR) specification. Prior to version 6.3.23, XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML. This issue has been patched in release 6.3.23. No known workarounds are available.
CVSS 8.6
Cyberpanel < 2.3.8 - OS Command Injection
getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
CVSS 10.0
OpenKnowledgeMaps Headstart v7 - Privilege Escalation
An issue in OpenKnowledgeMaps Headstart v7 allows a remote attacker to escalate privileges via the url parameter of the getPDF.php component
CVSS 8.8
Altai Technologies Ltd Altai X500 Indoor - Info Disclosure
Altai Technologies Ltd Altai X500 Indoor 22 802.11ac Wave 2 AP web Management Weak password leakage in the background may lead to unauthorized access, data theft, and network attacks, seriously threatening network security.
CVSS 6.5
Yeswiki < 4.4.5 - Broken Cryptographic Algorithm
YesWiki is a wiki system written in PHP. Prior to 4.4.5, the use of a weak cryptographic algorithm and a hard-coded salt to hash the password reset key allows it to be recovered and used to reset the password of any account. This issue is fixed in 4.4.5.
CVSS 9.9
ZoneMinder <1.37.64 - SQL Injection
ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder v1.37.* <= 1.37.64 is vulnerable to boolean-based SQL Injection in function of web/ajax/event.php. This is fixed in 1.37.65.
CVSS 9.9
Pypi Changedetection.io < 0.47.5 - Path Traversal
changedetection.io is free, open source web page change detection software. Prior to version 0.47.5, when a WebDriver is used to fetch files, `source:file:///etc/passwd` can be used to retrieve local system files, where the more traditional `file:///etc/passwd` gets blocked. Version 0.47.5 fixes the issue.
cobalt - XSS
cobalt is a media downloader that doesn't piss you off. A malicious cobalt instance could serve links with the `javascript:` protocol, resulting in Cross-site Scripting (XSS) when the user tries to download an item from a picker. This issue has been present since commit `66bac03e`, was mitigated in commit `97977efa` (correctly configured web instances were no longer vulnerable) and fully fixed in commit `c4be1d3a` (included in release version 10.2.1). Users are advised to upgrade. Users unable to upgrade should enable a content-security-policy.
CyberPanel Multi CVE Pre-auth RCE
upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
CVSS 10.0
happy-dom <15.10.2 - RCE
happy-dom is a JavaScript implementation of a web browser without its graphical user interface. Versions of happy-dom prior to 15.10.2 may execute code on the host via a script tag. This would execute code in the user context of happy-dom. Users are advised to upgrade to version 15.10.2. There are no known workarounds for this vulnerability.
Multiple Brother devices authentication bypass via default administrator password generation
An unauthenticated attacker who can access either the HTTP service (TCP port 80), the HTTPS service (TCP port 443), or the IPP service (TCP port 631), can leak several pieces of sensitive information from a vulnerable device. The URI path /etc/mnt_info.csv can be accessed via a GET request and no authentication is required. The returned result is a comma separated value (CSV) table of information. The leaked information includes the device’s model, firmware version, IP address, and serial number.
CVSS 5.3
By Source