Exploit Database
145,169 exploits tracked across all sources.
Umbraco CMS < 10.8.9 - Authenticated Improper Authorization via Backoffice API URL Manipulation
Umbraco is a free and open source .NET content management system. In versions of Umbraco's web backoffice program prior to versions 10.8.9 and 13.7.1, via manipulation of backoffice API URLs, it's possible for authenticated backoffice users to retrieve or delete content or media held within folders the editor does not have access to. The issue is patched in versions 10.8.9 and 13.7.1. No known workarounds are available.
CVSS 4.9
Element Android <1.6.32 - Info Disclosure
Element Android is an Android Matrix Client provided by Element. Element Android up to version 1.6.32 can, under certain circumstances, fail to logout the user if they input the wrong PIN more than the configured amount of times. An attacker with physical access to a device can exploit this to guess the PIN. Version 1.6.34 solves the issue.
CVSS 5.1
Python JSON Logger <4 Mar 2025 - RCE
Python JSON Logger is a JSON Formatter for Python Logging. Between 30 December 2024 and 4 March 2025 Python JSON Logger was vulnerable to RCE through a missing dependency. This occurred because msgspec-python313-pre was deleted by the owner leaving the name open to being claimed by a third party. If the package was claimed, it would allow them RCE on any Python JSON Logger user who installed the development dependencies on Python 3.13 (e.g. pip install python-json-logger[dev]). This issue has been resolved with 3.3.0.
CVSS 8.8
libcontainer < 0.5.3 - Incorrect Default Permissions via Tenant Builder Capability Inheritance
libcontainer is a library for container control. Prior to libcontainer 0.5.3, while creating a tenant container, the tenant builder accepts a list of capabilities to be added in the spec of tenant container. The logic here adds the given capabilities to all capabilities of main container if present in spec, otherwise simply set provided capabilities as capabilities of the tenant container. However, setting inherited caps in any case for tenant container can lead to elevation of capabilities, similar to CVE-2022-29162. This does not affect youki binary itself. This is only applicable if you are using libcontainer directly and using the tenant builder.
CVSS 5.9
umatiGateway - Unauthenticated Exposure of Sensitive Configuration Information
umatiGateway is software for connecting OPC Unified Architecture servers with an MQTT broker utilizing JSON messages. The user interface may possibly be publicly accessible with umatiGateway's provided docker-compose file. With this access, the configuration can be viewed and altered. Commit 5d81a3412bc0051754a3095d89a06d6d743f2b16 uses `127.0.0.1:8080:8080` to limit access to the local network. For those who are unable to use this proposed patch, a firewall on Port 8080 may block remote access, but the workaround may not be perfect because Docker may also bypass a firewall by its iptable based rules for port forwarding.
CVSS 8.2
go-vela/server < 0.25.3 and 0.26.0-0.26.3 - Repository Ownership Transfer via Spoofed Webhook Payload
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to a separate repository. These secrets could be exfiltrated by follow up builds to the repository. Users with an enabled repository with access to repo level CI secrets in Vela are vulnerable to the exploit, and any user with access to the CI instance and the linked source control manager can perform the exploit. Versions 0.25.3 and 0.26.3 fix the issue. No known workarounds are available.
CVSS 8.5
pimcore < 11.5.4 - Authenticated SQL Injection via Filter String
Pimcore is an open source data and experience management platform. Prior to version 11.5.4, authenticated users can craft a filter string used to cause a SQL injection. Version 11.5.4 fixes the issue.
CVSS 8.8
SimpleSAMLphp saml2 < 4.17.0 and 5.0.0-alpha.1-5.0.0-alpha.20 - Signature Confusion Attack via HTTPRedirect Binding
The SimpleSAMLphp SAML2 library is a PHP library for SAML2 related functionality. Prior to versions 4.17.0 and 5.0.0-alpha.20, there is a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message. Versions 4.17.0 and 5.0.0-alpha.20 contain a fix for the issue.
CVSS 8.6
Applio < 3.2.8-bugfix - Remote Code Execution via Unsafe Deserialization in infer.py
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in `infer.py`. The issue can lead to remote code execution. As of time of publication, a fix is available on the `main` branch of the Applio repository but not attached to a numbered release.
CVSS 9.8
Applio < 3.2.8-bugfix - Remote Code Execution via Unsafe Deserialization in model_information.py
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in model_information.py. `model_name` in model_information.py takes user-supplied input (e.g. a path to a model) and pass that value to the `run_model_information_script` and later to `model_information` function, which loads that model with `torch.load` in rvc/train/process/model_information.py (on line 16 in 3.2.8-bugfix), which is vulnerable to unsafe deserialization. The issue can lead to remote code execution. A patch is available in the `main` branch of the repository.
CVSS 9.8
Applio < 3.2.8-bugfix - Remote Code Execution via Unsafe Deserialization in Model File Handling
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in inference.py. `model_file` in inference.py as well as `model_file` in tts.py take user-supplied input (e.g. a path to a model) and pass that value to the `change_choices` and later to `get_speakers_id` function, which loads that model with `torch.load` in inference.py (line 326 in 3.2.8-bugfix), which is vulnerable to unsafe deserialization. The issue can lead to remote code execution. A patch is available on the `main` branch of the repository.
CVSS 9.8
Espressif ESP32 Firmware - Hidden Functionality via Undocumented HCI Commands
Espressif ESP32 chips allow 29 hidden HCI commands, such as 0xFC02 (Write memory).
CVSS 6.8
Digiwin ERP 5.1 - Unrestricted Upload
A vulnerability classified as critical has been found in Digiwin ERP 5.1. Affected is the function DoUpload/DoWebUpload of the file /Api/FileUploadApi.ashx. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 7.3
Dietiqa 1.0.20 - SQL Injection via Progress Body Weight Endpoint u Parameter
A SQL Injection vulnerability exists in the `u` parameter of the progress-body-weight.php endpoint of Dietiqa App v1.0.20.
CVSS 9.8
Edimax BR-6478AC V3 Firmware 1.0.15 - OS Command Injection via formDiskCreateShare foldername Parameter
Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3_1.0.15 was discovered to contain a command injection vulnerability via the foldername in /boafrm/formDiskCreateShare.
CVSS 6.5
Edimax BR-6478AC V3 Firmware 1.0.15 - OS Command Injection via Groupname Parameter
Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3_1.0.15 was discovered to contain a command injection vulnerability via the groupname at the /boafrm/formDiskCreateGroup.
CVSS 6.5
Edimax BR-6478AC V3 Firmware 1.0.15 - Stack-based Buffer Overflow via peerPin Parameter
Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3 1.0.15 was discovered to contain a stack overflow vlunerability via peerPin parameter in the formWsc function.
CVSS 6.5
Edimax BR-6478AC V3 Firmware 1.0.15 - OS Command Injection via Disk Format Partition Parameter
Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3 1.0.15 was discovered to contain a command injection vulnerability via partition in /boafrm/formDiskFormat.
CVSS 6.5
Edimax BR-6478AC V3 Firmware 1.0.15 - OS Command Injection via fota_url Parameter
Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3 1.0.15 was discovered to contain a command injection vulnerability via fota_url in /boafrm/formLtefotaUpgradeQuectel
CVSS 9.8
Leantime < 3.3.0 - Authenticated Stored Cross-Site Scripting via First Name Field in processMentions()
Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary code and obtain sensitive information via the first name field in processMentions().
CVSS 5.4
Volmarg Personal Management System 1.4.65 - Cross-Site Request Forgery via SameSite Cookie Attribute
Volmarg Personal Management System 1.4.65 is vulnerable to Cross Site Request Forgery (CSRF) allowing attackers to execute arbitrary code and obtain sensitive information via the SameSite cookie attribute defaults value set to none
CVSS 4.7
Mydata Ticket Sales Automation < 2025-04-03 - Blind SQL Injection
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mydata Informatics Ticket Sales Automation allows Blind SQL Injection.
This issue affects Ticket Sales Automation: before 03.04.2025 (DD.MM.YYYY).
CVSS 9.8
D-Link DIR-823x Firmware - Remote Code Execution via Function 0x41dda8
An issue in dlink DIR 832x 240802 allows a remote attacker to execute arbitrary code via the function 0x41dda8
CVSS 7.2
D-Link DIR-823x Firmware 240802 - OS Command Injection via target_addr Parameter
An issue in dlink DIR 823x 240802 allows a remote attacker to execute arbitrary code via the target_addr key value and the function 0x41737c
CVSS 9.8
D-Link DIR-823x 240802 - OS Command Injection via target_addr Parameter
An issue in dlink DIR 823x 240802 allows a remote attacker to execute arbitrary code via the target_addr key value and the function 0x41710c
CVSS 9.8
By Source