Export limit exceeded: 17783 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 343236 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (343236 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-58311 | 1 Dormakaba | 1 Saflok System 6000 | 2026-04-07 | 9.8 Critical |
| Dormakaba Saflok System 6000 contains a predictable key generation algorithm that allows attackers to derive card access keys from a 32-bit unique identifier. Attackers can exploit the deterministic key generation process by calculating valid access keys using a simple mathematical transformation of the card's unique identifier. | ||||
| CVE-2024-58309 | 1 Xbtitfm | 1 Xbtitfm | 2026-04-07 | 9.8 Critical |
| xbtitFM 4.1.18 contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries by injecting malicious SQL code through the msgid parameter. Attackers can send crafted requests to /shoutedit.php with EXTRACTVALUE functions to extract database names, user credentials, and password hashes from the underlying database. | ||||
| CVE-2024-58308 | 1 Opensolution | 3 Quick.cms, Quick.cms.ext, Quick Cms | 2026-04-07 | 9.8 Critical |
| Quick.CMS 6.7 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating the login form. Attackers can inject specific SQL payloads like ' or '1'='1 to gain unauthorized administrative access to the system. | ||||
| CVE-2024-58307 | 1 Cszcms | 2 Csz Cms, Cszcms | 2026-04-07 | 8.8 High |
| CSZCMS 1.3.0 contains an authenticated SQL injection vulnerability in the members view functionality that allows authenticated attackers to manipulate database queries. Attackers can inject malicious SQL code through the view parameter to potentially execute time-based blind SQL injection attacks and extract database information. | ||||
| CVE-2024-58306 | 1 Hans Alshoff | 1 Minalic | 2026-04-07 | N/A |
| minaliC 2.0.0 contains a denial of service vulnerability that allows remote attackers to crash the web server by sending oversized GET requests. Attackers can send crafted HTTP requests with excessive data to overwhelm the server and cause service interruption. | ||||
| CVE-2024-58305 | 1 Wondercms | 1 Wondercms | 2026-04-07 | 8.8 High |
| WonderCMS 4.3.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious JavaScript through the module installation endpoint. Attackers can craft a specially designed XSS payload to install a reverse shell module and execute remote commands by tricking an authenticated administrator into accessing a malicious link. | ||||
| CVE-2024-58304 | 1 Spa-cart | 2 Spa-cart, Spa-cartcms | 2026-04-07 | 7.5 High |
| SPA-CART CMS 1.9.0.3 contains a stored cross-site scripting vulnerability in the product description parameter that allows authenticated administrators to inject malicious scripts. Attackers can submit JavaScript payloads through the 'descr' parameter in the product edit form to execute arbitrary code in administrative users' browsers. | ||||
| CVE-2024-58303 | 1 Flarum | 2 Flarum, Pretty Mail | 2026-04-07 | N/A |
| FoF Pretty Mail 1.1.2 contains a server-side template injection vulnerability that allows administrative users to inject malicious code into email templates. Attackers can execute system commands by inserting crafted template expressions that trigger arbitrary code execution during email generation. | ||||
| CVE-2024-58302 | 1 Flarum | 2 Flarum, Pretty Mail | 2026-04-07 | N/A |
| FoF Pretty Mail 1.1.2 contains a local file inclusion vulnerability that allows administrative users to include arbitrary server files in email templates. Attackers can exploit the template settings by inserting file inclusion payloads to read sensitive system files like /etc/passwd during email generation. | ||||
| CVE-2024-58301 | 1 Purei | 1 Cms | 2026-04-07 | N/A |
| Purei CMS 1.0 contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through unfiltered user input parameters. Attackers can exploit vulnerable endpoints like getAllParks.php and events-ajax.php by injecting crafted SQL payloads to potentially extract or modify database information. | ||||
| CVE-2024-58300 | 1 Siklu | 1 Multihaul Tg Series | 2026-04-07 | N/A |
| Siklu MultiHaul TG series devices before version 2.0.0 contain an unauthenticated vulnerability that allows remote attackers to retrieve randomly generated credentials via a network request. Attackers can send a specific hex-encoded command to port 12777 to obtain username and password, enabling direct SSH access to the device. | ||||
| CVE-2024-58299 | 2 Pcman, Wftpserver | 2 Ftp Server, Wing Ftp Server | 2026-04-07 | 9.8 Critical |
| PCMan FTP Server 2.0 contains a buffer overflow vulnerability in the 'pwd' command that allows remote attackers to execute arbitrary code. Attackers can send a specially crafted payload during the FTP login process to overwrite memory and potentially gain system access. | ||||
| CVE-2024-58298 | 1 Bmc | 1 Compuware Istrobe Web | 2026-04-07 | N/A |
| Compuware iStrobe Web 20.13 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to upload malicious JSP files through a path traversal in the file upload form. Attackers can exploit the 'fileName' parameter to upload a web shell and execute arbitrary commands by sending POST requests to the uploaded JSP endpoint. | ||||
| CVE-2024-58294 | 2 Freepbx, Sangoma | 2 Freepbx, Freepbx | 2026-04-07 | 8.8 High |
| FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid session credentials to execute arbitrary commands. Attackers can exploit the 'generatedocs' endpoint by crafting malicious POST requests with bash command injection to establish remote shell access. | ||||
| CVE-2024-58293 | 1 Akaunting | 1 Akaunting | 2026-04-07 | N/A |
| Akaunting 3.1.8 contains a server-side template injection vulnerability that allows authenticated administrators to execute template expressions in multiple form input fields. Attackers can inject template payloads in items, taxes, transactions, and vendor name fields to perform arithmetic operations and string manipulations. | ||||
| CVE-2024-58292 | 2 Xmb Forum, Xmbforum2 | 2 Xmb, Xmb | 2026-04-07 | N/A |
| XMB Forum 1.9.12.06 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript into templates and front page settings. Attackers can insert XSS payloads in footer templates and news ticker fields, enabling script execution for all forum users when pages are rendered. | ||||
| CVE-2024-58290 | 1 Elements | 1 Xhibiter Nft Marketplace | 2026-04-07 | N/A |
| Xhibiter NFT Marketplace 1.10.2 contains a SQL injection vulnerability in the collections endpoint that allows attackers to manipulate database queries through the 'id' parameter. Attackers can exploit boolean-based, time-based, and UNION-based SQL injection techniques to potentially extract or manipulate database information by sending crafted payloads to the collections page. | ||||
| CVE-2024-58289 | 1 Microweber | 1 Microweber | 2026-04-07 | 5.4 Medium |
| Microweber 2.0.15 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into user profile fields. Attackers can input script payloads in the first name field that will execute when the profile is viewed by other users, potentially stealing session cookies and executing arbitrary JavaScript. | ||||
| CVE-2024-58286 | 1 Vexorian | 1 Dizquetv | 2026-04-07 | N/A |
| dizqueTV 1.5.3 contains a remote code execution vulnerability that allows attackers to inject arbitrary commands through the FFMPEG Executable Path settings. Attackers can modify the executable path with shell commands to read system files like /etc/passwd by exploiting improper input validation. | ||||
| CVE-2024-58284 | 1 Popojicms | 1 Popojicms | 2026-04-07 | 7.2 High |
| PopojiCMS 2.0.1 contains an authenticated remote command execution vulnerability that allows administrative users to inject malicious PHP code through the metadata settings endpoint. Attackers can log in and modify the meta content to create a web shell that executes arbitrary system commands through a GET parameter. | ||||