| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Subscriber Server Side Request Forgery (SSRF) in utm.codes <= 1.9.0 versions. |
| Unauthenticated Arbitrary File Deletion in ShortPixel Adaptive Images <= 3.11.4 versions. |
| Subscriber PHP Object Injection in Buddyboss Platform <= 3.0.4 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Quick Interest Slider <= 3.1.6 versions. |
| Subscriber Cross Site Scripting (XSS) in ListingPro <= 2.9.11 versions. |
| Subscriber Arbitrary File Upload in Travel Booking <= 2.2.5 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Everest Forms <= 3.4.8 versions. |
| Subscriber Sensitive Data Exposure in Site Reviews <= 8.0.11 versions. |
| Unauthenticated Cross Site Scripting (XSS) in NanoMag <= 1.8 versions. |
| File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.33.8, when a shell interpreter is configured (e.g. /bin/sh -c), the command allowlist can be bypassed through shell metacharacters. The allowlist validates only the first token of user input, but the entire raw string is handed to the shell — semicolons, pipes, backticks, and $() all work to chain arbitrary commands after a permitted one. This vulnerability is fixed in 2.33.8. |
| Subscriber Server Side Request Forgery (SSRF) in Kirki <= 6.0.11 versions. |
| Unauthenticated Sensitive Data Exposure in WCBoost – Products Compare <= 1.1.0 versions. |
| Subscriber Broken Access Control in MasterStudy LMS <= 3.7.30 versions. |
| Subscriber Insecure Direct Object References (IDOR) in Majestic Support <= 1.1.7 versions. |
| Unauthenticated Insecure Direct Object References (IDOR) in JS Help Desk <= 3.1.0 versions. |
| Administrator Arbitrary File Upload in TemplateSpare <= 4.2.0 versions. |
| Unauthenticated Sensitive Data Exposure in Bopo – WooCommerce Product Bundle Builder <= 1.1.6 versions. |
| An unauthenticated
buffer overflow vulnerability exists in IEEE8021x_upload.cgi in GeoVision
GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by
insufficient bounds checking when parsing filename values in multipart upload
data. A remote attacker may exploit this vulnerability by sending a crafted
upload request with overly long input, causing memory corruption and resulting
in a denial of service. |
| CWE-78 Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow unauthorized execution of commands with elevated privileges, impacting system integrity, confidentiality, and availability when a privileged authenticated user interacts with a vulnerable network-exposed service. |
| The Printcart Web to Print Product Designer for WooCommerce WordPress plugin through 2.4.8 is vulnerable to path traversal which makes it possible for the attacker to retrieve the directory listing for arbitrary directories on the server. |
