
The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (CVSS Severity)
  • CVE-2023-35051 - Missing Authorization vulnerability in Cimatti Consulting Contact Forms by Cimatti allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Forms by Cimatti: from n/a through 1.5.7.
    Published: December 13, 2024; 10:15:15 AM -0500

    V3.1: 8.8 HIGH

  • CVE-2024-53739 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Cool Plugins Cryptocurrency Widgets For Elementor allows PHP Local File Inclusion. This issue affects Cryptocurrency Widgets Fo...
    Published: November 30, 2024; 4:15:15 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2024-10521 - The WordPress Contact Forms by Cimatti plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.2. This is due to missing or incorrect nonce validation on the process_bulk_action function. This mak...
    Published: November 27, 2024; 6:15:16 AM -0500

    V3.1: 4.3 MEDIUM

  • CVE-2023-27992 - The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0 could allow an unaut...
    Published: June 19, 2023; 8:15:09 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2023-5631 - Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load a...
    Published: October 18, 2023; 11:15:08 AM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2023-1389 - TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parame...
    Published: March 15, 2023; 7:15:09 PM -0400

    V3.1: 8.8 HIGH

  • CVE-2020-5722 - The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject...
    Published: March 23, 2020; 4:15:12 PM -0400

    V3.1: 9.8 CRITICAL
    V2.0: 10.0 HIGH

  • CVE-2020-5735 - Amcrest cameras and NVR are vulnerable to a stack-based buffer overflow over port 37777. An authenticated remote attacker can abuse this issue to crash the device and possibly execute arbitrary code.
    Published: April 08, 2020; 9:15:13 AM -0400

    V3.1: 8.8 HIGH
    V2.0: 8.0 HIGH

  • CVE-2020-5741 - Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code.
    Published: May 08, 2020; 9:15:11 AM -0400

    V3.1: 7.2 HIGH
    V2.0: 6.5 MEDIUM

  • CVE-2021-20090 - A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.
    Published: April 29, 2021; 11:15:10 AM -0400

    V3.1: 9.8 CRITICAL
    V2.0: 7.5 HIGH

  • CVE-2021-42258 - BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka user...
    Published: October 22, 2021; 6:15:07 PM -0400

    V3.1: 9.8 CRITICAL
    V2.0: 6.8 MEDIUM

  • CVE-2018-15133 - In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.p...
    Published: August 09, 2018; 3:29:00 PM -0400

    V3.1: 8.1 HIGH
    V2.0: 6.8 MEDIUM

  • CVE-2022-26352 - An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outs...
    Published: July 17, 2022; 6:15:08 PM -0400

    V3.1: 9.8 CRITICAL
    V2.0: 6.8 MEDIUM

  • CVE-2025-1661 - The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.6.5 via the 'template' parameter of the woof_text_search AJAX action. This makes it possi...
    Published: March 11, 2025; 12:15:24 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2025-1383 - The Podlove Podcast Publisher plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.2. This is due to missing or incorrect nonce validation on the ajax_transcript_delete() function. This makes i...
    Published: March 06, 2025; 7:15:35 AM -0500

    V3.1: 4.3 MEDIUM

  • CVE-2025-26775 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 BEAR allows Stored XSS. This issue affects BEAR: from n/a through 1.1.4.4.
    Published: February 17, 2025; 7:15:29 AM -0500

    V3.1: 4.8 MEDIUM

  • CVE-2025-0859 - The Post and Page Builder by BoldGrid – Visual Drag and Drop Editor plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.27.6 via the template_via_url() function. This makes it possible for authenticated att...
    Published: February 06, 2025; 5:15:08 AM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2025-30066 - tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8...
    Published: March 15, 2025; 2:15:12 AM -0400

    V3.1: 8.6 HIGH

  • CVE-2025-24472 - An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 may allow a remote attacker to gain super-admin privileges via cra...
    Published: February 11, 2025; 12:15:34 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2025-24605 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in realmag777 WOLF allows Path Traversal. This issue affects WOLF: from n/a through 1.0.8.5.
    Published: February 03, 2025; 10:15:26 AM -0500

    V3.1: 7.2 HIGH

Created September 20, 2022, Updated August 27, 2024