The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
CVE-2021-43635 - A Cross Site Scripting (XSS) vulnerability exists in Codex before 1.4.0 via Notebook/Page name field, which allows malicious users to execute arbitrary code via a crafted http code in a .json file.
  Published: February 04, 2022; 1:15:07 PM -0500
  CVSS V3.1: 6.1 MEDIUM
  CVSS V2.0: 4.3 MEDIUM

CVE-2025-1068 - There is an untrusted search path vulnerability in Esri ArcGIS AllSource 1.2 and 1.3 that may allow a low privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim per...
  Published: February 25, 2025; 12:15:13 PM -0500
  CVSS V3.1: 7.3 HIGH

CVE-2025-1067 - There is an untrusted search path vulnerability in Esri ArcGIS Pro 3.3 and 3.4 that may allow a low privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim performs ...
  Published: February 25, 2025; 12:15:13 PM -0500
  CVSS V3.1: 7.3 HIGH

CVE-2024-35079 - An arbitrary file upload vulnerability in the uploadAudio method of inxedu v2024.4 allows attackers to execute arbitrary code via uploading a crafted .jsp file.
  Published: May 23, 2024; 3:16:01 PM -0400

CVE-2024-35080 - An arbitrary file upload vulnerability in the gok4 method of inxedu v2024.4 allows attackers to execute arbitrary code via uploading a crafted .jsp file.
  Published: May 23, 2024; 3:16:01 PM -0400

CVE-2024-35570 - An arbitrary file upload vulnerability in the component \controller\ImageUploadController.class of inxedu v2.0.6 allows attackers to execute arbitrary code via uploading a crafted jsp file.
  Published: May 23, 2024; 3:16:01 PM -0400

CVE-2023-26604 - systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and th...
  Published: March 03, 2023; 11:15:10 AM -0500
  CVSS V3.1: 7.8 HIGH

CVE-2024-31030 - An issue in coap_msg.c in Keith Cullen's FreeCoAP v.0.7 allows remote attackers to cause a Denial of Service or potentially disclose information via a specially crafted packet.
  Published: May 31, 2024; 2:15:12 PM -0400

CVE-2024-31648 - Cross Site Scripting (XSS) in Insurance Management System v1.0, allows remote attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Category Name parameter at /core/new_category2.
  Published: April 15, 2024; 5:15:07 PM -0400

CVE-2024-30656 - An issue in Fireboltt Dream Wristphone BSW202_FB_AAC_v2.0_20240110-20240110-1956 allows attackers to cause a Denial of Service (DoS) via a crafted deauth frame.
  Published: April 15, 2024; 6:15:08 PM -0400
  CVSS V3.1: 7.5 HIGH

CVE-2024-31651 - A cross-site scripting (XSS) in Cosmetics and Beauty Product Online Store v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the First Name parameter.
  Published: April 15, 2024; 6:15:09 PM -0400

CVE-2023-33806 - Insecure default configurations in Hikvision Interactive Tablet DS-D5B86RB/B V2.3.0 build220119, allows attackers to execute arbitrary commands.
  Published: April 15, 2024; 7:15:06 PM -0400

CVE-2024-21088 - Vulnerability in the Oracle Production Scheduling product of Oracle E-Business Suite (component: Import Utility). Supported versions that are affected are 12.2.4-12.2.12. Easily exploitable vulnerability allows unauthenticated attacker with netwo...
  Published: April 16, 2024; 6:15:28 PM -0400

CVE-2024-37818 - Strapi v4.24.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /strapi.io/_next/image. This vulnerability allows attackers to scan for open ports or access sensitive information via a crafted GET request. NOTE: The...
  Published: June 20, 2024; 3:15:50 PM -0400

CVE-2024-37081 - The vCenter Server contains multiple local privilege escalation vulnerabilities due to misconfiguration of sudo. An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on vCenter Serve...
  Published: June 18, 2024; 2:15:11 AM -0400

CVE-2024-38467 - Shenzhen Guoxin Synthesis image system before 8.3.0 allows unauthorized user information retrieval via the queryUser API.
  Published: June 16, 2024; 12:15:09 PM -0400

CVE-2024-36600 - Buffer Overflow Vulnerability in libcdio v2.1.0 allows an attacker to execute arbitrary code via a crafted ISO 9660 image file.
  Published: June 14, 2024; 3:15:50 PM -0400

CVE-2022-43216 - AbrhilSoft Employee's Portal before v5.6.2 was discovered to contain a SQL injection vulnerability in the login page.
  Published: April 08, 2024; 8:15:08 AM -0400

CVE-2024-29390 - Daily Expenses Management System version 1.0, developed by PHP Gurukul, contains a time-based blind SQL injection vulnerability in the 'add-expense.php' page. An attacker can exploit the 'item' parameter in a POST request to execute arbitrary SQL ...
  Published: June 20, 2024; 5:15:49 PM -0400

CVE-2024-38951 - A buffer overflow in PX4-Autopilot v1.12.3 allows attackers to cause a Denial of Service (DoS) via a crafted MavLink message.
  Published: June 25, 2024; 10:15:12 AM -0400