The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
-
CVE-2020-7961 - Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
Published: March 20, 2020; 3:15:12 PM -0400
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
-
CVE-2020-8515 - DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI. This issu...
Published: February 01, 2020; 8:15:12 AM -0500
V3.1: 9.8 CRITICAL
V2.0: 10.0 HIGH
-
CVE-2020-8644 - PlaySMS before 1.4.3 does not sanitize inputs from a malicious string.
Published: February 05, 2020; 5:15:11 PM -0500
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
-
CVE-2020-25506 - D-Link DNS-320 FW v2.06B01 Revision Ax is affected by command injection in the system_mgr.cgi component, which can lead to remote arbitrary code execution.
Published: February 02, 2021; 8:15:12 AM -0500
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
-
CVE-2020-26919 - NETGEAR JGS516PE devices before 2.6.0.43 are affected by lack of access control at the function level.
Published: October 09, 2020; 3:15:17 AM -0400
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
-
CVE-2020-28949 - Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
Published: November 19, 2020; 2:15:11 PM -0500
V3.1: 7.8 HIGH
V2.0: 6.8 MEDIUM
-
CVE-2020-29557 - An issue was discovered on D-Link DIR-825 R1 devices through 3.0.1 before 2020-11-20. A buffer overflow in the web interface allows attackers to achieve pre-authentication remote code execution.
Published: January 29, 2021; 3:15:12 PM -0500
V3.1: 9.8 CRITICAL
V2.0: 10.0 HIGH
-
CVE-2020-29574 - An SQL injection vulnerability in the WebAdmin of Cyberoam OS through 2020-12-04 allows unauthenticated attackers to execute arbitrary SQL statements remotely.
Published: December 11, 2020; 12:15:13 PM -0500
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
-
CVE-2020-29583 - Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh ser...
Published: December 22, 2020; 5:15:14 PM -0500
V3.1: 9.8 CRITICAL
V2.0: 10.0 HIGH
-
CVE-2020-36193 - Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
Published: January 18, 2021; 3:15:12 PM -0500
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
-
CVE-2020-7247 - smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. Th...
Published: January 29, 2020; 11:15:12 AM -0500
V3.1: 9.8 CRITICAL
V2.0: 10.0 HIGH
-
CVE-2020-17463 - FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
Published: August 13, 2020; 9:15:17 AM -0400
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
-
CVE-2020-17496 - vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.
Published: August 12, 2020; 10:15:13 AM -0400
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
-
CVE-2020-24363 - TP-Link TL-WA855RE V5 20200415-rel37464 devices allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST request for a factory reset and reboot. The attacker can then obtain incorrect access control by setting a new admi...
Published: August 31, 2020; 12:15:15 PM -0400
-
CVE-2020-25078 - An issue was discovered on D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices. The unauthenticated /config/getuser endpoint allows for remote administrator password disclosure.
Published: September 02, 2020; 12:15:12 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
-
CVE-2020-25079 - An issue was discovered on D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices. cgi-bin/ddns_enc.cgi allows authenticated command injection.
Published: September 02, 2020; 12:15:12 PM -0400
-
CVE-2020-25213 - The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows ...
Published: September 09, 2020; 12:15:12 PM -0400
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
-
CVE-2020-25223 - A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5, v9.607 MR7, and v9.511 MR11.
Published: September 25, 2020; 12:23:04 AM -0400
V3.1: 9.8 CRITICAL
V2.0: 10.0 HIGH
-
CVE-2025-63450 - Car-Booking-System-PHP v.1.0 is vulnerable to Cross Site Scripting (XSS) in /carlux/booking.php.
Published: November 03, 2025; 11:15:37 AM -0500
-
CVE-2025-63451 - Car-Booking-System-PHP v.1.0 is vulnerable to SQL Injection in /carlux/sign-in.php.
Published: November 03, 2025; 11:15:37 AM -0500