Search Results (75952 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-58316 | 2 Online-shopping-system-advanced Project, Puneethreddyhc | 2 Online-shopping-system-advanced, Online Shopping System Advanced | 2026-03-05 | 7.5 High |
| Online Shopping System Advanced 1.0 contains a SQL injection vulnerability in the payment_success.php script that allows attackers to inject malicious SQL through the unfiltered 'cm' parameter. Attackers can exploit the vulnerability by sending crafted SQL queries to retrieve sensitive database information by manipulating the user ID parameter. | ||||
| CVE-2024-58305 | 1 Wondercms | 1 Wondercms | 2026-03-05 | 8.8 High |
| WonderCMS 4.3.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious JavaScript through the module installation endpoint. Attackers can craft a specially designed XSS payload to install a reverse shell module and execute remote commands by tricking an authenticated administrator into accessing a malicious link. | ||||
| CVE-2024-58287 | 1 Yogeshojha | 1 Rengine | 2026-03-05 | 8.8 High |
| reNgine 2.2.0 contains a command injection vulnerability in the nmap_cmd parameter of scan engine configuration that allows authenticated attackers to execute arbitrary commands. Attackers can modify the nmap_cmd parameter with malicious base64-encoded payloads to achieve remote code execution during scan engine configuration. | ||||
| CVE-2024-58284 | 1 Popojicms | 1 Popojicms | 2026-03-05 | 7.2 High |
| PopojiCMS 2.0.1 contains an authenticated remote command execution vulnerability that allows administrative users to inject malicious PHP code through the metadata settings endpoint. Attackers can log in and modify the meta content to create a web shell that executes arbitrary system commands through a GET parameter. | ||||
| CVE-2024-58283 | 1 Wbce | 1 Wbce Cms | 2026-03-05 | 8.8 High |
| WBCE CMS version 1.6.2 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the Elfinder file manager. Attackers can exploit the file upload functionality in the elfinder connector to upload a web shell and execute arbitrary system commands through a user-controlled parameter. | ||||
| CVE-2024-58282 | 2 S9y, Serendipity | 2 Serendipity, Serendipity | 2026-03-05 | 7.2 High |
| Serendipity 2.5.0 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the media upload functionality. Attackers can exploit the file upload mechanism by creating a PHP shell with a command execution form that enables arbitrary system command execution on the web server. | ||||
| CVE-2024-58281 | 1 Dotclear | 1 Dotclear | 2026-03-05 | 8.8 High |
| Dotclear 2.29 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the media upload functionality. Attackers can exploit the file upload process by crafting a PHP shell with a command execution form to gain system access through the uploaded file. | ||||
| CVE-2024-58280 | 1 Cmsimple | 1 Cmsimple | 2026-03-05 | 8.8 High |
| CMSimple 5.15 contains a remote command execution vulnerability that allows authenticated attackers to modify file extensions and upload malicious PHP files. Attackers can append ',php' to Extensions_userfiles and upload a shell script to the media directory to execute arbitrary code on the server. | ||||
| CVE-2023-53982 | 1 Sigb | 1 Pmb | 2026-03-05 | 7.5 High |
| PMB 7.4.6 contains a SQL injection vulnerability in the storage parameter of the ajax.php endpoint that allows remote attackers to manipulate database queries. Attackers can exploit the unsanitized 'id' parameter by injecting conditional sleep statements to extract information or perform time-based blind SQL injection attacks. | ||||
| CVE-2023-53981 | 2 Roxio, Thibaud-rohmer | 2 Photoshow, Photoshow | 2026-03-05 | 7.2 High |
| PhotoShow 3.0 contains a remote code execution vulnerability that allows authenticated administrators to inject malicious commands through the exiftran path configuration. Attackers can exploit the ffmpeg configuration settings by base64 encoding a reverse shell command and executing it through a crafted video upload process. | ||||
| CVE-2023-53979 | 1 Mybb | 1 Mybb | 2026-03-05 | 8.8 High |
| MyBB 1.8.32 contains a chained vulnerability that allows authenticated administrators to bypass avatar upload restrictions and execute arbitrary code. Attackers can modify upload path settings, upload a malicious PHP-embedded image file, and execute commands through the language configuration editing interface. | ||||
| CVE-2023-53972 | 1 Webtareas Project | 1 Webtareas | 2026-03-05 | 7.5 High |
| WebTareas 2.4 contains a SQL injection vulnerability in the webTareasSID cookie parameter that allows unauthenticated attackers to manipulate database queries. Attackers can exploit error-based and time-based blind SQL injection techniques to extract database information and potentially access sensitive system data. | ||||
| CVE-2023-53971 | 1 Webtareas Project | 1 Webtareas | 2026-03-05 | 8.8 High |
| WebTareas 2.4 contains a file upload vulnerability that allows authenticated users to upload malicious PHP files through the chat photo upload functionality. Attackers can upload a PHP file with arbitrary code to the /files/Messages/ directory and execute it directly through the generated file path. | ||||
| CVE-2023-53956 | 1 Flatnux | 1 Flatnux | 2026-03-05 | 8.8 High |
| Flatnux 2021-03.25 contains an authenticated file upload vulnerability that allows administrative users to upload arbitrary PHP files through the file manager. Attackers with admin credentials can upload malicious PHP scripts to the web root directory, enabling remote code execution on the server. | ||||
| CVE-2023-53952 | 1 Dotclear | 1 Dotclear | 2026-03-05 | 8.8 High |
| Dotclear 2.25.3 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension through the blog post creation interface. Attackers can upload files containing PHP system commands that execute when the uploaded file is accessed, enabling arbitrary code execution on the server. | ||||
| CVE-2023-53947 | 1 Ocsinventory-ng | 2 Ocs Inventory Ng, Ocsinventory Ng | 2026-03-05 | 8.4 High |
| OCS Inventory NG 2.3.0.0 contains an unquoted service path vulnerability that allows local attackers to escalate privileges to system level. Attackers can place a malicious executable in the unquoted service path and trigger the service restart to execute code with elevated system privileges. | ||||
| CVE-2023-53946 | 1 Arcsoft | 1 Photostudio | 2026-03-05 | 8.4 High |
| Arcsoft PhotoStudio 6.0.0.172 contains an unquoted service path vulnerability in the ArcSoft Exchange Service that allows local attackers to escalate privileges. Attackers can place a malicious executable in the unquoted path and trigger the service to execute arbitrary code with system-level permissions. | ||||
| CVE-2023-53933 | 1 S9y | 1 Serendipity | 2026-03-05 | 8.8 High |
| Serendipity 2.4.0 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension. Attackers can upload files with system command payloads to the media upload endpoint and execute arbitrary commands on the server. | ||||
| CVE-2023-53930 | 1 Projectsend | 1 Projectsend | 2026-03-05 | 7.5 High |
| ProjectSend r1605 contains an insecure direct object reference vulnerability that allows unauthenticated attackers to download private files by manipulating the download ID parameter. Attackers can access any user's private files by changing the 'id' parameter in the download request to process.php. | ||||
| CVE-2023-53929 | 1 Phpmyfaq | 1 Phpmyfaq | 2026-03-05 | 8.8 High |
| phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV file. | ||||