Latest CVE Feed

Following is the list of the latest published vulnerabilities. You can filter the list by the severity of the vulnerability, by whether it is known to be actively exploited (i.e., listed in the CISA KEV catalog), or by whether it is remotely exploitable. You can also sort the list by published date, last-updated date, or CVSS score.
  • CVE-2016-10759 (CVSS 9.8, CRITICAL)

    The Xinha plugin in Precurio 2.1 allows Directory Traversal, with resultant arbitrary code execution, via ExtendedFileManager/Classes/ExtendedFileManager.php because ExtendedFileManager can be used to rename the .htaccess file that blocks .php uploads....

    Affected Products: precurio
    • EPSS Score: 1.01%
    • Published: May. 24, 2019
    • Modified: Nov. 21, 2024

  • CVE-2016-10758 (CVSS 8.8, HIGH)

    PHPKIT 1.6.6 allows arbitrary File Upload, as demonstrated by a .php file to pkinc/admin/mediaarchive.php and pkinc/func/default.php via the image_name parameter....

    Affected Products: phpkit
    • EPSS Score: 0.40%
    • Published: May. 24, 2019
    • Modified: Nov. 21, 2024

  • CVE-2016-10757 (CVSS 8.8, HIGH)

    In Redaxo 5.2.0, the cron management of the admin panel suffers from CSRF that leads to arbitrary Remote Code Execution via addons/cronjob/lib/types/phpcode.php....

    Affected Products: readaxo
    • EPSS Score: 0.47%
    • Published: May. 24, 2019
    • Modified: Nov. 21, 2024

  • CVE-2016-10756 (CVSS 8.8, HIGH)

    Kliqqi 3.0.0.5 allows CSRF with resultant Arbitrary File Upload because module.php?module=upload can be used to configure the uploading of .php files, and then modules/upload/upload_main.php can be used for the upload itself....

    Affected Products: kliqqi_cms
    • EPSS Score: 0.14%
    • Published: May. 24, 2019
    • Modified: Nov. 21, 2024

  • CVE-2016-10755 (CVSS 8.8, HIGH)

    AbanteCart 1.2.8 allows SQL Injection via the source_language parameter to admin/controller/pages/localisation/language.php and core/lib/language_manager.php, or via POST data to admin/controller/pages/tool/backup.php and admin/model/tool/backup.php....

    Affected Products: abantecart
    • EPSS Score: 0.22%
    • Published: May. 24, 2019
    • Modified: Nov. 21, 2024

  • CVE-2016-10754 (CVSS 8.8, HIGH)

    modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter....

    Affected Products: vtiger_crm
    • EPSS Score: 0.24%
    • Published: May. 24, 2019
    • Modified: Nov. 21, 2024

  • CVE-2016-10753 (CVSS 8.8, HIGH)

    e107 2.1.2 allows PHP Object Injection with resultant SQL injection, because usersettings.php uses unserialize without an HMAC....

    Affected Products: e107
    • EPSS Score: 0.23%
    • Published: May. 24, 2019
    • Modified: Nov. 21, 2024

  • CVE-2016-10752 (CVSS 9.8, CRITICAL)

    serendipity_moveMediaDirectory in Serendipity 2.0.3 allows remote attackers to upload and execute arbitrary PHP code because it mishandles an extensionless filename during a rename, as demonstrated by "php" as a filename....

    Affected Products: serendipity
    • EPSS Score: 0.75%
    • Published: May. 24, 2019
    • Modified: Nov. 21, 2024

  • CVE-2016-10751 (CVSS 7.2, HIGH)

    osClass 3.6.1 allows oc-admin/plugins.php Directory Traversal via the plugin parameter. This is exploitable for remote PHP code execution because an administrator can upload an image that contains PHP code in the EXIF data via index.php?page=ajax&action=a...

    Affected Products: osclass
    • EPSS Score: 1.17%
    • Published: May. 24, 2019
    • Modified: Nov. 21, 2024

  • CVE-2016-10750 (CVSS 8.1, HIGH)

    In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the at...

    Affected Products: hazelcast
    • EPSS Score: 3.85%
    • Published: May. 22, 2019
    • Modified: Nov. 21, 2024

  • CVE-2016-10746 (CVSS 7.5, HIGH)

    libvirt-domain.c in libvirt before 1.3.1 supports virDomainGetTime API calls by guest agents with an RO connection, even though an RW connection was supposed to be required, a different vulnerability than CVE-2019-3886....

    Affected Products: debian_linux, libvirt
    • EPSS Score: 0.56%
    • Published: Apr. 18, 2019
    • Modified: Nov. 21, 2024

  • CVE-2016-10745 (CVSS 8.6, HIGH)

    In Pallets Jinja before 2.8.1, str.format allows a sandbox escape....

    Affected Products: jinja
    • EPSS Score: 1.04%
    • Published: Apr. 08, 2019
    • Modified: Nov. 21, 2024

  • CVE-2016-10744 (CVSS 6.1, MEDIUM)

    In Select2 through 4.0.5, as used in Snipe-IT and other products, rich selectlists allow XSS. This affects use cases with Ajax remote data loading when HTML templates are used to display listbox data....

    Affected Products: select2
    • EPSS Score: 0.26%
    • Published: Mar. 27, 2019
    • Modified: Nov. 21, 2024

  • CVE-2016-10743 (CVSS 7.5, HIGH)

    hostapd before 2.6 does not prevent use of the low-quality PRNG that is reached by an os_random() function call....

    Affected Products: hostapd
    • EPSS Score: 0.46%
    • Published: Mar. 23, 2019
    • Modified: Nov. 21, 2024

  • CVE-2016-10742 (CVSS 6.1, MEDIUM)

    Zabbix before 2.2.21rc1, 3.x before 3.0.13rc1, 3.1.x and 3.2.x before 3.2.10rc1, and 3.3.x and 3.4.x before 3.4.4rc1 allows open redirect via the request parameter....

    Affected Products: debian_linux, zabbix
    • EPSS Score: 0.42%
    • Published: Feb. 17, 2019
    • Modified: Nov. 21, 2024

  • CVE-2016-10741 (CVSS 4.7, MEDIUM)

    In the Linux kernel before 4.9.3, fs/xfs/xfs_aops.c allows local users to cause a denial of service (system crash) because there is a race condition between direct and memory-mapped I/O (associated with a hole) that is handled with BUG_ON instead of an I/...

    Affected Products: linux_kernel, debian_linux
    • EPSS Score: 0.07%
    • Published: Feb. 01, 2019
    • Modified: Nov. 21, 2024

  • CVE-2016-10740 (CVSS 4.9, MEDIUM)

    Various resources in Atlassian Crowd before version 2.10.1 allow remote attackers with administration rights to learn the passwords of configured LDAP directories by examining the responses to requests for these resources....

    Affected Products: crowd
    • EPSS Score: 0.22%
    • Published: Jan. 29, 2019
    • Modified: Nov. 21, 2024

  • CVE-2016-10739 (CVSS 5.3, MEDIUM)

    In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it ...

    Affected Products: leap, glibc
    • EPSS Score: 0.04%
    • Published: Jan. 21, 2019
    • Modified: Nov. 21, 2024

  • CVE-2016-10738 (CVSS 8.8, HIGH)

    Zenbership v107 has CSRF via admin/cp-functions/event-add.php....

    Affected Products: zenbership
    • EPSS Score: 0.18%
    • Published: Jan. 16, 2019
    • Modified: Nov. 21, 2024

  • CVE-2016-10737 (CVSS 5.4, MEDIUM)

    Serendipity 2.0.4 has XSS via the serendipity_admin.php serendipity[body] parameter....

    Affected Products: serendipity
    • EPSS Score: 0.28%
    • Published: Jan. 16, 2019
    • Modified: Nov. 21, 2024
Showing 20 of 291887 Results