CVE Tracker

CVE ID	Severity	EPSS	Vendor	Description	Date	Status
CVE-2024-40890	High	45.9%	ZyxelDSL CPE Devices	Multiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the CGI program that could allow an authenticated attacker to execute OS commands via a crafted HTTP request.	Feb 11, 2025	KEV
CVE-2024-55591(3)	High	93.7%	FortinetFortiOS and FortiProxy	Fortinet FortiOS and FortiProxy contain an authentication bypass vulnerability that may allow an unauthenticated, remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.	Jan 14, 2025	KEV
CVE-2023-48365	High	64.2%	QlikSense	Qlik Sense contains an HTTP tunneling vulnerability that allows an attacker to escalate privileges and execute HTTP requests on the backend server hosting the software.	Jan 13, 2025	KEV
CVE-2024-11680	High	93.5%	ProjectSendProjectSend	ProjectSend contains an improper authentication vulnerability that allows a remote, unauthenticated attacker to enable unauthorized modification of the application's configuration via crafted HTTP requests to options.php. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.	Dec 3, 2024	KEV
CVE-2024-47575	High	93.8%	FortinetFortiManager	Fortinet FortiManager contains a missing authentication vulnerability in the fgfmd daemon that allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.	Oct 23, 2024	KEV
CVE-2024-23113(1)	High	57.5%	FortinetMultiple Products	Fortinet FortiOS, FortiPAM, FortiProxy, and FortiWeb contain a format string vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.	Oct 9, 2024	KEV
CVE-2020-0618	High	94.3%	MicrosoftSQL Server	Microsoft SQL Server Reporting Services contains a deserialization vulnerability when handling page requests incorrectly. An authenticated attacker can exploit this vulnerability to execute code in the context of the Report Server service account.	Sep 18, 2024	KEV
CVE-2024-39891	High	29.6%	TwilioAuthy	Twilio Authy contains an information disclosure vulnerability in its API that allows an unauthenticated endpoint to accept a request containing a phone number and respond with information about whether the phone number was registered with Authy.	Jul 23, 2024	KEV
CVE-2024-23692	High	94.3%	RejettoHTTP File Server	Rejetto HTTP File Server contains an improper neutralization of special elements used in a template engine vulnerability. This allows a remote, unauthenticated attacker to execute commands on the affected system by sending a specially crafted HTTP request.	Jul 9, 2024	KEV
CVE-2022-24816	High	93.7%	OSGeoJAI-EXT	OSGeo GeoServer JAI-EXT contains a code injection vulnerability that, when programs use jt-jiffle and allow Jiffle script to be provided via network request, could allow remote code execution.	Jun 26, 2024	KEV
CVE-2017-3506	High	94.4%	OracleWebLogic Server	Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute arbitrary code via a specially crafted HTTP request that includes a malicious XML document.	Jun 3, 2024	KEV
CVE-2023-43208	High	94.4%	NextGen HealthcareMirth Connect	NextGen Healthcare Mirth Connect contains a deserialization of untrusted data vulnerability that allows for unauthenticated remote code execution via a specially crafted request.	May 20, 2024	KEV
CVE-2014-100005	High	40.8%	D-LinkDIR-600 Router	D-Link DIR-600 routers contain a cross-site request forgery (CSRF) vulnerability that allows an attacker to change router configurations by hijacking an existing administrator session.	May 16, 2024	KEV
CVE-2021-40655	High	92.6%	D-LinkDIR-605 Router	D-Link DIR-605 routers contain an information disclosure vulnerability that allows attackers to obtain a username and password by forging a post request to the /getcfg.php page.	May 16, 2024	KEV
CVE-2023-48788	High	94.1%	FortinetFortiClient EMS	Fortinet FortiClient EMS contains a SQL injection vulnerability that allows an unauthenticated attacker to execute commands as SYSTEM via specifically crafted requests.	Mar 25, 2024	KEV
CVE-2020-3259	High	69.7%	CiscoAdaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)	Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on an affected device, which could lead to the disclosure of confidential information due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. This vulnerability affects only specific AnyConnect and WebVPN configurations.	Feb 15, 2024	KEV
CVE-2024-21762	High	92.9%	FortinetFortiOS	Fortinet FortiOS contains an out-of-bound write vulnerability that allows a remote unauthenticated attacker to execute code or commands via specially crafted HTTP requests.	Feb 9, 2024	KEV
CVE-2024-21893	High	94.3%	IvantiConnect Secure, Policy Secure, and Neurons	Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) vulnerability in the SAML component that allows an attacker to access certain restricted resources without authentication.	Jan 31, 2024	KEV
CVE-2024-21887	High	94.4%	IvantiConnect Secure and Policy Secure	Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web components of these products, which can allow an authenticated administrator to send crafted requests to execute code on affected appliances. This vulnerability can be leveraged in conjunction with CVE-2023-46805, an authenticated bypass issue.	Jan 10, 2024	KEV
CVE-2023-41265	High	92.5%	QlikSense	Qlik Sense contains an HTTP tunneling vulnerability that allows an attacker to escalate privileges and execute HTTP requests on the backend server hosting the software.	Dec 7, 2023	KEV

CVE-2024-40890KEV

High

Multiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the CGI program that could allow an authenticated attacker to execute OS commands via a crafted HTTP request.

ZyxelEPSS 45.9%

CVE-2024-55591KEV

High

Fortinet FortiOS and FortiProxy contain an authentication bypass vulnerability that may allow an unauthenticated, remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.

FortinetEPSS 93.7%

CVE-2023-48365KEV

High

Qlik Sense contains an HTTP tunneling vulnerability that allows an attacker to escalate privileges and execute HTTP requests on the backend server hosting the software.

QlikEPSS 64.2%

CVE-2024-11680KEV

High

ProjectSend contains an improper authentication vulnerability that allows a remote, unauthenticated attacker to enable unauthorized modification of the application's configuration via crafted HTTP requests to options.php. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

ProjectSendEPSS 93.5%

CVE-2024-47575KEV

High

Fortinet FortiManager contains a missing authentication vulnerability in the fgfmd daemon that allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

FortinetEPSS 93.8%

CVE-2024-23113KEV

High

Fortinet FortiOS, FortiPAM, FortiProxy, and FortiWeb contain a format string vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

FortinetEPSS 57.5%

CVE-2020-0618KEV

High

Microsoft SQL Server Reporting Services contains a deserialization vulnerability when handling page requests incorrectly. An authenticated attacker can exploit this vulnerability to execute code in the context of the Report Server service account.

MicrosoftEPSS 94.3%

CVE-2024-39891KEV

High

Twilio Authy contains an information disclosure vulnerability in its API that allows an unauthenticated endpoint to accept a request containing a phone number and respond with information about whether the phone number was registered with Authy.

TwilioEPSS 29.6%

CVE-2024-23692KEV

High

Rejetto HTTP File Server contains an improper neutralization of special elements used in a template engine vulnerability. This allows a remote, unauthenticated attacker to execute commands on the affected system by sending a specially crafted HTTP request.

RejettoEPSS 94.3%

CVE-2022-24816KEV

High

OSGeo GeoServer JAI-EXT contains a code injection vulnerability that, when programs use jt-jiffle and allow Jiffle script to be provided via network request, could allow remote code execution.

OSGeoEPSS 93.7%

CVE-2017-3506KEV

High

Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute arbitrary code via a specially crafted HTTP request that includes a malicious XML document.

OracleEPSS 94.4%

CVE-2023-43208KEV

High

NextGen Healthcare Mirth Connect contains a deserialization of untrusted data vulnerability that allows for unauthenticated remote code execution via a specially crafted request.

NextGen HealthcareEPSS 94.4%

CVE-2014-100005KEV

High

D-Link DIR-600 routers contain a cross-site request forgery (CSRF) vulnerability that allows an attacker to change router configurations by hijacking an existing administrator session.

D-LinkEPSS 40.8%

CVE-2021-40655KEV

High

D-Link DIR-605 routers contain an information disclosure vulnerability that allows attackers to obtain a username and password by forging a post request to the /getcfg.php page.

D-LinkEPSS 92.6%

CVE-2023-48788KEV

High

Fortinet FortiClient EMS contains a SQL injection vulnerability that allows an unauthenticated attacker to execute commands as SYSTEM via specifically crafted requests.

FortinetEPSS 94.1%

CVE-2020-3259KEV

High

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on an affected device, which could lead to the disclosure of confidential information due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. This vulnerability affects only specific AnyConnect and WebVPN configurations.

CiscoEPSS 69.7%

CVE-2024-21762KEV

High

Fortinet FortiOS contains an out-of-bound write vulnerability that allows a remote unauthenticated attacker to execute code or commands via specially crafted HTTP requests.

FortinetEPSS 92.9%

CVE-2024-21893KEV

High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) vulnerability in the SAML component that allows an attacker to access certain restricted resources without authentication.

IvantiEPSS 94.3%

CVE-2024-21887KEV

High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web components of these products, which can allow an authenticated administrator to send crafted requests to execute code on affected appliances. This vulnerability can be leveraged in conjunction with CVE-2023-46805, an authenticated bypass issue.

IvantiEPSS 94.4%

CVE-2023-41265KEV

High

Qlik Sense contains an HTTP tunneling vulnerability that allows an attacker to escalate privileges and execute HTTP requests on the backend server hosting the software.

QlikEPSS 92.5%

1 2 3 4 5 6 7