Vulnerabilities (CVE)

Filtered by CWE-20
Total 11557 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-30110 1 Hcltech 1 Dryice Aex 2026-06-17 N/A 3.7 LOW
HCL DRYiCE AEX product is impacted by lack of input validation vulnerability in a particular web application. A malicious script can be injected into a system which can cause the system to behave in unexpected ways.
CVE-2024-30092 1 Microsoft 12 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 9 more 2026-06-17 N/A 8.0 HIGH
Windows Hyper-V Remote Code Execution Vulnerability
CVE-2024-30087 1 Microsoft 14 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 11 more 2026-06-17 N/A 7.8 HIGH
Win32k Elevation of Privilege Vulnerability
CVE-2024-30078 1 Microsoft 14 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 11 more 2026-06-17 N/A 8.8 HIGH
Windows Wi-Fi Driver Remote Code Execution Vulnerability
CVE-2024-30054 1 Microsoft 1 Powerbi-javascript 2026-06-17 N/A 6.5 MEDIUM
Microsoft Power BI Client JavaScript SDK Information Disclosure Vulnerability
CVE-2024-30040 1 Microsoft 12 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 9 more 2026-06-17 N/A 8.8 HIGH
Windows MSHTML Platform Security Feature Bypass Vulnerability
CVE-2024-30002 1 Microsoft 9 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 6 more 2026-06-17 N/A 6.8 MEDIUM
Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-2867 1 Properfraction 1 Profilepress 2026-06-17 N/A 6.4 MEDIUM
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 4.15.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-2756 2026-06-17 N/A 6.5 MEDIUM
Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.
CVE-2024-2751 1 Exclusiveaddons 1 Exclusive Addons For Elementor 2026-06-17 N/A 6.4 MEDIUM
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘exad_infobox_animating_mask_style’ parameter in all versions up to, and including, 2.6.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-2746 2026-06-17 N/A 8.8 HIGH
Incomplete fix for CVE-2024-1929 The problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a local root exploit by tricking the daemon into loading a user controlled "plugin". All of this happened before Polkit authentication was even started. The dnf5 library code does not check whether non-root users control the directory in question.  On one hand, this poses a Denial-of-Service attack vector by making the daemonoperate on a blocking file (e.g. named FIFO special file) or a very large file that causes an out-of-memory situation (e.g. /dev/zero). On the other hand, this can be used to let the daemon process privileged files like /etc/shadow. The file in question is parsed as an INI file. Error diagnostics resulting from parsing privileged files could cause information leaks, if these diagnostics are accessible to unprivileged users. In the case of libdnf5, no such user accessible diagnostics should exist, though. Also, a local attacker can place a valid repository configuration file in this directory. This configuration file allows to specify a plethora of additional configuration options. This makes various additional code paths in libdnf5 accessible to the attacker.
CVE-2024-2650 1 Wpdeveloper 1 Essential Addons For Elementor 2026-06-17 N/A 6.4 MEDIUM
The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the alignment parameter in the Woo Product Carousel widget in all versions up to, and including, 5.9.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-2536 1 Rankmath 1 Seo 2026-06-17 N/A 6.4 MEDIUM
The Rank Math SEO with AI SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HowTo block attributes in all versions up to, and including, 1.0.214 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-2513 1 Ninjateam 1 Wp Chat App 2026-06-17 N/A 6.4 MEDIUM
The WP Chat App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'imageAlt' block attribute in all versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-2469 1 Github 1 Enterprise Server 2026-06-17 N/A 8.0 HIGH
An attacker with an Administrator role in GitHub Enterprise Server could gain SSH root access via remote code execution. This vulnerability affected GitHub Enterprise Server version 3.8.0 and above and was fixed in version 3.8.17, 3.9.12, 3.10.9, 3.11.7 and 3.12.1. This vulnerability was reported via the GitHub Bug Bounty program.
CVE-2024-2443 1 Github 1 Enterprise Server 2026-06-17 N/A 9.1 CRITICAL
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when configuring GeoJSON settings. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.13 and was fixed in versions 3.8.17, 3.9.12, 3.10.9, 3.11.7, and 3.12.1. This vulnerability was reported via the GitHub Bug Bounty program.
CVE-2024-2427 1 Rockwellautomation 2 Powerflex 527 Ac Drives, Powerflex 527 Ac Drives Firmware 2026-06-17 N/A 7.5 HIGH
A denial-of-service vulnerability exists in the Rockwell Automation PowerFlex® 527 due to improper traffic throttling in the device. If multiple data packets are sent to the device repeatedly the device will crash and require a manual restart to recover.
CVE-2024-2426 1 Rockwellautomation 2 Powerflex 527 Ac Drives, Powerflex 527 Ac Drives Firmware 2026-06-17 N/A 7.5 HIGH
A denial-of-service vulnerability exists in the Rockwell Automation PowerFlex® 527 due to improper input validation in the device. If exploited, a disruption in the CIP communication will occur and a manual restart will be required by the user to recover it.
CVE-2024-2425 1 Rockwellautomation 2 Powerflex 527 Ac Drives, Powerflex 527 Ac Drives Firmware 2026-06-17 N/A 7.5 HIGH
A denial-of-service vulnerability exists in the Rockwell Automation PowerFlex® 527 due to improper input validation in the device. If exploited, the web server will crash and need a manual restart to recover it.
CVE-2024-2424 1 Rockwellautomation 2 5015-aenftxt, 5015-aenftxt Firmware 2026-06-17 N/A 7.5 HIGH
An input validation vulnerability exists in the Rockwell Automation 5015-AENFTXT that causes the secondary adapter to result in a major nonrecoverable fault (MNRF) when malicious input is entered. If exploited, the availability of the device will be impacted, and a manual restart is required. Additionally, a malformed PTP packet is needed to exploit this vulnerability.