Vulnerabilities (CVE)

Filtered by CWE-20
Total 11557 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-2339 1 Dalibo 1 Anonymizer 2026-06-17 N/A 8.0 HIGH
PostgreSQL Anonymizer v1.2 contains a vulnerability that allows a user who owns a table to elevate to superuser. A user can define a masking function for a column and place malicious code in that function. When a privileged user applies the masking rules using the static masking or the anonymous dump method, the malicious code is executed and can grant escalated privileges to the malicious user. PostgreSQL Anonymizer v1.2 does provide a protection against this risk with the restrict_to_trusted_schemas option, but that protection is incomplete. Users that don't own a table, especially masked users cannot exploit this vulnerability. The problem is resolved in v1.3.
CVE-2024-2257 2026-06-17 N/A 9.1 CRITICAL
This vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L; Firmware version : v3.2.02) due to improper implementation of password policies. An attacker with physical access could exploit this by creating password that do not adhere to the defined security standards/policy on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to expose the router to potential security threats.
CVE-2024-2248 2026-06-17 N/A 6.4 MEDIUM
A Header Injection vulnerability in the JFrog platform in versions below 7.85.0 (SaaS) and 7.84.7 (Self-Hosted) may allow threat actors to take over the end user's account when clicking on a specially crafted URL sent to the victim’s user email.
CVE-2024-2226 1 Themeisle 1 Otter Blocks 2026-06-17 N/A 6.4 MEDIUM
The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the id parameter in the google-map block in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access and higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-2165 1 Seopress 1 Seopress 2026-06-17 N/A 6.4 MEDIUM
The SEOPress – On-site SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image alt parameter in all versions up to, and including, 7.5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-2027 1 Devowl 1 Real Media Library 2026-06-17 N/A 6.4 MEDIUM
The Real Media Library: Media Library Folder & File Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its style attributes in all versions up to, and including, 4.22.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-29998 1 Microsoft 9 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 6 more 2026-06-17 N/A 6.8 MEDIUM
Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-29946 1 Splunk 1 Splunk 2026-06-17 N/A 8.1 HIGH
In Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, the Dashboard Examples Hub lacks protections for risky SPL commands. This could let attackers bypass SPL safeguards for risky commands in the Hub. The vulnerability would require the attacker to phish the victim by tricking them into initiating a request within their browser.
CVE-2024-29838 1 Cs-technologies 1 Evolution 2026-06-17 N/A 7.5 HIGH
The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below does not proper sanitize user input, allowing for an unauthenticated attacker to crash the controller software
CVE-2024-29831 1 Apache 1 Dolphinscheduler 2026-06-17 N/A 8.8 HIGH
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2.
CVE-2024-29461 1 Projectfloodlight 1 Open Sdn Controller 2026-06-17 N/A 6.3 MEDIUM
An issue in Floodlight SDN OpenFlow Controller v.1.2 allows a remote attacker to cause a denial of service via the datapath id component.
CVE-2024-29214 2026-06-17 N/A 7.5 HIGH
Improper input validation in UEFI firmware CseVariableStorageSmm for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2024-29074 1 Openatom 1 Openharmony 2026-06-17 N/A 6.5 MEDIUM
in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through improper input.
CVE-2024-29068 1 Canonical 1 Snapd 2026-06-17 N/A 5.8 MEDIUM
In snapd versions prior to 2.62, snapd failed to properly check the file type when extracting a snap. The snap format is a squashfs file-system image and so can contain files that are non-regular files (such as pipes or sockets etc). Various file entries within the snap squashfs image (such as icons etc) are directly read by snapd when it is extracted. An attacker who could convince a user to install a malicious snap which contained non-regular files at these paths could then cause snapd to block indefinitely trying to read from such files and cause a denial of service.
CVE-2024-29008 1 Apache 1 Cloudstack 2026-06-17 N/A 6.4 MEDIUM
A problem has been identified in the CloudStack additional VM configuration (extraconfig) feature which can be misused by anyone who has privilege to deploy a VM instance or configure settings of an already deployed VM instance, to configure additional VM configuration even when the feature is not explicitly enabled by the administrator. In a KVM based CloudStack environment, an attacker can exploit this issue to attach host devices such as storage disks, and PCI and USB devices such as network adapters and GPUs, in a regular VM instance that can be further exploited to gain access to the underlying network and storage infrastructure resources, and access any VM instance disks on the local storage. Users are advised to upgrade to version 4.18.1.1 or 4.19.0.1, which fixes this issue.
CVE-2024-28977 1 Dell 1 Repository Manager 2026-06-17 N/A 3.3 LOW
Dell Repository Manager, versions 3.4.2 through 3.4.4,contains a Path Traversal vulnerability in logger module. A local attacker with low privileges could potentially exploit this vulnerability to gain unauthorized read access to the files stored on the server filesystem with the privileges of the running web application.
CVE-2024-28976 1 Dell 1 Repository Manager 2026-06-17 N/A 8.8 HIGH
Dell Repository Manager, versions prior to 3.4.5, contains a Path Traversal vulnerability in API module. A local attacker with low privileges could potentially exploit this vulnerability to gain unauthorized write access to the files stored on the server filesystem with the privileges of the running web application.
CVE-2024-28947 1 Intel 1 Server Board S2600st Firmware 2026-06-17 N/A 8.2 HIGH
Improper input validation in kernel mode driver for some Intel(R) Server Board S2600ST Family firmware before version 02.01.0017 may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2024-28897 1 Microsoft 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more 2026-06-17 N/A 6.8 MEDIUM
Secure Boot Security Feature Bypass Vulnerability
CVE-2024-28855 1 Zitadel 1 Zitadel 2026-06-17 N/A 8.1 HIGH
ZITADEL, open source authentication management software, uses Go templates to render the login UI. Due to a improper use of the `text/template` instead of the `html/template` package, the Login UI did not sanitize input parameters prior to versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15. An attacker could create a malicious link, where he injected code which would be rendered as part of the login screen. While it was possible to inject HTML including JavaScript, the execution of such scripts would be prevented by the Content Security Policy. Versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15 contain a patch for this issue. No known workarounds are available.