Total
2370 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-1491 | 2026-06-17 | N/A | 7.5 HIGH | ||
| The devices allow access to an unprotected endpoint that allows MPFS file system binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial flash, or internal flash program memory. This file system serves as the basis for the HTTP2 web server module, but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code. | |||||
| CVE-2024-1076 | 1 Sslzen | 1 Ssl Zen | 2026-06-17 | N/A | 6.5 MEDIUM |
| The SSL Zen WordPress plugin before 4.6.0 does not properly prevent directory listing of the private keys folder, as it only relies on the use of .htaccess to prevent visitors from accessing the site's generated private keys, which allows an attacker to read them if the site runs on a server who doesn't support .htaccess files, like NGINX. | |||||
| CVE-2024-14007 | 2026-06-17 | N/A | N/A | ||
| Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by many white-labeled DVR/NVR/IPC products) versions prior to 1.3.4 contain an authentication bypass in the NVMS-9000 control protocol. By sending a single crafted TCP payload to an exposed NVMS-9000 control port, an unauthenticated remote attacker can invoke privileged administrative query commands without valid credentials. Successful exploitation discloses sensitive information including administrator usernames and passwords in cleartext, network and service configuration, and other device details via commands such as queryBasicCfg, queryUserList, queryEmailCfg, queryPPPoECfg, and queryFTPCfg. | |||||
| CVE-2024-13772 | 1 Uxper | 1 Civi | 2026-06-17 | N/A | 5.6 MEDIUM |
| The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.6.1. This is due to a lack of password randomization and user validation through the fb_ajax_login_or_register and google_ajax_login_or_register actions. This makes it possible for unauthenticated attackers to login as any user as long as they have access to the email. | |||||
| CVE-2024-13771 | 1 Uxper | 1 Civi | 2026-06-17 | N/A | 9.8 CRITICAL |
| The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of user validation before changing a password. This makes it possible for unauthenticated attackers to change the password of arbitrary users, including administrators, if the attacker knows the username of the victim. | |||||
| CVE-2024-13553 | 1 Cozyvision | 1 Sms Alert Order Notifications | 2026-06-17 | N/A | 9.8 CRITICAL |
| The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.7.9. This is due to the plugin using the Host header to determine if the plugin is in a playground environment. This makes it possible for unauthenticated attackers to spoof the Host header to make the OTP code "1234" and authenticate as any user, including administrators. | |||||
| CVE-2024-13186 | 2026-06-17 | N/A | 7.5 HIGH | ||
| The MinigameCenter module has insufficient restrictions on loading URLs, which may lead to some information leakage. | |||||
| CVE-2024-13185 | 2026-06-17 | N/A | 7.5 HIGH | ||
| The MinigameCenter module has insufficient restrictions on loading URLs, which may lead to some information leakage. | |||||
| CVE-2024-13173 | 2026-06-17 | N/A | 7.5 HIGH | ||
| The health module has insufficient restrictions on loading URLs, which may lead to some information leakage. | |||||
| CVE-2024-12957 | 2026-06-17 | N/A | N/A | ||
| A file handling command vulnerability in certain versions of Armoury Crate may result in arbitrary file deletion. Refer to the '01/23/2025 Security Update for Armoury Crate App' section on the ASUS Security Advisory for more information. | |||||
| CVE-2024-12869 | 1 Infiniflow | 1 Ragflow | 2026-06-17 | N/A | 4.3 MEDIUM |
| In infiniflow/ragflow version v0.12.0, there is an improper authentication vulnerability that allows a user to view another user's invite list. This can lead to a privacy breach where users' personal or private information, such as email addresses or usernames in the invite list, could be exposed without their consent. This data leakage can facilitate further attacks, such as phishing or spam, and result in loss of trust and potential regulatory issues. | |||||
| CVE-2024-12857 | 1 Scriptsbundle | 1 Adforest | 2026-06-17 | N/A | 9.8 CRITICAL |
| The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.8. This is due to the plugin not properly verifying a user's identity prior to logging them in as that user. This makes it possible for unauthenticated attackers to authenticate as any user as long as they have configured OTP login by phone number. | |||||
| CVE-2024-12847 | 1 Netgear | 2 Dgn1000, Dgn1000 Firmware | 2026-06-17 | N/A | 9.8 CRITICAL |
| NETGEAR DGN1000 before 1.1.00.48 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can execute arbitrary operating system commands as root by sending crafted HTTP requests to the setup.cgi endpoint. This vulnerability has been observed to be exploited in the wild since at least 2017 and specifically by the Shadowserver Foundation on 2025-02-06 UTC. | |||||
| CVE-2024-12757 | 2026-06-17 | N/A | 8.6 HIGH | ||
| Nedap Librix Ecoreader is missing authentication for critical functions that could allow an unauthenticated attacker to potentially execute malicious code. | |||||
| CVE-2024-12511 | 2026-06-17 | N/A | 7.6 HIGH | ||
| With address book access, SMB/FTP settings could be modified, redirecting scans and possibly capturing credentials. This requires enabled scan functions and printer access. | |||||
| CVE-2024-12371 | 2026-06-17 | N/A | N/A | ||
| A device takeover vulnerability exists in the Rockwell Automation Power Monitor 1000. This vulnerability allows configuration of a new Policyholder user without any authentication via API. Policyholder user is the most privileged user that can perform edit operations, creating admin users and performing factory reset. | |||||
| CVE-2024-12106 | 1 Progress | 1 Whatsup Gold | 2026-06-17 | N/A | 9.4 CRITICAL |
| In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker can configure LDAP settings. | |||||
| CVE-2024-11980 | 2026-06-17 | N/A | 8.6 HIGH | ||
| Certain modes of routers from Billion Electric have a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly access the specific functionality to obtain partial device information, modify the WiFi SSID, and restart the device. | |||||
| CVE-2024-11680 | 1 Projectsend | 1 Projectsend | 2026-06-17 | N/A | 9.8 CRITICAL |
| ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript. | |||||
| CVE-2024-11639 | 1 Ivanti | 1 Cloud Services Appliance | 2026-06-17 | N/A | 10.0 CRITICAL |
| An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access | |||||