6.9
CVE-2024-58302 - FoF Pretty Mail 1.1.2 Local File Inclusion via Email Template Settings
FoF Pretty Mail 1.1.2 contains a local file inclusion vulnerability that allows administrative users to include arbitrary server files in email templates. Attackers can exploit the template settings by inserting file inclusion payloads to read sensitive system files like /etc/passwd during email geβ¦
9.3
CVE-2024-58301 - Purei CMS 1.0 SQL Injection via Multiple Vulnerable Endpoints
Purei CMS 1.0 contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through unfiltered user input parameters. Attackers can exploit vulnerable endpoints like getAllParks.php and events-ajax.php by injecting crafted SQL payloads to potentially eβ¦
8.7
CVE-2024-58300 - Siklu MultiHaul TG Series < 2.0.0 Unauthenticated Credential Disclosure Vulnerability
Siklu MultiHaul TG series devices before version 2.0.0 contain an unauthenticated vulnerability that allows remote attackers to retrieve randomly generated credentials via a network request. Attackers can send a specific hex-encoded command to port 12777 to obtain username and password, enabling diβ¦
8.8
CVE-2025-66419 - MaxKB vulnerable to privilege escalation through sandbox bypass
MaxKB is an open-source AI assistant for enterprise. In versions 2.3.1 and below, the tool module allows an attacker to escape the sandbox environment and escalate privileges under certain concurrent conditions. This issue is fixed in version 2.4.0.
9.2
CVE-2024-58298 - Compuware iStrobe Web 20.13 Pre-Auth Remote Code Execution via File Upload
Compuware iStrobe Web 20.13 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to upload malicious JSP files through a path traversal in the file upload form. Attackers can exploit the 'fileName' parameter to upload a web shell and execute arbitrβ¦
5.3
CVE-2024-58297 - PyroCMS v3.0.1 Stored Cross-Site Scripting via Admin Redirects
PyroCMS v3.0.1 contains a stored cross-site scripting vulnerability in the admin redirects configuration that allows attackers to inject malicious scripts. Attackers can insert a payload in the 'Redirect From' field to execute arbitrary JavaScript when administrators view the redirects page.
5.3
CVE-2024-58296 - CE Phoenix v3.0.1 Stored Cross-Site Scripting via admin/currencies.php
CE Phoenix v3.0.1 contains a stored cross-site scripting vulnerability in the currencies administration panel that allows attackers to inject malicious scripts. Attackers can insert XSS payloads in the title field to execute arbitrary JavaScript when administrators view the currencies page.
8.6
CVE-2024-58295 - ElkArte Forum 1.1.9 Authenticated Remote Code Execution via Theme Upload
ElkArte Forum 1.1.9 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the theme installation process. Attackers can upload a ZIP archive with a PHP file containing system commands, which can then be executed by accessing thβ¦
8.7
CVE-2024-58294 - FreePBX 16 Authenticated Remote Code Execution via API Module
FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid session credentials to execute arbitrary commands. Attackers can exploit the 'generatedocs' endpoint by crafting malicious POST requests with bash command injection to establiβ¦
8.6
CVE-2024-58293 - Akaunting 3.1.8 Server-Side Template Injection via Multiple Form Fields
Akaunting 3.1.8 contains a server-side template injection vulnerability that allows authenticated administrators to execute template expressions in multiple form input fields. Attackers can inject template payloads in items, taxes, transactions, and vendor name fields to perform arithmetic operatioβ¦