Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2022-32119 — Arox School_erp_pro: School ERP Pro v1.0 was discovered to contain multiple arbitrary file upload vulnerabilities
Arox School ERP Pro v1.0 was discovered to contain multiple arbitrary file upload vulnerabilities via the Add Photo function at photogalleries.inc.php and the import staff excel function at 1finance_master.inc.php. CVSSv3.1 8.8 (HIGH) · EPSS 78th percentile
CVE-2022-30024 — Tp-link Tl-wr841_firmware: A buffer overflow in the httpd daemon on TP-Link TL-WR841N V12 (firmware version 3.16.9)
A buffer overflow in the httpd daemon on TP-Link TL-WR841N V12 (firmware version 3.16.9) devices allows an authenticated remote attacker to execute arbitrary code via a GET request to the page for the System Tools of the Wi-Fi network. This affects TL-WR841 V12 TL-WR841N(EU)_V12_160624 and TL-WR841 V11 TL-WR841N(EU)_V11_160325 , TL-WR841N_V11_150616 and TL-WR841 V10 TL-WR841N_V10_150310 are also affected. CVSSv3.1 8.8 (HIGH) · EPSS 80th percentile
CVE-2022-32114 — Strapi Strapi: An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12
An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks via a crafted PDF file. NOTE: the project documentation suggests that a user with the Media Library "Create (upload)" permission is supposed to be able to upload PDF files containing JavaScript, and that all files in a public assets folder are accessible to the outside world (unless the filename begins with a dot character). The administrator can c CVSSv3.1 8.8 (HIGH) · EPSS 72th percentile
CVE-2021-38289 — Novastar Novaicare: An issue has been discovered in Novastar-VNNOX-iCare Novaicare 7.16.0 that gives attacker privilege escalation
An issue has been discovered in Novastar-VNNOX-iCare Novaicare 7.16.0 that gives attacker privilege escalation and allows attackers to view corporate information and SMTP server details, delete users, view roles, and other unspecified impacts. NOTE: As of April 2026, the vendor has officially decommissioned the affected legacy endpoints and associated services. The vulnerability is mitigated as the functional logic is no longer operational and the URLs have been removed from CVSSv3.1 8.8 (HIGH) · EPSS 59th percentile
CVE-2022-33098 — Magnolia-cms Magnolia_cms: Magnolia CMS v6.2.19 was discovered to contain a cross-site scripting (XSS) vulnerability via the
Magnolia CMS v6.2.19 was discovered to contain a cross-site scripting (XSS) vulnerability via the Edit Contact function. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted SVG document, with JavaScript, for a profile picture. CVSSv3.1 6.1 (MEDIUM) · EPSS 99th percentile
CVE-2022-33047 — Otfcc_project Otfcc: v0.10.4 was discovered to contain a heap buffer overflow after free via otfccbuild.c.
OTFCC v0.10.4 was discovered to contain a heap buffer overflow after free via otfccbuild.c. CVSSv3.1 9.8 (CRITICAL) · EPSS 60th percentile
CVE-2022-32386 — Tendacn Ac23_ac2100_firmware: Tenda AC23 v16.03.07.44 was discovered to contain a buffer overflow via fromAdvSetMacMtuWan.
Tenda AC23 v16.03.07.44 was discovered to contain a buffer overflow via fromAdvSetMacMtuWan. CVSSv3.1 9.8 (CRITICAL) · EPSS 95th percentile
CVE-2022-32385 — Tendacn Ac23_ac2100_firmware: Tenda AC23 v16.03.07.44 is vulnerable to Stack Overflow that will allow for the execution
Tenda AC23 v16.03.07.44 is vulnerable to Stack Overflow that will allow for the execution of arbitrary code (remote). CVSSv3.1 9.8 (CRITICAL) · EPSS 77th percentile
CVE-2022-34151 — Omron Nx701-1600_firmware: Use of hard-coded credentials vulnerability exists in Machine automation controller NJ series all models
Use of hard-coded credentials vulnerability exists in Machine automation controller NJ series all models V 1.48 and earlier, Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, Automation software 'Sysmac Studio' all models V1.49 and earlier, and Programmable Terminal (PT) NA series NA5-15W/NA5-12W/NA5-9W/NA5-7W models Runtime V1.15 and earlier, which may allow a remote attacker who succ CVSSv3.1 8.1 (HIGH) · EPSS 79th percentile
CVE-2022-32384 — Tendacn Ac23_ac2100_firmware: Tenda AC23 v16.03.07.44 was discovered to contain a stack overflow via the security_5g parameter
Tenda AC23 v16.03.07.44 was discovered to contain a stack overflow via the security_5g parameter in the function formWifiBasicSet. CVSSv3.1 8.8 (HIGH) · EPSS 50th percentile
CVE-2022-34835 — Denx U-boot: In Das U-Boot through 2022.07-rc5, an integer signedness error and resultant stack-based buffer overflow
In Das U-Boot through 2022.07-rc5, an integer signedness error and resultant stack-based buffer overflow in the "i2c md" command enables the corruption of the return address pointer of the do_i2c_md function. CVSSv3.1 9.8 (CRITICAL) · EPSS 62th percentile
CVE-2021-45024 — Rocketsoftware Ags-zena: ASG technologies ( A Rocket Software Company) ASG-Zena Cross Platform Server Enterprise Edition 4.2.1
ASG technologies ( A Rocket Software Company) ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to XML External Entity (XXE). CVSSv3.1 9.8 (CRITICAL) · EPSS 67th percentile
CVE-2022-26173 — Jforum Jforum: v2.8.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via http://target_host:port/jforum-2.8.0/jforum.page, which
JForum v2.8.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via http://target_host:port/jforum-2.8.0/jforum.page, which allows attackers to arbitrarily add admin accounts. CVSSv3.1 8.8 (HIGH) · EPSS 47th percentile
CVE-2022-24562 — Iobit Iotransfer: In IOBit IOTransfer 4.3.1.1561, an unauthenticated attacker can send GET and POST requests to
In IOBit IOTransfer 4.3.1.1561, an unauthenticated attacker can send GET and POST requests to Airserv and gain arbitrary read/write access to the entire file-system (with admin privileges) on the victim's endpoint, which can result in data theft and remote code execution. CVSSv3.1 9.8 (CRITICAL) · EPSS 99th percentile
CVE-2022-31384 — Phpgurukul Directory_management_system: Directory Management System v1.0 was discovered to contain a SQL injection vulnerability via the
Directory Management System v1.0 was discovered to contain a SQL injection vulnerability via the fullname parameter in add-directory.php. CVSSv3.1 9.8 (CRITICAL) · EPSS 77th percentile
CVE-2022-31383 — Phpgurukul Directory_management_system: Directory Management System v1.0 was discovered to contain a SQL injection vulnerability via the
Directory Management System v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter in view-directory.php. CVSSv3.1 9.8 (CRITICAL) · EPSS 77th percentile
CVE-2022-31382 — Phpgurukul Directory_management_system: Directory Management System v1.0 was discovered to contain a SQL injection vulnerability via the
Directory Management System v1.0 was discovered to contain a SQL injection vulnerability via the searchdata parameter in search-dirctory.php. CVSSv3.1 9.8 (CRITICAL) · EPSS 77th percentile
CVE-2022-30023 — Tenda Hg9_firmware: ONT GPON AC1200 Dual band WiFi HG9 v1.0.1 is vulnerable to Command Injection
Tenda ONT GPON AC1200 Dual band WiFi HG9 v1.0.1 is vulnerable to Command Injection via the Ping function. CVSSv3.1 8.8 (HIGH) · EPSS 99th percentile
CVE-2021-42675 — Kreado Kreasfero: One can upload a malicious PHP file and obtain remote code execution.
Kreado Kreasfero 1.5 does not properly sanitize uploaded files to the media directory. One can upload a malicious PHP file and obtain remote code execution. CVSSv3.1 9.8 (CRITICAL) · EPSS 86th percentile
CVE-2022-1969 — Script Mobile_browser_color_select: The Mobile browser color select plugin for WordPress is vulnerable to Cross-Site Request Forgery
The Mobile browser color select plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the admin_update_data() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 38th percentile
CVE-2022-1768 — Carrcommunications Rsvpmaker: The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to insufficient
The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to insufficient escaping and parameterization on user supplied data passed to multiple SQL queries in the ~/rsvpmaker-email.php file. This makes it possible for unauthenticated attackers to steal sensitive information from the database in versions up to, and including, 9.3.2. Please note that this is separate from CVE-2022-1453 & CVE-2022-1505. CVSSv3.1 9.8 (CRITICAL) · EPSS 99th percentile
CVE-2022-1749 — Wpmk_ajax_finder_project Wpmk_ajax_finder: The WPMK Ajax Finder WordPress plugin is vulnerable to Cross-Site Request Forgery via the
The WPMK Ajax Finder WordPress plugin is vulnerable to Cross-Site Request Forgery via the createplugin_atf_admin_setting_page() function found in the ~/inc/config/create-plugin-config.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.1. CVSSv3.1 8.8 (HIGH) · EPSS 41th percentile
CVE-2022-1918 — Toolbar_to_share_project Toolbar_to_share: The ToolBar to Share plugin for WordPress is vulnerable to Cross-Site Request Forgery in
The ToolBar to Share plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0. This is due to missing nonce validation on the plugin_toolbar_comparte page. This makes it possible for unauthenticated attackers to update the plugins settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 42th percentile
CVE-2022-1900 — Copify Copify: The Copify plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up
The Copify plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.0. This is due to missing nonce validation on the CopifySettings page. This makes it possible for unauthenticated attackers to update the plugins settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 34th percentile
CVE-2022-30075 — Tp-link Archer_ax50_firmware: In TP-Link Router AX50 firmware 210730 and older, import of a malicious backup file
In TP-Link Router AX50 firmware 210730 and older, import of a malicious backup file via web interface can lead to remote code execution due to improper validation. CVSSv3.1 8.8 (HIGH) · EPSS 98th percentile