CVEs classified under CWE-424, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (29)
CVE-2025-48827 — CVSS 10.0 (critical): vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when…
CVE-2025-48828 — CVSS 9.0 (critical): Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By…
CVE-2023-52952 — CVSS 8.5 (high): A vulnerability has been identified in HiMed Cockpit 12 pro (J31032-K2017-H259) (All versions >= V11.5.1 < V11.6.2), HiMed Cockpit 14 pro+…
CVE-2024-3459 — CVSS 8.4 (high): KioWare for Windows (versions all through 8.34) allows to escape the environment by downloading PDF files, which then by default are opened…
CVE-2025-68939 — CVSS 8.2 (high): Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.
CVE-2024-3460 — CVSS 7.4 (high): In KioWare for Windows (versions all through 8.34) it is possible to exit this software and use other already opened applications utilizing…
CVE-2026-0237: An improper protection of alternate path vulnerability in Palo Alto Networks Prisma® Browser on macOS fails to properly restrict access to…
CVE-2023-0629 — CVSS 7.1 (high): Docker Desktop before 4.17.0 allows an unprivileged user to bypass Enhanced Container Isolation (ECI) restrictions by setting the Docker…
CVE-2022-1742 — CVSS 6.8 (medium): The tested version of Dominion Voting Systems ImageCast X allows for rebooting into Android Safe Mode, which allows an attacker to directly…
CVE-2025-6250 — CVSS 6.7 (medium): Prior to 25.4.270.0, when wmic.exe is elevated with a full admin token the user can stop the Defendpoint service, bypassing anti-tamper…
CVE-2025-49163 — CVSS 6.7 (medium): Arris VIP1113 devices through 2025-05-30 with KreaTV SDK allow booting an arbitrary image via a crafted /usr/bin/gunzip file.
CVE-2023-20272 — CVSS 6.7 (medium): A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to…
CVE-2023-46176 — CVSS 6.7 (medium): IBM MQ Appliance 9.3 CD could allow a local attacker to gain elevated privileges on the system, caused by improper validation of security…
CVE-2024-8311 — CVSS 6.5 (medium): An issue was discovered with pipeline execution policies in GitLab EE affecting all versions from 17.2 prior to 17.2.5, 17.3 prior to…
CVE-2021-3793 — CVSS 6.5 (medium): An improper access control vulnerability was reported in some Motorola-branded Binatone Hubble Cameras which could allow an unauthenticated…
CVE-2025-49162 — CVSS 6.4 (medium): Arris VIP1113 devices through 2025-05-30 with KreaTV SDK allow file overwrite via TFTP because a remote filename with a space character…
CVE-2026-4913 — CVSS 5.7 (medium): Improper protection of an alternate path in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to retain access…
CVE-2026-4270 — CVSS 5.5 (medium): Improper Protection of Alternate Path exists in the no-access and workdir feature of the AWS API MCP Server versions >= 0.2.14 and < 1.3.9…
CVE-2025-0113: A problem with the network isolation mechanism of the Palo Alto Networks Cortex XDR Broker VM allows attackers unauthorized access to…
CVE-2024-3927 — CVSS 5.3 (medium): The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is…
CVE-2025-46655 — CVSS 4.9 (medium): CodiMD through 2.5.4 has a CSP-based protection mechanism against XSS through uploaded SVG documents containing JavaScript, but it can be…
CVE-2025-46654 — CVSS 4.9 (medium): CodiMD through 2.2.0 has a CSP-based protection mechanism against XSS through uploaded JavaScript content, but it can be bypassed by…
CVE-2022-28782 — CVSS 4.6 (medium): Improper access control vulnerability in Contents To Window prior to SMR May-2022 Release 1 allows physical attacker to install package…
CVE-2026-0268: A security control bypass vulnerability in Prisma Access Agent for Linux allows a local attacker to route network traffic outside the VPN…
CVE-2025-58079 — CVSS 4.3 (medium): Improper Protection of Alternate Path (CWE-424) in the AppSuite of desknet's NEO V4.0R1.0 to V9.0R2.0 allows an attacker to create…
CVE-2019-18997 — CVSS 4.3 (medium): The HMISimulator component of ABB PB610 Panel Builder 600 uses the readFile/writeFile interface to manipulate the work file. Path…
CVE-2022-24932 — CVSS 4.2 (medium): Improper Protection of Alternate Path vulnerability in Setup wizard process prior to SMR Mar-2022 Release 1 allows physical attacker…
CVE-2025-4617: An insufficient policy enforcement vulnerability in Palo Alto Networks Prisma® Browser on Windows allows a locally authenticated non-admin…