Every CVE whose affected-product data names Vanderbilt Redcap, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (41)
CVE-2013-4610 — CVSS 10.0 (critical): Unspecified vulnerability in the Data Search utility in data-entry forms in REDCap before 5.0.3 and 5.1.x before 5.1.2 has unknown impact…
CVE-2013-4611 — CVSS 10.0 (critical): Multiple unspecified vulnerabilities in REDCap before 5.1.1 allow remote attackers to have an unknown impact via vectors involving (1) the…
CVE-2020-26712 — CVSS 9.8 (critical): REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via sort parameter. The application uses the addition of a…
CVE-2021-42136 — CVSS 9.0 (critical): A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers…
CVE-2017-10961 — CVSS 8.8 (high): REDCap before 7.5.1 has CSRF in the deletion feature of the File Repository and File Upload components.
CVE-2017-7351 — CVSS 8.8 (high): A SQL injection issue exists in a file upload handler in REDCap 7.x before 7.0.11 via a trailing substring to SendITController:upload.
CVE-2024-56311 — CVSS 8.8 (high): REDCap through 14.9.6 has a security flaw in the Notes section of calendar events, exposing users to a Cross-Site Request Forgery (CSRF)…
CVE-2024-56310 — CVSS 8.8 (high): REDCap through 14.9.6 has a security flaw in the Project Dashboards name, exposing users to a Cross-Site Request Forgery (CSRF) attack. An…
CVE-2019-14937 — CVSS 7.5 (high): REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to…
CVE-2023-38825 — CVSS 6.5 (medium): SQL injection vulnerability in Vanderbilt REDCap before v.13.8.0 allows a remote attacker to obtain sensitive information via the password…
CVE-2013-4609 — CVSS 6.5 (medium): REDCap before 5.0.4 and 5.1.x before 5.1.3 does not reject certain undocumented syntax within branching logic and calculations, which…
CVE-2024-45527 — CVSS 6.1 (medium): REDCap 14.7.0 allows HTML injection via the project title of a New Project action. This can lead to resultant logout CSRF via…
CVE-2025-23112 — CVSS 6.1 (medium): An issue was discovered in REDCap 14.9.6. A stored cross-site scripting (XSS) vulnerability allows authenticated users to inject malicious…
CVE-2025-23110 — CVSS 6.1 (medium): An issue was discovered in REDCap 14.9.6. A Reflected cross-site scripting (XSS) vulnerability in the email-subject field exists while…
CVE-2022-42715 — CVSS 6.1 (medium): A reflected XSS vulnerability exists in REDCap before 12.04.18 in the Alerts & Notifications upload feature. A crafted CSV file will, when…
CVE-2020-26713 — CVSS 6.1 (medium): REDCap 10.3.4 contains a XSS vulnerability in the ToDoList function with parameter sort. The information submitted by the user is…
CVE-2024-56376 — CVSS 5.4 (medium): A stored cross-site scripting (XSS) vulnerability in the built-in messenger of REDCap 14.9.6 allows authenticated users to inject malicious…
CVE-2019-15127 — CVSS 5.4 (medium): REDCap before 9.3.0 allows XSS attacks against non-administrator accounts on the Data Import Tool page via a CSV data import file.
CVE-2019-17121 — CVSS 5.4 (medium): REDCap before 9.3.4 has XSS on the Customize & Manage Locking/E-signatures page via Lock Record Custom Text values.
CVE-2022-24004 — CVSS 5.4 (medium): A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Messenger/messenger_ajax.php in REDCap 12.0.11. This issue allows any…
CVE-2022-24127 — CVSS 5.4 (medium): A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ProjectGeneral/edit_project_settings.php in REDCap 12.0.11. This issue…
CVE-2023-37798 — CVSS 5.4 (medium): A stored cross-site scripting (XSS) vulnerability in the new REDCap project creation function of Vanderbilt REDCap 13.1.35 allows attackers…
CVE-2024-37394 — CVSS 5.4 (medium): A stored cross-site scripting (XSS) vulnerability in the Project Dashboards of REDCap 13.1.9 allows authenticated users to execute…
CVE-2024-37395 — CVSS 5.4 (medium): A stored cross-site scripting (XSS) vulnerability in the Public Survey function of REDCap 13.1.9 allows authenticated users to execute…
CVE-2024-37396 — CVSS 5.4 (medium): A stored cross-site scripting (XSS) vulnerability in the Calendar function of REDCap 13.1.9 allows authenticated users to execute arbitrary…
CVE-2024-56312 — CVSS 5.4 (medium): A stored cross-site scripting (XSS) vulnerability in the Project Dashboard name of REDCap through 14.9.6 allows authenticated users to…
CVE-2024-56313 — CVSS 5.4 (medium): A stored cross-site scripting (XSS) vulnerability in the Calendar feature of REDCap through 14.9.6 allows authenticated users to inject…
CVE-2024-56314 — CVSS 5.4 (medium): A stored cross-site scripting (XSS) vulnerability in the Project name of REDCap through 14.9.6 allows authenticated users to inject…
CVE-2024-56377 — CVSS 5.4 (medium): A stored cross-site scripting (XSS) vulnerability in survey titles of REDCap 14.9.6 allows authenticated users to inject malicious scripts…
CVE-2024-55374 — CVSS 5.3 (medium): REDCap 14.3.13 allows an attacker to enumerate usernames due to an observable discrepancy between login attempts.
CVE-2019-13029 — CVSS 4.8 (medium): Multiple stored Cross-site scripting (XSS) issues in the admin panel and survey system in REDCap 8 before 8.10.20 and 9 before 9.1.2 allow…
CVE-2025-23111 — CVSS 4.7 (medium): An issue was discovered in REDCap 14.9.6. It allows HTML Injection via the Survey field name, exposing users to a redirection to a phishing…
CVE-2013-4612 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in REDCap before 5.1.0 allow remote attackers to inject arbitrary web script or HTML…
CVE-2012-6564 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in REDCap before 4.14.5 allows remote attackers to inject arbitrary web script or HTML via…
CVE-2020-27358 — CVSS 4.3 (medium): An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger's CSV feature (that allows users to export their conversation…
CVE-2013-4608 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in REDCap before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via vectors…
CVE-2012-6566 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in REDCap before 4.14.2 allows remote attackers to inject arbitrary web script or HTML via…
CVE-2012-6565 — CVSS 3.5 (low): Cross-site scripting (XSS) vulnerability in REDCap before 4.14.3 allows remote authenticated users to inject arbitrary web script or HTML…
CVE-2025-23113 — CVSS 3.4 (low): An issue was discovered in REDCap 14.9.6. It has an action=myprojects&logout=1 CSRF issue in the alert-title while performing an upload of…
CVE-2023-37361 — CVSS 2.7 (low): REDCap 12.0.26 LTS and 12.3.2 Standard allows SQL Injection via scheduling, repeatforms, purpose, app_title, or randomization.