
CVE Watch
Every published CVE, mapped to engagement reality.
Crawled from cve.org every day. Each entry annotated with the QSearch coverage signal — how many of our agents, skills, and playbooks address the technique. Subscribe via RSS for SIEM pipe, or get the weekly digest by email.
emerson (CWE-22): The affected product is vulnerable to directory traversal due to mishandling of provided backup folder structure.

emerson (CWE-123): The affected product is vulnerable to an unsanitized extract folder for system configuration. A low-privileged user can leverage this logic to overwrite the settings and other key functionality.

emerson (CWE-306): The affected product is vulnerable to a missing permission validation on system backup restore, which could lead to account takeover and unapproved settings change.

emerson (CWE-77, CWE-78): The affected product is vulnerable to a parameter injection via passphrase, which enables the attacker to supply uncontrolled input.

emerson (CWE-200, CWE-668): The affected product is vulnerable to a disclosure of peer username and password by allowing all users access to read global variables.

simple_payroll_system_with_dynamic_tax_bracket_project (CWE-89): The Simple Payroll System with Dynamic Tax Bracket in PHP using SQLite Free Source Code (by: oretnom23) is vulnerable to remote SQL-Injection-Bypass-Authentication for the admin account. The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.

emerson (CWE-20): The affected product is vulnerable to improper input validation in the restore file. This enables an attacker to provide malicious config files to replace any file on disk.

showdoc (CWE-434): ShowDoc 2.8.3 has a file upload vulnerability, where attackers can use the vulnerability to obtain server permissions.

yonyou (CWE-77): All versions of yongyou PLM are affected by a command injection issue. UFIDA PLM (Product Life Cycle Management) is a strategic management method. It applies a series of enterprise application systems to support the entire process from conceptual design to the end of product life, and the collaborative creation, distribution, application and management of product information across organizations. Yonyou PLM uses JBoss by default, and the management control background can be accessed without authorization. An attacker can use this vulnerability to gain server permissions.

auvesy (CWE-89): The scheduler service running on a specific TCP port enables the user to start and stop jobs. There is no sanitization of the supplied JOB ID provided to the function. An attacker may send a malicious payload that can enable the user to execute another SQL expression by sending a specific string.

auvesy (CWE-73): There are multiple API function codes that permit reading and writing data to or from files and directories, which could lead to the manipulation and/or the deletion of files.

auvesy (CWE-732): The database connection to the server is performed by calling a specific API, which could allow an unprivileged user to gain SYSDBA permissions.

auvesy (CWE-119, CWE-787): The affected product’s code base doesn’t properly control arguments for specific functions, which could lead to a stack overflow.

auvesy (CWE-434): There are multiple API function codes that permit data writing to any file, which may allow an attacker to modify existing files or create new files.

auvesy (CWE-427): Many of the services used by the affected product do not specify full paths for the DLLs they are loading. An attacker can exploit the uncontrolled search path by implanting their own DLL near the affected product’s binaries, thus hijacking the loaded DLL.

auvesy (CWE-416): A specific function code receives a raw pointer supplied by the user and deallocates this pointer. The user can then control what memory regions will be freed and cause a use-after-free condition.

auvesy (CWE-400, CWE-770): The webinstaller is a Golang web server executable that enables the generation of an Auvesy image agent. Resource consumption can be achieved by generating large amounts of installations, which are then saved without limitation in the temp folder of the webinstaller executable.

auvesy (CWE-400, CWE-770): The affected product does not properly control the allocation of resources. A user may be able to allocate unlimited memory buffers using API functions.

auvesy (CWE-321, CWE-798): The affected product uses a hard-coded Blowfish key for encryption/decryption processes. The key can be easily extracted from binaries.

auvesy (CWE-294): The data of a network capture of the initial handshake phase can be used to authenticate at a SYSDBA level. If a specific .exe is not restarted often, it is possible to access the needed handshake packets between admin/client connections. Using the SYSDBA permission, an attacker can change user passwords or delete the database.
Weekly digest
Get the curated CVE digest every Monday
One email a week, sent Monday morning CET. The CVEs published or modified in the last seven days, severity-ordered, with the QSearch coverage signal. Unsubscribe with one click — included in every send.
Pipe the CVE feed into your stack.
CVE Watch publishes RSS, Atom, and JSON feeds — wire them into your SIEM, Slack, Discord, or your RSS reader of choice. Or get the curated weekly digest by email.