Total: 5795 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-46640 | 1 Seacms | 1 Seacms | 2025-03-28 | N/A | 9.8 CRITICAL | SeaCMS 13.2 has a remote code execution vulnerability located in the file sql.class.chp. Although the system has a check function, the check function is not executed during execution, allowing remote code execution by writing to the file through the MySQL slow query method. |
| CVE-2024-50808 | 1 Seacms | 1 Seacms | 2025-03-28 | N/A | 8.8 HIGH | SeaCMS 13.1 is vulnerable to code injection in the notification module of the member message notification module in the backend user module, due to unsafe handling of the "notify" variable in admin_notify.php. |
| CVE-2024-42598 | 1 Seacms | 1 Seacms | 2025-03-28 | N/A | 6.7 MEDIUM | SeaCMS 13.0 has a remote code execution vulnerability. Although admin_editplayer.php imposes restrictions on edited files, attackers can still bypass these restrictions and write code, allowing authenticated attackers to execute arbitrary commands and gain system privileges. |
| CVE-2024-30565 | 1 Seacms | 1 Seacms | 2025-03-28 | N/A | 8.8 HIGH | An issue was discovered in SeaCMS version 12.9 that allows remote attackers to execute arbitrary code via admin notify.php. |
| CVE-2022-48116 | 1 Ayacms Project | 1 Ayacms | 2025-03-28 | N/A | 7.2 HIGH | AyaCMS v3.1.2 was discovered to contain a remote code execution (RCE) vulnerability via the component /admin/tpl_edit.inc.php. |
| CVE-2024-27622 | 1 Cmsmadesimple | 1 Cms Made Simple | 2025-03-28 | N/A | 7.2 HIGH | A remote code execution vulnerability has been identified in the User Defined Tags module of CMS Made Simple version 2.2.19 / 2.2.21. This vulnerability arises from inadequate sanitization of user-supplied input in the 'Code' section of the module. As a result, authenticated users with administrative privileges can inject and execute arbitrary PHP code. |
| CVE-2024-31666 | 1 Flusity | 1 Flusity | 2025-03-28 | N/A | 9.8 CRITICAL | An issue in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via a crafted script to the edit_addon_post.php component. |
| CVE-2022-48175 | 1 Rukovoditel | 1 Rukovoditel | 2025-03-28 | N/A | 9.8 CRITICAL | Rukovoditel v3.2.1 was discovered to contain a remote code execution (RCE) vulnerability in the component /rukovoditel/index.php?module=dashboard/ajax_request. |
| CVE-2025-2361 | | | 2025-03-27 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability was found in Mercurial SCM 4.5.3/71.19.145.211. It has been declared as problematic. This vulnerability affects unknown code of the component Web Interface. The manipulation of the argument cmd leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2024-3787 | 1 Whitebearsolutions | 1 Wbsairback | 2025-03-27 | N/A | 6.6 MEDIUM | Vulnerability in WBSAirback 21.02.04, which involves improper neutralisation of Server-Side Includes (SSI), through S3 disks (/admin/DeviceS3). Exploitation of this vulnerability could allow a remote user to execute arbitrary code. |
| CVE-2022-25967 | 1 Eta.js | 1 Eta | 2025-03-27 | N/A | 8.1 HIGH | Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from the Express render API. **Note:** This is exploitable only for users who are rendering templates with user-defined data. |
| CVE-2024-25249 | 1 He3app | 1 He3 App | 2025-03-27 | N/A | 9.8 CRITICAL | An issue in He3 App for macOS version 2.0.17 allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeCliInspectArguments settings. |
| CVE-2025-0185 | 1 Dify | 1 Dify | 2025-03-27 | N/A | 8.8 HIGH | A vulnerability in the Dify Tools' Vanna module of the langgenius/dify repository allows for a Pandas Query Injection in the latest version. The vulnerability occurs in the function `vn.get_training_plan_generic(df_information_schema)`, which does not properly sanitize user inputs before executing queries using the Pandas library. This can potentially lead to Remote Code Execution (RCE) if exploited. |
| CVE-2024-25291 | 1 Deskfiler | 1 Deskfiler | 2025-03-27 | N/A | 9.8 CRITICAL | Deskfiler v1.2.3 allows attackers to execute arbitrary code via uploading a crafted plugin. |
| CVE-2024-53604 | 1 Phpgurukul | 1 Covid19 Testing Management System | 2025-03-27 | N/A | 9.8 CRITICAL | A SQL Injection vulnerability was found in /covid-tms/check_availability.php in PHPGurukul COVID 19 Testing Management System v1.0, which allows remote attackers to execute arbitrary code via the mobnumber POST request parameter. |
| CVE-2024-31004 | 1 Axiosys | 1 Bento4 | 2025-03-27 | N/A | 9.8 CRITICAL | An issue in Bento4 Bento v.1.6.0-641 allows a remote attacker to execute arbitrary code via Ap4StsdAtom.cpp, AP4_StsdAtom::AP4_StsdAtom, mp4fragment. |
| CVE-2023-51770 | 1 Apache | 1 Dolphinscheduler | 2025-03-27 | N/A | 7.5 HIGH | Arbitrary File Read Vulnerability in Apache DolphinScheduler. This issue affects Apache DolphinScheduler before 3.2.1. We recommend users upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue. |
| CVE-2025-2715 | | | 2025-03-27 | 4.0 MEDIUM | 3.5 LOW | A vulnerability classified as problematic has been found in timschofield webERP up to 5.0.0.rc+13. This affects an unknown part of the file ConfirmDispatch_Invoice.php of the component Confirm Dispatch and Invoice Page. The manipulation of the argument Narrative leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The vendor was contacted early about this ... |
| CVE-2024-48818 | | | 2025-03-27 | N/A | 9.8 CRITICAL | An issue in IIT Bombay, Mumbai, India Bodhitree of cs101 version allows a remote attacker to execute arbitrary code. |
| CVE-2024-45480 | | | 2025-03-27 | N/A | N/A | An improper control of generation of code ('Code Injection') vulnerability in the AprolCreateReport component of B&R APROL <4.4-00P5 may allow an unauthenticated network-based attacker to read files from the local system. |
| CVE-2025-28893 | | | 2025-03-27 | N/A | 9.9 CRITICAL | Improper Control of Generation of Code ('Code Injection') vulnerability in NotFound Visual Text Editor allows Remote Code Inclusion. This issue affects Visual Text Editor: from n/a through 1.2.1. |
| CVE-2024-41643 | | | 2025-03-27 | N/A | 6.8 MEDIUM | An issue in Arris NVG443B 9.3.0h3d36 allows a physically proximate attacker to execute arbitrary code via the cshell login component. |
| CVE-2025-2650 | 1 Phpgurukul | 1 Medical Card Generation System | 2025-03-27 | 4.0 MEDIUM | 3.5 LOW | A vulnerability, which was classified as problematic, has been found in PHPGurukul Medical Card Generation System 1.0. This issue affects some unknown processing of the file /download-medical-cards.php. The manipulation of the argument searchdata leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2024-24525 | 1 Epoint | 1 Epointwebbuilder | 2025-03-27 | N/A | 9.8 CRITICAL | An issue in EpointWebBuilder 5.1.0-sp1, 5.2.1-sp1, 5.4.1 and 5.4.2 allows a remote attacker to execute arbitrary code via the infoid parameter of the URL. |
| CVE-2022-27537 | 1 Hp | 654 Dragonfly Folio G3 2-in-1, Dragonfly Folio G3 2-in-1 Firmware, Elite Dragonfly and 651 more | 2025-03-27 | N/A | 7.8 HIGH | Potential vulnerabilities have been identified in the system BIOS of certain HP PC products, which might allow arbitrary code execution, escalation of privilege, denial of service, and information disclosure. HP is releasing BIOS updates to mitigate these potential vulnerabilities. |
| CVE-2022-48093 | 1 Seacms | 1 Seacms | 2025-03-27 | N/A | 7.2 HIGH | Seacms v12.7 was discovered to contain a remote code execution (RCE) vulnerability via the ip parameter at admin_ip.php. |
| CVE-2024-25350 | 1 Phpgurukul | 1 Zoo Management System | 2025-03-27 | N/A | 9.8 CRITICAL | SQL Injection vulnerability in /zms/admin/edit-ticket.php in PHPGurukul Zoo Management System 1.0 via the tickettype and tprice parameters. |
| CVE-2024-25202 | 1 Phpgurukul | 1 User Registration & Login And User Management System | 2025-03-27 | N/A | 6.1 MEDIUM | Cross Site Scripting vulnerability in Phpgurukul User Registration & Login and User Management System 1.0 allows attackers to run arbitrary code via the search bar. |
| CVE-2024-22632 | | | 2025-03-26 | N/A | 9.8 CRITICAL | Setor Informatica Sistema Inteligente para Laboratorios (S.I.L.) 388 was discovered to contain a remote code execution (RCE) vulnerability via the hmsg parameter. This vulnerability is triggered via a crafted POST request. |
| CVE-2024-40552 | 1 Publiccms | 1 Publiccms | 2025-03-26 | N/A | 8.8 HIGH | PublicCMS v4.0.202302.e was discovered to contain a remote command execution (RCE) vulnerability via the cmdarray parameter at /site/ScriptComponent.java. |
| CVE-2025-2623 | 1 Westboy | 1 Cicadascms | 2025-03-26 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in westboy CicadasCMS 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /system/cms/content/save. The manipulation of the argument title/content/laiyuan leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2021-36424 | 1 Phpwcms | 1 Phpwcms | 2025-03-26 | N/A | 9.8 CRITICAL | An issue was discovered in phpwcms 1.9.25 that allows remote attackers to run arbitrary code via the DB user field during installation. |
| CVE-2024-29202 | 1 Fit2cloud | 1 Jumpserver | 2025-03-25 | N/A | 9.9 CRITICAL | JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can exploit a Jinja2 template injection vulnerability in JumpServer's Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root privileges and has database access, attackers could steal sensitive information from all hosts or manipulate the database. This vulnerability is fixed in v3.10.7. |
| CVE-2024-29201 | 1 Fit2cloud | 1 Jumpserver | 2025-03-25 | N/A | 9.9 CRITICAL | JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can bypass the input validation mechanism in JumpServer's Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root privileges and has database access, attackers could steal sensitive information from all hosts or manipulate the database. This vulnerability is fixed in v3.10.7. |
| CVE-2023-43651 | 1 Fit2cloud | 1 Jumpserver | 2025-03-25 | N/A | 8.5 HIGH | JumpServer is an open source bastion host. An authenticated user can exploit a vulnerability in MongoDB sessions to execute arbitrary commands, leading to remote code execution. This vulnerability may further be leveraged to gain root privileges on the system. Through the WEB CLI interface provided by the koko component, a user logs into the authorized mongoDB database and exploits the MongoDB session to execute arbitrary commands. This vulnerability has been addressed in versions 2.28.20 and 3. ... |
| CVE-2024-24230 | | | 2025-03-25 | N/A | 7.5 HIGH | Komm.One CMS 10.4.2.14 has a Server-Side Template Injection (SSTI) vulnerability via the Velocity template engine. It allows remote attackers to execute arbitrary code via a URL that specifies java.lang.Runtime in conjunction with getRuntime().exec followed by an OS command. |
| CVE-2024-33442 | 1 Flusity | 1 Flusity | 2025-03-25 | N/A | 4.3 MEDIUM | An issue in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via the add_post.php component. |
| CVE-2023-24333 | 1 Tenda | 2 Ac21, Ac21 Firmware | 2025-03-25 | N/A | 8.8 HIGH | A stack overflow vulnerability in Tenda AC21 with firmware version US_AC21V1.0re_V16.03.08.15_cn_TDC01 allows attackers to run arbitrary commands via a crafted POST request to /goform/openSchedWifi. |
| CVE-2024-57061 | | | 2025-03-25 | N/A | 9.8 CRITICAL | An issue in Termius Version 9.9.0 through v.9.16.0 allows a physically proximate attacker to execute arbitrary code via the insecure Electron Fuses configuration. |
| CVE-2023-23912 | 1 Ui | 20 Er-10x, Er-10x Firmware, Er-12 and 17 more | 2025-03-24 | N/A | 8.8 HIGH | A vulnerability, found in EdgeRouters Version 2.0.9-hotfix.5 and earlier and UniFi Security Gateways (USG) Version 4.4.56 and earlier with their DHCPv6 prefix delegation set to dhcpv6-stateless or dhcpv6-stateful, allows a malicious actor directly connected to the WAN interface of an affected device to create a remote code execution vulnerability. |