Total
5795 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-6512 | 2025-06-23 | N/A | 10.0 CRITICAL | ||
|
On a client with a non-admin user, a script can be integrated into a report. The reports could later be executed on the BRAIN2 server with administrator rights.
|
|||||
| CVE-2025-49132 | 2025-06-23 | N/A | 10.0 CRITICAL | ||
|
Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. With the ability to execute arbitrary code it could be used to gain access to the Panel's server, read credentials from the Panel's config, extract sensitive information from the database, access files of servers managed by the panel, etc. This issu ...
Show More |
|||||
| CVE-2025-3795 | 1 Daicuo | 1 Daicuo | 2025-06-23 | 3.3 LOW | 2.4 LOW |
|
A vulnerability was found in DaiCuo 1.3.13. It has been rated as problematic. Affected by this issue is some unknown functionality of the component SEO Optimization Settings Section. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-42733 | 1 Docmosis | 1 Tornado | 2025-06-23 | N/A | 9.8 CRITICAL |
|
An issue in Docmosis Tornado v.2.9.7 and before allows a remote attacker to execute arbitrary code via a crafted script to the UNC path input
|
|||||
| CVE-2025-44022 | 1 Vvveb | 1 Vvveb | 2025-06-23 | N/A | 9.8 CRITICAL |
|
An issue in vvveb CMS v.1.0.6 allows a remote attacker to execute arbitrary code via the Plugin mechanism.
|
|||||
| CVE-2025-2123 | 1 Qbnz | 1 Geshi | 2025-06-23 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability, which was classified as problematic, has been found in GeSHi up to 1.0.9.1. Affected by this issue is the function get_var of the file /contrib/cssgen.php of the component CSS Handler. The manipulation of the argument default-styles/keywords-1/keywords-2/keywords-3/keywords-4/comments leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-40446 | 1 Ctan | 1 Mimetex | 2025-06-23 | N/A | 9.8 CRITICAL |
|
An issue in forkosh Mime Tex before v.1.77 allows an attacker to execute arbitrary code via a crafted script
|
|||||
| CVE-2024-8523 | 1 Lmxcms | 1 Lmxcms | 2025-06-23 | 5.8 MEDIUM | 4.7 MEDIUM |
|
A vulnerability was found in lmxcms up to 1.4 and classified as critical. Affected by this issue is the function formatData of the file /admin.php?m=Acquisi&a=testcj&lid=1 of the component SQL Command Execution Module. The manipulation of the argument data leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-28386 | 1 Openc3 | 1 Cosmos | 2025-06-23 | N/A | 9.8 CRITICAL |
|
A remote code execution (RCE) vulnerability in the Plugin Management component of OpenC3 COSMOS v6.0.0 allows attackers to execute arbitrary code via uploading a crafted .txt file.
|
|||||
| CVE-2025-3841 | 1 Wix | 1 Jam | 2025-06-23 | 1.7 LOW | 3.3 LOW |
|
A vulnerability, which was classified as problematic, was found in wix-incubator jam up to e87a6fd85cf8fb5ff37b62b2d68f917219d07ae9. This affects an unknown part of the file jam.py of the component Jinja2 Template Handler. The manipulation of the argument config['template'] leads to improper neutralization of special elements used in a template engine. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. This product takes the appro ...
Show More |
|||||
| CVE-2023-51820 | 1 Blurams | 2 Lumi Security Camera A31c, Lumi Security Camera A31c Firmware | 2025-06-20 | N/A | 6.8 MEDIUM |
|
An issue in Blurams Lumi Security Camera (A31C) v.2.3.38.12558 allows a physically proximate attackers to execute arbitrary code.
|
|||||
| CVE-2024-23750 | 1 Deepwisdom | 1 Metagpt | 2025-06-20 | N/A | 8.8 HIGH |
|
MetaGPT through 0.6.4 allows the QaEngineer role to execute arbitrary code because RunCode.run_script() passes shell metacharacters to subprocess.Popen.
|
|||||
| CVE-2024-31648 | 1 Munyweki | 1 Insurance Management System | 2025-06-20 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting (XSS) in Insurance Management System v1.0, allows remote attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Category Name parameter at /core/new_category2.
|
|||||
| CVE-2024-56072 | 1 Pavel-odintsov | 1 Fastnetmon | 2025-06-20 | N/A | 7.5 HIGH |
|
An issue was discovered in FastNetMon Community Edition through 1.2.7. The sFlow v5 plugin allows remote attackers to cause a denial of service (application crash) via a crafted packet that specifies many sFlow samples.
|
|||||
| CVE-2024-37773 | 1 Sunbirddcim | 1 Dctrack | 2025-06-20 | N/A | 4.8 MEDIUM |
|
An HTML injection vulnerability in Sunbird DCIM dcTrack 9.1.2 allows attackers authenticated as administrators to inject arbitrary HTML code in an admin screen.
|
|||||
| CVE-2024-38396 | 1 Iterm2 | 1 Iterm2 | 2025-06-20 | N/A | 9.8 CRITICAL |
|
An issue was discovered in iTerm2 3.5.x before 3.5.2. Unfiltered use of an escape sequence to report a window title, in combination with the built-in tmux integration feature (enabled by default), allows an attacker to inject arbitrary code into the terminal, a different vulnerability than CVE-2024-38395.
|
|||||
| CVE-2025-47916 | 1 Invisioncommunity | 1 Invisioncommunity | 2025-06-20 | N/A | 10.0 CRITICAL |
|
Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php. The issue lies within the themeeditor controller (file: /applications/core/modules/front/system/themeeditor.php), where a protected method named customCss can be invoked by unauthenticated users. This method passes the value of the content parameter to the Theme::makeProcessFunction() method; hence it is evaluated by the template engine. Accordingly, this can be exploited by unauth ...
Show More |
|||||
| CVE-2023-46226 | 1 Apache | 1 Iotdb | 2025-06-20 | N/A | 9.8 CRITICAL |
|
Remote Code Execution vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 1.0.0 through 1.2.2.
Users are recommended to upgrade to version 1.3.0, which fixes the issue.
|
|||||
| CVE-2023-22526 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2025-06-20 | N/A | 8.8 HIGH |
|
This High severity RCE (Remote Code Execution) vulnerability was introduced in version 7.19.0 of Confluence Data Center.
This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.
Atlassian recommends that Confluence Data Center customers upgrade to latest version, if you are unable to do ...
Show More |
|||||
| CVE-2025-1155 | 1 Webkul | 1 Qloapps | 2025-06-20 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability, which was classified as problematic, was found in Webkul QloApps 1.6.1. This affects an unknown part of the file /stores of the component Your Location Search. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. It is planned to remove this page in the long term.
|
|||||
| CVE-2025-1114 | 1 Newbee-mall Project | 1 Newbee-mall | 2025-06-20 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability classified as problematic has been found in newbee-mall 1.0. Affected is the function save of the file /admin/categories/save of the component Add Category Page. The manipulation of the argument categoryName leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases a ...
Show More |
|||||
| CVE-2023-32383 | 1 Apple | 1 Macos | 2025-06-20 | N/A | 7.8 HIGH |
|
This issue was addressed by forcing hardened runtime on the affected binaries at the system level. This issue is fixed in macOS Monterey 12.6.6, macOS Big Sur 11.7.7, macOS Ventura 13.4. An app may be able to inject code into sensitive binaries bundled with Xcode.
|
|||||
| CVE-2025-5886 | 1 Emlog | 1 Emlog | 2025-06-20 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability was found in Emlog up to 2.5.7 and classified as problematic. This issue affects some unknown processing of the file /admin/article.php. The manipulation of the argument active_post leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-5138 | 2025-06-20 | 4.0 MEDIUM | 3.5 LOW | ||
|
A vulnerability was found in Bitwarden up to 2.25.1. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component PDF File Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-29058 | 1 Qimou Cms Project | 1 Qimou Cms | 2025-06-19 | N/A | 9.8 CRITICAL |
|
An issue in Qimou CMS v.3.34.0 allows a remote attacker to execute arbitrary code via the upgrade.php component.
|
|||||
| CVE-2024-38395 | 1 Iterm2 | 1 Iterm2 | 2025-06-18 | N/A | 9.8 CRITICAL |
|
In iTerm2 before 3.5.2, the "Terminal may report window title" setting is not honored, and thus remote code execution might occur but "is not trivially exploitable."
|
|||||
| CVE-2025-5420 | 1 Juzaweb | 1 Cms | 2025-06-18 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability classified as problematic was found in juzaweb CMS up to 3.4.2. Affected by this vulnerability is an unknown functionality of the file /admin-cp/file-manager/upload of the component Profile Page. The manipulation of the argument Upload leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2021-38243 | 1 Xunruicms | 1 Xunruicms | 2025-06-18 | N/A | 9.8 CRITICAL |
|
xunruicms up to v4.5.1 was discovered to contain a remote code execution (RCE) vulnerability in /index.php. This vulnerability allows attackers to execute arbitrary code via a crafted GET request.
|
|||||
| CVE-2025-32106 | 1 Audiocodes | 6 Mp-112, Mp-112 Firmware, Mp-114 and 3 more | 2025-06-18 | N/A | 9.8 CRITICAL |
|
In Audiocodes Mediapack MP-11x through 6.60A.369.002, a crafted POST request request may result in an unauthenticated remote user's ability to execute unauthorized code.
|
|||||
| CVE-2024-30845 | 1 Rainbow External Link Network Disk Project | 1 Rainbow External Link Network Disk | 2025-06-17 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting vulnerability in Rainbow external link network disk v.5.5 allows a remote attacker to execute arbitrary code via the validation component of the input parameters.
|
|||||
| CVE-2023-6494 | 1 Wpclever | 1 Wpc Smart Quick View For Woocommerce | 2025-06-17 | N/A | 4.4 MEDIUM |
|
The WPC Smart Quick View for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where u ...
Show More |
|||||
| CVE-2024-29500 | 1 Inteset | 1 Secure Lockdown | 2025-06-17 | N/A | 9.8 CRITICAL |
|
An issue in the kiosk mode of Secure Lockdown Multi Application Edition v2.00.219 allows attackers to execute arbitrary code via running a ClickOnce application instance.
|
|||||
| CVE-2024-31819 | 1 Wwbn | 1 Avideo | 2025-06-17 | N/A | 9.8 CRITICAL |
|
An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath parameter of the submitIndex.php component.
|
|||||
| CVE-2024-26362 | 3 Enpass, Linux, Microsoft | 3 Password Manager, Linux Kernel, Windows | 2025-06-17 | N/A | 8.8 HIGH |
|
HTML injection vulnerability in Enpass Password Manager Desktop Client 6.9.2 for Windows and Linux allows attackers to run arbitrary HTML code via creation of crafted note.
|
|||||
| CVE-2024-29937 | 2 Freebsd, Openbsd | 2 Freebsd, Openbsd | 2025-06-17 | N/A | 9.8 CRITICAL |
|
NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers to execute arbitrary code via a bug that is unrelated to memory corruption.
|
|||||
| CVE-2024-29399 | 1 Gnu | 1 Savane | 2025-06-17 | N/A | 7.6 HIGH |
|
An issue was discovered in GNU Savane v.3.13 and before, allows a remote attacker to execute arbitrary code and escalate privileges via a crafted file to the upload.php component.
|
|||||
| CVE-2024-25376 | 1 Thesycon | 1 Tusbaudio | 2025-06-17 | N/A | 7.8 HIGH |
|
An issue discovered in Thesycon Software Solutions Gmbh & Co. KG TUSBAudio MSI-based installers before 5.68.0 allows a local attacker to execute arbitrary code via the msiexec.exe repair mode.
|
|||||
| CVE-2025-5507 | 1 Totolink | 2 A3002ru, A3002ru Firmware | 2025-06-17 | 3.3 LOW | 2.4 LOW |
|
A vulnerability was found in TOTOLINK A3002RU 2.1.1-B20230720.1011. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component MAC Filtering Page. The manipulation of the argument Comment leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-5506 | 1 Totolink | 2 A3002ru, A3002ru Firmware | 2025-06-17 | 3.3 LOW | 2.4 LOW |
|
A vulnerability was found in TOTOLINK A3002RU 2.1.1-B20230720.1011. It has been classified as problematic. Affected is an unknown function of the component NAT Mapping Page. The manipulation of the argument Comment leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-5505 | 1 Totolink | 2 A3002ru, A3002ru Firmware | 2025-06-17 | 3.3 LOW | 2.4 LOW |
|
A vulnerability was found in TOTOLINK A3002RU 2.1.1-B20230720.1011 and classified as problematic. This issue affects some unknown processing of the file /boafrm/formPortFw of the component Virtual Server Page. The manipulation of the argument service_type leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||