Total: 5795 CVEs

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-30202 | 1 Gnu | 2 Emacs, Org Mode | 2025-05-01 | N/A | 7.8 HIGH | In Emacs before 29.3, arbitrary Lisp code is evaluated as part of turning on Org mode. This affects Org Mode before 9.6.23. |
| CVE-2022-44089 | 1 Ecisp | 1 Espcms | 2025-05-01 | N/A | 9.8 CRITICAL | ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component IS_GETCACHE. |
| CVE-2022-44088 | 1 Ecisp | 1 Espcms | 2025-05-01 | N/A | 9.8 CRITICAL | ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component INPUT_ISDESCRIPTION. |
| CVE-2022-44087 | 1 Ecisp | 1 Espcms | 2025-05-01 | N/A | 9.8 CRITICAL | ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component UPFILE_PIC_ZOOM_HIGHT. |
| CVE-2022-40127 | 1 Apache | 1 Airflow | 2025-04-30 | N/A | 8.8 HIGH | A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs to execute arbitrary commands via a manually provided run_id parameter. This issue affects Apache Airflow versions prior to 2.4.0. |
| CVE-2025-45947 | 1 Phpgurukul | 1 Online Banquet Booking System | 2025-04-30 | N/A | 9.8 CRITICAL | An issue in phpgurukul Online Banquet Booking System V1.2 allows an attacker to execute arbitrary code via the /obbs/change-password.php file of the My Account - Change Password component. |
| CVE-2025-3823 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2025-04-30 | 3.3 LOW | 2.4 LOW | A vulnerability classified as problematic has been found in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected is an unknown function of the file add-stock.php. The manipulation of the argument txttotalcost/txtproductID/txtprice/txtexpirydate leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-3824 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2025-04-30 | 3.3 LOW | 2.4 LOW | A vulnerability classified as problematic was found in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected by this vulnerability is an unknown functionality of the file add-product.php. The manipulation of the argument txtprice/txtproduct_name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-3825 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2025-04-30 | 3.3 LOW | 2.4 LOW | A vulnerability, which was classified as problematic, has been found in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected by this issue is some unknown functionality of the file add-category.php. The manipulation of the argument txtcategory_name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-3826 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2025-04-30 | 3.3 LOW | 2.4 LOW | A vulnerability, which was classified as problematic, was found in SourceCodester Web-based Pharmacy Product Management System 1.0. This affects an unknown part of the file add-supplier.php. The manipulation of the argument txtsupplier_name/txtaddress leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2024-39331 | 1 Gnu | 1 Emacs | 2025-04-30 | N/A | 9.8 CRITICAL | In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5. |
| CVE-2024-52945 | 1 Veritas | 1 Netbackup | 2025-04-30 | N/A | 7.8 HIGH | An issue was discovered in Veritas NetBackup before 10.5. This only applies to NetBackup components running on a Windows Operating System. If a user executes specific NetBackup commands or an attacker uses social engineering techniques to impel the user to execute the commands, a malicious DLL could be loaded, resulting in execution of the attacker's code in the user's security context. |
| CVE-2024-55662 | 1 Xwiki | 1 Xwiki | 2025-04-30 | N/A | 9.9 CRITICAL | XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. This vulnerability has been fixed in XWiki 15.10.9 and 16.3.0. Since `Extension Repository Application` is not mandatory, it can be safely disabled on instances that do not use it as a workaround. It is also possible to manually apply ... |
| CVE-2024-55877 | 1 Xwiki | 1 Xwiki | 2025-04-30 | N/A | 9.9 CRITICAL | XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0. It is possible to manually apply the patch to the page `XWiki.XWikiSyntaxMacro ... |
| CVE-2022-45132 | 1 Linaro | 1 Lava | 2025-04-30 | N/A | 9.8 CRITICAL | In Linaro Automated Validation Architecture (LAVA) before 2022.11.1, remote code execution can be achieved through a user-submitted Jinja2 template. The REST API endpoint for validating device configuration files in lava-server loads input as a Jinja2 template in a way that can be used to trigger remote code execution in the LAVA server. |
| CVE-2024-21682 | 1 Atlassian | 1 Assets Discovery Data Center | 2025-04-30 | N/A | 7.2 HIGH | This High severity Injection vulnerability was introduced in Assets Discovery 1.0 - 6.2.0 (all versions). Assets Discovery, which can be downloaded via Atlassian Marketplace, is a network scanning tool that can be used with or without an agent with Jira Service Management Cloud, Data Center or Server. It detects hardware and software that is connected to your local network and extracts detailed information about each asset. This data can then be imported into Assets in Jira Service Management ... |
| CVE-2025-3472 | 1 Oceanwp | 1 Ocean Extra | 2025-04-30 | N/A | 6.5 MEDIUM | The Ocean Extra plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.4.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes when WooCommerce is also installed and activated. |
| CVE-2025-3563 | 1 Wuzhicms | 1 Wuzhicms | 2025-04-29 | 5.8 MEDIUM | 4.7 MEDIUM | A vulnerability was found in WuzhiCMS 4.1. It has been rated as critical. Affected by this issue is the function Set of the file /index.php?m=attachment&f=index&_su=wuzhicms&v=set&submit=1 of the component Setting Handler. The manipulation of the argument Setting leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2024-13069 | 1 Rems | 1 Multi Role Login System | 2025-04-29 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in SourceCodester Multi Role Login System 1.0. It has been classified as problematic. Affected is an unknown function of the file /endpoint/add-user.php. The manipulation of the argument name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2024-13021 | 1 Rems | 1 Road Accident Map Marker | 2025-04-29 | 4.0 MEDIUM | 3.5 LOW | A vulnerability, which was classified as problematic, has been found in SourceCodester Road Accident Map Marker 1.0. Affected by this issue is some unknown functionality of the file /endpoint/add-mark.php. The manipulation of the argument mark_name/details leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. |
| CVE-2025-3489 | 1 Nababur | 1 Simple-user-management-system | 2025-04-29 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability was found in Nababur Simple-User-Management-System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /register.php. The manipulation of the argument name/username leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-3387 | 1 Renrenio | 1 Renren-security | 2025-04-29 | 4.0 MEDIUM | 3.5 LOW | A vulnerability classified as problematic has been found in renrenio renren-security up to 5.4.0. This affects an unknown part of the component JSON Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-3386 | 1 Pb-cms Project | 1 Pb-cms | 2025-04-29 | 3.3 LOW | 2.4 LOW | A vulnerability was found in LinZhaoguan pb-cms 2.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /admin#links of the component Friendship Link Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-3385 | 1 Pb-cms Project | 1 Pb-cms | 2025-04-29 | 3.3 LOW | 2.4 LOW | A vulnerability was found in LinZhaoguan pb-cms 2.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Classification Management Page. The manipulation of the argument Classification name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-3692 | 1 Oretnom23 | 1 Online Eyewear Shop | 2025-04-29 | 3.3 LOW | 2.4 LOW | A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /oews/classes/Master.php?f=save_product. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-29064 | 1 Totolink | 2 X18, X18 Firmware | 2025-04-29 | N/A | 9.8 CRITICAL | An issue in TOTOLINK X18 v.9.1.0cu.2024_B20220329 allows a remote attacker to execute arbitrary code via the sub_410E54 function of cstecgi.cgi. |
| CVE-2022-44262 | 1 Ff4j | 1 Ff4j | 2025-04-29 | N/A | 9.8 CRITICAL | ff4j 1.8.1 is vulnerable to Remote Code Execution (RCE). |
| CVE-2025-31722 | 1 Jenkins | 1 Templating Engine | 2025-04-29 | N/A | 8.8 HIGH | In Jenkins Templating Engine Plugin 2.5.3 and earlier, libraries defined in folders are not subject to sandbox protection, allowing attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM. |
| CVE-2025-3776 | | | 2025-04-29 | N/A | 8.3 HIGH | The Verification SMS with TargetSMS plugin for WordPress is vulnerable to limited Remote Code Execution in all versions up to, and including, 1.5 via the 'targetvr_ajax_handler' function. This is due to a lack of validation on the type of function that can be called. This makes it possible for unauthenticated attackers to execute any callable function on the site, such as phpinfo(). |
| CVE-2025-4011 | | | 2025-04-29 | 4.0 MEDIUM | 3.5 LOW | A vulnerability has been found in Redmine 6.0.0/6.0.1/6.0.2/6.0.3 and classified as problematic. This vulnerability affects unknown code of the component Custom Query Handler. The manipulation of the argument Name leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 6.0.4 is able to address this issue. It is recommended to upgrade the affected component. |
| CVE-2025-2801 | | | 2025-04-29 | N/A | 7.3 HIGH | The Create custom forms for WordPress with a smart form plugin for smart businesses plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. |
| CVE-2025-3491 | | | 2025-04-29 | N/A | 7.2 HIGH | The Add custom page template plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.0.1 via the 'acpt_validate_setting' function. This is due to insufficient sanitization of the 'template_name' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server. |
| CVE-2024-13812 | | | 2025-04-29 | N/A | 6.5 MEDIUM | The Anps Theme plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.1.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. |
| CVE-2021-3661 | 1 Hp | 40 Z1 All-in-one G3, Z1 All-in-one G3 Firmware, Z238 Microtower and 37 more | 2025-04-29 | N/A | 8.4 HIGH | A potential security vulnerability has been identified in certain HP Workstation BIOS (UEFI firmware) which may allow arbitrary code execution. HP is releasing firmware mitigations for the potential vulnerability. |
| CVE-2025-32432 | 1 Craftcms | 1 Craft Cms | 2025-04-28 | N/A | 10.0 CRITICAL | Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892. |
| CVE-2024-48579 | 1 Mayurik | 1 Best House Rental Management System | 2025-04-28 | N/A | 9.8 CRITICAL | SQL Injection vulnerability in Best House Rental Management System project in PHP v.1.0 allows a remote attacker to execute arbitrary code via the username parameter of the login request. |
| CVE-2024-47219 | 1 Vesoft | 1 Nebulagraph Database | 2025-04-28 | N/A | 9.8 CRITICAL | An issue was discovered in vesoft NebulaGraph through 3.8.0. It allows shell command injection. |
| CVE-2024-46080 | 1 Scriptcase | 1 Scriptcase | 2025-04-28 | N/A | 8.0 HIGH | Scriptcase v9.10.023 and before is vulnerable to Remote Code Execution (RCE) via the nm_zip function. |
| CVE-2024-40487 | 1 Lopalopa | 1 Live Membership System | 2025-04-28 | N/A | 7.6 HIGH | A Stored Cross Site Scripting (XSS) vulnerability was found in "/view_type.php" of Kashipara Live Membership System v1.0, which allows remote attackers to execute arbitrary code via the membershipType parameter. |
| CVE-2022-39833 | 1 Filecloud | 1 Filecloud | 2025-04-25 | N/A | 7.2 HIGH | FileCloud versions 20.2 and later allow remote attackers to potentially cause unauthorized remote code execution and access to reported API endpoints via a crafted HTTP request. |