Total: 5795 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-50498 | 1 Lubus | 1 Wp Query Console | 2026-01-23 | N/A | 10.0 CRITICAL | Improper Control of Generation of Code ('Code Injection') vulnerability in LUBUS WP Query Console allows Code Injection. This issue affects WP Query Console: from n/a through 1.0. |
| CVE-2026-22584 | 1 Salesforce | 1 Uni2ts | 2026-01-22 | N/A | 9.8 CRITICAL | Improper Control of Generation of Code ('Code Injection') vulnerability in Salesforce Uni2TS on MacOS, Windows, Linux allows Leverage Executable Code in Non-Executable Files. This issue affects Uni2TS: through 1.2.0. |
| CVE-2026-0500 | 1 Sap | 1 Introscope Enterprise Manager | 2026-01-22 | N/A | 9.6 CRITICAL | Due to the usage of a vulnerable third-party component in SAP Wily Introscope Enterprise Manager (WorkStation), an unauthenticated attacker could create a malicious JNLP (Java Network Launch Protocol) file accessible by a public-facing URL. When a victim clicks on the URL, the accessed Wily Introscope Server could execute OS commands on the victim's machine. This could completely compromise the confidentiality, integrity and availability of the system. |
| CVE-2026-0498 | 1 Sap | 1 S/4 Hana | 2026-01-22 | N/A | 9.1 CRITICAL | SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. |
| CVE-2025-11837 | 1 Qnap | 1 Malware Remover | 2026-01-22 | N/A | 9.8 CRITICAL | An improper control of generation of code vulnerability has been reported to affect Malware Remover. Remote attackers can then exploit the vulnerability to bypass the protection mechanism. We have already fixed the vulnerability in the following version: Malware Remover 6.6.8.20251023 and later. |
| CVE-2026-0580 | 1 Remyandrade | 1 Api Key Manager App | 2026-01-22 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in SourceCodester API Key Manager App 1.0. Affected by this vulnerability is an unknown functionality of the component Import Key Handler. Performing a manipulation results in cross site scripting. The attack can be initiated remotely. |
| CVE-2026-0588 | 1 Rockoa | 1 Rockoa | 2026-01-22 | 4.0 MEDIUM | 3.5 LOW | A weakness has been identified in Xinhu Rainrock RockOA up to 2.7.1. Affected by this vulnerability is an unknown functionality of the file rockfun.php of the component API. This manipulation of the argument callback causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2026-0587 | 1 Rockoa | 1 Rockoa | 2026-01-22 | 4.0 MEDIUM | 3.5 LOW | A security flaw has been discovered in Xinhu Rainrock RockOA up to 2.7.1. Affected is an unknown function of the file rock_page_gong.php of the component Cover Image Handler. The manipulation of the argument fengmian results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2026-0730 | 1 Phpgurukul | 1 Staff Leave Management System | 2026-01-22 | 3.3 LOW | 2.4 LOW | A flaw has been found in PHPGurukul Staff Leave Management System 1.0. The affected element is the function ADD_STAFF/UPDATE_STAFF of the file /staffleave/slms/slms/adminviews.py of the component SVG File Handler. Executing a manipulation of the argument profile_pic can lead to cross site scripting. The attack can be executed remotely. The exploit has been published and may be used. |
| CVE-2025-61937 | 1 Aveva | 1 Process Optimization | 2026-01-22 | N/A | 10.0 CRITICAL | The vulnerability, if exploited, could allow an unauthenticated miscreant to achieve remote code execution under OS system privileges of the "taoimr" service, potentially resulting in complete compromise of the model application server. |
| CVE-2025-64691 | 1 Aveva | 1 Process Optimization | 2026-01-22 | N/A | 8.8 HIGH | The vulnerability, if exploited, could allow an authenticated miscreant (OS standard user) to tamper with TCL Macro scripts and escalate privileges to OS system, potentially resulting in complete compromise of the model application server. |
| CVE-2025-39483 | | | 2026-01-22 | N/A | 6.5 MEDIUM | Improper Control of Generation of Code ('Code Injection') vulnerability in imithemes Eventer allows Code Injection. This issue affects Eventer: from n/a before 3.9.9.1. |
| CVE-2025-14928 | 1 Huggingface | 1 Transformers | 2026-01-21 | N/A | 7.8 HIGH | Hugging Face Transformers HuBERT convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint. The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to ... |
| CVE-2025-68897 | | | 2026-01-20 | N/A | 9.9 CRITICAL | Improper Control of Generation of Code ('Code Injection') vulnerability in Mohammad I. Okfie IF AS Shortcode allows Code Injection. This issue affects IF AS Shortcode: from n/a through 1.2. |
| CVE-2025-66533 | | | 2026-01-20 | N/A | 7.8 HIGH | Improper Control of Generation of Code ('Code Injection') vulnerability in StellarWP GiveWP give allows Code Injection. This issue affects GiveWP: from n/a through <= 4.13.1. |
| CVE-2025-66078 | | | 2026-01-20 | N/A | 9.1 CRITICAL | Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters Hotel Booking Lite motopress-hotel-booking-lite allows Remote Code Inclusion. This issue affects Hotel Booking Lite: from n/a through <= 5.2.3. |
| CVE-2025-62959 | | | 2026-01-20 | N/A | 9.1 CRITICAL | Improper Control of Generation of Code ('Code Injection') vulnerability in videowhisper Paid Videochat Turnkey Site ppv-live-webcams allows Remote Code Inclusion. This issue affects Paid Videochat Turnkey Site: from n/a through <= 7.3.22. |
| CVE-2025-62023 | | | 2026-01-20 | N/A | 9.8 CRITICAL | Improper Control of Generation of Code ('Code Injection') vulnerability in Cristián Lávaque s2Member s2member. This issue affects s2Member: from n/a through <= 250905. |
| CVE-2025-60206 | | | 2026-01-20 | N/A | 10.0 CRITICAL | Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone alone allows Code Injection. This issue affects Alone: from n/a through <= 7.8.3. |
| CVE-2025-60070 | | | 2026-01-20 | N/A | 6.5 MEDIUM | Improper Control of Generation of Code ('Code Injection') vulnerability in The4 Molla molla allows Code Injection. This issue affects Molla: from n/a through <= 1.5.13. |
| CVE-2025-60068 | | | 2026-01-20 | N/A | 6.5 MEDIUM | Improper Control of Generation of Code ('Code Injection') vulnerability in javothemes Javo Core javo-core allows Code Injection. This issue affects Javo Core: from n/a through <= 3.0.0.266. |
| CVE-2025-52756 | | | 2026-01-20 | N/A | 7.4 HIGH | Improper Control of Generation of Code ('Code Injection') vulnerability in Sayan Datta WP Last Modified Info wp-last-modified-info allows Remote Code Inclusion. This issue affects WP Last Modified Info: from n/a through <= 1.9.2. |
| CVE-2025-49926 | | | 2026-01-20 | N/A | 7.3 HIGH | Improper Control of Generation of Code ('Code Injection') vulnerability in Laborator Kalium kalium allows Code Injection. This issue affects Kalium: from n/a through <= 3.25. |
| CVE-2025-49372 | | | 2026-01-20 | N/A | 10.0 CRITICAL | Improper Control of Generation of Code ('Code Injection') vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Remote Code Inclusion. This issue affects HAPPY: from n/a through <= 1.0.7. |
| CVE-2025-47588 | | | 2026-01-20 | N/A | 9.8 CRITICAL | Improper Control of Generation of Code ('Code Injection') vulnerability in acowebs Dynamic Pricing With Discount Rules for WooCommerce aco-woo-dynamic-pricing allows Code Injection. This issue affects Dynamic Pricing With Discount Rules for WooCommerce: from n/a through <= 4.5.9. |
| CVE-2025-32222 | | | 2026-01-20 | N/A | 9.8 CRITICAL | Improper Control of Generation of Code ('Code Injection') vulnerability in Widgetlogic.org Widget Logic widget-logic allows Code Injection. This issue affects Widget Logic: from n/a through <= 6.0.5. |
| CVE-2026-21877 | 1 N8n | 1 N8n | 2026-01-20 | N/A | 9.9 CRITICAL | n8n is an open source workflow automation platform. In versions 0.121.2 and below, an authenticated attacker may be able to execute malicious code using the n8n service. This could result in full compromise and can impact both self-hosted and n8n Cloud instances. This issue is fixed in version 1.121.3. Administrators can reduce exposure by disabling the Git node and limiting access for untrusted users, but upgrading to the latest version is recommended. |
| CVE-2025-10940 | 1 Totaljs | 1 Total.js | 2026-01-16 | 3.3 LOW | 2.4 LOW | A vulnerability was found in Total.js CMS 1.0.0. Affected by this vulnerability is the function layouts_save of the file /admin/ of the component Layout Page. Performing manipulation of the argument HTML results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-11019 | 1 Totaljs | 1 Total.js | 2026-01-16 | 3.3 LOW | 2.4 LOW | A vulnerability has been found in Total.js CMS up to 19.9.0. This impacts an unknown function of the component Files Menu. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-65037 | 1 Microsoft | 1 Azure Container Apps | 2026-01-15 | N/A | 10.0 CRITICAL | Improper control of generation of code ('code injection') in Azure Container Apps allows an unauthorized attacker to execute code over a network. |
| CVE-2026-22244 | 1 Open-metadata | 1 Openmetadata | 2026-01-15 | N/A | 7.2 HIGH | OpenMetadata is a unified metadata platform. Versions prior to 1.11.4 are vulnerable to remote code execution via Server-Side Template Injection (SSTI) in FreeMarker email templates. An attacker must have administrative privileges to exploit the vulnerability. Version 1.11.4 contains a patch. |
| CVE-2025-65026 | 1 Esm | 1 Esm.sh | 2026-01-15 | N/A | 6.1 MEDIUM | esm.sh is a no-build content delivery network (CDN) for modern web development. Prior to version 136, the esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a template literal without proper sanitization. An attacker can inject malicious JavaScript code using ${...} expres ... |
| CVE-2025-14927 | 1 Huggingface | 1 Transformers | 2026-01-15 | N/A | 7.8 HIGH | Hugging Face Transformers SEW-D convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint. The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to e ... |
| CVE-2025-14926 | 1 Huggingface | 1 Transformers | 2026-01-15 | N/A | 7.8 HIGH | Hugging Face Transformers SEW convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint. The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to exe ... |
| CVE-2025-3999 | 1 Seeyon | 1 Oa Web Application System | 2026-01-15 | 4.0 MEDIUM | 3.5 LOW | A vulnerability, which was classified as problematic, has been found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. This issue affects some unknown processing of the file seeyon\opt\Seeyon\A8\ApacheJetspeed\webapps\seeyon\common\js\addDate\date.jsp of the component URL Parameter Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-4000 | 1 Seeyon | 1 Oa Web Application System | 2026-01-15 | 4.0 MEDIUM | 3.5 LOW | A vulnerability, which was classified as problematic, was found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. Affected is an unknown function of the file seeyon\opt\Seeyon\A8\ApacheJetspeed\webapps\seeyon\ssoproxy\jsp\ssoproxy.jsp. The manipulation of the argument Name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-4531 | 1 Seeyon | 1 Oa Web Application System | 2026-01-15 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability was found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. It has been rated as critical. Affected by this issue is the function postData of the file ROOT\WEB-INF\classes\com\ours\www\ehr\salary\service\data\EhrSalaryPayrollServiceImpl.class of the component Beetl Template Handler. The manipulation of the argument payrollId leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-15372 | 1 Youlai | 1 Vue3-element-admin | 2026-01-15 | 3.3 LOW | 2.4 LOW | A weakness has been identified in youlaitech vue3-element-admin up to 3.4.0. This issue affects some unknown processing of the file src/views/system/notice/index.vue of the component Notice Handler. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2019-4716 | 1 Ibm | 1 Planning Analytics | 2026-01-14 | 10.0 HIGH | 9.8 CRITICAL | IBM Planning Analytics 2.0.0 through 2.0.8 is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. IBM X-Force ID: 172094. |
| CVE-2024-28893 | 1 Hp | 1 Softpaqs | 2026-01-14 | N/A | 7.7 HIGH | Certain HP software packages (SoftPaqs) are potentially vulnerable to arbitrary code execution when the SoftPaq configuration file has been modified after extraction. HP has released updated software packages (SoftPaqs). |