Total
860 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2009-4491 | 1 Acme | 1 Thttpd | 2025-04-09 | 5.0 MEDIUM | 9.8 CRITICAL |
| thttpd 2.25b0 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator. | |||||
| CVE-2006-7105 | 1 Smarty | 1 Smarty | 2025-04-09 | 7.5 HIGH | 9.8 CRITICAL |
| ** DISPUTED ** PHP remote file inclusion vulnerability in libs/Smarty.class.php in Smarty 2.6.9 allows remote attackers to execute arbitrary PHP code via a URL in the filename parameter. NOTE: in the original disclosure, filename is used in a function definition, so this report is probably incorrect. | |||||
| CVE-2006-5610 | 1 Fully Modded Phpbb | 1 Fully Modded Phpbb | 2025-04-09 | 7.5 HIGH | 9.8 CRITICAL |
| PHP remote file inclusion vulnerability in player/includes/common.php in Teake Nutma Foing, as modified in Fully Modded phpBB (phpbbfm) 2021.4.40, allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. | |||||
| CVE-2007-5775 | 1 Bitdefender | 3 Antivirus, Internet Security, Total Security | 2025-04-09 | 9.3 HIGH | 9.8 CRITICAL |
| Unspecified vulnerability in BitDefender allows attackers to execute arbitrary code via unspecified vectors, aka EEYEB-20071024. NOTE: as of 20071029, the only disclosure is a vague pre-advisory with no actionable information. However, since it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes. | |||||
| CVE-2009-2512 | 1 Microsoft | 2 Windows Server 2008, Windows Vista | 2025-04-09 | 9.3 HIGH | 9.8 CRITICAL |
| The Web Services on Devices API (WSDAPI) in Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2 does not properly process the headers of WSD messages, which allows remote attackers to execute arbitrary code via a crafted (1) message or (2) response, aka "Web Services on Devices API Memory Corruption Vulnerability." | |||||
| CVE-2009-2494 | 1 Microsoft | 5 Windows 2000, Windows Server 2003, Windows Server 2008 and 2 more | 2025-04-09 | 10.0 HIGH | 9.8 CRITICAL |
| The Active Template Library (ATL) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via vectors related to erroneous free operations after reading a variant from a stream and deleting this variant, aka "ATL Object Type Mismatch Vulnerability." | |||||
| CVE-2007-4290 | 1 Stadtaus | 1 Guestbook Script | 2025-04-09 | 7.5 HIGH | 9.8 CRITICAL |
| ** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in Guestbook Script 1.9 allow remote attackers to execute arbitrary PHP code via a URL in the script_root parameter to (1) delete.php, (2) edit.php, or (3) inc/common.inc.php; or (4) database.php, (5) entries.php, (6) index.php, (7) logout.php, or (8) settings.php in admin/. NOTE: a third party disputes this vulnerability, noting that these scripts defend against direct requests. | |||||
| CVE-2007-5097 | 1 Online Fantasy Football League | 1 Offl | 2025-04-09 | 7.5 HIGH | 9.8 CRITICAL |
| ** DISPUTED ** PHP remote file inclusion vulnerability in lib/classes/offl_nflteam.php in Online Fantasy Football League (OFFL) 0.2.6 allows remote attackers to execute arbitrary PHP code via a URL in the DOC_ROOT parameter. NOTE: this issue is disputed by CVE because a __FILE__ test protects offl_nflteam.php against direct requests. | |||||
| CVE-2006-6975 | 1 Centipaid | 1 Centipaid | 2025-04-09 | 5.1 MEDIUM | 9.8 CRITICAL |
| ** DISPUTED ** PHP remote file inclusion vulnerability in centipaid_class.php in CentiPaid 1.4.3 allows remote attackers to execute arbitrary code via a URL in the class_pwd parameter. NOTE: this issue has been disputed by CVE and multiple third parties, who state that $class_pwd is set to a static value before the relevant include statement. | |||||
| CVE-2008-4835 | 1 Microsoft | 5 Windows 2000, Windows Server 2003, Windows Server 2008 and 2 more | 2025-04-09 | 10.0 HIGH | 9.8 CRITICAL |
| SMB in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to execute arbitrary code via malformed values of unspecified "fields inside the SMB packets" in an NT Trans2 request, related to "insufficiently validating the buffer size," aka "SMB Validation Remote Code Execution Vulnerability." | |||||
| CVE-2025-26818 | 1 Netwrix | 1 Password Secure | 2025-04-08 | N/A | 9.8 CRITICAL |
| Netwrix Password Secure through 9.2 allows command injection. | |||||
| CVE-2025-27429 | 2025-04-08 | N/A | 9.9 CRITICAL | ||
| SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. | |||||
| CVE-2025-31330 | 2025-04-08 | N/A | 9.9 CRITICAL | ||
| SAP Landscape Transformation (SLT) allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. | |||||
| CVE-2025-2945 | 2025-04-07 | N/A | 9.9 CRITICAL | ||
| Remote Code Execution security vulnerability in pgAdmin 4 (Query Tool and Cloud Deployment modules). The vulnerability is associated with the 2 POST endpoints; /sqleditor/query_tool/download, where the query_commited parameter and /cloud/deploy endpoint, where the high_availability parameter is unsafely passed to the Python eval() function, allowing arbitrary code execution. This issue affects pgAdmin 4: before 9.2. | |||||
| CVE-2024-13645 | 2025-04-07 | N/A | 9.8 CRITICAL | ||
| The tagDiv Composer plugin for WordPress is vulnerable to PHP Object Instantiation in all versions up to, and including, 5.3 via module parameter. This makes it possible for unauthenticated attackers to Instantiate a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | |||||
| CVE-2024-30568 | 1 Netgear | 2 R6850, R6850 Firmware | 2025-04-04 | N/A | 9.8 CRITICAL |
| Netgear R6850 1.1.0.88 was discovered to contain a command injection vulnerability via the c4-IPAddr parameter. | |||||
| CVE-2024-30858 | 1 Netentsec | 2 Ns-asg, Ns-asg Firmware | 2025-04-04 | N/A | 9.8 CRITICAL |
| netentsec NS-ASG 6.3 is vulnerable to SQL Injection via /admin/edit_fire_wall.php. | |||||
| CVE-2024-30868 | 1 Netentsec | 2 Ns-asg, Ns-asg Firmware | 2025-04-04 | N/A | 9.8 CRITICAL |
| netentsec NS-ASG 6.3 is vulnerable to SQL Injection via /admin/add_getlogin.php. | |||||
| CVE-2024-6602 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-04-04 | N/A | 9.8 CRITICAL |
| A mismatch between allocator and deallocator could have led to memory corruption. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128. | |||||
| CVE-2024-46103 | 1 Sem-cms | 1 Semcms | 2025-04-04 | N/A | 9.8 CRITICAL |
| SEMCMS 4.8 is vulnerable to SQL Injection via SEMCMS_Main.php. | |||||