Total
860 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-35853 | 1 Oisf | 1 Suricata | 2024-12-11 | N/A | 9.8 CRITICAL |
| In Suricata before 6.0.13, an adversary who controls an external source of Lua rules may be able to execute Lua code. This is addressed in 6.0.13 by disabling Lua unless allow-rules is true in the security lua configuration section. | |||||
| CVE-2024-51815 | 2024-12-06 | N/A | 9.0 CRITICAL | ||
| Improper Control of Generation of Code ('Code Injection') vulnerability in WP Sharks s2Member Pro allows Code Injection.This issue affects s2Member Pro: from n/a through 241114. | |||||
| CVE-2021-31635 | 1 Jfinal | 1 Jfinal | 2024-12-05 | N/A | 9.8 CRITICAL |
| Server-Side Template Injection (SSTI) vulnerability in jFinal v.4.9.08 allows a remote attacker to execute arbitrary code via the template function. | |||||
| CVE-2024-48840 | 2024-12-05 | N/A | 10.0 CRITICAL | ||
| Unauthorized Access vulnerabilities allow Remote Code Execution. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02 | |||||
| CVE-2024-48839 | 2024-12-05 | N/A | 10.0 CRITICAL | ||
| Improper Input Validation vulnerability allows Remote Code Execution. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02 | |||||
| CVE-2024-39165 | 2024-12-04 | N/A | 9.8 CRITICAL | ||
| QR/demoapp/qr_image.php in Asial JpGraph Professional through 4.2.6-pro allows remote attackers to execute arbitrary code via a PHP payload in the data parameter in conjunction with a .php file name in the filename parameter. This occurs because an unnecessary QR/demoapp folder.is shipped with the product. | |||||
| CVE-2024-22116 | 1 Zabbix | 1 Zabbix | 2024-12-04 | N/A | 9.9 CRITICAL |
| An administrator with restricted permissions can exploit the script execution functionality within the Monitoring Hosts section. The lack of default escaping for script parameters enabled this user ability to execute arbitrary code via the Ping script, thereby compromising infrastructure. | |||||
| CVE-2024-8672 | 2024-11-28 | N/A | 9.9 CRITICAL | ||
| The Widget Options – The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.0.7 via the display logic functionality that extends several page builders. This is due to the plugin allowing users to supply input that will be passed through eval() without any filtering or capability checks. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server. Special note: We suggested the vendor implement an allowlist of functions and limit the ability to execute commands to just administrators, however, they did not take our advice. We are considering this patched, however, we believe it could still be further hardened and there may be residual risk with how the issue is currently patched. | |||||
| CVE-2024-8923 | 1 Servicenow | 1 Servicenow | 2024-11-27 | N/A | 9.8 CRITICAL |
| ServiceNow has addressed an input validation vulnerability that was identified in the Now Platform. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow deployed an update to hosted instances and ServiceNow provided the update to our partners and self-hosted customers. Further, the vulnerability is addressed in the listed patches and hot fixes. | |||||
| CVE-2024-44758 | 2024-11-27 | N/A | 9.8 CRITICAL | ||
| An arbitrary file upload vulnerability in the component /Production/UploadFile of NUS-M9 ERP Management Software v3.0.0 allows attackers to execute arbitrary code via uploading crafted files. | |||||
| CVE-2024-51367 | 2024-11-27 | N/A | 9.8 CRITICAL | ||
| An arbitrary file upload vulnerability in the component \Users\username.BlackBoard of BlackBoard v2.0.0.2 allows attackers to execute arbitrary code via uploading a crafted .xml file. | |||||
| CVE-2023-36258 | 1 Langchain | 1 Langchain | 2024-11-22 | N/A | 9.8 CRITICAL |
| An issue in LangChain before 0.0.236 allows an attacker to execute arbitrary code because Python code with os.system, exec, or eval can be used. | |||||
| CVE-2024-25110 | 1 Microsoft | 1 Azure Uamqp | 2024-11-22 | N/A | 9.8 CRITICAL |
| The UAMQP is a general purpose C library for AMQP 1.0. During a call to open_get_offered_capabilities, a memory allocation may fail causing a use-after-free issue and if a client called it during connection communication it may cause a remote code execution. Users are advised to update the submodule with commit `30865c9c`. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-48694 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| File Upload vulnerability in Xi'an Daxi Information technology OfficeWeb365 v.8.6.1.0 and v7.18.23.0 allows a remote attacker to execute arbitrary code via the pw/savedraw component. | |||||
| CVE-2024-10094 | 2024-11-21 | N/A | 9.1 CRITICAL | ||
| Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code | |||||
| CVE-2024-5826 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| In the latest version of vanna-ai/vanna, the `vanna.ask` function is vulnerable to remote code execution due to prompt injection. The root cause is the lack of a sandbox when executing LLM-generated code, allowing an attacker to manipulate the code executed by the `exec` function in `src/vanna/base/base.py`. This vulnerability can be exploited by an attacker to achieve remote code execution on the app backend server, potentially gaining full control of the server. | |||||
| CVE-2024-5751 | 1 Litellm | 1 Litellm | 2024-11-21 | N/A | 9.8 CRITICAL |
| BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. The vulnerability exists in the `add_deployment` function, which decodes and decrypts environment variables from base64 and assigns them to `os.environ`. An attacker can exploit this by sending a malicious payload to the `/config/update` endpoint, which is then processed and executed by the server when the `get_secret` function is triggered. This requires the server to use Google KMS and a database to store a model. | |||||
| CVE-2024-5683 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| Improper Control of Generation of Code ('Code Injection') vulnerability in Next4Biz CRM & BPM Software Business Process Manangement (BPM) allows Remote Code Inclusion.This issue affects Business Process Manangement (BPM): from 6.6.4.4 before 6.6.4.5. | |||||
| CVE-2024-4884 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | N/A | 9.8 CRITICAL |
| In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability in Progress WhatsUpGold. The Apm.UI.Areas.APM.Controllers.CommunityController allows execution of commands with iisapppool\nmconsole privileges. | |||||
| CVE-2024-4883 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | N/A | 9.8 CRITICAL |
| In WhatsUp Gold versions released before 2023.1.3, a Remote Code Execution issue exists in Progress WhatsUp Gold. This vulnerability allows an unauthenticated attacker to achieve the RCE as a service account through NmApi.exe. | |||||