Total: 860 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-56145 | 1 Craftcms | 1 Craft Cms | 2025-06-03 | N/A | 9.8 CRITICAL |
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue. | |||||
CVE-2022-1609 | 1 Weblizar | 1 School Management | 2025-06-02 | N/A | 9.8 CRITICAL |
The School Management WordPress plugin before 9.9.7 contains an obfuscated backdoor injected in its license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site. | |||||
CVE-2025-44881 | 1 Wavlink | 2 Wl-wn579a3, Wl-wn579a3 Firmware | 2025-05-30 | N/A | 9.8 CRITICAL |
A command injection vulnerability in the component /cgi-bin/qos.cgi of Wavlink WL-WN579A3 v1.0 allows attackers to execute arbitrary commands via a crafted input. | |||||
CVE-2022-34715 | 1 Microsoft | 1 Windows Server 2022 | 2025-05-29 | N/A | 9.8 CRITICAL |
Windows Network File System Remote Code Execution Vulnerability | |||||
CVE-2024-51360 | 1 Phpgurukul | 1 Hospital Management System | 2025-05-29 | N/A | 9.8 CRITICAL |
An issue in Hospital Management System In PHP V4.0 allows a remote attacker to execute arbitrary code via the hms/doctor/edit-profile.php file | |||||
CVE-2022-41138 | 1 Zutty Project | 1 Zutty | 2025-05-29 | N/A | 9.8 CRITICAL |
In Zutty before 0.13, DECRQSS in text written to the terminal can achieve arbitrary code execution. | |||||
CVE-2024-48061 | 1 Langflow | 1 Langflow | 2025-05-28 | N/A | 9.8 CRITICAL |
langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) as any component provided the code functionality and the components run on the local machine rather than in a sandbox. | |||||
CVE-2025-28146 | 1 Edimax | 2 Br-6478ac V3, Br-6478ac V3 Firmware | 2025-05-28 | N/A | 9.8 CRITICAL |
Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3 1.0.15 was discovered to contain a command injection vulnerability via fota_url in /boafrm/formLtefotaUpgradeQuectel | |||||
CVE-2024-50704 | 1 Uniguest | 1 Tripleplay | 2025-05-28 | N/A | 10.0 CRITICAL |
Unauthenticated remote code execution vulnerability in Uniguest Tripleplay before 24.2.1 allows remote attackers to execute arbitrary code via a specially crafted HTTP POST request. | |||||
CVE-2024-50707 | 1 Uniguest | 1 Tripleplay | 2025-05-28 | N/A | 10.0 CRITICAL |
Unauthenticated remote code execution vulnerability in Uniguest Tripleplay before 24.2.1 allows remote attackers to execute arbitrary code via the X-Forwarded-For header in an HTTP GET request. | |||||
CVE-2022-26112 | 1 Apache | 1 Pinot | 2025-05-27 | N/A | 9.8 CRITICAL |
In 0.10.0 or older versions of Apache Pinot, Pinot query endpoint and realtime ingestion layer has a vulnerability in unprotected environments due to a groovy function support. In order to avoid this, we disabled the groovy function support by default from Pinot release 0.11.0. See https://docs.pinot.apache.org/basics/releases/0.11.0 | |||||
CVE-2024-25502 | 1 Flusity | 1 Flusity | 2025-05-23 | N/A | 9.8 CRITICAL |
Directory Traversal vulnerability in flusity CMS v.2.4 allows a remote attacker to execute arbitrary code and obtain sensitive information via the download_backup.php component. | |||||
CVE-2025-46191 | 1 Lerouxyxchire | 1 Client Database Management System | 2025-05-22 | N/A | 9.8 CRITICAL |
Arbitrary File Upload in user_payment_update.php in SourceCodester Client Database Management System 1.0 allows unauthenticated users to upload arbitrary files via the uploaded_file_cancelled field. Due to the absence of proper file extension checks, MIME type validation, and authentication, attackers can upload executable PHP files to a web-accessible directory (/files/). This allows them to execute arbitrary commands remotely by accessing the uploaded script, resulting in full Remote Code Execution (RCE) without authentication. | |||||
CVE-2023-48085 | 1 Nagios | 1 Nagios Xi | 2025-05-22 | N/A | 9.8 CRITICAL |
Nagios XI before version 5.11.3 was discovered to contain a remote code execution (RCE) vulnerability via the component command_test.php. | |||||
CVE-2025-24977 | 1 Citeum | 1 Opencti | 2025-05-22 | N/A | 9.1 CRITICAL |
OpenCTI is an open cyber threat intelligence (CTI) platform. Prior to version 6.4.11 any user with the capability `manage customizations` can execute commands on the underlying infrastructure where OpenCTI is hosted and can access internal server side secrets by misusing the web-hooks. Since the malicious user gets a root shell inside a container this opens up the infrastructure environment for further attacks and exposures. Version 6.4.11 fixes the issue. | |||||
CVE-2024-31022 | 1 Steve228uk | 1 Candycms | 2025-05-22 | N/A | 9.8 CRITICAL |
An issue was discovered in CandyCMS version 1.0.0, allows remote attackers to execute arbitrary code via the install.php component. | |||||
CVE-2024-50919 | 2 Jpress, Microsoft | 2 Jpress, Windows | 2025-05-21 | N/A | 9.8 CRITICAL |
Jpress until v5.1.1 has arbitrary file uploads on the Windows platform, and the construction of non-standard file formats such as .jsp. can lead to arbitrary command execution | |||||
CVE-2025-22968 | 1 Dlink | 2 Dwr-m972v, Dwr-m972v Firmware | 2025-05-21 | N/A | 9.8 CRITICAL |
An issue in D-Link DWR-M972V 1.05SSG allows a remote attacker to execute arbitrary code via SSH using root account without restrictions | |||||
CVE-2024-44411 | 1 Dlink | 2 Di-8300, Di-8300 Firmware | 2025-05-21 | N/A | 9.8 CRITICAL |
D-Link DI-8300 v16.07.26A1 is vulnerable to command injection via the msp_info_htm function. | |||||
CVE-2022-38946 | 1 Divscorp | 1 Doctor-appointment | 2025-05-17 | N/A | 9.8 CRITICAL |
Arbitrary File Upload vulnerability in Doctor-Appointment version 1.0 in /Frontend/signup_com.php, allows attackers to execute arbitrary code. |