Total
860 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-26845 | 1 Znuny | 1 Znuny | 2025-05-16 | N/A | 9.8 CRITICAL |
| An Eval Injection issue was discovered in Znuny through 7.1.3. A user with write access to the configuration file can use this to execute a command executed by the user running the backup.pl script. | |||||
| CVE-2025-32363 | 2025-05-16 | N/A | 9.8 CRITICAL | ||
| mediDOK before 2.5.18.43 allows remote attackers to achieve remote code execution on a target system via deserialization of untrusted data. | |||||
| CVE-2022-40871 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2025-05-15 | N/A | 9.8 CRITICAL |
| Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by eval. | |||||
| CVE-2024-46076 | 1 Ruoyi | 1 Ruoyi | 2025-05-15 | N/A | 9.8 CRITICAL |
| RuoYi v4.7.9 and before has a security flaw that allows escaping from comments within the code generation feature, enabling the injection of malicious code. | |||||
| CVE-2019-10173 | 2 Oracle, Xstream | 10 Banking Platform, Business Activity Monitoring, Communications Billing And Revenue Management Elastic Charging Engine and 7 more | 2025-05-14 | 7.5 HIGH | 9.8 CRITICAL |
| It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285) | |||||
| CVE-2015-2079 | 1 Webmin | 1 Usermin | 2025-05-14 | N/A | 9.9 CRITICAL |
| Usermin 0.980 through 1.x before 1.660 allows uconfig_save.cgi sig_file_free remote code execution because it uses the two argument (not three argument) form of Perl open. | |||||
| CVE-2023-43958 | 1 Kishan0725 | 1 Hospital Management System | 2025-05-14 | N/A | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in the component /jquery-file-upload/server/php/index.php of Hospital Management System v4.0 allows an unauthenticated attacker to upload any file to the server and execute arbitrary code. | |||||
| CVE-2022-41544 | 1 Get-simple | 1 Getsimple Cms | 2025-05-13 | N/A | 9.8 CRITICAL |
| GetSimple CMS v3.3.16 was discovered to contain a remote code execution (RCE) vulnerability via the edited_file parameter in admin/theme-edit.php. | |||||
| CVE-2025-44071 | 1 Seacms | 1 Seacms | 2025-05-13 | N/A | 9.8 CRITICAL |
| SeaCMS v13.3 was discovered to contain a remote code execution (RCE) vulnerability via the component phomebak.php. This vulnerability allows attackers to execute arbitrary code via a crafted request. | |||||
| CVE-2024-57099 | 1 Classcms | 1 Classcms | 2025-05-13 | N/A | 9.8 CRITICAL |
| ClassCMS v4.8 has a code execution vulnerability. Attackers can exploit this vulnerability by constructing a payload in the classview parameter of the model management feature, allowing them to execute arbitrary code and potentially take control of the server. | |||||
| CVE-2024-25180 | 1 Pdfmake Project | 1 Pdfmake | 2025-05-13 | N/A | 9.8 CRITICAL |
| An issue discovered in pdfmake 0.2.9 allows remote attackers to run arbitrary code via crafted POST request to the /pdf endpoint. NOTE: this is disputed because the behavior of the /pdf endpoint is intentional. The /pdf endpoint is only available after installing a test framework (that lives outside of the pdfmake applicaton). Anyone installing this is responsible for ensuring that it is only available to authorized testers. | |||||
| CVE-2024-25293 | 1 Mjml | 1 Mjml App | 2025-05-13 | N/A | 9.3 CRITICAL |
| mjml-app versions 3.0.4 and 3.1.0-beta were discovered to contain a remote code execution (RCE) via the href attribute. | |||||
| CVE-2025-46661 | 1 Ipwsystems | 1 Metazo | 2025-05-12 | N/A | 10.0 CRITICAL |
| IPW Systems Metazo through 8.1.3 allows unauthenticated Remote Code Execution because smartyValidator.php enables the attacker to provide template expressions, aka Server-Side Template-Injection. All instances have been patched by the Supplier. | |||||
| CVE-2025-23211 | 1 Tandoor | 1 Recipes | 2025-05-08 | N/A | 9.9 CRITICAL |
| Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. A Jinja2 SSTI vulnerability allows any user to execute commands on the server. In the case of the provided Docker Compose file as root. This vulnerability is fixed in 1.5.24. | |||||
| CVE-2025-24893 | 1 Xwiki | 1 Xwiki | 2025-05-07 | N/A | 9.8 CRITICAL |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed. | |||||
| CVE-2025-3248 | 1 Langflow | 1 Langflow | 2025-05-07 | N/A | 9.8 CRITICAL |
| Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code. | |||||
| CVE-2024-48168 | 1 Dlink | 2 Dcs-960l, Dcs-960l Firmware | 2025-05-07 | N/A | 9.8 CRITICAL |
| A stack overflow vulnerability exists in the sub_402280 function of the HNAP service of D-Link DCS-960L 1.09, allowing an attacker to execute arbitrary code. | |||||
| CVE-2020-21016 | 1 Dlink | 2 Dir-846, Dir-846 Firmware | 2025-05-07 | N/A | 9.8 CRITICAL |
| D-Link DIR-846 devices with firmware 100A35 allow remote attackers to execute arbitrary code as root via HNAP1/control/SetGuestWLanSettings.php. | |||||
| CVE-2024-48581 | 1 Mayurik | 1 Best Courier Management System | 2025-05-06 | N/A | 9.8 CRITICAL |
| File Upload vulnerability in Best courier management system in php v.1.0 allows a remote attacker to execute arbitrary code via the admin_class.php component. | |||||
| CVE-2024-31864 | 1 Apache | 1 Zeppelin | 2025-05-05 | N/A | 9.8 CRITICAL |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin. The attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver. This issue affects Apache Zeppelin: before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. | |||||