Vulnerabilities (CVE)

Filtered by CWE-94
Total 1049 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-11036 1 Gamipress 1 Gamipress 2025-02-04 N/A 7.3 HIGH
The GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via the gamipress_get_user_earnings AJAX action in all versions up to, and including, 7.1.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
CVE-2024-42911 2025-02-03 N/A 7.4 HIGH
ECOVACS Robotics Deebot T20 OMNI and T20e OMNI before 1.24.0 were discovered to contain a WiFi Remote Code Execution vulnerability.
CVE-2024-37061 1 Lfprojects 1 Mlflow 2025-02-03 N/A 8.8 HIGH
Remote Code Execution can occur in MLflow platform versions 1.11.0 or newer, enabling a maliciously crafted MLproject to execute arbitrary code on an end user’s system when run.
CVE-2024-11600 1 Visualmodo 1 Borderless 2025-01-31 N/A 7.2 HIGH
The Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.5.9 via the 'write_config' function. This is due to a lack of sanitization on an imported JSON file. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.
CVE-2024-53561 2025-01-31 N/A 8.7 HIGH
A remote code execution (RCE) vulnerability in Arcadyan Meteor 2 CPE FG360 Firmware ETV2.10 allows attackers to execute arbitrary code via a crafted request.
CVE-2023-26546 1 Echa.europa 1 Iuclid 2025-01-30 N/A 8.8 HIGH
European Chemicals Agency IUCLID before 6.27.6 allows remote authenticated users to execute arbitrary code via Server Side Template Injection (SSTI) with a crafted template file. The attacker must have template manager permission.
CVE-2023-6743 1 Unlimited-elements 1 Unlimited Elements For Elementor 2025-01-30 N/A 8.8 HIGH
The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.5.89 via the template import functionality. This makes it possible for authenticated attackers, with contributor access and above, to execute code on the server.
CVE-2023-39469 1 Papercut 2 Papercut Mf, Papercut Ng 2025-01-30 N/A 7.2 HIGH
PaperCut NG External User Lookup Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PaperCut NG. Authentication is required to exploit this vulnerability. The specific flaw exists within the External User Lookup functionality. The issue results from the lack of proper validation of a user-supplied string before using it to execute Java code. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-21013.
CVE-2023-29963 1 S-cms 1 S-cms 2025-01-29 N/A 7.2 HIGH
S-CMS v5.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /admin/ajax.php.
CVE-2024-10261 1 Cozmoslabs 1 Membership & Content Restriction - Paid Member Subscriptions 2025-01-29 N/A 7.3 HIGH
The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.13.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
CVE-2023-31414 1 Elastic 1 Kibana 2025-01-29 N/A 8.8 HIGH
Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code execution flaw. An attacker with write access to Kibana yaml or env configuration could add a specific payload that will attempt to execute JavaScript code. This could lead to the attacker executing arbitrary commands on the host system with permissions of the Kibana process.
CVE-2023-31415 1 Elastic 1 Kibana 2025-01-29 N/A 8.8 HIGH
Kibana version 8.7.0 contains an arbitrary code execution flaw. An attacker with All privileges to the Uptime/Synthetics feature could send a request that will attempt to execute JavaScript code. This could lead to the attacker executing arbitrary commands on the host system with permissions of the Kibana process.
CVE-2025-21292 1 Microsoft 10 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 7 more 2025-01-24 N/A 8.8 HIGH
Windows Search Service Elevation of Privilege Vulnerability
CVE-2024-13495 1 Gamipress 1 Gamipress 2025-01-24 N/A 7.3 HIGH
The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via the gamipress_ajax_get_logs() function in all versions up to, and including, 7.2.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
CVE-2024-13499 1 Gamipress 1 Gamipress 2025-01-24 N/A 7.3 HIGH
The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via the gamipress_do_shortcode() function in all versions up to, and including, 7.2.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
CVE-2023-29400 1 Golang 1 Go 2025-01-24 N/A 7.3 HIGH
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
CVE-2023-24539 1 Golang 1 Go 2025-01-24 N/A 7.3 HIGH
Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.
CVE-2023-30130 1 Craftcms 1 Craft Cms 2025-01-24 N/A 8.8 HIGH
An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter.
CVE-2022-47879 1 Jedox 2 Jedox, Jedox Cloud 2025-01-24 N/A 7.5 HIGH
A Remote Code Execution (RCE) vulnerability in /be/rpc.php in Jedox 2020.2.5 allows remote authenticated users to load arbitrary PHP classes from the 'rtn' directory and execute their methods.
CVE-2025-23051 2025-01-23 N/A 7.2 HIGH
An authenticated parameter injection vulnerability exists in the web-based management interface of the AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated user to leverage parameter injection to overwrite arbitrary system files.