Total
4542 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-28593 | 1 Moodle | 1 Moodle | 2025-05-01 | N/A | 5.4 MEDIUM |
| The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content that leads to a performance degradation. NOTE: the vendor's Using_Chat page says "If you know some HTML code, you can use it in your text to do things like insert images, play sounds or create different coloured and sized text." This page also says "Chat is due to be removed from standard Moodle." | |||||
| CVE-2024-24520 | 1 Lepton-cms | 1 Leptoncms | 2025-05-01 | N/A | 7.8 HIGH |
| An issue in Lepton CMS v.7.0.0 allows a local attacker to execute arbitrary code via the upgrade.php file in the languages place. | |||||
| CVE-2024-23921 | 1 Chargepoint | 6 Home Flex Hardwired, Home Flex Hardwired Firmware, Home Flex Nema 14-50 Plug and 3 more | 2025-05-01 | N/A | 8.8 HIGH |
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the wlanapp module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. | |||||
| CVE-2024-30202 | 1 Gnu | 2 Emacs, Org Mode | 2025-05-01 | N/A | 7.8 HIGH |
| In Emacs before 29.3, arbitrary Lisp code is evaluated as part of turning on Org mode. This affects Org Mode before 9.6.23. | |||||
| CVE-2022-44089 | 2025-05-01 | N/A | 9.8 CRITICAL | ||
| ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component IS_GETCACHE. | |||||
| CVE-2022-44088 | 2025-05-01 | N/A | 9.8 CRITICAL | ||
| ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component INPUT_ISDESCRIPTION. | |||||
| CVE-2022-44087 | 2025-05-01 | N/A | 9.8 CRITICAL | ||
| ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component UPFILE_PIC_ZOOM_HIGHT. | |||||
| CVE-2024-13080 | 1 Phpgurukul | 1 Land Record System | 2025-04-30 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in PHPGurukul Land Record System 1.0. It has been classified as problematic. This affects an unknown part of the file /admin/aboutus.php. The manipulation of the argument Page Description leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-40127 | 1 Apache | 1 Airflow | 2025-04-30 | N/A | 8.8 HIGH |
| A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0. | |||||
| CVE-2025-45947 | 1 Phpgurukul | 1 Online Banquet Booking System | 2025-04-30 | N/A | 9.8 CRITICAL |
| An issue in phpgurukul Online Banquet Booking System V1.2 allows an attacker to execute arbitrary code via the /obbs/change-password.php file of the My Account - Change Password component | |||||
| CVE-2025-3823 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2025-04-30 | 3.3 LOW | 2.4 LOW |
| A vulnerability classified as problematic has been found in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected is an unknown function of the file add-stock.php. The manipulation of the argument txttotalcost/txtproductID/txtprice/txtexpirydate leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3824 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2025-04-30 | 3.3 LOW | 2.4 LOW |
| A vulnerability classified as problematic was found in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected by this vulnerability is an unknown functionality of the file add-product.php. The manipulation of the argument txtprice/txtproduct_name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3825 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2025-04-30 | 3.3 LOW | 2.4 LOW |
| A vulnerability, which was classified as problematic, has been found in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected by this issue is some unknown functionality of the file add-category.php. The manipulation of the argument txtcategory_name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3826 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2025-04-30 | 3.3 LOW | 2.4 LOW |
| A vulnerability, which was classified as problematic, was found in SourceCodester Web-based Pharmacy Product Management System 1.0. This affects an unknown part of the file add-supplier.php. The manipulation of the argument txtsupplier_name/txtaddress leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-39331 | 1 Gnu | 1 Emacs | 2025-04-30 | N/A | 9.8 CRITICAL |
| In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5. | |||||
| CVE-2024-53920 | 1 Gnu | 1 Emacs | 2025-04-30 | N/A | 7.8 HIGH |
| In elisp-mode.el in GNU Emacs before 30.1, a user who chooses to invoke elisp-completion-at-point (for code completion) on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion that allows attackers to execute arbitrary code. (This unsafe expansion also occurs if a user chooses to enable on-the-fly diagnosis that byte compiles untrusted Emacs Lisp source code.) | |||||
| CVE-2024-52945 | 1 Veritas | 1 Netbackup | 2025-04-30 | N/A | 7.8 HIGH |
| An issue was discovered in Veritas NetBackup before 10.5. This only applies to NetBackup components running on a Windows Operating System. If a user executes specific NetBackup commands or an attacker uses social engineering techniques to impel the user to execute the commands, a malicious DLL could be loaded, resulting in execution of the attacker's code in the user's security context. | |||||
| CVE-2024-55662 | 1 Xwiki | 1 Xwiki | 2025-04-30 | N/A | 9.9 CRITICAL |
| XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. This vulnerability has been fixed in XWiki 15.10.9 and 16.3.0. Since `Extension Repository Application` is not mandatory, it can be safely disabled on instances that do not use it as a workaround. It is also possible to manually apply the patches from commit 8659f17d500522bf33595e402391592a35a162e8 to the page `ExtensionCode.ExtensionSheet` and to the page `ExtensionCode.ExtensionAuthorsDisplayer`. | |||||
| CVE-2024-55877 | 1 Xwiki | 1 Xwiki | 2025-04-30 | N/A | 9.9 CRITICAL |
| XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0. It is possible to manually apply the patch to the page `XWiki.XWikiSyntaxMacrosList` as a workaround. | |||||
| CVE-2022-45132 | 1 Linaro | 1 Lava | 2025-04-30 | N/A | 9.8 CRITICAL |
| In Linaro Automated Validation Architecture (LAVA) before 2022.11.1, remote code execution can be achieved through user-submitted Jinja2 template. The REST API endpoint for validating device configuration files in lava-server loads input as a Jinja2 template in a way that can be used to trigger remote code execution in the LAVA server. | |||||