Total
4866 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-2802 | 2025-05-07 | N/A | 7.3 HIGH | ||
| The LayoutBoxx plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.3.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | |||||
| CVE-2024-49362 | 1 Joplin Project | 1 Joplin | 2025-05-07 | N/A | 7.7 HIGH |
| Joplin is a free, open source note taking and to-do application. Joplin-desktop has a vulnerability that leads to remote code execution (RCE) when a user clicks on an <a> link within untrusted notes. The issue arises due to insufficient sanitization of <a> tag attributes introduced by the Mermaid. This vulnerability allows the execution of untrusted HTML content within the Electron window, which has full access to Node.js APIs, enabling arbitrary shell command execution. | |||||
| CVE-2024-31003 | 1 Axiosys | 1 Bento4 | 2025-05-07 | N/A | 8.8 HIGH |
| Buffer Overflow vulnerability in Bento4 Bento v.1.6.0-641 allows a remote attacker to execute arbitrary code via the AP4_MemoryByteStream::WritePartial at Ap4ByteStream.cpp. | |||||
| CVE-2024-31005 | 1 Axiosys | 1 Bento4 | 2025-05-07 | N/A | 8.1 HIGH |
| An issue in Bento4 Bento v.1.6.0-641 allows a remote attacker to execute arbitrary code via the Ap4MdhdAtom.cpp,AP4_MdhdAtom::AP4_MdhdAtom,mp4fragment | |||||
| CVE-2024-53268 | 1 Joplin Project | 1 Joplin | 2025-05-07 | N/A | 7.2 HIGH |
| Joplin is an open source, privacy-focused note taking app with sync capabilities for Windows, macOS, Linux, Android and iOS. In affected versions attackers are able to abuse the fact that openExternal is used without any filtering of URI schemes to obtain remote code execution in Windows environments. This issue has been addressed in version 3.0.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-48581 | 1 Mayurik | 1 Best Courier Management System | 2025-05-06 | N/A | 9.8 CRITICAL |
| File Upload vulnerability in Best courier management system in php v.1.0 allows a remote attacker to execute arbitrary code via the admin_class.php component. | |||||
| CVE-2024-51243 | 1 Eladmin | 1 Eladmin | 2025-05-06 | N/A | 7.2 HIGH |
| The eladmin v2.7 and before contains a remote code execution (RCE) vulnerability that can control all application deployment servers of this management system via DeployController.java. | |||||
| CVE-2024-0220 | 1 Br-automation | 2 Automation Studio, Technology Guarding | 2025-05-06 | N/A | 8.3 HIGH |
| B&R Automation Studio Upgrade Service and B&R Technology Guarding use insufficient cryptography for communication to the upgrade and the licensing servers. A network-based attacker could exploit the vulnerability to execute arbitrary code on the products or sniff sensitive data. | |||||
| CVE-2024-13808 | 1 Wpxpro | 1 Xpro Addons For Elementor | 2025-05-06 | N/A | 8.8 HIGH |
| The Xpro Elementor Addons - Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.4.9 via the custom PHP widget. This is due to their only being client side controls when determining who can access the widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. | |||||
| CVE-2024-13420 | 1 G5plus | 4 April, Auteur, Benaa and 1 more | 2025-05-06 | N/A | 4.3 MEDIUM |
| Multiple plugins and/or themes for WordPress are vulnerable to unauthorized access due to a missing capability check on several AJAX actions like 'gsf_reset_section_options', 'gsf_reset_section_options', 'gsf_create_preset_options' and more in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset and modify some of the plugin/theme settings. This issue was escalated to Envato over two months from the date of this disclosure and the issues, while partially patched, are still vulnerable. | |||||
| CVE-2022-32924 | 1 Apple | 5 Ipad Os, Iphone Os, Macos and 2 more | 2025-05-06 | N/A | 7.8 HIGH |
| The issue was addressed with improved memory handling. This issue is fixed in tvOS 16.1, macOS Big Sur 11.7, macOS Ventura 13, watchOS 9.1, iOS 16.1 and iPadOS 16, macOS Monterey 12.6. An app may be able to execute arbitrary code with kernel privileges. | |||||
| CVE-2023-50379 | 1 Apache | 1 Ambari | 2025-05-05 | N/A | 8.8 HIGH |
| Malicious code injection in Apache Ambari in prior to 2.7.8. Users are recommended to upgrade to version 2.7.8, which fixes this issue. Impact: A Cluster Operator can manipulate the request by adding a malicious code injection and gain a root over the cluster main host. | |||||
| CVE-2025-4257 | 2025-05-05 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability, which was classified as problematic, has been found in SeaCMS 13.2. This issue affects some unknown processing of the file /admin_pay.php. The manipulation of the argument cstatus leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-4261 | 2025-05-05 | 4.3 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability was found in GAIR-NLP factool up to 3f3914bc090b644be044b7e0005113c135d8b20f. It has been classified as critical. This affects the function run_single of the file factool/factool/math/tool.py. The manipulation leads to code injection. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. | |||||
| CVE-2024-13738 | 2025-05-05 | N/A | 7.3 HIGH | ||
| The The Motors - Car Dealer, Rental & Listing WordPress theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.6.65. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. *It is unclear exactly which version the issue was patched in from the changelog. Therefore, we used the latest version at the time of verification. | |||||
| CVE-2024-31864 | 1 Apache | 1 Zeppelin | 2025-05-05 | N/A | 9.8 CRITICAL |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin. The attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver. This issue affects Apache Zeppelin: before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. | |||||
| CVE-2020-20124 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | 6.5 MEDIUM | 8.8 HIGH |
| Wuzhi CMS v4.1.0 contains a remote code execution (RCE) vulnerability in \attachment\admin\index.php. | |||||
| CVE-2024-28424 | 1 Zenml | 1 Zenml | 2025-05-05 | N/A | 8.8 HIGH |
| zenml v0.55.4 was discovered to contain an arbitrary file upload vulnerability in the load function at /materializers/cloudpickle_materializer.py. This vulnerability allows attackers to execute arbitrary code via uploading a crafted file. | |||||
| CVE-2021-21480 | 1 Sap | 1 Manufacturing Integration And Intelligence | 2025-05-05 | 9.0 HIGH | 8.8 HIGH |
| SAP MII allows users to create dashboards and save them as JSP through the SSCE (Self Service Composition Environment). An attacker can intercept a request to the server, inject malicious JSP code in the request and forward to server. When this dashboard is opened by users having at least SAP_XMII Developer role, malicious content in the dashboard gets executed, leading to remote code execution in the server, which allows privilege escalation. The malicious JSP code can contain certain OS commands, through which an attacker can read sensitive files in the server, modify files or even delete contents in the server thus compromising the confidentiality, integrity and availability of the server hosting the SAP MII application. Also, an attacker authenticated as a developer can use the application to upload and execute a file which will permit them to execute operating systems commands completely compromising the server hosting the application. | |||||
| CVE-2023-41503 | 1 Code-projects | 1 Student Enrollment | 2025-05-05 | N/A | 9.8 CRITICAL |
| Student Enrollment In PHP v1.0 was discovered to contain a SQL injection vulnerability via the Login function. | |||||