Total
5280 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-6602 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-11-03 | N/A | 9.8 CRITICAL |
| A mismatch between allocator and deallocator could have led to memory corruption. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128. | |||||
| CVE-2024-54529 | 1 Apple | 1 Macos | 2025-11-03 | N/A | 7.8 HIGH |
| A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. An app may be able to execute arbitrary code with kernel privileges. | |||||
| CVE-2025-24243 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2025-11-03 | N/A | 7.8 HIGH |
| The issue was addressed with improved memory handling. This issue is fixed in visionOS 2.4, macOS Ventura 13.7.5, tvOS 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5. Processing a maliciously crafted file may lead to arbitrary code execution. | |||||
| CVE-2024-35226 | 2025-11-03 | N/A | 7.3 HIGH | ||
| Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. In affected versions template authors could inject php code by choosing a malicious file name for an extends-tag. Sites that cannot fully trust template authors should update asap. All users are advised to update. There is no patch for users on the v3 branch. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-22123 | 1 Zabbix | 1 Zabbix | 2025-11-03 | N/A | 2.7 LOW |
| Setting SMS media allows to set GSM modem file. Later this file is used as Linux device. But due everything is a file for Linux, it is possible to set another file, e.g. log file and zabbix_server will try to communicate with it as modem. As a result, log file will be broken with AT commands and small part for log file content will be leaked to UI. | |||||
| CVE-2024-22116 | 1 Zabbix | 1 Zabbix | 2025-11-03 | N/A | 9.9 CRITICAL |
| An administrator with restricted permissions can exploit the script execution functionality within the Monitoring Hosts section. The lack of default escaping for script parameters enabled this user ability to execute arbitrary code via the Ping script, thereby compromising infrastructure. | |||||
| CVE-2024-11699 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-11-03 | N/A | 8.8 HIGH |
| Memory safety bugs present in Firefox 132, Firefox ESR 128.4, and Thunderbird 128.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5. | |||||
| CVE-2024-11697 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-11-03 | N/A | 8.8 HIGH |
| When handling keypress events, an attacker may have been able to trick a user into bypassing the "Open Executable File?" confirmation dialog. This could have led to malicious code execution. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5. | |||||
| CVE-2023-39333 | 2025-11-03 | N/A | 5.3 MEDIUM | ||
| Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. This vulnerability affects users of any active release line of Node.js. The vulnerable feature is only available if Node.js is started with the `--experimental-wasm-modules` command line option. | |||||
| CVE-2023-37466 | 1 Vm2 Project | 1 Vm2 | 2025-11-03 | N/A | 9.8 CRITICAL |
| vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox. | |||||
| CVE-2021-23358 | 4 Debian, Fedoraproject, Tenable and 1 more | 4 Debian Linux, Fedora, Tenable.sc and 1 more | 2025-11-03 | 6.5 MEDIUM | 3.3 LOW |
| The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized. | |||||
| CVE-2025-24159 | 1 Apple | 6 Ipados, Iphone Os, Macos and 3 more | 2025-11-03 | N/A | 7.8 HIGH |
| A validation issue was addressed with improved logic. This issue is fixed in iPadOS 17.7.4, macOS Sonoma 14.7.3, visionOS 2.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3. An app may be able to execute arbitrary code with kernel privileges. | |||||
| CVE-2025-1011 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-11-03 | N/A | 8.8 HIGH |
| A bug in WebAssembly code generation could have lead to a crash. It may have been possible for an attacker to leverage this to achieve code execution. This vulnerability affects Firefox < 135, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135. | |||||
| CVE-2024-53920 | 1 Gnu | 1 Emacs | 2025-11-03 | N/A | 7.8 HIGH |
| In elisp-mode.el in GNU Emacs before 30.1, a user who chooses to invoke elisp-completion-at-point (for code completion) on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion that allows attackers to execute arbitrary code. (This unsafe expansion also occurs if a user chooses to enable on-the-fly diagnosis that byte compiles untrusted Emacs Lisp source code.) | |||||
| CVE-2024-43363 | 1 Cacti | 1 Cacti | 2025-11-03 | N/A | 7.2 HIGH |
| Cacti is an open source performance and fault management framework. An admin user can create a device with a malicious hostname containing php code and repeat the installation process (completing only step 5 of the installation process is enough, no need to complete the steps before or after it) to use a php file as the cacti log file. After having the malicious hostname end up in the logs (log poisoning), one can simply go to the log file url to execute commands to achieve RCE. This issue has been addressed in version 1.2.28 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2025-8030 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-11-03 | N/A | 8.1 HIGH |
| Insufficient escaping in the “Copy as cURL” feature could potentially be used to trick a user into executing unexpected code. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. | |||||
| CVE-2025-27678 | 1 Printerlogic | 2 Vasion Print, Virtual Appliance | 2025-11-03 | N/A | 9.8 CRITICAL |
| Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Client Remote Code Execution V-2023-001. | |||||
| CVE-2025-27657 | 1 Printerlogic | 2 Vasion Print, Virtual Appliance | 2025-11-03 | N/A | 9.8 CRITICAL |
| Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Remote Code Execution V-2023-008. | |||||
| CVE-2025-27407 | 2025-11-03 | N/A | 9.0 CRITICAL | ||
| graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch for the issue. | |||||
| CVE-2024-58258 | 2025-11-03 | N/A | 7.2 HIGH | ||
| SugarCRM before 13.0.4 and 14.x before 14.0.1 allows SSRF in the API module because a limited type of code injection can occur. | |||||