Total: 3602 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2023-39020 | 1 Stanford | 1 Stanford Parser | 2024-10-10 | N/A | 9.8 CRITICAL | stanford-parser v3.9.2 and below was discovered to contain a code injection vulnerability in the component edu.stanford.nlp.io.getBZip2PipedInputStream. This vulnerability is exploited via passing an unchecked argument.
CVE-2012-1661 | 1 Esri | 1 Arcmap | 2024-10-10 | 9.3 HIGH | N/A | ESRI ArcMap 9 and ArcGIS 10.0.2.3200 and earlier do not properly prompt users before executing embedded VBA macros, which allows user-assisted remote attackers to execute arbitrary VBA code via a crafted map (.mxd) file.
CVE-2024-45874 | | | 2024-10-10 | N/A | 9.8 CRITICAL | A DLL hijacking vulnerability in VegaBird Vooki 5.2.9 allows attackers to execute arbitrary code or maintain persistence by placing a crafted DLL file in the same directory as Vooki.exe.
CVE-2024-46076 | | | 2024-10-10 | N/A | 9.8 CRITICAL | RuoYi v4.7.9 and before has a security flaw that allows escaping from comments within the code generation feature, enabling the injection of malicious code.
CVE-2024-25706 | | | 2024-10-10 | N/A | 6.1 MEDIUM | There is an HTML injection vulnerability in Esri Portal for ArcGIS <=11.0 that may allow a remote, unauthenticated attacker to craft a URL which, when clicked, could potentially generate a message that may entice an unsuspecting victim to visit an arbitrary website. This could simplify phishing attacks.
CVE-2024-45873 | | | 2024-10-10 | N/A | 9.8 CRITICAL | A DLL hijacking vulnerability in VegaBird Yaazhini 2.0.2 allows attackers to execute arbitrary code or maintain persistence by placing a crafted DLL file in the same directory as Yaazhini.exe.
CVE-2024-41651 | 1 Prestashop | 1 Prestashop | 2024-10-09 | N/A | 8.1 HIGH | An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an admin user (who, by design, is allowed to change the code that is running on the server).
CVE-2023-43364 | 1 Arjunsharda | 1 Searchor | 2024-10-09 | N/A | 9.8 CRITICAL | main.py in Searchor before 2.4.2 uses eval on CLI input, which may cause unexpected code execution.
CVE-2022-0845 | 1 Lightningai | 1 Pytorch Lightning | 2024-10-09 | 10.0 HIGH | 9.8 CRITICAL | Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0.
CVE-2023-34468 | | | 2024-10-08 | N/A | 8.8 HIGH | The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. You are recommended to upgrade to version 1.22.0 or later, which fixes this issue.
CVE-2024-45933 | | | 2024-10-08 | N/A | 6.6 MEDIUM | OnlineNewsSite v1.0 is vulnerable to Cross Site Scripting (XSS), which allows attackers to execute arbitrary code via the Title and summary fields in the /admin/post/edit/ endpoint.
CVE-2024-8254 | 1 Icegram | 1 Email Subscribers & Newsletters | 2024-10-08 | N/A | 6.3 MEDIUM | The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.7.34. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.
CVE-2023-39445 | | | 2024-10-08 | N/A | 8.8 HIGH | Hidden functionality vulnerability in LAN-WH300N/RE all versions provided by LOGITEC CORPORATION allows an unauthenticated attacker to execute arbitrary code by sending a specially crafted file to a certain management console of the product.
CVE-2023-38576 | | | 2024-10-08 | N/A | 8.0 HIGH | Hidden functionality vulnerability in LAN-WH300N/RE all versions provided by LOGITEC CORPORATION allows an authenticated user to execute arbitrary OS commands on a certain management console.
CVE-2023-32626 | | | 2024-10-08 | N/A | 9.8 CRITICAL | Hidden functionality vulnerability in LAN-W300N/RS all versions, and LAN-W300N/PR5 all versions, allows an unauthenticated attacker to log in to a certain management console of the product and execute arbitrary OS commands.
CVE-2015-9298 | 1 Pixelite | 1 Events Manager | 2024-10-08 | 7.5 HIGH | 9.8 CRITICAL | The events-manager plugin before 5.6 for WordPress has code injection.
CVE-2023-40313 | | | 2024-10-08 | N/A | 8.8 HIGH | A BeanShell interpreter in remote server mode runs in OpenNMS Horizon versions earlier than 32.0.2 and in related Meridian versions, which could allow arbitrary remote Java code execution. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.
CVE-2024-22188 | | | 2024-10-07 | N/A | 7.2 HIGH | TYPO3 before 13.0.1 allows an authenticated admin user (with system maintainer privileges) to execute arbitrary shell commands (with the privileges of the web server) via a command injection vulnerability in form fields of the Install Tool. The fixed versions are 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, and 13.0.1.
CVE-2023-39660 | | | 2024-10-07 | N/A | 9.8 CRITICAL | An issue in Gabriele Venturi pandasai v.0.8.0 and before allows a remote attacker to execute arbitrary code via a crafted request to the prompt function.
CVE-2023-31447 | | | 2024-10-07 | N/A | 9.8 CRITICAL | user_login.cgi on DrayTek Vigor2620 devices before 3.9.8.4 (and on all versions of Vigor2925 devices) allows attackers to send a crafted payload to modify the content of the code segment, insert shellcode, and execute arbitrary code.