Total: 4475 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2019-0193 | 2 Apache, Debian | 2 Solr, Debian Linux | 2025-03-21 | 9.0 HIGH | 7.2 HIGH | In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true. |
CVE-2024-11740 | 1 W3eden | 1 Download Manager | 2025-03-21 | N/A | 7.3 HIGH | The Download Manager plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.3.03. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. |
CVE-2023-0788 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-03-21 | N/A | 8.1 HIGH | Code Injection in GitHub repository thorsten/phpmyfaq prior to 3.1.11. |
CVE-2024-52393 | 1 Podlove | 1 Podlove Podcast Publisher | 2025-03-21 | N/A | 9.1 CRITICAL | Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Podlove Podlove Podcast Publisher. This issue affects Podlove Podcast Publisher: from n/a through 4.1.15. |
CVE-2025-29807 | | | 2025-03-21 | N/A | 8.7 HIGH | Deserialization of untrusted data in Microsoft Dataverse allows an authorized attacker to execute code over a network. |
CVE-2024-32680 | 1 Pluginus | 1 Husky - Products Filter Professional For Woocommerce | 2025-03-20 | N/A | 8.8 HIGH | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Control of Generation of Code ('Code Injection') vulnerability in PluginUS HUSKY – Products Filter for WooCommerce (formerly WOOF) allows Using Malicious Files, Code Inclusion. This issue affects HUSKY – Products Filter for WooCommerce (formerly WOOF): from n/a through 1.3.5.2. |
CVE-2024-42936 | | | 2025-03-20 | N/A | 9.8 CRITICAL | The mqlink.elf service component in Ruijie RG-EW300N with firmware ReyeeOS 1.300.1422 is vulnerable to Remote Code Execution via a modified MQTT broker message. |
CVE-2024-24421 | | | 2025-03-20 | N/A | 9.8 CRITICAL | A type confusion in the nas_message_decode function of Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via a crafted NAS packet. |
CVE-2024-9439 | | | 2025-03-20 | N/A | 8.8 HIGH | SuperAGI is vulnerable to remote code execution in the latest version. The `agent template update` API allows attackers to control certain parameters, which are then fed to the eval function without any sanitization or checks in place. This vulnerability can lead to full system compromise. |
CVE-2024-8581 | | | 2025-03-20 | N/A | 9.1 CRITICAL | A vulnerability in the `upload_app` function of parisneo/lollms-webui V12 (Strawberry) allows an attacker to delete any file or directory on the system. The function does not filter the user-supplied `filename` value, resulting in a path traversal. |
CVE-2024-6982 | | | 2025-03-20 | N/A | 8.4 HIGH | A remote code execution vulnerability exists in the Calculate function of parisneo/lollms version 9.8. The vulnerability arises from the use of Python's `eval()` function to evaluate mathematical expressions within a Python sandbox that disables `__builtins__` and only allows functions from the `math` module. This sandbox can be bypassed by loading the `os` module using the `_frozen_importlib.BuiltinImporter` class, allowing an attacker to execute arbitrary commands on the server. The issue is fixed in version 9.10. |
CVE-2024-10950 | | | 2025-03-20 | N/A | 8.8 HIGH | In binary-husky/gpt_academic version <= 3.83, the plugin `CodeInterpreter` is vulnerable to code injection caused by prompt injection. The root cause is the execution of user-provided prompts that generate untrusted code without a sandbox, allowing the execution of parts of the LLM-generated code. This vulnerability can be exploited by an attacker to achieve remote code execution (RCE) on the application backend server, potentially gaining full control of the server. |
CVE-2024-10252 | | | 2025-03-20 | N/A | 8.8 HIGH | A vulnerability in langgenius/dify versions <=v0.9.1 allows for code injection via internal SSRF requests in the Dify sandbox service. This vulnerability enables an attacker to execute arbitrary Python code with root privileges within the sandbox environment, potentially leading to the deletion of the entire sandbox service and causing irreversible damage. |
CVE-2025-26260 | | | 2025-03-19 | N/A | 8.8 HIGH | Plenti <= 0.7.16 is vulnerable to code execution. Users uploading '.svelte' files via the /postLocal endpoint can set the file name to JavaScript code. The server executes the uploaded file name on the host, resulting in code execution. |
CVE-2023-22855 | 1 Kardex | 1 Kardex Control Center | 2025-03-19 | N/A | 9.8 CRITICAL | Kardex Mlog MCC 5.7.12+0-a203c2a213-master allows remote code execution. It spawns a web interface listening on port 8088. A user-controllable path is handed to a path-concatenation method (Path.Combine from .NET) without proper sanitisation. This yields the possibility of including local files, as well as remote files on SMB shares. If one provides a file with the extension .t4, it is rendered with the .NET templating engine mono/t4, which can execute code. |
CVE-2024-39864 | 1 Apache | 1 Cloudstack | 2025-03-19 | N/A | 9.8 CRITICAL | The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via the integration.api.port global setting) for internal portal integrations and for testing purposes. By default, the integration API service port is disabled, and it is considered disabled when integration.api.port is set to 0 or negative. Due to improper initialisation logic, the integration API service would listen on a random port when its port value is set to 0 (the default value). An attacker that can access the CloudStack management network could scan and find the randomised integration API service port and exploit it to perform unauthorised administrative actions and remote code execution on CloudStack managed hosts, resulting in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure. Users are recommended to restrict the network access on the CloudStack management server hosts to only essential ports. Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which addresses this issue. |
CVE-2025-26264 | | | 2025-03-19 | N/A | 8.8 HIGH | GeoVision GV-ASWeb version 6.1.2.0 or earlier (fixed in 6.2.0) contains a Remote Code Execution (RCE) vulnerability within its Notification Settings feature. An authenticated attacker with "System Settings" privileges in ASWeb can exploit this flaw to execute arbitrary commands on the server, leading to a full system compromise. |
CVE-2025-24159 | 1 Apple | 6 Ipados, Iphone Os, Macos and 3 more | 2025-03-19 | N/A | 7.8 HIGH | A validation issue was addressed with improved logic. This issue is fixed in iPadOS 17.7.4, macOS Sonoma 14.7.3, visionOS 2.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3. An app may be able to execute arbitrary code with kernel privileges. |
CVE-2024-41623 | 1 D3dsecurity | 2 D8801, D8801 Firmware | 2025-03-18 | N/A | 9.8 CRITICAL | An issue in D3D Security D3D IP Camera (D8801) v.V9.1.17.1.4-20180428 allows a local attacker to execute arbitrary code via a crafted payload. |
CVE-2021-33949 | 1 Wms Project | 1 Wms | 2025-03-18 | N/A | 9.8 CRITICAL | An issue in FeMiner WMS v1.1 allows attackers to execute arbitrary code via the filename parameter and the exec function. |