Vulnerabilities (CVE)

Filtered by CWE-94
Total 6425 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2009-3890 1 Wordpress 1 Wordpress 2026-06-16 6.0 MEDIUM N/A
Unrestricted file upload vulnerability in the wp_check_filetype function in wp-includes/functions.php in WordPress before 2.8.6, when a certain configuration of the mod_mime module in the Apache HTTP Server is enabled, allows remote authenticated users to execute arbitrary code by posting an attachment with a multiple-extension filename, and then accessing this attachment via a direct request to a wp-content/uploads/ pathname, as demonstrated by a .php.jpg filename.
CVE-2009-3865 1 Sun 2 Jdk, Jre 2026-06-16 9.3 HIGH N/A
The launch method in the Deployment Toolkit plugin in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 6 before Update 17 allows remote attackers to execute arbitrary commands via a crafted web page, aka Bug Id 6869752.
CVE-2009-3850 1 Blender 1 Blender 2026-06-16 9.3 HIGH N/A
Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execute arbitrary code via a .blend file that contains Python statements in the onLoad action of a ScriptLink SDNA.
CVE-2009-3822 2 Fijiwebdesign, Joomla 2 Com Ajaxchat, Joomla\! 2026-06-16 7.5 HIGH N/A
PHP remote file inclusion vulnerability in Fiji Web Design Ajax Chat (com_ajaxchat) component 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[mosConfig_absolute_path] parameter to tests/ajcuser.php.
CVE-2009-3817 2 Joomla, Ordasoft 2 Joomla\!, Com Booklibrary 2026-06-16 7.5 HIGH N/A
PHP remote file inclusion vulnerability in doc/releasenote.php in the BookLibrary (com_booklibrary) component 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter, a different vector than CVE-2009-2637. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2009-3814 1 Runcms 1 Runcms 2026-06-16 6.5 MEDIUM N/A
Static code injection vulnerability in RunCMS 2M1 allows remote authenticated administrators to execute arbitrary PHP code via the "Filter/Banning" feature, as demonstrated by modifying modules/system/cache/bademails.php using the "Prohibited: Emails" action, and other unspecified filters.
CVE-2009-3796 1 Adobe 2 Adobe Air, Flash Player 2026-06-16 9.3 HIGH N/A
Adobe Flash Player before 10.0.42.34 and Adobe AIR before 1.5.3 might allow attackers to execute arbitrary code via unspecified vectors, related to a "data injection vulnerability."
CVE-2009-3760 1 Citrix 1 Xencenterweb 2026-06-16 7.5 HIGH N/A
Static code injection vulnerability in config/writeconfig.php in the sample code in the XenServer Resource Kit in Citrix XenCenterWeb allows remote attackers to inject arbitrary PHP code into include/config.ini.php via the pool1 parameter. NOTE: some of these details are obtained from third party information.
CVE-2009-3737 2 Microsoft, Oracle 2 Internet Explorer, Siebel Option Pack Ie Activex Control 2026-06-16 9.3 HIGH N/A
The Oracle Siebel Option Pack for IE ActiveX control does not properly initialize memory that is used by the NewBusObj method, which allows remote attackers to execute arbitrary code via a crafted HTML document.
CVE-2009-3735 1 Panda 1 Panda Activescan 2026-06-16 9.3 HIGH N/A
The ActiveScan Installer ActiveX control in as2stubie.dll before 1.3.3.0 in PandaActiveScan Installer 2.0 in Panda ActiveScan downloads software in an as2guiie.cab archive located at an arbitrary URL, and does not verify the archive's digital signature before installation, which allows remote attackers to execute arbitrary code via a URL argument to an unspecified method.
CVE-2009-3705 1 Achievo 1 Achievo 2026-06-16 7.5 HIGH N/A
PHP remote file inclusion vulnerability in debugger.php in Achievo before 1.4.0 allows remote attackers to execute arbitrary PHP code via a URL in the config_atkroot parameter.
CVE-2009-3677 1 Microsoft 5 Windows 2000, Windows Server 2003, Windows Server 2008 and 2 more 2026-06-16 10.0 HIGH N/A
The Internet Authentication Service (IAS) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold and SP1, and Server 2008 Gold does not properly verify the credentials in an MS-CHAP v2 Protected Extensible Authentication Protocol (PEAP) authentication request, which allows remote attackers to access network resources via a malformed request, aka "MS-CHAP Authentication Bypass Vulnerability."
CVE-2009-3673 1 Microsoft 7 Internet Explorer, Windows 2000, Windows 7 and 4 more 2026-06-16 9.3 HIGH N/A
Microsoft Internet Explorer 7 and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability."
CVE-2009-3672 1 Microsoft 6 Internet Explorer, Windows 2000, Windows Server 2003 and 3 more 2026-06-16 9.3 HIGH N/A
Microsoft Internet Explorer 6 and 7 does not properly handle objects in memory that (1) were not properly initialized or (2) are deleted, which allows remote attackers to execute arbitrary code via vectors involving a call to the getElementsByTagName method for the STYLE tag name, selection of the single element in the returned list, and a change to the outerHTML property of this element, related to Cascading Style Sheets (CSS) and mshtml.dll, aka "HTML Object Memory Corruption Vulnerability." NOTE: some of these details are obtained from third party information. NOTE: this issue was originally assigned CVE-2009-4054, but Microsoft assigned a duplicate identifier of CVE-2009-3672. CVE consumers should use this identifier instead of CVE-2009-4054.
CVE-2009-3660 1 Efrontlearning 1 Efront 2026-06-16 6.8 MEDIUM N/A
PHP remote file inclusion vulnerability in libraries/database.php in Efront 3.5.4 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the path parameter. NOTE: this is only a vulnerability when the administrator does not follow recommendations in the product's security documentation.
CVE-2009-3631 1 Typo3 1 Typo3 2026-06-16 8.5 HIGH N/A
The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2, when the DAM extension or ftp upload is enabled, allows remote authenticated users to execute arbitrary commands via shell metacharacters in a filename.
CVE-2009-3578 1 Autodesk 2 Alias Wavefront Maya, Autodesk Maya 2026-06-16 9.3 HIGH N/A
Autodesk Maya 8.0, 8.5, 2008, 2009, and 2010 and Alias Wavefront Maya 6.5 and 7.0 allow remote attackers to execute arbitrary code via a (1) .ma or (2) .mb file that uses the Maya Embedded Language (MEL) python command or unspecified other MEL commands, related to "Script Nodes."
CVE-2009-3577 1 Autodesk 1 3ds Max 2026-06-16 9.3 HIGH N/A
Autodesk 3D Studio Max (3DSMax) 6 through 9 and 2008 through 2010 allows remote attackers to execute arbitrary code via a .max file with a MAXScript statement that calls the DOSCommand method, related to "application callbacks."
CVE-2009-3576 1 Autodesk 2 Autodesk Softimage, Autodesk Softimage Xsi 2026-06-16 9.3 HIGH N/A
Autodesk Softimage 7.x and Softimage XSI 6.x allow remote attackers to execute arbitrary JavaScript code via a scene package containing a Scene Table of Contents (aka .scntoc) file with a Script_Content element, as demonstrated by code that loads the WScript.Shell ActiveX control.
CVE-2009-3541 1 Phpgenealogy 1 Phpgenealogy 2026-06-16 7.5 HIGH N/A
PHP remote file inclusion vulnerability in CoupleDB.php in PHPGenealogy 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the DataDirectory parameter.