Total
5229 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-8356 | 1 Xerox | 1 Freeflow Core | 2025-08-18 | N/A | 9.8 CRITICAL |
| In Xerox FreeFlow Core version 8.0.4, an attacker can exploit a Path Traversal vulnerability to access unauthorized files on the server. This can lead to Remote Code Execution (RCE), allowing the attacker to run arbitrary commands on the system. | |||||
| CVE-2025-8976 | 1 Vvveb | 1 Vvveb | 2025-08-18 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability has been found in givanz Vvveb up to 1.0.5. This vulnerability affects unknown code of the file /vadmin123/index.php?module=content/post&type=post of the component Endpoint. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.6 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2025-8975 | 1 Vvveb | 1 Vvveb | 2025-08-18 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was identified in givanz Vvveb up to 1.0.5. This affects an unknown part of the file admin/template/content/edit.tpl. The manipulation of the argument slug leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.6 is able to address this issue. The patch is named 84c11d69df8452dc378feecd17e2a62ac10dac66. It is recommended to upgrade the affected component. | |||||
| CVE-2025-8905 | 2025-08-15 | N/A | 6.3 MEDIUM | ||
| The Inpersttion For Theme plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0 via the theme_section_shortcode() function. This is due to the plugin not restricting what functions can be called. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server which is limited to arbitrary functions without any user supplied parameters. | |||||
| CVE-2025-50692 | 1 Foxcms | 1 Foxcms | 2025-08-14 | N/A | 9.8 CRITICAL |
| FoxCMS <=v1.2.5 is vulnerable to Code Execution in admin/template_file/editFile.html. | |||||
| CVE-2011-10018 | 1 Mybb | 1 Mybb | 2025-08-14 | N/A | 9.8 CRITICAL |
| myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This vulnerability was introduced during packaging and was not part of the intended application logic. Exploitation requires no authentication and results in full compromise of the web server under the context of the web application. | |||||
| CVE-2025-55346 | 2025-08-14 | N/A | 9.8 CRITICAL | ||
| User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request. | |||||
| CVE-2025-50706 | 1 Thinkphp | 1 Thinkphp | 2025-08-14 | N/A | 9.8 CRITICAL |
| An issue in thinkphp v.5.1 allows a remote attacker to execute arbitrary code via the routecheck function | |||||
| CVE-2025-50707 | 1 Thinkphp | 1 Thinkphp | 2025-08-14 | N/A | 9.8 CRITICAL |
| An issue in thinkphp3 v.3.2.5 allows a remote attacker to execute arbitrary code via the index.php component | |||||
| CVE-2011-10011 | 2025-08-14 | N/A | N/A | ||
| WeBid 1.0.2 contains a remote code injection vulnerability in the converter.php script, where unsanitized input in the to parameter of a POST request is written directly into includes/currencies.php. This allows unauthenticated attackers to inject arbitrary PHP code, resulting in persistent remote code execution when the modified script is accessed or included by the application. | |||||
| CVE-2025-52385 | 2025-08-14 | N/A | 9.8 CRITICAL | ||
| An issue in Studio 3T v.2025.1.0 and before allows a remote attacker to execute arbitrary code via a crafted payload to the child_process module | |||||
| CVE-2025-23296 | 2025-08-14 | N/A | 7.8 HIGH | ||
| NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component where an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | |||||
| CVE-2025-23298 | 2025-08-14 | N/A | 7.8 HIGH | ||
| NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability in a python dependency, where an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | |||||
| CVE-2011-10013 | 2025-08-14 | N/A | N/A | ||
| Traq versions 2.0 through 2.3 contain a remote code execution vulnerability in the admincp/common.php script. The flawed authorization logic fails to halt execution after a failed access check, allowing unauthenticated users to reach admin-only functionality. This can be exploited via plugins.php to inject and execute arbitrary PHP code. | |||||
| CVE-2025-39483 | 2025-08-14 | N/A | 6.5 MEDIUM | ||
| Improper Control of Generation of Code ('Code Injection') vulnerability in imithemes Eventer allows Code Injection. This issue affects Eventer: from n/a through 3.9.6. | |||||
| CVE-2025-49887 | 2025-08-14 | N/A | 9.9 CRITICAL | ||
| Improper Control of Generation of Code ('Code Injection') vulnerability in WPFactory Product XML Feed Manager for WooCommerce allows Remote Code Inclusion. This issue affects Product XML Feed Manager for WooCommerce: from n/a through 2.9.3. | |||||
| CVE-2025-8918 | 1 Portabilis | 1 I-educar | 2025-08-14 | 3.3 LOW | 2.4 LOW |
| A vulnerability was found in Portabilis i-Educar up to 2.10. This issue affects some unknown processing of the file /intranet/educar_instituicao_cad.php of the component Editar Page. The manipulation of the argument neighborhood name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-4056 | 2 Gnome, Microsoft | 2 Glib, Windows | 2025-08-13 | N/A | 3.7 LOW |
| A flaw was found in GLib. A denial of service on Windows platforms may occur if an application attempts to spawn a program using long command lines. | |||||
| CVE-2025-54997 | 1 Openbao | 1 Openbao | 2025-08-13 | N/A | 9.1 CRITICAL |
| OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit privileged API operators from executing system code or making network connections. However, these operators can bypass both restrictions through the audit subsystem by manipulating log prefixes. This allows unauthorized code execution and network access that violates the intended security model. This issue is fixed in version 2.3.2. To workaround, users can block access to sys/audit/* endpoints using explicit deny policies, but root operators cannot be restricted this way. | |||||
| CVE-2025-6000 | 1 Hashicorp | 1 Vault | 2025-08-13 | N/A | 9.1 CRITICAL |
| A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23. | |||||