Total
5219 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-8644 | 1 Playsms | 1 Playsms | 2025-10-22 | 7.5 HIGH | 9.8 CRITICAL |
| PlaySMS before 1.4.3 does not sanitize inputs from a malicious string. | |||||
| CVE-2019-9082 | 3 Opensourcebms, Thinkphp, Zzzcms | 3 Open Source Background Management System, Thinkphp, Zzzphp | 2025-10-22 | 9.3 HIGH | 8.8 HIGH |
| ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command. | |||||
| CVE-2019-7609 | 2 Elastic, Redhat | 2 Kibana, Openshift Container Platform | 2025-10-22 | 10.0 HIGH | 10.0 CRITICAL |
| Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. | |||||
| CVE-2019-16759 | 1 Vbulletin | 1 Vbulletin | 2025-10-22 | 7.5 HIGH | 9.8 CRITICAL |
| vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request. | |||||
| CVE-2018-7602 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2025-10-22 | 7.5 HIGH | 9.8 CRITICAL |
| A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild. | |||||
| CVE-2018-14667 | 1 Redhat | 2 Enterprise Linux, Richfaces | 2025-10-22 | 7.5 HIGH | 9.8 CRITICAL |
| The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects via org.ajax4jsf.resource.UserResource$UriData. | |||||
| CVE-2017-9841 | 2 Oracle, Phpunit Project | 2 Communications Diameter Signaling Router, Phpunit | 2025-10-22 | 7.5 HIGH | 9.8 CRITICAL |
| Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI. | |||||
| CVE-2017-9822 | 1 Dnnsoftware | 1 Dotnetnuke | 2025-10-22 | 6.5 MEDIUM | 8.8 HIGH |
| DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites." | |||||
| CVE-2017-8759 | 1 Microsoft | 11 .net Framework, Windows 10 1507, Windows 10 1511 and 8 more | 2025-10-22 | 9.3 HIGH | 7.8 HIGH |
| Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to execute code remotely via a malicious document or application, aka ".NET Framework Remote Code Execution Vulnerability." | |||||
| CVE-2017-7494 | 2 Debian, Samba | 2 Debian Linux, Samba | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
| Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. | |||||
| CVE-2024-4040 | 1 Crushftp | 1 Crushftp | 2025-10-21 | N/A | 9.8 CRITICAL |
| A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server. | |||||
| CVE-2025-11851 | 2025-10-21 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability has been found in Apeman ID71 EN75.8.53.20. The affected element is an unknown function of the file /set_alias.cgi. Such manipulation of the argument alias leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-57567 | 2025-10-21 | N/A | 9.1 CRITICAL | ||
| A remote code execution (RCE) vulnerability exists in the PluXml CMS theme editor, specifically in the minify.php file located under the default theme directory (/themes/defaut/css/minify.php). An authenticated administrator user can overwrite this file with arbitrary PHP code via the admin panel, enabling execution of system commands. | |||||
| CVE-2025-11945 | 2025-10-21 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability was identified in toeverything AFFiNE up to 0.24.1. This vulnerability affects unknown code of the component Avatar Upload Image Endpoint. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-62429 | 2025-10-21 | N/A | 7.2 HIGH | ||
| ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.2 #147, ClipBucket v5 is vulnerable to arbitrary PHP code execution. In /upload/admin_area/actions/update_launch.php, the "type" parameter from a POST request is embedded into PHP tags and executed. Proper sanitization is not performed, and by injecting malicious code an attacker can execute arbitrary PHP code. This allows an attacker to achieve RCE. This issue has been resolved in version 5.5.2 #147. | |||||
| CVE-2025-11946 | 2025-10-21 | 4.0 MEDIUM | 3.5 LOW | ||
| A security flaw has been discovered in LogicalDOC Community Edition up to 9.2.1. This issue affects some unknown processing of the file /frontend.jsp of the component Add Contact Page. Performing manipulation of the argument First Name/Last Name/Company/Address/Phone/Mobile results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-61488 | 2025-10-21 | N/A | 7.6 HIGH | ||
| An issue in Senayan Library Management System (SLiMS) 9 Bulian v.9.6.1 allows a remote attacker to execute arbitrary code via the scrap_image.php component and the imageURL parameter | |||||
| CVE-2024-45201 | 1 Llamaindex | 1 Llamaindex | 2025-10-21 | N/A | 8.8 HIGH |
| An issue was discovered in llama_index before 0.10.38. download/integration.py includes an exec call for import {cls_name}. | |||||
| CVE-2025-1742 | 1 Pihome | 1 Maxair | 2025-10-21 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in pihome-shc PiHome 2.0. Affected by this issue is some unknown functionality of the file /home.php. The manipulation of the argument page_name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-4181 | 1 Llamaindex | 1 Llamaindex | 2025-10-21 | N/A | 8.8 HIGH |
| A command injection vulnerability exists in the RunGptLLM class of the llama_index library, version 0.9.47, used by the RunGpt framework from JinaAI to connect to Language Learning Models (LLMs). The vulnerability arises from the improper use of the eval function, allowing a malicious or compromised LLM hosting provider to execute arbitrary commands on the client's machine. This issue was fixed in version 0.10.13. The exploitation of this vulnerability could lead to a hosting provider gaining full control over client machines. | |||||