Total
5346 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-5661 | 1 Carmelo | 1 Traffic Offense Reporting System | 2025-11-13 | 3.3 LOW | 2.4 LOW |
| A vulnerability, which was classified as problematic, was found in code-projects Traffic Offense Reporting System 1.0. This affects an unknown part of the file /save-settings.php of the component Setting Handler. The manipulation of the argument site_name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-62959 | 2025-11-13 | N/A | 9.1 CRITICAL | ||
| Improper Control of Generation of Code ('Code Injection') vulnerability in videowhisper Paid Videochat Turnkey Site ppv-live-webcams allows Remote Code Inclusion.This issue affects Paid Videochat Turnkey Site: from n/a through <= 7.3.22. | |||||
| CVE-2025-62023 | 2025-11-13 | N/A | 9.8 CRITICAL | ||
| Improper Control of Generation of Code ('Code Injection') vulnerability in Cristián Lávaque s2Member s2member.This issue affects s2Member: from n/a through <= 250905. | |||||
| CVE-2025-60206 | 2025-11-13 | N/A | 10.0 CRITICAL | ||
| Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone alone allows Code Injection.This issue affects Alone: from n/a through <= 7.8.3. | |||||
| CVE-2025-52756 | 2025-11-13 | N/A | 7.4 HIGH | ||
| Improper Control of Generation of Code ('Code Injection') vulnerability in Sayan Datta WP Last Modified Info wp-last-modified-info allows Remote Code Inclusion.This issue affects WP Last Modified Info: from n/a through <= 1.9.2. | |||||
| CVE-2025-49926 | 2025-11-13 | N/A | 7.3 HIGH | ||
| Improper Control of Generation of Code ('Code Injection') vulnerability in Laborator Kalium kalium allows Code Injection.This issue affects Kalium: from n/a through <= 3.25. | |||||
| CVE-2025-49372 | 2025-11-13 | N/A | 10.0 CRITICAL | ||
| Improper Control of Generation of Code ('Code Injection') vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Remote Code Inclusion.This issue affects HAPPY: from n/a through <= 1.0.7. | |||||
| CVE-2025-47588 | 2025-11-13 | N/A | 9.8 CRITICAL | ||
| Improper Control of Generation of Code ('Code Injection') vulnerability in acowebs Dynamic Pricing With Discount Rules for WooCommerce aco-woo-dynamic-pricing allows Code Injection.This issue affects Dynamic Pricing With Discount Rules for WooCommerce: from n/a through <= 4.5.9. | |||||
| CVE-2025-32222 | 2025-11-13 | N/A | 9.8 CRITICAL | ||
| Improper Control of Generation of Code ('Code Injection') vulnerability in Widgetlogic.org Widget Logic widget-logic allows Code Injection.This issue affects Widget Logic: from n/a through <= 6.0.5. | |||||
| CVE-2024-12729 | 1 Sophos | 2 Firewall, Firewall Firmware | 2025-11-12 | N/A | 8.8 HIGH |
| A post-auth code injection vulnerability in the User Portal allows authenticated users to execute code remotely in Sophos Firewall older than version 21.0 MR1 (21.0.1). | |||||
| CVE-2025-42895 | 2025-11-12 | N/A | 6.9 MEDIUM | ||
| Due to insufficient validation of connection property values, the SAP HANA JDBC Client allows a high-privilege locally authenticated user to supply crafted parameters that lead to unauthorized code loading, resulting in low impact on confidentiality and integrity and high impact on availability of the application. | |||||
| CVE-2025-9334 | 2025-11-12 | N/A | 8.8 HIGH | ||
| The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Limited Code Injection in all versions up to, and including, 1.7.7. This is due to insufficient input validation and restriction on the 'rtafar_ajax' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to call arbitrary plugin functions and execute code within those functions. | |||||
| CVE-2025-42887 | 2025-11-12 | N/A | 9.9 CRITICAL | ||
| Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could provide the attacker with full control of the system hence leading to high impact on confidentiality, integrity and availability of the system. | |||||
| CVE-2025-23357 | 2025-11-12 | N/A | 7.8 HIGH | ||
| NVIDIA Megatron-LM for all platforms contains a vulnerability in a script, where malicious data created by an attacker may cause a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, data tampering. | |||||
| CVE-2025-12637 | 2025-11-12 | N/A | 8.8 HIGH | ||
| The Elastic Theme Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a dynamic code generation feature in the process_theme function in all versions up to, and including, 0.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-12813 | 2025-11-12 | N/A | 9.8 CRITICAL | ||
| The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the 'contents' parameter. This is due to a lack of sanitization of user-supplied data when creating a cache file. This makes it possible for unauthenticated attackers to execute code on the server. | |||||
| CVE-2025-46818 | 1 Redis | 1 Redis | 2025-11-12 | N/A | 6.0 MEDIUM |
| Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with LUA scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing LUA scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families. | |||||
| CVE-2025-3115 | 1 Tibco | 6 Spotfire Analyst, Spotfire Analytics Platform, Spotfire Deployment Kit and 3 more | 2025-11-11 | N/A | 9.8 CRITICAL |
| Injection Vulnerabilities: Attackers can inject malicious code, potentially gaining control over the system executing these functions. Additionally, insufficient validation of filenames during file uploads can enable attackers to upload and execute malicious files, leading to arbitrary code execution | |||||
| CVE-2025-48984 | 1 Veeam | 1 Veeam Backup \& Replication | 2025-11-11 | N/A | 8.8 HIGH |
| A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user. | |||||
| CVE-2025-5407 | 1 Chaitak-gorai | 1 Blogbook | 2025-11-10 | 3.3 LOW | 2.4 LOW |
| A vulnerability has been found in chaitak-gorai Blogbook up to 92f5cf90f8a7e6566b576fe0952e14e1c6736513 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /register_script.php. The manipulation of the argument fullname leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. It is recommended to upgrade the affected component. The vendor was contacted early about this disclosure but did not respond in any way. | |||||