Total
4632 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-54724 | 2025-01-21 | N/A | 9.8 CRITICAL | ||
| PHPYun before 7.0.2 is vulnerable to code execution through backdoor-restricted arbitrary file writing and file inclusion. | |||||
| CVE-2025-0581 | 2025-01-20 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability classified as problematic has been found in CampCodes School Management Software 1.0. This affects an unknown part of the file /chat/group/send of the component Chat History. The manipulation of the argument message leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-0578 | 2025-01-20 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability was found in Facile Sistemas Cloud Apps up to 20250107. It has been classified as problematic. Affected is an unknown function of the file /account/forgotpassword of the component Password Reset Handler. The manipulation of the argument reterros leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-0576 | 2025-01-20 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability was found in Mobotix M15 4.3.4.83 and classified as problematic. This issue affects some unknown processing of the file /control/player?center&eventlist&pda&dummy_for_reload=1736177631&p_evt. The manipulation of the argument p_qual leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-0917 | 1 Paddlepaddle | 1 Paddlepaddle | 2025-01-19 | N/A | 9.8 CRITICAL |
| remote code execution in paddlepaddle/paddle 2.6.0 | |||||
| CVE-2025-0557 | 2025-01-18 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability classified as problematic has been found in Hyland Alfresco Community Edition and Alfresco Enterprise Edition up to 6.2.2. This affects an unknown part of the file /share/s/ of the component URL Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.0 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2023-25953 | 1 Worksmobile | 1 Drive Explorer | 2025-01-17 | N/A | 9.8 CRITICAL |
| Code injection vulnerability in Drive Explorer for macOS versions 3.5.4 and earlier allows an attacker who can login to the client where the affected product is installed to inject arbitrary code while processing the product execution. Since a full disk access privilege is required to execute LINE WORKS Drive Explorer, the attacker may be able to read and/or write to arbitrary files without the access privileges. | |||||
| CVE-2023-47542 | 1 Fortinet | 1 Fortimanager | 2025-01-17 | N/A | 6.7 MEDIUM |
| A improper neutralization of special elements used in a template engine [CWE-1336] in FortiManager versions 7.4.1 and below, versions 7.2.4 and below, and 7.0.10 and below allows attacker to execute unauthorized code or commands via specially crafted templates. | |||||
| CVE-2023-45590 | 1 Fortinet | 1 Forticlient | 2025-01-17 | N/A | 9.6 CRITICAL |
| An improper control of generation of code ('code injection') in Fortinet FortiClientLinux version 7.2.0, 7.0.6 through 7.0.10 and 7.0.3 through 7.0.4 allows attacker to execute unauthorized code or commands via tricking a FortiClientLinux user into visiting a malicious website | |||||
| CVE-2025-0530 | 2025-01-17 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability has been found in code-projects Job Recruitment 1.0 and classified as problematic. This vulnerability affects unknown code of the file /_parse/_feedback_system.php. The manipulation of the argument type leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-29991 | 1 Microsoft | 1 Edge Chromium | 2025-01-17 | N/A | 5.0 MEDIUM |
| Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | |||||
| CVE-2024-4202 | 1 Progress | 1 Telerik Reporting | 2025-01-16 | N/A | 7.7 HIGH |
| In Progress® Telerik® Reporting versions prior to 2024 Q2 (18.1.24.514), a code execution attack is possible through an insecure instantiation vulnerability. | |||||
| CVE-2023-30145 | 1 Tuzitio | 1 Camaleon Cms | 2025-01-16 | N/A | 9.8 CRITICAL |
| Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the formats parameter. | |||||
| CVE-2024-10970 | 2025-01-16 | N/A | 5.4 MEDIUM | ||
| The The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.43. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes. | |||||
| CVE-2025-0485 | 2025-01-15 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability was found in Fanli2012 native-php-cms 1.0. It has been classified as problematic. Affected is an unknown function of the file /fladmin/sysconfig_doedit.php. The manipulation of the argument info leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-23061 | 2025-01-15 | N/A | 9.0 CRITICAL | ||
| Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900. | |||||
| CVE-2023-33440 | 1 Faculty Evaluation System Project | 1 Faculty Evaluation System | 2025-01-14 | N/A | 7.2 HIGH |
| Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitrary code execution via /eval/ajax.php?action=save_user. | |||||
| CVE-2024-49375 | 2025-01-14 | N/A | 9.0 CRITICAL | ||
| Open source machine learning framework. A vulnerability has been identified in Rasa that enables an attacker who has the ability to load a maliciously crafted model remotely into a Rasa instance to achieve Remote Code Execution. The prerequisites for this are: 1. The HTTP API must be enabled on the Rasa instance eg with `--enable-api`. This is not the default configuration. 2. For unauthenticated RCE to be exploitable, the user must not have configured any authentication or other security controls recommended in our documentation. 3. For authenticated RCE, the attacker must posses a valid authentication token or JWT to interact with the Rasa API. This issue has been addressed in rasa version 3.6.21 and all users are advised to upgrade. Users unable to upgrade should ensure that they require authentication and that only trusted users are given access. | |||||
| CVE-2024-21541 | 1 Matthewmueller | 1 Dom-iterator | 2025-01-14 | N/A | 7.3 HIGH |
| Versions of the package dom-iterator before 1.0.1 are vulnerable to Arbitrary Code Execution due to use of the Function constructor without complete input sanitization. Function generates a new function body and thus care must be given to ensure that the inputs to Function are not attacker-controlled. The risks involved are similar to that of allowing attacker-controlled input to reach eval. | |||||
| CVE-2025-0458 | 2025-01-14 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability classified as problematic was found in Virtual Computer Vysual RH Solution 2024.12.1. Affected by this vulnerability is an unknown functionality of the file /index.php of the component Login Panel. The manipulation of the argument page leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||