Vulnerabilities (CVE)

Filtered by CWE-94
Total 4615 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-9807 1 Openwebif Project 1 Openwebif 2025-04-20 10.0 HIGH 9.8 CRITICAL
An issue was discovered in the OpenWebif plugin through 1.2.4 for E2 open devices. The saveConfig function of "plugin/controllers/models/config.py" performs an eval() call on the contents of the "key" HTTP GET parameter. This allows an unauthenticated remote attacker to execute arbitrary Python code or OS commands via api/saveconfig.
CVE-2017-11421 1 Gnome-exe-thumbnailer Project 1 Gnome-exe-thumbnailer 2025-04-20 4.6 MEDIUM 7.8 HIGH
gnome-exe-thumbnailer before 0.9.5 is prone to a VBScript Injection when generating thumbnails for MSI files, aka the "Bad Taste" issue. There is a local attack if the victim uses the GNOME Files file manager, and navigates to a directory containing a .msi file with VBScript code in its filename.
CVE-2017-14146 1 Helpdezk 1 Helpdezk 2025-04-20 6.5 MEDIUM 8.8 HIGH
HelpDEZk 1.1.1 allows remote authenticated users to execute arbitrary PHP code by uploading a .php attachment and then requesting it in the helpdezk\app\uploads\helpdezk\attachments\ directory.
CVE-2016-5713 1 Puppet 1 Puppet Agent 2025-04-20 7.5 HIGH 9.8 CRITICAL
Versions of Puppet Agent prior to 1.6.0 included a version of the Puppet Execution Protocol (PXP) agent that passed environment variables through to Puppet runs. This could allow unauthorized code to be loaded. This bug was first introduced in Puppet Agent 1.3.0.
CVE-2017-1001002 1 Mathjs 1 Math.js 2025-04-20 7.5 HIGH 9.8 CRITICAL
math.js before 3.17.0 had an arbitrary code execution in the JavaScript engine. Creating a typed function with JavaScript code in the name could result arbitrary execution.
CVE-2017-10844 1 Basercms 1 Basercms 2025-04-20 6.5 MEDIUM 8.8 HIGH
baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows an attacker to execute arbitrary PHP code on the server via unspecified vectors.
CVE-2016-5072 1 Oxidforge 1 Oxid Eshop 2025-04-20 6.5 MEDIUM 8.8 HIGH
OXID eShop before 2016-06-13 allows remote attackers to execute arbitrary code via a GET or POST request to the oxuser class. Fixed versions are Enterprise Edition v5.1.12, Enterprise Edition v5.2.9, Professional Edition v4.8.12, Professional Edition v4.9.9, Community Edition v4.8.12, Community Edition v4.9.9.
CVE-2016-8354 1 Schneider-electric 1 Unity Pro 2025-04-20 5.1 MEDIUM 7.0 HIGH
An issue was discovered in Schneider Electric Unity PRO prior to V11.1. Unity projects can be compiled as x86 instructions and loaded onto the PLC Simulator delivered with Unity PRO. These x86 instructions are subsequently executed directly by the simulator. A specially crafted patched Unity project file can make the simulator execute malicious code by redirecting the control flow of these instructions.
CVE-2017-8402 1 Pivotx 1 Pivotx 2025-04-20 6.5 MEDIUM 8.8 HIGH
PivotX 2.3.11 allows remote authenticated users to execute arbitrary PHP code via vectors involving an upload of a .htaccess file.
CVE-2016-1602 1 Suse 3 Linux Enterprise Desktop, Linux Enterprise Server, Suse Linux Enterprise Server 2025-04-20 7.2 HIGH 7.8 HIGH
A code injection in the supportconfig data collection tool in supportutils in SUSE Linux Enterprise Server 12 and 12-SP1 and SUSE Linux Enterprise Desktop 12 and 12-SP1 could be used by local attackers to execute code as the user running supportconfig (usually root).
CVE-2017-1000196 1 Octobercms 1 October 2025-04-20 7.5 HIGH 9.8 CRITICAL
October CMS build 412 is vulnerable to PHP code execution in the asset manager functionality resulting in site compromise and possibly other applications on the server.
CVE-2017-14077 1 Phpcaptcha 1 Securimage 2025-04-20 4.3 MEDIUM 6.1 MEDIUM
HTML Injection in Securimage 3.6.4 and earlier allows remote attackers to inject arbitrary HTML into an e-mail message body via the $_SERVER['HTTP_USER_AGENT'] parameter to example_form.ajax.php or example_form.php.
CVE-2017-16783 1 Cmsmadesimple 1 Cms Made Simple 2025-04-20 7.5 HIGH 9.8 CRITICAL
In CMS Made Simple 2.1.6, there is Server-Side Template Injection via the cntnt01detailtemplate parameter.
CVE-2014-8677 1 Soplanning 1 Soplanning 2025-04-20 3.5 LOW 5.3 MEDIUM
The installation process for SOPlanning 1.32 and earlier allows remote authenticated users with a prepared database, and access to an existing database with a crafted name, or permissions to create arbitrary databases, or if PHP before 5.2 is being used, the configuration database is down, and smarty/templates_c is not writable to execute arbitrary php code via a crafted database name.
CVE-2017-7691 1 Sap 1 Trex 2025-04-20 7.5 HIGH 9.8 CRITICAL
A code injection vulnerability exists in SAP TREX / Business Warehouse Accelerator (BWA). The vendor response is SAP Security Note 2419592.
CVE-2024-12238 1 Ninjaforms 1 Ninja Forms 2025-04-18 N/A 6.3 MEDIUM
The The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.8.22. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.
CVE-2025-29662 2025-04-18 N/A 9.8 CRITICAL
A RCE vulnerability in the core application in LandChat 3.25.12.18 allows an unauthenticated attacker to execute system code via remote network access.
CVE-2024-40673 1 Google 1 Android 2025-04-18 N/A 6.5 MEDIUM
In Source of ZipFile.java, there is a possible way for an attacker to execute arbitrary code by manipulating Dynamic Code Loading due to improper input validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2024-48236 1 Ofcms Project 1 Ofcms 2025-04-18 N/A 6.5 MEDIUM
An issue in ofcms 1.1.2 allows a remote attacker to execute arbitrary code via the FileOutputStream function in the write String method of the ofcms-admin\src\main\java\com\ofsoft\cms\core\uitle\FileUtils.java file
CVE-2024-48235 1 Ofcms Project 1 Ofcms 2025-04-18 N/A 6.5 MEDIUM
An issue in ofcms 1.1.2 allows a remote attacker to execute arbitrary code via the save method of the TemplateController.java file.