Vulnerabilities (CVE)

Filtered by CWE-94
Total 4672 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-3164 1 Tencentmusic 1 Supersonic 2025-04-23 5.8 MEDIUM 4.7 MEDIUM
A vulnerability was found in Tencent Music Entertainment SuperSonic up to 0.9.8. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/semantic/database/testConnect of the component H2 Database Connection Handler. The manipulation leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-1949 1 Zzcms 1 Zzcms 2025-04-23 5.0 MEDIUM 4.3 MEDIUM
A vulnerability, which was classified as problematic, has been found in ZZCMS 2025. This issue affects some unknown processing of the file /3/ucenter_api/code/register_nodb.php of the component URL Handler. The manipulation of the argument $_SERVER['PHP_SELF'] leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-3252 1 Xujiangfei 1 Admintwo 2025-04-23 4.0 MEDIUM 3.5 LOW
A vulnerability has been found in xujiangfei admintwo 1.0 and classified as problematic. This vulnerability affects unknown code of the file /resource/add. The manipulation of the argument Name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-3253 1 Xujiangfei 1 Admintwo 2025-04-23 4.0 MEDIUM 3.5 LOW
A vulnerability was found in xujiangfei admintwo 1.0 and classified as problematic. This issue affects some unknown processing of the file /ztree/insertTree. The manipulation of the argument Name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2022-43660 1 Sixapart 1 Movable Type 2025-04-23 N/A 7.2 HIGH
Improper neutralization of Server-Side Includes (SSI) within a web page in Movable Type series allows a remote authenticated attacker with the 'Manage of Content Types' privilege to execute an arbitrary Perl script and/or an arbitrary OS command. Affected products/versions are as follows: Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier.
CVE-2025-0618 2025-04-23 N/A 6.5 MEDIUM
A malicious third party could invoke a persistent denial of service vulnerability in FireEye EDR agent by sending a specially-crafted tamper protection event to the HX service to trigger an exception. This exception will prevent any further tamper protection events from being processed, even after a reboot of HX.
CVE-2025-3842 2025-04-23 6.5 MEDIUM 6.3 MEDIUM
A vulnerability was found in panhainan DS-Java 1.0 and classified as critical. This issue affects the function uploadUserPic.action of the file src/com/phn/action/FileUpload.java. The manipulation of the argument fileUpload leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-23251 2025-04-23 N/A 7.6 HIGH
NVIDIA NeMo Framework contains a vulnerability where a user could cause an improper control of generation of code by remote code execution. A successful exploit of this vulnerability might lead to code execution and data tampering.
CVE-2023-51313 1 Phpjabbers 1 Restaurant Booking System 2025-04-23 N/A 8.8 HIGH
PHPJabbers Restaurant Booking System v3.0 is vulnerable to CSV injection, which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on the Languages section Labels any parameters field in System Options that is used to construct the CSV file.
CVE-2024-54803 1 Netgear 2 Wnr854t, Wnr854t Firmware 2025-04-22 N/A 9.8 CRITICAL
Netgear WNR854T 1.5.2 (North America) is vulnerable to Command Injection. An attacker can send a specially crafted request to post.cgi, updating the nvram parameter pppoe_peer_mac and forcing a reboot. This will result in command injection.
CVE-2025-3115 1 Tibco 6 Spotfire Analyst, Spotfire Analytics Platform, Spotfire Deployment Kit and 3 more 2025-04-22 N/A 9.8 CRITICAL
Injection Vulnerabilities: Attackers can inject malicious code, potentially gaining control over the system executing these functions. Additionally, insufficient validation of filenames during file uploads can enable attackers to upload and execute malicious files, leading to arbitrary code execution.
CVE-2022-37155 1 Spip 1 Spip 2025-04-22 N/A 8.8 HIGH
RCE in SPIP 3.1.13 through 4.1.2 allows remote authenticated users to execute arbitrary code via the _oups parameter.
CVE-2024-36694 1 Opencart 1 Opencart 2025-04-22 N/A 7.2 HIGH
OpenCart 4.0.2.3 is vulnerable to Server-Side Template Injection (SSTI) via the Theme Editor Function.
CVE-2024-56518 2025-04-22 N/A 9.8 CRITICAL
Hazelcast Management Center through 6.0 allows remote code execution via a JndiLoginModule user.provider.url in a hazelcast-client XML document (aka a client configuration file), which can be uploaded at the /cluster-connections URI.
CVE-2024-53924 2025-04-22 N/A 9.8 CRITICAL
Pycel through 1.0b30, when operating on an untrusted spreadsheet, allows code execution via a crafted formula in a cell, such as one beginning with the =IF(A1=200, eval("__import__('os').system( substring.
CVE-2013-4813 1 Hp 2 Identity Driven Manager, Procurve Manager 2025-04-22 10.0 HIGH N/A
The Agent (aka AgentController) servlet in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, and Identity Driven Manager (IDM) 4.0 allows remote attackers to execute arbitrary commands via a HEAD request, aka ZDI-CAN-1745.
CVE-2024-43771 1 Google 1 Android 2025-04-22 N/A 8.8 HIGH
In gatts_process_read_req of gatt_sr.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2024-43770 1 Google 1 Android 2025-04-22 N/A 8.8 HIGH
In gatts_process_find_info of gatt_sr.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2024-49747 1 Google 1 Android 2025-04-22 N/A 9.8 CRITICAL
In gatts_process_read_by_type_req of gatt_sr.cc, there is a possible out of bounds write due to a logic error in the code. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2023-51317 1 Phpjabbers 1 Restaurant Booking System 2025-04-22 N/A 6.5 MEDIUM
PHPJabbers Restaurant Booking System v3.0 is vulnerable to Multiple HTML Injection in the "name, plugin_sms_api_key, plugin_sms_country_code, title, plugin_sms_api_key, title" parameters.