Total
4708 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-8581 | 1 Lollms | 1 Lollms Web Ui | 2025-07-08 | N/A | 9.1 CRITICAL |
| A vulnerability in the `upload_app` function of parisneo/lollms-webui V12 (Strawberry) allows an attacker to delete any file or directory on the system. The function does not implement user input filtering with the `filename` value, causing a Path Traversal error. | |||||
| CVE-2025-6551 | 1 Java-aodeng | 1 Hope-boot | 2025-07-08 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in java-aodeng Hope-Boot 1.0.0 and classified as problematic. This issue affects the function Login of the file /src/main/java/com/hope/controller/WebController.java. The manipulation of the argument errorMsg leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-39002 | 1 Richardrodger | 1 Jsonic | 2025-07-07 | N/A | 6.3 MEDIUM |
| rjrodger jsonic-next v2.12.1 was discovered to contain a prototype pollution via the function util.clone. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |||||
| CVE-2024-56518 | 1 Hazelcast | 1 Management Center | 2025-07-07 | N/A | 9.8 CRITICAL |
| Hazelcast Management Center through 6.0 allows remote code execution via a JndiLoginModule user.provider.url in a hazelcast-client XML document (aka a client configuration file), which can be uploaded at the /cluster-connections URI. | |||||
| CVE-2025-25680 | 1 Lsc | 2 Ptz Dual Band Camera, Ptz Dual Band Camera Firmware | 2025-07-07 | N/A | 7.7 HIGH |
| LSC Smart Connect LSC Indoor PTZ Camera 7.6.32 is contains a RCE vulnerability in the tuya_ipc_direct_connect function of the anyka_ipc process. The vulnerability allows arbitrary code execution through the Wi-Fi configuration process when a specially crafted QR code is presented to the camera. | |||||
| CVE-2024-35314 | 1 Mitel | 2 Micollab, Mivoice Business Solution Virtual Instance | 2025-07-07 | N/A | 9.8 CRITICAL |
| A vulnerability in the Desktop Client of Mitel MiCollab through 9.7.1.110, and MiVoice Business Solution Virtual Instance (MiVB SVI) 1.0.0.25, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit requires user interaction and could allow an attacker to execute arbitrary scripts. | |||||
| CVE-2024-35315 | 1 Mitel | 2 Micollab, Mivoice Business Solution Virtual Instance | 2025-07-07 | N/A | 5.6 MEDIUM |
| A vulnerability in the Desktop Client of Mitel MiCollab through 9.7.1.110, and MiVoice Business Solution Virtual Instance (MiVB SVI) 1.0.0.25, could allow an authenticated attacker to conduct a privilege escalation attack due to improper file validation. A successful exploit could allow an attacker to run arbitrary code with elevated privileges. | |||||
| CVE-2024-33394 | 1 Kubevirt | 1 Kubevirt | 2025-07-07 | N/A | 5.9 MEDIUM |
| An issue in kubevirt kubevirt v1.2.0 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component. | |||||
| CVE-2024-3892 | 1 Progress | 1 Telerik Ui For Winforms | 2025-07-03 | N/A | 7.2 HIGH |
| A local code execution vulnerability is possible in Telerik UI for WinForms beginning in v2021.1.122 but prior to v2024.2.514. This vulnerability could allow an untrusted theme assembly to execute arbitrary code on the local Windows system. | |||||
| CVE-2025-37099 | 2025-07-03 | N/A | 9.8 CRITICAL | ||
| A remote code execution vulnerability exists in HPE Insight Remote Support (IRS) prior to v7.15.0.646. | |||||
| CVE-2025-49029 | 2025-07-03 | N/A | 9.1 CRITICAL | ||
| Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.Kazi Custom Login And Signup Widget allows Code Injection.This issue affects Custom Login And Signup Widget: from n/a through 1.0. | |||||
| CVE-2025-49521 | 2025-07-03 | N/A | 8.8 HIGH | ||
| A flaw was found in the EDA component of the Ansible Automation Platform, where user-supplied Git branch or refspec values are evaluated as Jinja2 templates. This vulnerability allows authenticated users to inject expressions that execute commands or access sensitive files on the EDA worker. In OpenShift, it can lead to service account token theft. | |||||
| CVE-2025-34079 | 2025-07-03 | N/A | N/A | ||
| An authenticated remote code execution vulnerability exists in NSClient++ version 0.5.2.35 when the web interface and ExternalScripts module are enabled. A remote attacker with the administrator password can authenticate to the web interface (default port 8443), inject arbitrary commands as external scripts via the /settings/query.json API, save the configuration, and trigger the script via the /query/{name} endpoint. The injected commands are executed with SYSTEM privileges, enabling full remote compromise. This capability is an intended feature, but the lack of safeguards or privilege separation makes it risky when exposed to untrusted actors. | |||||
| CVE-2025-34075 | 2025-07-03 | N/A | N/A | ||
| An authenticated virtual machine escape vulnerability exists in HashiCorp Vagrant when using the default synced folder configuration. By design, Vagrant automatically mounts the host system’s project directory into the guest VM under /vagrant (or C:\vagrant on Windows). This includes the Vagrantfile configuration file, which is a Ruby script evaluated by the host every time a vagrant command is executed in the project directory. If a low-privileged attacker obtains shell access to the guest VM, they can append arbitrary Ruby code to the mounted Vagrantfile. When a user on the host later runs any vagrant command, the injected code is executed on the host with that user’s privileges. While this shared-folder behavior is well-documented by Vagrant, the security implications of Vagrantfile execution from guest-writable storage are not explicitly addressed. This effectively enables guest-to-host code execution in multi-tenant or adversarial VM scenarios. | |||||
| CVE-2025-34074 | 2025-07-03 | N/A | N/A | ||
| An authenticated remote code execution vulnerability exists in Lucee’s administrative interface due to insecure design in the scheduled task functionality. An administrator with access to /lucee/admin/web.cfm can configure a scheduled job to retrieve a remote .cfm file from an attacker-controlled server, which is written to the Lucee webroot and executed with the privileges of the Lucee service account. Because Lucee does not enforce integrity checks, path restrictions, or execution controls for scheduled task fetches, this feature can be abused to achieve arbitrary code execution. This issue is distinct from CVE-2024-55354. | |||||
| CVE-2025-29807 | 1 Microsoft | 1 Dataverse | 2025-07-03 | N/A | 8.7 HIGH |
| Deserialization of untrusted data in Microsoft Dataverse allows an authorized attacker to execute code over a network. | |||||
| CVE-2024-42902 | 1 Limesurvey | 1 Limesurvey | 2025-07-03 | N/A | 8.8 HIGH |
| An issue in the js_localize.php function of LimeSurvey v6.6.2 and before allows attackers to execute arbitrary code via injecting a crafted payload into the lng parameter of the js_localize.php function | |||||
| CVE-2024-24421 | 1 Linuxfoundation | 1 Magma | 2025-07-03 | N/A | 9.8 CRITICAL |
| A type confusion in the nas_message_decode function of Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via a crafted NAS packet. | |||||
| CVE-2024-36622 | 1 Raspap | 1 Raspap-webgui | 2025-07-02 | N/A | 9.8 CRITICAL |
| In RaspAP raspap-webgui 3.0.9 and earlier, a command injection vulnerability exists in the clearlog.php script. The vulnerability is due to improper sanitization of user input passed via the logfile parameter. | |||||
| CVE-2025-2714 | 1 Joomlaux | 1 Jux Real Estate | 2025-07-02 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in JoomlaUX JUX Real Estate 3.4.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /extensions/realestate/index.php/agents/agent-register/addagent. The manipulation of the argument plan_id leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||