Total
4578 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-3942 | 1 Typo3 | 1 Typo3 | 2025-04-12 | 6.0 MEDIUM | N/A |
| The Color Picker Wizard component in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, and 6.1.0 before 6.1.9 allows remote authenticated editors to execute arbitrary PHP code via a serialized PHP object. | |||||
| CVE-2013-1850 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | 6.5 MEDIUM | N/A |
| Multiple incomplete blacklist vulnerabilities in (1) import.php and (2) ajax/uploadimport.php in apps/contacts/ in ownCloud before 4.0.13 and 4.5.x before 4.5.8 allow remote authenticated users to execute arbitrary PHP code by uploading a .htaccess file. | |||||
| CVE-2015-4726 | 1 Audiosharescript | 1 Audioshare | 2025-04-12 | 7.5 HIGH | N/A |
| PHP remote file inclusion vulnerability in ajax/myajaxphp.php in AudioShare 2.0.2 allows remote attackers to execute arbitrary PHP code via a URL in the config['basedir'] parameter. | |||||
| CVE-2012-6141 | 1 Stephen Adkins | 1 App\ | 2025-04-12 | 7.5 HIGH | N/A |
| The App::Context module 0.01 through 0.968 for Perl does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via a crafted request to (1) App::Session::Cookie or (2) App::Session::HTMLHidden, which is not properly handled when it is deserialized. | |||||
| CVE-2012-6143 | 1 Ingy | 1 Spoon | 2025-04-12 | 7.5 HIGH | N/A |
| Spoon::Cookie in the Spoon module 0.24 for Perl does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via a crafted request, which is not properly handled when it is deserialized. | |||||
| CVE-2014-2996 | 1 Xcloner | 1 Xcloner | 2025-04-12 | 7.1 HIGH | N/A |
| XCloner Standalone 3.5 and earlier, when enable_db_backup and sql_mem are enabled, allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the dbbackup_comp parameter in a generate action to index2.php. NOTE: it is not clear whether this issue crosses privilege boundaries, since administrators might already have the privileges to execute code. NOTE: this can be leveraged by remote attackers using CVE-2014-2579. | |||||
| CVE-2014-5112 | 1 Netfortris | 1 Trixbox | 2025-04-12 | 7.5 HIGH | N/A |
| maint/modules/home/index.php in Fonality trixbox allows remote attackers to execute arbitrary commands via shell metacharacters in the lang parameter. | |||||
| CVE-2014-2720 | 1 Izarc | 1 Izarc | 2025-04-12 | 6.8 MEDIUM | N/A |
| IZArc 4.1.8 displays a file's name on the basis of a ZIP archive's Central Directory entry, but launches this file on the basis of a ZIP archive's local file header, which allows user-assisted remote attackers to conduct file-extension spoofing attacks via a modified Central Directory, as demonstrated by unintended code execution prompted by a .jpg extension in the Central Directory and a .exe extension in the local file header. | |||||
| CVE-2014-3496 | 1 Redhat | 2 Openshift, Openshift Origin | 2025-04-12 | 10.0 HIGH | N/A |
| cartridge_repository.rb in OpenShift Origin and Enterprise 1.2.8 through 2.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a Source-Url ending with a (1) .tar.gz, (2) .zip, (3) .tgz, or (4) .tar file extension in a cartridge manifest file. | |||||
| CVE-2015-7381 | 1 Refbase | 1 Refbase | 2025-04-12 | 7.5 HIGH | N/A |
| Multiple PHP remote file inclusion vulnerabilities in install.php in Web Reference Database (aka refbase) through 0.9.6 allow remote attackers to execute arbitrary PHP code via the (1) pathToMYSQL or (2) databaseStructureFile parameter, a different issue than CVE-2015-6008. | |||||
| CVE-2013-0724 | 1 Wpshopstyling | 1 Wp-ecommerce-shop-styling | 2025-04-12 | 7.5 HIGH | N/A |
| PHP remote file inclusion vulnerability in includes/generate-pdf.php in the WP ecommerce Shop Styling plugin for WordPress before 1.8 allows remote attackers to execute arbitrary PHP code via a URL in the dompdf parameter. | |||||
| CVE-2025-30067 | 1 Apache | 1 Kylin | 2025-04-11 | N/A | 7.2 HIGH |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Kylin. If an attacker gets access to Kylin's system or project admin permission, the JDBC connection configuration maybe altered to execute arbitrary code from the remote. You are fine as long as the Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.1. Users are recommended to upgrade to version 5.0.2 or above, which fixes the issue. | |||||
| CVE-2025-29306 | 1 Foxcms | 1 Foxcms | 2025-04-11 | N/A | 9.8 CRITICAL |
| An issue in FoxCMS v.1.2.5 allows a remote attacker to execute arbitrary code via the case display page in the index.html component. | |||||
| CVE-2024-35581 | 1 Oretnom23 | 1 Computer Laboratory Management System | 2025-04-11 | N/A | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Sourcecodester Laboratory Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Borrower Name input field. | |||||
| CVE-2025-32383 | 2025-04-11 | N/A | 4.3 MEDIUM | ||
| MaxKB (Max Knowledge Base) is an open source knowledge base question-answering system based on a large language model and retrieval-augmented generation (RAG). A reverse shell vulnerability exists in the module of function library. The vulnerability allow privileged‌ users to create a reverse shell. This vulnerability is fixed in v1.10.4-lts. | |||||
| CVE-2025-2805 | 2025-04-11 | N/A | 7.3 HIGH | ||
| The ORDER POST plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | |||||
| CVE-2025-2809 | 2025-04-11 | N/A | 7.3 HIGH | ||
| The azurecurve Shortcodes in Comments plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | |||||
| CVE-2023-45673 | 1 Joplin Project | 1 Joplin | 2025-04-11 | N/A | 8.9 HIGH |
| Joplin is a free, open source note taking and to-do application. A remote code execution (RCE) vulnerability in affected versions allows clicking on a link in a PDF in an untrusted note to execute arbitrary shell commands. Clicking links in PDFs allows for arbitrary code execution because Joplin desktop: 1. has not disabled top redirection for note viewer iframes, and 2. and has node integration enabled. This is a remote code execution vulnerability that impacts anyone who attaches untrusted PDFs to notes and has the icon enabled. This issue has been addressed in version 2.13.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-36568 | 1 Mayurik | 1 Gas Agency Management System | 2025-04-11 | N/A | 9.8 CRITICAL |
| Sourcecodester Gas Agency Management System v1.0 is vulnerable to SQL Injection via /gasmark/editbrand.php?id=. | |||||
| CVE-2024-41304 | 1 Wondercms | 1 Wondercms | 2025-04-11 | N/A | 5.4 MEDIUM |
| An arbitrary file upload vulnerability in the uploadFileAction() function of WonderCMS v3.4.3 allows attackers to execute arbitrary code via a crafted SVG file. | |||||