Vulnerabilities (CVE)

Filtered by CWE-94
Total 4711 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-5138 2025-06-20 4.0 MEDIUM 3.5 LOW
A vulnerability was found in Bitwarden up to 2.25.1. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component PDF File Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-29058 1 Qimou Cms Project 1 Qimou Cms 2025-06-19 N/A 9.8 CRITICAL
An issue in Qimou CMS v.3.34.0 allows a remote attacker to execute arbitrary code via the upgrade.php component.
CVE-2025-3509 2025-06-18 N/A N/A
A Remote Code Execution (RCE) vulnerability was identified in GitHub Enterprise Server that allowed attackers to execute arbitrary code by exploiting the pre-receive hook functionality, potentially leading to privilege escalation and system compromise. The vulnerability involves using dynamically allocated ports that become temporarily available, such as during a hot patch upgrade. This means the vulnerability is only exploitable during specific operational conditions, which limits the attack window. Exploitation required either site administrator permissions to enable and configure pre-receive hooks or a user with permissions to modify repositories containing pre-receive hooks where this functionality was already enabled. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.17.1, 3.16.4, 3.15.8, 3.14.13, 3.13.16. This vulnerability was reported via the GitHub Bug Bounty program.
CVE-2024-38395 1 Iterm2 1 Iterm2 2025-06-18 N/A 9.8 CRITICAL
In iTerm2 before 3.5.2, the "Terminal may report window title" setting is not honored, and thus remote code execution might occur but "is not trivially exploitable."
CVE-2024-42936 1 Ruijie 2 Reyee Os, Rg-ew300n 2025-06-18 N/A 9.8 CRITICAL
The mqlink.elf is service component in Ruijie RG-EW300N with firmware ReyeeOS 1.300.1422 is vulnerable to Remote Code Execution via a modified MQTT broker message.
CVE-2025-5420 1 Juzaweb 1 Cms 2025-06-18 4.0 MEDIUM 3.5 LOW
A vulnerability classified as problematic was found in juzaweb CMS up to 3.4.2. Affected by this vulnerability is an unknown functionality of the file /admin-cp/file-manager/upload of the component Profile Page. The manipulation of the argument Upload leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2021-38243 1 Xunruicms 1 Xunruicms 2025-06-18 N/A 9.8 CRITICAL
xunruicms up to v4.5.1 was discovered to contain a remote code execution (RCE) vulnerability in /index.php. This vulnerability allows attackers to execute arbitrary code via a crafted GET request.
CVE-2024-23692 1 Rejetto 1 Http File Server 2025-06-18 N/A 9.8 CRITICAL
Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. As of the CVE assignment date, Rejetto HFS 2.3m is no longer supported.
CVE-2025-32106 1 Audiocodes 6 Mp-112, Mp-112 Firmware, Mp-114 and 3 more 2025-06-18 N/A 9.8 CRITICAL
In Audiocodes Mediapack MP-11x through 6.60A.369.002, a crafted POST request request may result in an unauthenticated remote user's ability to execute unauthorized code.
CVE-2024-30845 1 Rainbow External Link Network Disk Project 1 Rainbow External Link Network Disk 2025-06-17 N/A 6.1 MEDIUM
Cross Site Scripting vulnerability in Rainbow external link network disk v.5.5 allows a remote attacker to execute arbitrary code via the validation component of the input parameters.
CVE-2023-6494 1 Wpclever 1 Wpc Smart Quick View For Woocommerce 2025-06-17 N/A 4.4 MEDIUM
The WPC Smart Quick View for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2024-29500 1 Inteset 1 Secure Lockdown 2025-06-17 N/A 9.8 CRITICAL
An issue in the kiosk mode of Secure Lockdown Multi Application Edition v2.00.219 allows attackers to execute arbitrary code via running a ClickOnce application instance.
CVE-2024-31819 1 Wwbn 1 Avideo 2025-06-17 N/A 9.8 CRITICAL
An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath parameter of the submitIndex.php component.
CVE-2024-26362 3 Enpass, Linux, Microsoft 3 Password Manager, Linux Kernel, Windows 2025-06-17 N/A 8.8 HIGH
HTML injection vulnerability in Enpass Password Manager Desktop Client 6.9.2 for Windows and Linux allows attackers to run arbitrary HTML code via creation of crafted note.
CVE-2024-29937 2 Freebsd, Openbsd 2 Freebsd, Openbsd 2025-06-17 N/A 9.8 CRITICAL
NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers to execute arbitrary code via a bug that is unrelated to memory corruption.
CVE-2024-29399 1 Gnu 1 Savane 2025-06-17 N/A 7.6 HIGH
An issue was discovered in GNU Savane v.3.13 and before, allows a remote attacker to execute arbitrary code and escalate privileges via a crafted file to the upload.php component.
CVE-2024-25376 1 Thesycon 1 Tusbaudio 2025-06-17 N/A 7.8 HIGH
An issue discovered in Thesycon Software Solutions Gmbh & Co. KG TUSBAudio MSI-based installers before 5.68.0 allows a local attacker to execute arbitrary code via the msiexec.exe repair mode.
CVE-2025-6131 2025-06-17 3.3 LOW 2.4 LOW
A vulnerability, which was classified as problematic, was found in CodeAstro Food Ordering System 1.0. Affected is an unknown function of the file /admin/store/edit/ of the component POST Request Parameter Handler. The manipulation of the argument Restaurant Name/Address leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-5309 2025-06-17 N/A N/A
The chat feature within Remote Support (RS) and Privileged Remote Access (PRA) is vulnerable to a Server-Side Template Injection vulnerability which can lead to remote code execution.
CVE-2025-5507 1 Totolink 2 A3002ru, A3002ru Firmware 2025-06-17 3.3 LOW 2.4 LOW
A vulnerability was found in TOTOLINK A3002RU 2.1.1-B20230720.1011. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component MAC Filtering Page. The manipulation of the argument Comment leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.