Search Results (2928 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-1471 | 2 Redhat, Snakeyaml Project | 14 Amq Clients, Amq Streams, Enterprise Linux and 11 more | 2025-06-18 | 8.3 High |
| SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond. | ||||
| CVE-2024-24590 | 1 Clear | 1 Clearml | 2025-06-17 | 8 High |
| Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI’s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user’s system when interacted with. | ||||
| CVE-2024-30850 | 1 Tiagorlampert | 1 Chaos | 2025-06-17 | 8.8 High |
| An issue in tiagorlampert CHAOS v5.0.1 allows a remote attacker to execute arbitrary code via the BuildClient function within client_service.go | ||||
| CVE-2024-31839 | 1 Tiagorlampert | 1 Chaos | 2025-06-17 | 4.8 Medium |
| Cross Site Scripting vulnerability in tiagorlampert CHAOS v.5.0.1 allows a remote attacker to escalate privileges via the sendCommandHandler function in the handler.go component. | ||||
| CVE-2024-31819 | 1 Wwbn | 1 Avideo | 2025-06-17 | 9.8 Critical |
| An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath parameter of the submitIndex.php component. | ||||
| CVE-2024-25852 | 1 Linksys | 2 Re7000, Re7000 Firmware | 2025-06-17 | 8.8 High |
| Linksys RE7000 v2.0.9, v2.0.11, and v2.0.15 have a command execution vulnerability in the "AccessControlList" parameter of the access control function point. An attacker can use the vulnerability to obtain device administrator rights. | ||||
| CVE-2024-21650 | 1 Xwiki | 1 Xwiki | 2025-06-17 | 10 Critical |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki is vulnerable to a remote code execution (RCE) attack through its user registration feature. This issue allows an attacker to execute arbitrary code by crafting malicious payloads in the "first name" or "last name" fields during user registration. This impacts all installations that have user registration enabled for guests. This vulnerability has been patched in XWiki 14.10.17, 15.5.3 and 15.8 RC1. | ||||
| CVE-2024-21644 | 1 Pyload | 1 Pyload | 2025-06-17 | 7.5 High |
| pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77. | ||||
| CVE-2024-0195 | 1 Ssssssss | 1 Spider-flow | 2025-06-17 | 6.3 Medium |
| A vulnerability, which was classified as critical, was found in spider-flow 0.4.3. Affected is the function FunctionService.saveFunction of the file src/main/java/org/spiderflow/controller/FunctionController.java. The manipulation leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-249510 is the identifier assigned to this vulnerability. | ||||
| CVE-2024-34982 | 1 Lylme | 1 Lylme Spage | 2025-06-17 | 9.8 Critical |
| An arbitrary file upload vulnerability in the component /include/file.php of lylme_spage v1.9.5 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2024-46506 | 1 Netalertx | 1 Netalertx | 2025-06-17 | 10 Critical |
| NetAlertX 23.01.14 through 24.x before 24.10.12 allows unauthenticated command injection via settings update because function=savesettings lacks an authentication requirement, as exploited in the wild in May 2025. This is related to settings.php and util.php. | ||||
| CVE-2024-28000 | 1 Litespeedtech | 1 Litespeed Cache | 2025-06-17 | 9.8 Critical |
| Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Privilege Escalation. This issue affects LiteSpeed Cache: from 1.9 through 6.3.0.1. | ||||
| CVE-2024-29269 | 1 Telesquare | 2 Tlr-2005ksh, Tlr-2005ksh Firmware | 2025-06-17 | 8.8 High |
| An issue discovered in Telesquare TLR-2005Ksh 1.0.0 and 1.1.4 allows attackers to run arbitrary system commands via the Cmd parameter. | ||||
| CVE-2024-34470 | 1 Hsclabs | 1 Mailinspector | 2025-06-17 | 8.6 High |
| An issue was discovered in HSC Mailinspector 5.2.17-3 through v.5.2.18. An Unauthenticated Path Traversal vulnerability exists in the /public/loader.php file. The path parameter does not properly filter whether the file and directory passed are part of the webroot, allowing an attacker to read arbitrary files on the server. | ||||
| CVE-2023-52251 | 1 Provectus | 1 Ui | 2025-06-17 | 8.8 High |
| An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages. | ||||
| CVE-2022-45699 | 1 Apsystems | 2 Ecu-r, Ecu-r Firmware | 2025-06-17 | 9.8 Critical |
| Command injection in the administration interface in APSystems ECU-R version 5203 allows a remote unauthenticated attacker to execute arbitrary commands as root using the timezone parameter. | ||||
| CVE-2024-37759 | 1 Datagear | 1 Datagear | 2025-06-13 | 9.8 Critical |
| DataGear v5.0.0 and earlier was discovered to contain a SpEL (Spring Expression Language) expression injection vulnerability via the Data Viewing interface. | ||||
| CVE-2024-24329 | 1 Totolink | 2 A3300r, A3300r Firmware | 2025-06-12 | 9.8 Critical |
| TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setPortForwardRules function. | ||||
| CVE-2023-6623 | 1 Wpdeveloper | 1 Essential Blocks | 2025-06-11 | 9.8 Critical |
| The Essential Blocks WordPress plugin before 4.4.3 does not prevent unauthenticated attackers from overwriting local variables when rendering templates over the REST API, which may lead to Local File Inclusion attacks. | ||||
| CVE-2024-33752 | 1 Emlog | 1 Emlog | 2025-06-11 | 6.3 Medium |
| An arbitrary file upload vulnerability exists in emlog pro 2.3.0 and pro 2.3.2 at admin/views/plugin.php that could be exploited by a remote attacker to submit a special request to upload a malicious file to execute arbitrary code. | ||||