Export limit exceeded: 10428 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10428 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-42928 | 1 Sap | 1 Jconnect | 2026-04-15 | 9.1 Critical |
| Under certain conditions, a high privileged user could exploit a deserialization vulnerability in SAP jConnect to launch remote code execution. The system may be vulnerable when specially crafted input is used to exploit the vulnerability resulting in high impact on confidentiality, integrity and availability of the system. | ||||
| CVE-2025-0868 | 1 Arc53 | 1 Docsgpt | 2026-04-15 | N/A |
| A vulnerability, that could result in Remote Code Execution (RCE), has been found in DocsGPT. Due to improper parsing of JSON data using eval() an unauthorized attacker could send arbitrary Python code to be executed via /api/remote endpoint.. This issue affects DocsGPT: from 0.8.1 through 0.12.0. | ||||
| CVE-2024-9162 | 1 Yaniiliev | 1 All In One Wp Migration And Backup | 2026-04-15 | 7.2 High |
| The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to arbitrary PHP Code Injection due to missing file type validation during the export in all versions up to, and including, 7.86. This makes it possible for authenticated attackers, with Administrator-level access and above, to create an export file with the .php extension on the affected site's server, adding an arbitrary PHP code to it, which may make remote code execution possible. | ||||
| CVE-2025-58358 | 2026-04-15 | 7.5 High | ||
| Markdownify is a Model Context Protocol server for converting almost anything to Markdown. Versions below 0.0.2 contain a command injection vulnerability, caused by the unsanitized use of input parameters within a call to child_process.exec, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (|, >, &&, etc.). This issue is fixed in version 0.0.2. | ||||
| CVE-2024-5565 | 1 Vanna-ai | 1 Vanna | 2026-04-15 | 8.1 High |
| The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended visualization code. Specifically - allowing external input to the library’s “ask” method with "visualize" set to True (default behavior) leads to remote code execution. | ||||
| CVE-2024-21546 | 1 Unisharp | 1 Laravel-filemanager | 2026-04-15 | 9.8 Critical |
| Versions of the package unisharp/laravel-filemanager before 2.9.1 are vulnerable to Remote Code Execution (RCE) through using a valid mimetype and inserting the . character after the php file extension. This allows the attacker to execute malicious code. | ||||
| CVE-2024-36072 | 2026-04-15 | 9.8 Critical | ||
| Netwrix CoSoSys Endpoint Protector through 5.9.3 and CoSoSys Unify through 7.0.6 contain a remote code execution vulnerability in the logging component of the Endpoint Protector and Unify server application which allows an unauthenticated remote attacker to send a malicious request, resulting in the ability to execute system commands with root privileges. | ||||
| CVE-2025-62381 | 1 Sveltekit-superforms | 1 Sveltekit-superforms | 2026-04-15 | N/A |
| sveltekit-superforms makes SvelteKit forms a pleasure to use. sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the parseFormData function of formData.js. An attacker can inject string and array properties into Object.prototype, leading to denial of service, type confusion, and potential remote code execution in downstream applications that rely on polluted objects. This vulnerability is fixed in 2.27.4. | ||||
| CVE-2025-34153 | 1 Hyland | 1 Onbase | 2026-04-15 | N/A |
| Hyland OnBase versions prior to 17.0.2.87 (other versions may be affected) are vulnerable to unauthenticated remote code execution via insecure deserialization on the .NET Remoting TCP channel. The service registers a listener on port 6031 with the URI endpoint TimerServer, implemented in Hyland.Core.Timers.dll. This endpoint deserializes untrusted input using the .NET BinaryFormatter, allowing attackers to execute arbitrary code under the context of NT AUTHORITY\SYSTEM. | ||||
| CVE-2025-34113 | 1 Tiki | 1 Tikiwiki Cms\/groupware | 2026-04-15 | N/A |
| An authenticated command injection vulnerability exists in Tiki Wiki CMS versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14 via the `viewmode` GET parameter in `tiki-calendar.php`. When the calendar module is enabled and an authenticated user has permission to access it, an attacker can inject and execute arbitrary PHP code. Successful exploitation leads to remote code execution in the context of the web server user. | ||||
| CVE-2025-34104 | 2 Matomo, Piwik | 2 Matomo, Piwik | 2026-04-15 | N/A |
| An authenticated remote code execution vulnerability exists in Piwik (now Matomo) versions prior to 3.0.3 via the plugin upload mechanism. In vulnerable versions, an authenticated user with Superuser privileges can upload and activate a malicious plugin (ZIP archive), leading to arbitrary PHP code execution on the underlying system. Starting with version 3.0.3, plugin upload functionality is disabled by default unless explicitly enabled in the configuration file. | ||||
| CVE-2025-53867 | 2026-04-15 | 9.8 Critical | ||
| Island Lake WebBatch before 2025C allows Remote Code Execution via a crafted URL. | ||||
| CVE-2024-8502 | 1 Modelscope | 1 Agentscope | 2026-04-15 | N/A |
| A vulnerability in the RpcAgentServerLauncher class of modelscope/agentscope v0.0.6a3 allows for remote code execution (RCE) via deserialization of untrusted data using the dill library. The issue occurs in the AgentServerServicer.create_agent method, where serialized input is deserialized using dill.loads, enabling an attacker to execute arbitrary commands on the server. | ||||
| CVE-2024-6310 | 2026-04-15 | 8.8 High | ||
| The Advanced AJAX Page Loader plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 2.7.7. This is due to missing nonce validation in the 'admin_init_AAPL' function and missing file type validation in the 'AAPL_options_validate' function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-6320 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| The ScrollTo Top plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 1.2.2. This is due to missing nonce validation and missing file type validation in the 'options_page' function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-6333 | 1 Xerox | 4 Altalink Firmware, Versalink Firmware, Workcentre Firmware and 1 more | 2026-04-15 | 7.2 High |
| Authenticated Remote Code Execution in Altalink, Versalink & WorkCentre Products. | ||||
| CVE-2024-6365 | 1 Woobewoo | 1 Product Table By Wbw | 2026-04-15 | 9.8 Critical |
| The Product Table by WBW plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.1 via the 'saveCustomTitle' function. This is due to missing authorization and lack of sanitization of appended data in the languages/customTitle.php file. This makes it possible for unauthenticated attackers to execute code on the server. | ||||
| CVE-2024-6431 | 1 Medianet | 1 Ads Manager | 2026-04-15 | 8.8 High |
| The Media.net Ads Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and missing capability check in the 'sendMail' function in all versions up to, and including, 2.10.13. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability is only exploitable if anyone has ever logged in through the API. | ||||
| CVE-2024-6618 | 2 Aveva, Ocean Data Systems | 2 Reports For Operations 2023, Dream Report 2023 | 2026-04-15 | N/A |
| In Ocean Data Systems Dream Report, a path traversal vulnerability could allow an attacker to perform remote code execution through the injection of a malicious dynamic-link library (DLL). | ||||
| CVE-2024-6675 | 1 Ni | 1 Veristand | 2026-04-15 | 7.8 High |
| A deserialization of untrusted data vulnerability exists in NI VeriStand that may result in remote code execution. Successful exploitation requires an attacker to get a user to open a specially crafted project file. This vulnerability affects VeriStand 2024 Q2 and prior versions. | ||||