Total
5446 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-54815 | 2 Ppress, Yandaozi | 2 Cms, Ppress | 2025-09-25 | 8.8 High |
| Server-side template injection (SSTI) vulnerability in PPress 0.0.9 allows attackers to execute arbitrary code via crafted themes. | ||||
| CVE-2025-10794 | 1 Phpgurukul | 2 Car Rental Portal, Car Rental Project | 2025-09-25 | 4.3 Medium |
| A flaw has been found in PHPGurukul Car Rental Project 3.0. Affected by this issue is some unknown functionality of the file /carrental/search.php. Executing manipulation of the argument autofocus can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used. | ||||
| CVE-2025-10827 | 1 Phpjabbers | 1 Restaurant Menu Maker | 2025-09-25 | 4.3 Medium |
| A weakness has been identified in PHPJabbers Restaurant Menu Maker up to 1.1. Affected by this issue is some unknown functionality of the file /preview.php. This manipulation of the argument theme causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-49521 | 1 Redhat | 3 Ansible Automation Platform, Ansible Automation Platform Developer, Ansible Automation Platform Inside | 2025-09-25 | 8.8 High |
| A flaw was found in the EDA component of the Ansible Automation Platform, where user-supplied Git branch or refspec values are evaluated as Jinja2 templates. This vulnerability allows authenticated users to inject expressions that execute commands or access sensitive files on the EDA worker. In OpenShift, it can lead to service account token theft. | ||||
| CVE-2024-31982 | 1 Xwiki | 2 Xwiki, Xwiki-platform | 2025-09-25 | 10 Critical |
| XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may manually apply the patch to the page `Main.DatabaseSearch`. Alternatively, unless database search is explicitly used by users, this page can be deleted as this is not the default search interface of XWiki. | ||||
| CVE-2025-10837 | 2 Code-projects, Fabian | 2 Simple Food Ordering System, Simple Food Ordering System | 2025-09-25 | 3.5 Low |
| A security vulnerability has been detected in code-projects Simple Food Ordering System 1.0. Affected by this vulnerability is an unknown functionality of the file /ordersimple/order.php. The manipulation of the argument ID leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2024-13199 | 1 Mtons | 1 Mblog | 2025-09-24 | 3.5 Low |
| A vulnerability classified as problematic was found in langhsu Mblog Blog System 3.5.0. Affected by this vulnerability is an unknown functionality of the file /search of the component Search Bar. The manipulation of the argument kw leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-58159 | 1 Wegia | 1 Wegia | 2025-09-24 | 10 Critical |
| WeGIA is a Web manager for charitable institutions. Prior to version 3.4.11, a remote code execution vulnerability was identified, caused by improper validation of uploaded files. The application allows an attacker to upload files with arbitrary filenames, including those with a .php extension. Because the uploaded file is written directly to disk without adequate sanitization or extension restrictions, a spreadsheet file followed by PHP code can be uploaded and executed on the server, leading to arbitrary code execution. This is due to insufficient mitigation of CVE-2025-22133. This issue has been patched in version 3.4.11. | ||||
| CVE-2025-9321 | 2 Wordpress, Wpsight | 2 Wordpress, Wpcasa | 2025-09-24 | 9.8 Critical |
| The WPCasa plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.4.1. This is due to insufficient input validation and restriction on the 'api_requests' function. This makes it possible for unauthenticated attackers to call arbitrary functions and execute code. | ||||
| CVE-2025-23251 | 4 Apple, Linux, Microsoft and 1 more | 4 Macos, Linux Kernel, Windows and 1 more | 2025-09-24 | 7.6 High |
| NVIDIA NeMo Framework contains a vulnerability where a user could cause an improper control of generation of code by remote code execution. A successful exploit of this vulnerability might lead to code execution and data tampering. | ||||
| CVE-2025-23304 | 4 Apple, Linux, Microsoft and 1 more | 4 Macos, Linux Kernel, Windows and 1 more | 2025-09-24 | 7.8 High |
| NVIDIA NeMo library for all platforms contains a vulnerability in the model loading component, where an attacker could cause code injection by loading .nemo files with maliciously crafted metadata. A successful exploit of this vulnerability may lead to remote code execution and data tampering. | ||||
| CVE-2011-10019 | 1 Spreecommerce | 1 Spree | 2025-09-24 | 9.8 Critical |
| Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby’s send method. This allows attackers to execute arbitrary shell commands on the server without authentication. | ||||
| CVE-2011-10026 | 1 Spreecommerce | 1 Spree | 2025-09-24 | 9.8 Critical |
| Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input sanitation allows attackers to inject arbitrary shell commands via the search[instance_eval] parameter, which is dynamically invoked using Ruby’s send method. This flaw enables unauthenticated attackers to execute commands on the server. | ||||
| CVE-2025-59528 | 1 Flowiseai | 1 Flowise | 2025-09-23 | 10 Critical |
| Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs. This issue has been patched in version 3.0.6. | ||||
| CVE-2025-58673 | 1 Wordpress | 1 Wordpress | 2025-09-23 | 5.4 Medium |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Tareq Hasan WP User Frontend allows Code Injection. This issue affects WP User Frontend: from n/a through 4.1.11. | ||||
| CVE-2024-3660 | 2 Keras, Tensorflow | 2 Keras, Tensorflow | 2025-09-23 | 9.8 Critical |
| A arbitrary code injection vulnerability in TensorFlow's Keras framework (<2.13) allows attackers to execute arbitrary code with the same permissions as the application using a model that allow arbitrary code irrespective of the application. | ||||
| CVE-2024-31822 | 1 Ecommerce-codeigniter-bootstrap Project | 1 Ecommerce-codeigniter-bootstrap | 2025-09-23 | 9.8 Critical |
| An issue in Ecommerce-CodeIgniter-Bootstrap commit v. d22b54e8915f167a135046ceb857caaf8479c4da allows a remote attacker to execute arbitrary code via the saveLanguageFiles method of the Languages.php component. | ||||
| CVE-2024-33445 | 1 Hisiphp | 1 Hisiphp | 2025-09-22 | 9.8 Critical |
| An issue in hisiphp v2.0.111 allows a remote attacker to execute arbitrary code via a crafted script to the SystemPlugins::mkInfo parameter in the SystemPlugins.php component. | ||||
| CVE-2025-10710 | 1 07fly | 3 07fly-cms, 07flycms, 07flycrm | 2025-09-22 | 4.3 Medium |
| A flaw has been found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 20250831. This affects an unknown part of the file /index.php. This manipulation of the argument Name causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-10711 | 1 07fly | 3 07fly-cms, 07flycms, 07flycrm | 2025-09-22 | 4.3 Medium |
| A vulnerability has been found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 20250831. This vulnerability affects unknown code of the file /index.php/sysmanage/Login. Such manipulation of the argument Name leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way. | ||||