Export limit exceeded: 366301 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 366301 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 366301 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (6988 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-54594 1 React-native-bottom-tabs Project 1 React-native-bottom-tabs 2026-04-15 9.1 Critical
react-native-bottom-tabs is a library of Native Bottom Tabs for React Native. In versions 0.9.2 and below, the github/workflows/release-canary.yml GitHub Actions repository workflow improperly used the pull_request_target event trigger, which allowed for untrusted code from a forked pull request to be executed in a privileged context. An attacker could create a pull request containing a malicious preinstall script in the package.json file and then trigger the vulnerable workflow by posting a specific comment (!canary). This allowed for arbitrary code execution, leading to the exfiltration of sensitive secrets such as GITHUB_TOKEN and NPM_TOKEN, and could have allowed an attacker to push malicious code to the repository or publish compromised packages to the NPM registry. There is a remediation commit which removes github/workflows/release-canary.yml, but a version with this fix has yet to be released.
CVE-2024-54756 2026-04-15 9.8 Critical
A remote code execution (RCE) vulnerability in the ZScript function of ZDoom Team GZDoom v4.13.1 allows attackers to execute arbitrary code via supplying a crafted PK3 file containing a malicious ZScript source file.
CVE-2025-6092 2026-04-15 4.3 Medium
A vulnerability was found in comfyanonymous comfyui up to 0.3.39. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /upload/image of the component Incomplete Fix CVE-2024-10099. The manipulation of the argument image leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-48908 2026-04-15 N/A
lychee link checking action checks links in Markdown, HTML, and text files using lychee. Prior to version 2.0.2, there is a potential attack of arbitrary code injection vulnerability in lychee-setup of the composite action at action.yml. This issue has been patched in version 2.0.2.
CVE-2024-46639 1 Evolutionscript 1 Helpdeskz 2026-04-15 7.6 High
A cross-site scripting (XSS) vulnerability in HelpDeskZ v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name text field of Custom Fields message box.
CVE-2024-4662 2 Soflyy, Wordpress 2 Oxygen, Wordpress 2026-04-15 8.8 High
The Oxygen Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.8.2 via post metadata. This is due to the plugin storing custom data in post metadata without an underscore prefix. This makes it possible for lower privileged users, such as contributors, to inject arbitrary PHP code via the WordPress user interface and gain elevated privileges.
CVE-2024-45480 2026-04-15 N/A
An improper control of generation of code ('Code Injection') vulnerability in the AprolCreateReport component of B&R APROL <4.4-00P5 may allow an unauthenticated network-based attacker to read files from the local system.
CVE-2024-54724 2026-04-15 9.8 Critical
PHPYun before 7.0.2 is vulnerable to code execution through backdoor-restricted arbitrary file writing and file inclusion.
CVE-2024-42911 2026-04-15 7.4 High
ECOVACS Robotics Deebot T20 OMNI and T20e OMNI before 1.24.0 was discovered to contain a WiFi Remote Code Execution vulnerability.
CVE-2024-42041 1 Apptool-browser-video 1 Video Downloader 2026-04-15 8.1 High
The com.videodownload.browser.videodownloader (aka AppTool-Browser-Video All Video Downloader) application 20-30.05.24 for Android allows an attacker to execute arbitrary JavaScript code via the acr.browser.lightning.DefaultBrowserActivity component.
CVE-2024-41997 1 Warp Terminal 1 Warp Terminal 2026-04-15 6.6 Medium
An issue was discovered in version of Warp Terminal prior to 2024.07.18 (v0.2024.07.16.08.02). A command injection vulnerability exists in the Docker integration functionality. An attacker can create a specially crafted hyperlink using the `warp://action/docker/open_subshell` intent that when clicked by the victim results in command execution on the victim's machine.
CVE-2024-41961 1 Sapcc 1 Elektra 2026-04-15 9.2 Critical
Elektra is an opinionated Openstack Dashboard for Operators and Consumers of Openstack Services. A code injection vulnerability was found in the live search functionality of the Ruby on Rails based Elektra web application. An authenticated user can craft a search term containing Ruby code, which later flows into an `eval` sink which executes the code. Fixed in commit 8bce00be93b95a6512ff68fe86bf9554e486bc02.
CVE-2024-40516 1 H3c 1 Rc3000 Firmware 2026-04-15 8.8 High
An issue in H3C Technologies Co., Limited H3C Magic RC3000 RC3000V100R009 allows a remote attacker to execute arbitrary code via the Routing functionality.
CVE-2024-40442 1 Doccano 2 Auto Labeling Pipeline, Doccano 2026-04-15 7.2 High
An issue in Doccano Open source annotation tools for machine learning practitioners v.1.8.4 and Doccano Auto Labeling Pipeline module to annotate a document automatically v.0.1.23 allows a remote attacker to escalate privileges via a crafted REST Request.
CVE-2024-4039 2 Villatheme, Wordpress 2 Orders Tracking For Woocommerce, Wordpress 2026-04-15 6.5 Medium
The The Orders Tracking for WooCommerce plugin for WordPress for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.10. This is due to the plugin allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. A partial patch was released in 1.2.10, and a complete patch was released in 1.2.11.
CVE-2024-4038 2026-04-15 6.5 Medium
The The Back In Stock Notifier for WooCommerce | WooCommerce Waitlist Pro plugin for WordPress for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.3.1. This is due to the plugin for WordPress allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
CVE-2024-39071 1 Fujiankelixun 1 Command And Dispatch Platform 2026-04-15 9.8 Critical
Fujian Kelixun <=7.6.6.4391 is vulnerable to SQL Injection in send_event.php.
CVE-2024-39017 1 Agreejs Shared 1 Agreejs Shared 2026-04-15 9.8 Critical
agreejs shared v0.0.1 was discovered to contain a prototype pollution via the function mergeInternalComponents. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
CVE-2024-39015 1 Cafebazaar 1 Hod 2026-04-15 9.8 Critical
cafebazaar hod v0.4.14 was discovered to contain a prototype pollution via the function request. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
CVE-2024-38990 1 Tada5hi 1 Sp Common 2026-04-15 6.3 Medium
Tada5hi sp-common v0.5.4 was discovered to contain a prototype pollution via the function mergeDeep. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.