Export limit exceeded: 366589 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (6995 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-70830 | 1 Running-elephant | 1 Datart | 2026-04-15 | 9.9 Critical |
| A Server-Side Template Injection (SSTI) vulnerability in the Freemarker template engine of Datart v1.0.0-rc.3 allows authenticated attackers to execute arbitrary code via injecting crafted Freemarker template syntax into the SQL script field. | ||||
| CVE-2024-3995 | 1 Perforce | 1 Helix Alm | 2026-04-15 | N/A |
| In Helix ALM versions prior to 2024.2.0, a local command injection was identified. Reported by Bryan Riggins. | ||||
| CVE-2024-39915 | 2026-04-15 | 10 Critical | ||
| Thruk is a multibackend monitoring webinterface for Naemon, Nagios, Icinga and Shinken using the Livestatus API. This authenticated RCE in Thruk allows authorized users with network access to inject arbitrary commands via the URL parameter during PDF report generation. The Thruk web application does not properly process the url parameter when generating a PDF report. An authorized attacker with access to the reporting functionality could inject arbitrary commands that would be executed when the script /script/html2pdf.sh is called. The vulnerability can be exploited by an authorized user with network access. This issue has been addressed in version 3.16. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-7800 | 2026-04-15 | 3.5 Low | ||
| A vulnerability classified as problematic was found in cgpandey hotelmis up to c572198e6c4780fccc63b1d3e8f3f72f825fc94e. This vulnerability affects unknown code of the file admin.php of the component HTTP GET Request Handler. The manipulation of the argument Search leads to cross site scripting. The attack can be initiated remotely. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. | ||||
| CVE-2025-7803 | 2026-04-15 | 3.5 Low | ||
| A vulnerability was found in descreekert wx-discuz up to 12bd4745c63ec203cb32119bf77ead4a923bf277. It has been classified as problematic. This affects the function validToken of the file /wx.php. The manipulation of the argument echostr leads to cross site scripting. It is possible to initiate the attack remotely. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. | ||||
| CVE-2024-39844 | 1 Znc | 1 Znc | 2026-04-15 | 9.8 Critical |
| In ZNC before 1.9.1, remote code execution can occur in modtcl via a KICK. | ||||
| CVE-2024-3924 | 2026-04-15 | N/A | ||
| A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the `autodocs.yml` workflow file. The vulnerability arises from the insecure handling of the `github.head_ref` user input, which is used to dynamically construct a command for installing a software package. An attacker can exploit this by forking the repository, creating a branch with a malicious payload as the name, and then opening a pull request to the base repository. Successful exploitation could lead to arbitrary code execution within the context of the GitHub Actions runner. This issue affects versions up to and including v2.0.0 and was fixed in version 2.0.0. | ||||
| CVE-2024-39209 | 1 Luci App Sms Tool | 1 Luci App Sms Tool | 2026-04-15 | 6.3 Medium |
| luci-app-sms-tool v1.9-6 was discovered to contain a command injection vulnerability via the score parameter. | ||||
| CVE-2024-38448 | 2026-04-15 | 9.1 Critical | ||
| htags in GNU Global through 6.6.12 allows code execution in situations where dbpath (aka -d) is untrusted, because shell metacharacters may be used. | ||||
| CVE-2024-37862 | 1 Open Robotic | 3 Navigation2 Humble, Ros2 Humble, Ros2 Navigation2 | 2026-04-15 | 7.3 High |
| Buffer Overflow vulnerability in Open Robotic Robotic Operating System 2 ROS2 navigation2- ROS2-humble&& navigation2-humble allows a local attacker to execute arbitrary code via a crafted .yaml file to the nav2_planner process. | ||||
| CVE-2024-37860 | 1 Open Robotics | 3 Nav2 Humble, Ros2 Humble, Ros2 Navigation2 | 2026-04-15 | 7.3 High |
| Buffer Overflow vulnerability in Open Robotic Operating System 2 ROS2 navigation2- ROS2-humble&& navigation2-humble allows a local attacker to execute arbitrary code via a crafted .yaml file to the nav2_amcl process | ||||
| CVE-2024-37855 | 1 Nepstech | 1 Ntpl-xpon1gfevn Firmware | 2026-04-15 | 8.4 High |
| An issue in Nepstech Wifi Router xpon (terminal) NTPL-Xpon1GFEVN, hardware verstion 1.0 firmware 2.0.1 allows a remote attacker to execute arbitrary code via the router's Telnet port 2345 without requiring authentication credentials. | ||||
| CVE-2024-37779 | 1 Woodwing Elvis Dam | 1 Woodwing Elvis Dam | 2026-04-15 | 8.8 High |
| WoodWing Elvis DAM v6.98.1 was discovered to contain an authenticated remote command execution (RCE) vulnerability via the Apache Ant script functionality. | ||||
| CVE-2024-37124 | 2026-04-15 | 9.8 Critical | ||
| Use of potentially dangerous function issue exists in Ricoh Streamline NX PC Client. If this vulnerability is exploited, an attacker may create an arbitrary file in the PC where the product is installed. | ||||
| CVE-2024-35515 | 1 Sqlitedict | 1 Sqlitedict | 2026-04-15 | 9.8 Critical |
| Insecure deserialization in sqlitedict up to v2.1.0 allows attackers to execute arbitrary code. | ||||
| CVE-2021-41527 | 2026-04-15 | N/A | ||
| An error related to the 2-factor authorization (2FA) on the RISC Platform prior to the saas-2021-12-29 release can potentially be exploited to bypass the 2FA. The vulnerability requires that the 2FA setup hasn’t been completed. | ||||
| CVE-2024-44722 | 1 Anolis | 1 Sysak | 2026-04-14 | 9.8 Critical |
| SysAK v2.0 and before is vulnerable to command execution via aaa;cat /etc/passwd. | ||||
| CVE-2026-33943 | 1 Capricorn86 | 2 Happy-dom, Happy Dom | 2026-04-14 | 8.8 High |
| Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization. Version 20.8.8 fixes the issue. | ||||
| CVE-2026-35171 | 2 Kedro-org, Linuxfoundation | 2 Kedro, Kedro | 2026-04-14 | 9.8 Critical |
| Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup. This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input. This vulnerability is fixed in 1.3.0. | ||||
| CVE-2026-35643 | 1 Openclaw | 1 Openclaw | 2026-04-14 | 8.8 High |
| OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context. | ||||