Search Results (2598 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-30041 1 Cgm 1 Clininet 2026-04-15 N/A
The paths "/cgi-bin/CliniNET.prd/utils/userlogstat.pl", "/cgi-bin/CliniNET.prd/utils/usrlogstat.pl", and "/cgi-bin/CliniNET.prd/utils/dblogstat.pl" expose data containing session IDs.
CVE-2025-30055 1 Cgm 1 Clininet 2026-04-15 N/A
The "system" function receives untrusted input from the user. If the "EnableJSCaching" option is enabled, it is possible to execute arbitrary code provided as the "Module" parameter.
CVE-2025-30056 1 Cgm 1 Clininet 2026-04-15 N/A
The RunCommand function accepts any parameter, which is then passed for execution in the shell. This allows an attacker to execute arbitrary code on the system.
CVE-2025-30057 1 Cgm 1 Clininet 2026-04-15 N/A
In UHCRTFDoc, the filename parameter can be exploited to execute arbitrary code via command injection into the system() call in the ConvertToPDF function.
CVE-2025-30063 2026-04-15 N/A
The configuration file containing database logins and passwords is readable by any local user.
CVE-2025-30085 2026-04-15 N/A
Remote code execution vulnerability in RSForm!pro component 3.0.0 - 3.3.14 for Joomla was discovered. The issue occurs within the submission export feature and requires administrative access to the export feature.
CVE-2025-30091 2026-04-15 N/A
In Tiny MoxieManager PHP before 4.0.0, remote code execution can occur in the installer command. This vulnerability allows unauthenticated attackers to inject and execute arbitrary code. Attacker-controlled data to InstallCommand can be inserted into config.php, and InstallCommand is available after an installation has completed.
CVE-2025-3022 2026-04-15 N/A
Os command injection vulnerability in e-solutions e-management. This vulnerability allows an attacker to execute arbitrary commands on the server via the ‘client’ parameter in the /data/apache/e-management/api/api3.php endpoint.
CVE-2025-30247 1 Western Digital 1 My Cloud 2026-04-15 N/A
An OS command injection vulnerability in user interface in Western Digital My Cloud firmware prior to 5.31.108 on NAS platforms allows remote attackers to execute arbitrary system commands via a specially crafted HTTP POST.
CVE-2025-30519 1 Doverfuelingsolutions 1 Progauge Maglink Lx Console 2026-04-15 9.8 Critical
Dover Fueling Solutions ProGauge MagLink LX4 Devices have default root credentials that cannot be changed through standard administrative means. An attacker with network access to the device can gain administrative access to the system.
CVE-2025-3096 2026-04-15 N/A
Clinic’s Patient Management System versions 2.0 suffers from a SQL injection vulnerability in the login page.
CVE-2025-31122 2026-04-15 N/A
scratch-coding-hut.github.io is the website for Coding Hut. In 1.0-beta3 and earlier, the login link can be used to login to any account by changing the username in the username field.
CVE-2025-3114 2026-04-15 N/A
Code Execution via Malicious Files: Attackers can create specially crafted files with embedded code that may execute without adequate security validation, potentially leading to system compromise. Sandbox Bypass Vulnerability: A flaw in the TERR security mechanism allows attackers to bypass sandbox restrictions, enabling the execution of untrusted code without appropriate controls.
CVE-2025-3128 1 Mitsubishielectric 1 Smartrtu 2026-04-15 9.8 Critical
A remote unauthenticated attacker who has bypassed authentication could execute arbitrary OS commands to disclose, tamper with, destroy or delete information in Mitsubishi Electric smartRTU, or cause a denial-of service condition on the product.
CVE-2025-31342 1 Galaxy Software Services Corporation 1 Vitals Esp 2026-04-15 N/A
An unrestricted upload of file with dangerous type vulnerability in the upload file function of Galaxy Software Services Corporation Vitals ESP Forum Module through 1.3 version allows remote authenticated users to execute arbitrary system commands via a malicious file.
CVE-2025-31340 2026-04-15 N/A
A improper control of filename for include/require statement in PHP program vulnerability in the retrieve course Information function of Wisdom Master Pro versions 5.0 through 5.2 allows remote attackers to perform arbitrary system commands by running a malicious file.
CVE-2025-31484 2026-04-15 N/A
conda-forge infrastructure holds common configurations and settings for key pieces of the conda-forge infrastructure. Between 2025-02-10 and 2025-04-01, conda-forge infrastructure used the wrong token for Azure's cf-staging access. This bug meant that any feedstock maintainer could upload a package to the conda-forge channel, bypassing our feedstock-token + upload process. The security logs on anaconda.org were check for any packages that were not copied from the cf-staging to the conda-forge channel and none were found.
CVE-2025-27509 1 Fleetdm 1 Fleet 2026-04-15 N/A
fleetdm/fleet is an open source device management, built on osquery. In vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to forge authentication assertions, provision a new administrative user account if Just-In-Time (JIT) provisioning is enabled, or create new accounts tied to forged assertions if f MDM enrollment is enabled. This vulnerability is fixed in 4.64.2, 4.63.2, 4.62.4, and 4.58.1.
CVE-2025-27510 2026-04-15 N/A
conda-forge-metadata provides programatic access to conda-forge's metadata. conda-forge-metadata uses an optional dependency - "conda-oci-mirror" which was neither present on the PyPi repository nor registered by any entity. If conda-oci-mirror is taken over by a threat actor, it can result in remote code execution.
CVE-2025-27517 2026-04-15 N/A
Volt is an elegantly crafted functional API for Livewire. Malicious, user-crafted request payloads could potentially lead to remote code execution within Volt components. This vulnerability is fixed in 1.7.0.