CVE Daily
← All tags

Tag: Remote Code Execution

All CVEs associated with "Remote Code Execution". Page 34/345 • 41319 CVEs.

Subscribe CVEs: RSS for “Remote Code Execution”  ·  RSS (High+Critical only)

About “Remote Code Execution”

A curated feed of “Remote Code Execution”-related CVEs appears below. We currently track 41319 CVEs for this tag (all time). In the last 365 days, 4661 were published. Average CVSS is 8.3 (all time; 8.2 over 365d), and 86% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-94 - Improper Control of Generation of Code ('Code Injection'), CWE-434 - Unrestricted Upload of File with Dangerous Type, CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').

In our taxonomy this topic maps to a VERY HIGH impact class. Common exploitation patterns for this weakness can lead to very high. Use the filters to triage high risk first and validate exposure in your environment. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2025-08-06
Medium

CVE-2025-8646

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR device…

CVSS: 6.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2025-8645

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR device…

CVSS: 6.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2025-8644

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR device…

CVSS: 6.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2025-8643

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR device…

CVSS: 6.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2025-8642

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR device…

CVSS: 6.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2025-8641

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR device…

CVSS: 6.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2025-8640

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR device…

CVSS: 6.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2025-8639

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected Kenwood DMX958XR devices. Authentication…

CVSS: 6.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2025-8638

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR device…

CVSS: 6.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2025-8637

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR device…

CVSS: 6.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2025-8636

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR device…

CVSS: 6.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2025-8635

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR device…

CVSS: 6.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2025-8634

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR device…

CVSS: 6.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2025-8633

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR device…

CVSS: 6.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2025-8632

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR device…

CVSS: 6.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2025-8631

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR device…

CVSS: 6.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2025-8630

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR device…

CVSS: 6.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2025-8629

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR device…

CVSS: 6.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2025-8628

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR device…

CVSS: 6.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Critical

CVE-2025-54594

react-native-bottom-tabs is a library of Native Bottom Tabs for React Native. In versions 0.9.2 and below, the github/workflows/release-canary.yml GitHub Actions repository workflow improperly used t…

CVSS: 9.1 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2025-08-05
High

CVE-2025-53534

RatPanel is a server operation and maintenance management panel. In versions 2.3.19 through 2.5.5, when an attacker obtains the backend login path of RatPanel (including but not limited to weak defau…

CVSS: 7.7 CWE: CWE-305 - Authentication Bypass by Primary Weakness View on NVD
Medium

CVE-2025-51541

A stored cross-site scripting (XSS) vulnerability exists in the Shopware 6 installation interface at /recovery/install/database-configuration/. The c_database_schema field fails to properly sanitize…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Critical

CVE-2013-10070

PHP-Charts v1.0 contains a PHP code execution vulnerability in wizard/url.php, where user-supplied GET parameter names are passed directly to eval() without sanitization. A remote attacker can exploi…

CVSS: 10.0 CWE: CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') View on NVD
Critical

CVE-2013-10068

Foxit Reader versions through 5.4.5.0114, including the bundled Foxit Reader Plugin 2.2.1.530, contains a stack-based buffer overflow vulnerability in the npFoxitReaderPlugin.dll module. When a PDF f…

CVSS: 9.4 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
Critical

CVE-2013-10067

Glossword versions 1.8.8 through 1.8.12 contain an authenticated arbitrary file upload vulnerability. When deployed as a standalone application, the administrative interface (gw_admin.php) allows use…

CVSS: 9.4 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2013-10066

An unauthenticated arbitrary file upload vulnerability exists in Kordil EDMS v2.2.60rc3. The application exposes an upload endpoint (users_add.php) that allows attackers to upload files to the /userp…

CVSS: 10.0 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2013-10064

A stack-based buffer overflow vulnerability exists in ActFax Server version 5.01. The server's RAW protocol interface fails to safely process user-supplied data in @F506 fax header fields due to inse…

CVSS: 9.3 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
Critical

CVE-2012-10035

Turbo FTP Server versions 1.30.823 and 1.30.826 contain a buffer overflow vulnerability in the handling of the PORT command. By sending a specially crafted payload, an unauthenticated remote attacker…

CVSS: 10.0 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
Critical

CVE-2012-10033

Narcissus is vulnerable to remote code execution via improper input handling in its image configuration workflow. Specifically, the backend.php script fails to sanitize the release parameter before p…

CVSS: 9.3 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
High

CVE-2012-10031

BlazeVideo HDTV Player Pro v6.6.0.3 is vulnerable to a stack-based buffer overflow due to improper handling of user-supplied input embedded in .plf playlist files. When parsing a crafted .plf file, t…

CVSS: 8.6 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
Critical

CVE-2012-10030

FreeFloat FTP Server contains multiple critical design flaws that allow unauthenticated remote attackers to upload arbitrary files to sensitive system directories. The server accepts empty credential…

CVSS: 9.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2012-10029

Nagios XI Network Monitor prior to Graph Explorer component version 1.3 contains a command injection vulnerability in `visApi.php`. An authenticated user can inject system commands via unsanitized pa…

CVSS: 8.6 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
High

CVE-2012-10028

Netwin SurgeFTP version 23c8 and prior contains a vulnerability in its web-based administrative console that allows authenticated users to execute arbitrary system commands via crafted POST requests…

CVSS: 8.6 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Critical

CVE-2012-10027

WP-Property plugin for WordPress up to and including version 1.35.0 contains an unauthenticated file upload vulnerability in the third-party `uploadify.php` script. A remote attacker can upload arbit…

CVSS: 9.3 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2012-10026

The WordPress plugin Asset-Manager version 2.0 and below contains an unauthenticated arbitrary file upload vulnerability in upload.php. The endpoint fails to properly validate and restrict uploaded f…

CVSS: 10.0 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2012-10025

The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_u…

CVSS: 10.0 CWE: CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') View on NVD
Critical

CVE-2012-10023

A stack-based buffer overflow vulnerability exists in FreeFloat FTP Server version 1.0.0. The server fails to properly validate input passed to the USER command, allowing remote attackers to overwrit…

CVSS: 9.8 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
Medium

CVE-2025-45512

A lack of signature verification in the bootloader of DENX Software Engineering Das U-Boot (U-Boot) v1.1.3 allows attackers to install crafted firmware files, leading to arbitrary code execution.

CVSS: 6.5 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
Medium

CVE-2025-50688

A command injection vulnerability exists in TwistedWeb (version 14.0.0) due to improper input sanitization in the file upload functionality. An attacker can exploit this vulnerability by sending a sp…

CVSS: 6.5 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
Critical

CVE-2025-54253

Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to b…

CVSS: 10.0 CWE: CWE-863 - Incorrect Authorization View on NVD
Critical

CVE-2025-50707

An issue in thinkphp3 v.3.2.5 allows a remote attacker to execute arbitrary code via the index.php component

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Critical

CVE-2025-50706

An issue in thinkphp v.5.1 allows a remote attacker to execute arbitrary code via the routecheck function

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Critical

CVE-2025-2611

The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie that get executed on the server. This results…

CVSS: 9.3 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
High

CVE-2025-6207

The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_tempalte_import' function in all versions up to, and including,…

CVSS: 7.5 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2025-5061

The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_parse_upload_data' function in all versions up to, and includin…

CVSS: 7.5 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2025-54802

pyLoad is the free and open-source Download Manager written in pure Python. In versions 0.5.0b3.dev89 and below, there is an opportunity for path traversal in pyLoad-ng CNL Blueprint via package para…

CVSS: 9.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2025-08-04
Critical

CVE-2025-46093

LiquidFiles before 4.1.2 supports FTP SITE CHMOD for mode 6777 (setuid and setgid), which allows FTPDrop users to execute arbitrary code as root by leveraging the Actionscript feature and the sudoers…

CVSS: 9.9 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
Critical

CVE-2025-51387

The GitKraken Desktop 10.8.0 and 11.1.0 is susceptible to code injection due to misconfigured Electron Fuses. Specifically, the following insecure settings were observed: RunAsNode is enabled and Ena…

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Critical

CVE-2025-50754

Unisite CMS version 5.0 contains a stored Cross-Site Scripting (XSS) vulnerability in the "Report" functionality. A malicious script submitted by an attacker is rendered in the admin panel when viewe…

CVSS: 9.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2025-53395

Paramount Macrium Reflect through 2025-06-26 allows local attackers to execute arbitrary code with administrator privileges via a crafted .mrimgx backup file and a malicious VSSSvr.dll located in the…

CVSS: 7.7 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
High

CVE-2025-53394

Paramount Macrium Reflect through 2025-06-26 allows attackers to execute arbitrary code with administrator privileges via a crafted .mrimgx or .mrbax backup file and a renamed executable placed in th…

CVSS: 7.7 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
Critical

CVE-2025-52239

An arbitrary file upload vulnerability in ZKEACMS v4.1 allows attackers to execute arbitrary code via a crafted file.

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2013-10054

An unauthenticated arbitrary file upload vulnerability exists in LibrettoCMS version 1.1.7 (and possibly earlier) contains an unauthenticated arbitrary file upload vulnerability in its File Manager p…

CVSS: 9.3 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2025-6204

An Improper Control of Generation of Code (Code Injection) vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to execute arbitrary code.

CVSS: 8.0 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2025-08-02
High

CVE-2025-23284

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager, where a malicious guest could cause a stack buffer overflow. A successful exploit of this vulnerability might lead to code ex…

CVSS: 7.8 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
High

CVE-2025-23283

NVIDIA vGPU software for Linux-style hypervisors contains a vulnerability in the Virtual GPU Manager, where a malicious guest could cause stack buffer overflow. A successful exploit of this vulnerabi…

CVSS: 7.8 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
High

CVE-2025-23281

NVIDIA GPU Display Driver for Windows contains a vulnerability where an attacker with local unprivileged access that can win a race condition might be able to trigger a use-after-free error. A succes…

CVSS: 7.0 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2025-23279

NVIDIA .run Installer for Linux and Solaris contains a vulnerability where an attacker could use a race condition to escalate privileges. A successful exploit of this vulnerability might lead to code…

CVSS: 7.0 CWE: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition View on NVD
High

CVE-2025-23276

NVIDIA Installer for Windows contains a vulnerability where an attacker may be able to escalate privileges. A successful exploit of this vulnerability may lead to escalation of privileges, denial of…

CVSS: 7.8 CWE: CWE-552 - Files or Directories Accessible to External Parties View on NVD
Medium

CVE-2025-7694

The Woffice Core plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the woffice_file_manager_delete() function in all versions up to, and includ…

CVSS: 6.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2025-54789

Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, the File Move functionality does not contain logic that prevents injection of arbitrary JavaScript,…

CVSS: 6.1 CWE: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) View on NVD
High

CVE-2025-54782

Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-in…

CVSS: 8.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
Critical

CVE-2025-54386

Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in WASM Traefik’s plugin installati…

CVSS: 9.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2025-54136

Cursor is a code editor built for programming with AI. In versions 1.2.4 and below, attackers can achieve remote and persistent code execution by modifying an already trusted MCP configuration file i…

CVSS: 7.2 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2025-08-01
High

CVE-2025-54424

1Panel is a web interface and MCP Server that manages websites, files, containers, databases, and LLMs on a Linux server. In versions 2.0.5 and below, the HTTPS protocol used for communication betwee…

CVSS: 8.1 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
High

CVE-2013-10058

An authenticated OS command injection vulnerability exists in various Linksys router models (tested on WRT160Nv2) running firmware version v2.0.03 via the apply.cgi endpoint. The web interface fails…

CVSS: 8.6 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
High

CVE-2013-10057

A stack-based buffer overflow vulnerability exists in Synactis PDF In-The-Box ActiveX control (PDF_IN_1.ocx), specifically the ConnectToSynactis method. When a long string is passed to this method—in…

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Critical

CVE-2013-10055

An unauthenticated arbitrary file upload vulnerability exists in Havalite CMS version 1.1.7 (and possibly earlier) in the upload.php script. The application fails to enforce proper file extension val…

CVSS: 9.3 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2013-10051

A remote PHP code execution vulnerability exists in InstantCMS version 1.6 and earlier due to unsafe use of eval() within the search view handler. Specifically, user-supplied input passed via the loo…

CVSS: 9.8 CWE: CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') View on NVD
High

CVE-2013-10046

A local privilege escalation vulnerability exists in Agnitum Outpost Internet Security 8.1 that allows an unprivileged user to execute arbitrary code with SYSTEM privileges. The flaw resides in the a…

CVSS: 8.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2013-10044

An authenticated SQL injection vulnerability exists in OpenEMR ≤ 4.1.1 Patch 14 that allows a low-privileged attacker to extract administrator credentials and subsequently escalate privileges. Once e…

CVSS: 8.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2025-8480

Alpine iLX-507 Command Injection Remote Code Execution. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Alpine iLX-507 devices. Authenticat…

CVSS: 8.0 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2025-8477

Alpine iLX-507 vCard Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected Alpine iLX-507…

CVSS: 7.4 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
High

CVE-2025-8476

Alpine iLX-507 TIDAL Improper Certificate Validation Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Alpine iLX-507 devices.…

CVSS: 8.0 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2025-8475

Alpine iLX-507 AVRCP Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Alpin…

CVSS: 7.4 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
Medium

CVE-2025-8474

Alpine iLX-507 CarPlay Stack-based Buffer Overflow Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Alpine i…

CVSS: 6.8 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
Medium

CVE-2025-8473

Alpine iLX-507 UPDM_wstpCBCUpdStart Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Alpine iLX-507 devic…

CVSS: 6.6 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
High

CVE-2025-8472

Alpine iLX-507 vCard Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations…

CVSS: 7.4 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
Critical

CVE-2025-6000

A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fi…

CVSS: 9.1 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2025-54593

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.1 and below, an authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to on…

CVSS: 7.2 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Critical

CVE-2025-54574

Squid is a caching proxy for the Web. In versions 6.3 and below, Squid is vulnerable to a heap buffer overflow and possible remote code execution attack when processing URN due to incorrect buffer ma…

CVSS: 9.3 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
Critical

CVE-2025-50472

The modelscope/ms-swift library thru 2.6.1 is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_model_meta()` function of the `ModelFileSystemCache()`…

CVSS: 9.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
Critical

CVE-2025-50460

A remote code execution (RCE) vulnerability exists in the ms-swift project version 3.3.0 due to unsafe deserialization in tests/run.py using yaml.load() from the PyYAML library (versions = 5.3.1). If…

CVSS: 9.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
High

CVE-2025-7443

The BerqWP – Automated All-In-One Page Speed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript plugin for WordPress is vulnerable to arbitrary file uploads due to missing file…

CVSS: 8.1 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-07-31
High

CVE-2025-50572

Archer 6.11.00204.10014 allows attackers to execute arbitrary code via crafted system inputs that would be exported into the CSV and be executed after the user opened the file with compatible applica…

CVSS: 8.8 CWE: CWE-1236 - Improper Neutralization of Formula Elements in a CSV File View on NVD
Critical

CVE-2025-26063

An issue in Intelbras RX1500 v2.2.9 and RX3000 v1.0.11 allows unauthenticated attackers to execute arbitrary code via injecting a crafted payload into the ESSID name when creating a network.

CVSS: 9.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
Medium

CVE-2025-50848

A file upload vulnerability was discovered in CS Cart 4.18.3, allows attackers to execute arbitrary code. CS Cart 4.18.3 allows unrestricted upload of HTML files, which are rendered directly in the b…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Critical

CVE-2025-50475

An OS command injection vulnerability exists in Russound MBX-PRE-D67F firmware version 3.1.6, allowing unauthenticated attackers to execute arbitrary commands as root via crafted input to the hostnam…

CVSS: 9.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2025-50270

A stored Cross Site Scripting (xss) vulnerability in the "content management" feature in AnQiCMS v.3.4.11 allows a remote attacker to execute arbitrary code via a crafted script to the title, categor…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2025-34146

A prototype pollution vulnerability exists in @nyariv/sandboxjs versions <= 0.8.23, allowing attackers to inject arbitrary properties into Object.prototype via crafted JavaScript code. This can resul…

CVSS: 7.0 CWE: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') View on NVD
Critical

CVE-2014-125126

An unrestricted file upload vulnerability exists in Simple E-Document versions 3.0 to 3.1 that allows an unauthenticated attacker to bypass authentication by sending a specific cookie header (access=…

CVSS: 9.2 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Critical

CVE-2013-10043

A vulnerability exists in OAstium VoIP PBX astium-confweb-2.1-25399 and earlier, where improper input validation in the logon.php script allows an attacker to bypass authentication via SQL injection.…

CVSS: 9.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Critical

CVE-2013-10042

A stack-based buffer overflow vulnerability exists in freeFTPd version 1.0.10 and earlier in the handling of the FTP PASS command. When an attacker sends a specially crafted password string, the appl…

CVSS: 9.8 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
Critical

CVE-2013-10040

ClipBucket version 2.6 and earlier contains a critical vulnerability in the ofc_upload_image.php script located at /admin_area/charts/ofc-library/. This endpoint allows unauthenticated users to uploa…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2013-10038

An unauthenticated arbitrary file upload vulnerability exists in FlashChat versions 6.0.2 and 6.0.4 through 6.0.8. The upload.php endpoint fails to properly validate file types and authentication, al…

CVSS: 9.3 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2013-10036

A stack-based buffer overflow vulnerability exists in Beetel Connection Manager version PCW_BTLINDV1.0.0B04 when parsing the UserName parameter in the NetConfig.ini configuration file. A crafted .ini…

CVSS: 8.4 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
High

CVE-2013-10035

A code injection vulnerability exists in ProcessMaker Open Source versions 2.x when using the default 'neoclassic' skin. An authenticated user can execute arbitrary PHP code via multiple endpoints, i…

CVSS: 8.7 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Critical

CVE-2013-10034

An unrestricted file upload vulnerability exists in Kaseya KServer versions prior to 6.3.0.2. The uploadImage.asp endpoint allows unauthenticated users to upload files to arbitrary paths via a crafte…

CVSS: 9.3 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2013-10033

An unauthenticated SQL injection vulnerability exists in Kimai version 0.9.2.x via the db_restore.php endpoint. The flaw allows attackers to inject arbitrary SQL queries into the dates[] POST paramet…

CVSS: 9.3 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Critical

CVE-2012-10021

A stack-based buffer overflow vulnerability exists in D-Link DIR-605L Wireless N300 Cloud Router firmware versions 1.12 and 1.13 via the getAuthCode() function. The flaw arises from unsafe usage of s…

CVSS: 9.8 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
High

CVE-2011-10008

A stack-based buffer overflow vulnerability exists in MPlayer Lite r33064 due to improper bounds checking when handling M3U playlist files containing long http:// URL entries. An attacker can craft a…

CVSS: 8.6 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2025-46359

A path traversal issue exists in backup and restore feature of multiple versions of PowerCMS. A product administrator may execute arbitrary code by restoring a crafted backup file.

CVSS: 7.2 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2025-7847

The AI Engine plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the rest_simpleFileUpload() function in versions 2.9.3 and 2.9.4. This makes it possi…

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-07-30
Medium

CVE-2025-45619

An issue in Aver PTC310UV2 firmware v.0.1.0000.59 allows a remote attacker to execute arbitrary code via the SendAction function

CVSS: 6.5 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
Medium

CVE-2025-25692

A PHAR deserialization vulnerability in the _getHeaders function of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request.

CVSS: 6.5 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
Medium

CVE-2025-25691

A PHAR deserialization vulnerability in the component /themes/import of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request.

CVSS: 6.5 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
High

CVE-2025-8323

The e-School from Ventem has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on t…

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Medium

CVE-2025-8321

Tesla Wall Connector Firmware Downgrade Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Tesla Wall Connector devices. Auth…

CVSS: 6.8 CWE: CWE-1328 - Security Version Number Mutable to Older Versions View on NVD
High

CVE-2025-8320

Tesla Wall Connector Content-Length Header Improper Input Validation Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected in…

CVSS: 8.8 CWE: CWE-1284 - Improper Validation of Specified Quantity in Input View on NVD
High

CVE-2025-24119

This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.3, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to execute arbitrary code out of i…

CVSS: 7.8 CWE: CWE-269 - Improper Privilege Management View on NVD
2025-07-29
High

CVE-2025-7849

A memory corruption vulnerability due to improper error handling when a VILinkObj is null exists in NI LabVIEW that may result in arbitrary code execution. Successful exploitation requires an attack…

CVSS: 7.8 CWE: CWE-1285 - Improper Validation of Specified Index, Position, or Offset in Input View on NVD
High

CVE-2025-7848

A memory corruption vulnerability due to improper input validation in lvpict.cpp exists in NI LabVIEW that may result in arbitrary code execution. Successful exploitation requires an attacker to get…

CVSS: 7.8 CWE: CWE-1285 - Improper Validation of Specified Index, Position, or Offset in Input View on NVD
High

CVE-2025-7361

A code injection vulnerability due to an improper initialization check exists in NI LabVIEW that may result in arbitrary code execution. Successful exploitation requires an attacker to get a user to…

CVSS: 7.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2025-45346

SQL Injection vulnerability in Bacula-web before v.9.7.1 allows a remote attacker to execute arbitrary code via a crafted HTTP GET request.

CVSS: 8.1 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2025-33092

IBM Db2 for Linux 12.1.0, 12.1.1, and 12.1.2 is vulnerable to a stack-based buffer overflow in db2fm, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrar…

CVSS: 7.8 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
High

CVE-2025-7675

A maliciously crafted 3DM file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, caus…

CVSS: 7.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2025-7497

A maliciously crafted PRT file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, caus…

CVSS: 7.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2025-6637

A maliciously crafted PRT file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, caus…

CVSS: 7.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2025-6636

A maliciously crafted PRT file, when parsed through certain Autodesk products, can force a Use-After-Free vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensi…

CVSS: 7.8 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2025-6635

A maliciously crafted PRT file, when linked or imported into certain Autodesk products, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a cra…

CVSS: 7.8 CWE: CWE-125 - Out-of-bounds Read View on NVD