Search Results (1502 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-52251 1 Provectus 1 Ui 2025-06-17 8.8 High
An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages.
CVE-2024-0204 1 Fortra 1 Goanywhere Managed File Transfer 2025-05-30 9.8 Critical
Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.
CVE-2022-34715 1 Microsoft 1 Windows Server 2022 2025-05-29 9.8 Critical
Windows Network File System Remote Code Execution Vulnerability
CVE-2021-21351 7 Apache, Debian, Fedoraproject and 4 more 22 Activemq, Jmeter, Debian Linux and 19 more 2025-05-23 5.4 Medium
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CVE-2013-7285 4 Apache, Oracle, Redhat and 1 more 17 Activemq, Endeca Information Discovery Studio, Fuse Esb Enterprise and 14 more 2025-05-23 9.8 Critical
Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.
CVE-2020-26217 6 Apache, Debian, Netapp and 3 more 23 Activemq, Debian Linux, Snapmanager and 20 more 2025-05-23 8 High
XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
CVE-2020-26259 5 Apache, Debian, Fedoraproject and 2 more 10 Struts, Debian Linux, Fedora and 7 more 2025-05-23 6.8 Medium
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.
CVE-2020-26258 5 Apache, Debian, Fedoraproject and 2 more 10 Struts, Debian Linux, Fedora and 7 more 2025-05-23 6.3 Medium
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.
CVE-2022-24697 1 Apache 1 Kylin 2025-05-16 9.8 Critical
Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. RCE can be implemented by closing the single quotation marks around the parameter value of “-- conf=” to inject any operating system command into the command line parameters. This vulnerability affects Kylin 2 version 2.6.5 and earlier, Kylin 3 version 3.1.2 and earlier, and Kylin 4 version 4.0.1 and earlier.
CVE-2019-10173 3 Oracle, Redhat, Xstream 15 Banking Platform, Business Activity Monitoring, Communications Billing And Revenue Management Elastic Charging Engine and 12 more 2025-05-14 9.8 Critical
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)
CVE-2022-2992 1 Gitlab 1 Gitlab 2025-05-14 9.9 Critical
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.
CVE-2024-21683 1 Atlassian 7 Confluence Data Center, Confluence Server, Crucible and 4 more 2025-05-12 7.2 High
This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.  Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes https://confluence.atlassian.com/doc/confluence-release-notes-327.html You can download the latest version of Confluence Data Center and Server from the download center https://www.atlassian.com/software/confluence/download-archives. This vulnerability was found internally.
CVE-2015-0240 4 Canonical, Novell, Redhat and 1 more 9 Ubuntu Linux, Suse Linux Enterprise Desktop, Suse Linux Enterprise Server and 6 more 2025-05-09 N/A
The Netlogon server implementation in smbd in Samba 3.5.x and 3.6.x before 3.6.25, 4.0.x before 4.0.25, 4.1.x before 4.1.17, and 4.2.x before 4.2.0rc5 performs a free operation on an uninitialized stack pointer, which allows remote attackers to execute arbitrary code via crafted Netlogon packets that use the ServerPasswordSet RPC API, as demonstrated by packets reaching the _netr_ServerPasswordSet function in rpc_server/netlogon/srv_netlog_nt.c.
CVE-2016-20016 1 Mvpower 4 Tv-7104he, Tv-7104he Firmware, Tv7108he and 1 more 2025-05-09 9.8 Critical
MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE, contain a web shell that is accessible via a /shell URI. A remote unauthenticated attacker can execute arbitrary operating system commands as root. This vulnerability has also been referred to as the "JAWS webserver RCE" because of the easily identifying HTTP response server field. Other firmware versions, at least from 2014 through 2019, can be affected. This was exploited in the wild in 2017 through 2022.
CVE-2019-0227 2 Apache, Oracle 37 Axis, Agile Engineering Data Management, Agile Product Lifecycle Management and 34 more 2025-05-08 7.5 High
A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue.
CVE-2022-36958 1 Solarwinds 1 Orion Platform 2025-05-08 8.8 High
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands.
CVE-2023-0921 1 Gitlab 1 Gitlab 2025-05-05 4.3 Medium
A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage.
CVE-2024-26256 3 Fedoraproject, Libarchive, Microsoft 5 Fedora, Libarchive, Windows 11 22h2 and 2 more 2025-05-03 7.8 High
Libarchive Remote Code Execution Vulnerability
CVE-2024-30044 1 Microsoft 1 Sharepoint Server 2025-05-03 7.2 High
Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2004-0230 7 Juniper, Mcafee, Microsoft and 4 more 12 Junos, Network Data Loss Prevention, Windows 2000 and 9 more 2025-05-02 N/A
TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.