Export limit exceeded: 351284 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 10336 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10336 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-45198 | 2026-04-15 | 8.8 High | ||
| insightsoftware Spark JDBC 2.6.21 has a remote code execution vulnerability. Attackers can inject malicious parameters into the JDBC URL, triggering JNDI injection during the process when the JDBC Driver uses this URL to connect to the database. This can further lead to remote code execution. | ||||
| CVE-2025-9918 | 2 Google, Google Cloud | 2 Cloud Platform, Secops Soar Server | 2026-04-15 | N/A |
| A Path Traversal vulnerability in the archive extraction component in Google SecOps SOAR Server (versions 6.3.54.0, 6.3.53.2, and all prior versions) allows an authenticated attacker with permissions to import Use Cases to achieve Remote Code Execution (RCE) via uploading a malicious ZIP archive containing path traversal sequences. | ||||
| CVE-2025-53867 | 2026-04-15 | 9.8 Critical | ||
| Island Lake WebBatch before 2025C allows Remote Code Execution via a crafted URL. | ||||
| CVE-2024-10771 | 1 Sick | 3 Inspector61x Firmware, Inspector62x Firmware, Tim3xx | 2026-04-15 | 8.8 High |
| Due to missing input validation during one step of the firmware update process, the product is vulnerable to remote code execution. With network access and the user level ”Service”, an attacker can execute arbitrary system commands in the root user’s contexts. | ||||
| CVE-2024-13981 | 2026-04-15 | N/A | ||
| LiveBOS, an object-oriented business architecture middleware suite developed by Apex Software Co., Ltd., contains an arbitrary file upload vulnerability in its UploadFile.do;.js.jsp endpoint. This flaw affects the LiveBOS Server component and allows unauthenticated remote attackers to upload crafted files outside the intended directory structure via path traversal in the filename parameter. Successful exploitation may lead to remote code execution on the server, enabling full system compromise. The vulnerability is presumed to affect builds released prior to August 2024 and is said to be remediated in newer versions of the product, though the exact affected range remains undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-08-23 UTC. | ||||
| CVE-2024-50672 | 1 Adapt Authoring Tool | 1 Adapt Authoring Tool | 2026-04-15 | 9.8 Critical |
| A NoSQL injection vulnerability in Adapt Learning Adapt Authoring Tool <= 0.11.3 allows unauthenticated attackers to reset user and administrator account passwords via the "Reset password" feature. The vulnerability occurs due to insufficient validation of user input, which is used as a query in Mongoose's find() function. This makes it possible for attackers to perform a full takeover of the administrator account. Attackers can then use the newly gained administrative privileges to upload a custom plugin to perform remote code execution (RCE) on the server hosting the web application. | ||||
| CVE-2024-6345 | 2 Python, Redhat | 10 Setuptools, Enterprise Linux, Openshift and 7 more | 2026-04-15 | 8.8 High |
| A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. | ||||
| CVE-2025-13486 | 2 Hwk-fr, Wordpress | 2 Advanced Custom Fields, Wordpress | 2026-04-15 | 9.8 Critical |
| The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts. | ||||
| CVE-2025-34163 | 2026-04-15 | N/A | ||
| Dongsheng Logistics Software exposes an unauthenticated endpoint at /CommMng/Print/UploadMailFile that fails to enforce proper file type validation and access control. An attacker can upload arbitrary files, including executable scripts such as .ashx, via a crafted multipart/form-data POST request. This allows remote code execution on the server, potentially leading to full system compromise. The vulnerability is presumed to affect builds released prior to July 2025 and is said to be remediated in newer versions of the product, though the exact affected range remains undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-23 UTC. | ||||
| CVE-2025-8769 | 1 Megasys | 1 Telenium Online Web Application | 2026-04-15 | 9.8 Critical |
| Telenium Online Web Application is vulnerable due to a Perl script that is called to load the login page. Due to improper input validation, an attacker can inject arbitrary Perl code through a crafted HTTP request, leading to remote code execution on the server. | ||||
| CVE-2025-8917 | 1 Allegroai | 1 Clearml | 2026-04-15 | N/A |
| A vulnerability in allegroai/clearml version v2.0.1 allows for path traversal due to improper handling of symbolic and hard links in the `safe_extract` function. This flaw can lead to arbitrary file writes outside the intended directory, potentially resulting in remote code execution if critical files are overwritten. | ||||
| CVE-2025-9260 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to PHP Object Injection in versions 5.1.16 to 6.1.1 via deserialization of untrusted input in the parseUserProperties function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to read arbitrary files. If allow_url_include is enabled on the server, remote code execution is possible. While the vendor patched this issue in version 6.1.0, the patch caused a fatal error in the vulnerable code, due to a missing class import, so we consider 6.1.2 to be the most complete and best patched version | ||||
| CVE-2025-9561 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| The AP Background plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization and insufficient file validation within the advParallaxBackAdminSaveSlider() handler in versions 3.8.1 to 3.8.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-9571 | 1 Google | 1 Cloud Data Fusion | 2026-04-15 | N/A |
| A remote code execution (RCE) vulnerability exists in Google Cloud Data Fusion. A user with permissions to upload artifacts to a Data Fusion instance can execute arbitrary code within the core AppFabric component. This could allow the attacker to gain control over the Data Fusion instance, potentially leading to unauthorized access to sensitive data, modification of data pipelines, and exploration of the underlying infrastructure. The following CDAP versions include the necessary update to protect against this vulnerability: * 6.10.6+ * 6.11.1+ Users must immediately upgrade to them, or greater ones, available at: https://github.com/cdapio/cdap-build/releases . | ||||
| CVE-2025-7503 | 2026-04-15 | N/A | ||
| An OEM IP camera manufactured by Shenzhen Liandian Communication Technology LTD exposes a Telnet service (port 23) with undocumented, default credentials. The Telnet service is enabled by default and is not disclosed or configurable via the device’s web interface or user manual. An attacker with network access can authenticate using default credentials and gain root-level shell access to the device. The affected firmware version is AppFHE1_V1.0.6.0 (Kernel: KerFHE1_PTZ_WIFI_V3.1.1, Hardware: HwFHE1_WF6_PTZ_WIFI_20201218). No official fix or firmware update is available, and the vendor could not be contacted. This vulnerability allows for remote code execution and privilege escalation. | ||||
| CVE-2025-7620 | 1 Dsic | 1 Cross-browser Components | 2026-04-15 | 8.8 High |
| The cross-browser document creation component produced by Digitware System Integration Corporation has a Remote Code Execution vulnerability. If a user visits a malicious website while the component is active, remote attackers can cause the system to download and execute arbitrary programs. | ||||
| CVE-2025-7742 | 2026-04-15 | N/A | ||
| An authentication vulnerability exists in the LG Innotek camera model LNV5110R firmware that allows a malicious actor to upload an HTTP POST request to the devices non-volatile storage. This action may result in remote code execution that allows an attacker to run arbitrary commands on the target device at the administrator privilege level. | ||||
| CVE-2025-7766 | 1 Lantronix | 1 Provisioning Manager | 2026-04-15 | 8 High |
| Lantronix Provisioning Manager is vulnerable to XML external entity attacks in configuration files supplied by network devices, leading to unauthenticated remote code execution on hosts with Provisioning Manager installed. | ||||
| CVE-2025-7769 | 1 Tigo Energy | 1 Cloud Connect Advanced | 2026-04-15 | N/A |
| Tigo Energy's CCA is vulnerable to a command injection vulnerability in the /cgi-bin/mobile_api endpoint when the DEVICE_PING command is called, allowing remote code execution due to improper handling of user input. When used with default credentials, this enables attackers to execute arbitrary commands on the device that could cause potential unauthorized access, service disruption, and data exposure. | ||||
| CVE-2025-7847 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| The AI Engine plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the rest_simpleFileUpload() function in versions 2.9.3 and 2.9.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server when the REST API is enabled, which may make remote code execution possible. | ||||