Total
5662 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-25350 | 1 Phpgurukul | 1 Zoo Management System | 2025-03-27 | N/A | 9.8 CRITICAL |
| SQL Injection vulnerability in /zms/admin/edit-ticket.php in PHPGurukul Zoo Management System 1.0 via tickettype and tprice parameters. | |||||
| CVE-2024-25202 | 1 Phpgurukul | 1 User Registration \& Login And User Management System | 2025-03-27 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability in Phpgurukul User Registration & Login and User Management System 1.0 allows attackers to run arbitrary code via the search bar. | |||||
| CVE-2024-22632 | 2025-03-26 | N/A | 9.8 CRITICAL | ||
| Setor Informatica Sistema Inteligente para Laboratorios (S.I.L.) 388 was discovered to contain a remote code execution (RCE) vulnerability via the hmsg parameter. This vulnerability is triggered via a crafted POST request. | |||||
| CVE-2024-40552 | 1 Publiccms | 1 Publiccms | 2025-03-26 | N/A | 8.8 HIGH |
| PublicCMS v4.0.202302.e was discovered to contain a remote commande execution (RCE) vulnerability via the cmdarray parameter at /site/ScriptComponent.java. | |||||
| CVE-2025-2623 | 1 Westboy | 1 Cicadascms | 2025-03-26 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in westboy CicadasCMS 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /system/cms/content/save. The manipulation of the argument title/content/laiyuan leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2021-36424 | 1 Phpwcms | 1 Phpwcms | 2025-03-26 | N/A | 9.8 CRITICAL |
| An issue discovered in phpwcms 1.9.25 allows remote attackers to run arbitrary code via DB user field during installation. | |||||
| CVE-2024-29202 | 1 Fit2cloud | 1 Jumpserver | 2025-03-25 | N/A | 9.9 CRITICAL |
| JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can exploit a Jinja2 template injection vulnerability in JumpServer's Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root privileges and has database access, attackers could steal sensitive information from all hosts or manipulate the database. This vulnerability is fixed in v3.10.7. | |||||
| CVE-2024-29201 | 1 Fit2cloud | 1 Jumpserver | 2025-03-25 | N/A | 9.9 CRITICAL |
| JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can bypass the input validation mechanism in JumpServer's Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root privileges and has database access, attackers could steal sensitive information from all hosts or manipulate the database. This vulnerability is fixed in v3.10.7. | |||||
| CVE-2023-43651 | 1 Fit2cloud | 1 Jumpserver | 2025-03-25 | N/A | 8.5 HIGH |
| JumpServer is an open source bastion host. An authenticated user can exploit a vulnerability in MongoDB sessions to execute arbitrary commands, leading to remote code execution. This vulnerability may further be leveraged to gain root privileges on the system. Through the WEB CLI interface provided by the koko component, a user logs into the authorized mongoDB database and exploits the MongoDB session to execute arbitrary commands. This vulnerability has been addressed in versions 2.28.20 and 3.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-24230 | 2025-03-25 | N/A | 7.5 HIGH | ||
| Komm.One CMS 10.4.2.14 has a Server-Side Template Injection (SSTI) vulnerability via the Velocity template engine. It allows remote attackers to execute arbitrary code via a URL that specifies java.lang.Runtime in conjunction with getRuntime().exec followed by an OS command. | |||||
| CVE-2024-33442 | 1 Flusity | 1 Flusity | 2025-03-25 | N/A | 4.3 MEDIUM |
| An issue in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via the add_post.php component. | |||||
| CVE-2023-24333 | 1 Tenda | 2 Ac21, Ac21 Firmware | 2025-03-25 | N/A | 8.8 HIGH |
| A stack overflow vulnerability in Tenda AC21 with firmware version US_AC21V1.0re_V16.03.08.15_cn_TDC01 allows attackers to run arbitrary commands via crafted POST request to /goform/openSchedWifi. | |||||
| CVE-2024-57061 | 2025-03-25 | N/A | 9.8 CRITICAL | ||
| An issue in Termius Version 9.9.0 through v.9.16.0 allows a physically proximate attacker to execute arbitrary code via the insecure Electron Fuses configuration. | |||||
| CVE-2023-23912 | 1 Ui | 20 Er-10x, Er-10x Firmware, Er-12 and 17 more | 2025-03-24 | N/A | 8.8 HIGH |
| A vulnerability, found in EdgeRouters Version 2.0.9-hotfix.5 and earlier and UniFi Security Gateways (USG) Version 4.4.56 and earlier with their DHCPv6 prefix delegation set to dhcpv6-stateless or dhcpv6-stateful, allows a malicious actor directly connected to the WAN interface of an affected device to create a remote code execution vulnerability. | |||||
| CVE-2024-7520 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-03-24 | N/A | 8.8 HIGH |
| A type confusion bug in WebAssembly could be leveraged by an attacker to potentially achieve code execution. This vulnerability affects Firefox < 129, Firefox ESR < 128.1, and Thunderbird < 128.1. | |||||
| CVE-2025-2617 | 2025-03-22 | 3.3 LOW | 2.4 LOW | ||
| A vulnerability classified as problematic was found in yangyouwang 杨有旺 crud 简约后台管理系统 1.0.0. Affected by this vulnerability is an unknown functionality of the component Department Page. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-2616 | 2025-03-22 | 3.3 LOW | 2.4 LOW | ||
| A vulnerability classified as problematic has been found in yangyouwang 杨有旺 crud 简约后台管理系统 1.0.0. Affected is an unknown function of the component Role Management Page. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-2303 | 2025-03-22 | N/A | 8.8 HIGH | ||
| The Block Logic – Full Gutenberg Block Display Control plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.8 via the block_logic_check_logic function. This is due to the unsafe evaluation of user-controlled input. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. | |||||
| CVE-2024-11740 | 1 W3eden | 1 Download Manager | 2025-03-21 | N/A | 7.3 HIGH |
| The The Download Manager plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.3.03. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | |||||
| CVE-2023-0788 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-03-21 | N/A | 8.1 HIGH |
| Code Injection in GitHub repository thorsten/phpmyfaq prior to 3.1.11. | |||||