Export limit exceeded: 356099 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (6745 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-39071 | 1 Fujiankelixun | 1 Command And Dispatch Platform | 2026-04-15 | 9.8 Critical |
| Fujian Kelixun <=7.6.6.4391 is vulnerable to SQL Injection in send_event.php. | ||||
| CVE-2024-39165 | 2026-04-15 | 9.8 Critical | ||
| QR/demoapp/qr_image.php in Asial JpGraph Professional through 4.2.6-pro allows remote attackers to execute arbitrary code via a PHP payload in the data parameter in conjunction with a .php file name in the filename parameter. This occurs because an unnecessary QR/demoapp folder.is shipped with the product. | ||||
| CVE-2024-39209 | 1 Luci App Sms Tool | 1 Luci App Sms Tool | 2026-04-15 | 6.3 Medium |
| luci-app-sms-tool v1.9-6 was discovered to contain a command injection vulnerability via the score parameter. | ||||
| CVE-2024-3924 | 2026-04-15 | N/A | ||
| A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the `autodocs.yml` workflow file. The vulnerability arises from the insecure handling of the `github.head_ref` user input, which is used to dynamically construct a command for installing a software package. An attacker can exploit this by forking the repository, creating a branch with a malicious payload as the name, and then opening a pull request to the base repository. Successful exploitation could lead to arbitrary code execution within the context of the GitHub Actions runner. This issue affects versions up to and including v2.0.0 and was fixed in version 2.0.0. | ||||
| CVE-2024-39714 | 1 Veeam | 1 Service Provider Console | 2026-04-15 | N/A |
| A code injection vulnerability that permits a low-privileged user to upload arbitrary files to the server, leading to remote code execution on VSPC server. | ||||
| CVE-2024-39715 | 1 Veeam | 1 Service Provider Console | 2026-04-15 | N/A |
| A code injection vulnerability that allows a low-privileged user with REST API access granted to remotely upload arbitrary files to the VSPC server using REST API, leading to remote code execution on VSPC server. | ||||
| CVE-2024-39844 | 1 Znc | 1 Znc | 2026-04-15 | 9.8 Critical |
| In ZNC before 1.9.1, remote code execution can occur in modtcl via a KICK. | ||||
| CVE-2025-50567 | 1 Saurus | 1 Saurus Cms | 2026-04-15 | 10 Critical |
| Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which uses preg_replace() with the deprecated /e (eval) modifier to interpolate SQL query parameters. This leads to injection of user-controlled SQL statements, potentially leading to arbitrary PHP code execution. | ||||
| CVE-2024-39915 | 2026-04-15 | 10 Critical | ||
| Thruk is a multibackend monitoring webinterface for Naemon, Nagios, Icinga and Shinken using the Livestatus API. This authenticated RCE in Thruk allows authorized users with network access to inject arbitrary commands via the URL parameter during PDF report generation. The Thruk web application does not properly process the url parameter when generating a PDF report. An authorized attacker with access to the reporting functionality could inject arbitrary commands that would be executed when the script /script/html2pdf.sh is called. The vulnerability can be exploited by an authorized user with network access. This issue has been addressed in version 3.16. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-41961 | 1 Sapcc | 1 Elektra | 2026-04-15 | 9.2 Critical |
| Elektra is an opinionated Openstack Dashboard for Operators and Consumers of Openstack Services. A code injection vulnerability was found in the live search functionality of the Ruby on Rails based Elektra web application. An authenticated user can craft a search term containing Ruby code, which later flows into an `eval` sink which executes the code. Fixed in commit 8bce00be93b95a6512ff68fe86bf9554e486bc02. | ||||
| CVE-2024-41997 | 1 Warp Terminal | 1 Warp Terminal | 2026-04-15 | 6.6 Medium |
| An issue was discovered in version of Warp Terminal prior to 2024.07.18 (v0.2024.07.16.08.02). A command injection vulnerability exists in the Docker integration functionality. An attacker can create a specially crafted hyperlink using the `warp://action/docker/open_subshell` intent that when clicked by the victim results in command execution on the victim's machine. | ||||
| CVE-2025-4996 | 1 Intelbras | 1 Rf 301k | 2026-04-15 | 2.4 Low |
| A vulnerability, which was classified as problematic, has been found in Intelbras RF 301K 1.1.5. This issue affects some unknown processing of the component Add Static IP. The manipulation of the argument Description leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure. | ||||
| CVE-2024-42041 | 1 Apptool-browser-video | 1 Video Downloader | 2026-04-15 | 8.1 High |
| The com.videodownload.browser.videodownloader (aka AppTool-Browser-Video All Video Downloader) application 20-30.05.24 for Android allows an attacker to execute arbitrary JavaScript code via the acr.browser.lightning.DefaultBrowserActivity component. | ||||
| CVE-2024-4261 | 2026-04-15 | 5.4 Medium | ||
| The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.9.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute arbitrary shortcodes. | ||||
| CVE-2024-4264 | 1 Berriai | 1 Litellm | 2026-04-15 | N/A |
| A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the `eval` function unsafely in the `litellm.get_secret()` method. Specifically, when the server utilizes Google KMS, untrusted data is passed to the `eval` function without any sanitization. Attackers can exploit this vulnerability by injecting malicious values into environment variables through the `/config/update` endpoint, which allows for the update of settings in `proxy_server_config.yaml`. | ||||
| CVE-2025-49372 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 10 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Remote Code Inclusion.This issue affects HAPPY: from n/a through <= 1.0.7. | ||||
| CVE-2024-45480 | 2026-04-15 | N/A | ||
| An improper control of generation of code ('Code Injection') vulnerability in the AprolCreateReport component of B&R APROL <4.4-00P5 may allow an unauthenticated network-based attacker to read files from the local system. | ||||
| CVE-2024-4662 | 2 Soflyy, Wordpress | 2 Oxygen, Wordpress | 2026-04-15 | 8.8 High |
| The Oxygen Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.8.2 via post metadata. This is due to the plugin storing custom data in post metadata without an underscore prefix. This makes it possible for lower privileged users, such as contributors, to inject arbitrary PHP code via the WordPress user interface and gain elevated privileges. | ||||
| CVE-2024-46639 | 1 Evolutionscript | 1 Helpdeskz | 2026-04-15 | 7.6 High |
| A cross-site scripting (XSS) vulnerability in HelpDeskZ v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name text field of Custom Fields message box. | ||||
| CVE-2025-47271 | 2026-04-15 | N/A | ||
| The OZI action is a GitHub Action that publishes releases to PyPI and mirror releases, signature bundles, and provenance in a tagged release. In versions 1.13.2 through 1.13.5, potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code. This is patched in 1.13.6. As a workaround, one may downgrade to a version prior to 1.13.2. | ||||