Total
5887 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-62429 | 2 Clip-bucket, Oxygenz | 2 Clipbucket, Clipbucket | 2025-11-10 | 7.2 High |
| ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.2 #147, ClipBucket v5 is vulnerable to arbitrary PHP code execution. In /upload/admin_area/actions/update_launch.php, the "type" parameter from a POST request is embedded into PHP tags and executed. Proper sanitization is not performed, and by injecting malicious code an attacker can execute arbitrary PHP code. This allows an attacker to achieve RCE. This issue has been resolved in version 5.5.2 #147. | ||||
| CVE-2025-64108 | 2 Anysphere, Cursor | 2 Cursor, Cursor | 2025-11-10 | 8.8 High |
| Cursor is a code editor built for programming with AI. In versions 1.7.44 and below, various NTFS path quirks allow a prompt injection attacker to circumvent sensitive file protections and overwrite files which Cursor requires human approval to overwrite. Modification of some of the protected files can lead to RCE. Must be chained with a prompt injection or malicious model attach. Only affects systems supporting NTFS. This issue is fixed in version 2.0. | ||||
| CVE-2025-4551 | 1 Continew | 2 Admin, Continew Admin | 2025-11-10 | 3.5 Low |
| A vulnerability, which was classified as problematic, was found in ContiNew Admin up to 3.6.0. Affected is an unknown function of the file /dev-api/common/file. The manipulation of the argument File leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2020-8644 | 1 Playsms | 1 Playsms | 2025-11-07 | 9.8 Critical |
| PlaySMS before 1.4.3 does not sanitize inputs from a malicious string. | ||||
| CVE-2019-16759 | 1 Vbulletin | 1 Vbulletin | 2025-11-07 | 9.8 Critical |
| vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request. | ||||
| CVE-2019-7609 | 2 Elastic, Redhat | 3 Kibana, Openshift, Openshift Container Platform | 2025-11-07 | 9.8 Critical |
| Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. | ||||
| CVE-2024-54448 | 1 Logicaldoc | 1 Logicaldoc | 2025-11-07 | 7.2 High |
| The Automation Scripting functionality can be exploited by attackers to run arbitrary system commands on the underlying operating system. An account with administrator privileges or that has been explicitly granted access to use Automation Scripting is needed to carry out the attack. Exploitation of this vulnerability would allow an attacker to run commands of their choosing on the underlying operating system of the web server running LogicalDOC. | ||||
| CVE-2025-12546 | 1 Logicaldoc | 1 Logicaldoc | 2025-11-07 | 3.5 Low |
| A vulnerability was determined in LogicalDOC Community Edition up to 9.2.1. This affects an unknown part of the component API Key creation UI. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-11946 | 1 Logicaldoc | 1 Logicaldoc | 2025-11-07 | 3.5 Low |
| A security flaw has been discovered in LogicalDOC Community Edition up to 9.2.1. This issue affects some unknown processing of the file /frontend.jsp of the component Add Contact Page. Performing manipulation of the argument First Name/Last Name/Company/Address/Phone/Mobile results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-2490 | 1 Ujcms | 1 Ujcms | 2025-11-06 | 2.4 Low |
| A vulnerability was found in Dromara ujcms 9.7.5. It has been rated as problematic. Affected by this issue is the function uploadZip/upload of the file /main/java/com/ujcms/cms/ext/web/backendapi/WebFileUploadController.java of the component File Upload. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2022-47879 | 1 Jedox | 2 Jedox, Jedox Cloud | 2025-11-06 | 7.5 High |
| A Remote Code Execution (RCE) vulnerability in /be/rpc.php in Jedox 2020.2.5 allows remote authenticated users to load arbitrary PHP classes from the 'rtn' directory and execute its methods. NOTE: The vendor states that the vulnerability affects installations running version 22.5 or earlier. The issue was resolved with version 23.2 and later versions are not affected. | ||||
| CVE-2024-11491 | 1 115cms | 1 115cms | 2025-11-05 | 3.5 Low |
| A vulnerability was found in 115cms up to 20240807. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /index.php/admin/web/useradmin.html. The manipulation of the argument ks leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-3984 | 1 Apereo | 2 Cas, Central Authentication Service | 2025-11-05 | 5 Medium |
| A vulnerability was found in Apereo CAS 5.2.6 and classified as critical. Affected by this issue is the function saveService of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\java\org\apereo\cas\mgmt\services\web\RegisteredServiceSimpleFormController.java of the component Groovy Code Handler. The manipulation leads to code injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-50123 | 2025-11-04 | N/A | ||
| A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote command execution by a privileged account when the server is accessed via a console and through exploitation of the hostname input. | ||||
| CVE-2024-31864 | 1 Apache | 1 Zeppelin | 2025-11-04 | 9.8 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin. The attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver. This issue affects Apache Zeppelin: before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. | ||||
| CVE-2024-25713 | 3 Fedoraproject, Ibireme, Yyjson | 3 Fedora, Yyjson, Yyjson | 2025-11-04 | 8.6 High |
| yyjson through 0.8.0 has a double free, leading to remote code execution in some cases, because the pool_free function lacks loop checks. (pool_free is part of the pool series allocator, along with pool_malloc and pool_realloc.) | ||||
| CVE-2025-1585 | 1 Tale Project | 1 Tale | 2025-11-04 | 2.4 Low |
| A vulnerability, which was classified as problematic, has been found in otale tale up to 2.0.5. This issue affects the function OptionsService of the file src/main/resources/templates/themes/default/partial/header.html. The manipulation of the argument logo_url leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2023-41984 | 1 Apple | 6 Ios And Ipados, Ipados, Iphone Os and 3 more | 2025-11-04 | 7.8 High |
| The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.6, tvOS 17, iOS 16.7 and iPadOS 16.7, macOS Monterey 12.7, watchOS 10, iOS 17 and iPadOS 17, macOS Sonoma 14. An app may be able to execute arbitrary code with kernel privileges. | ||||
| CVE-2025-1105 | 1 Siberiancms | 1 Siberiancms | 2025-11-04 | 4.3 Medium |
| A vulnerability was found in SiberianCMS 4.20.6. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /app/sae/design/desktop/flat of the component HTTP GET Request Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-2491 | 1 Ujcms | 1 Ujcms | 2025-11-04 | 2.4 Low |
| A vulnerability classified as problematic has been found in Dromara ujcms 9.7.5. This affects the function update of the file /main/java/com/ujcms/cms/ext/web/backendapi/WebFileTemplateController.java of the component Edit Template File Page. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||