Micro Focus Operations Bridge Manager <=2020.05 - Remote Code Execution

Micro Focus Operations Bridge Manager in versions 2020.05 and below is vulnerable to remote code execution via UCMDB. The vulnerability allows remote attackers to execute arbitrary code on affected installations of Data Center Automation. An attack requires network access and authentication as a...

CWP (Control Web Panel) < 0.9.8.1205 - Remote Code Execution

CWP Control Web Panel 0.9.8.1205 contains a remote code execution caused by shell metacharacters in the ttotal parameter in filemanager changePerm request, letting unauthenticated attackers execute code remotely, exploit requires knowledge of a valid non-root username. id: CVE-2025-48703 info:...

Sangfor OSM - Arbitrary File Upload

Sangfor Operation and Maintenance Management System = 3.0.8 contains an unrestricted file upload vulnerability caused by manipulation of the "File" argument in /fort/trust/version/common/common.jsp, letting remote attackers upload arbitrary files, exploit requires no special privileges. id:...

TOTOLINK CX-A3002RU - Remote Code Execution

An issue in TOTOLINK-CX-A3002RU V1.0.4-B20171106.1512 and TOTOLINK-CX-N150RT V2.1.6-B20171121.1002 and TOTOLINK-CX-N300RT V2.1.6-B20170724.1420 and TOTOLINK-CX-N300RT V2.1.8-B20171113.1408 and TOTOLINK-CX-N300RT V2.1.8-B20191010.1107 and TOTOLINK-CX-N302RE V2.0.2-B20170511.1523 allows a remote...

Moodle - Remote Code Execution

Attackers with the permission to create or modify questions in Moodle courses are able to craft malicious inputs for calculated questions, which can be abused to execute arbitrary commands on the underlying system. id: CVE-2024-43425 info: name: Moodle - Remote Code Execution author:...

SmarterMail - Remote Code Execution

SmarterTools SmarterMail build 9511 contains an unauthenticated remote code execution caused by malicious OS command execution via ConnectToHub API method, letting remote attackers execute arbitrary commands, exploit requires no authentication. id: CVE-2026-24423 info: name: SmarterMail - Remote...

eMerge E3 1.00-06 - Local File Inclusion

Linear eMerge E3-Series devices are vulnerable to local file inclusion. id: CVE-2019-7254 info: name: eMerge E3 1.00-06 - Local File Inclusion author: 0xAkoko severity: high description: Linear eMerge E3-Series devices are vulnerable to local file inclusion. impact: | Successful exploitation of...

ForgeRock OpenAM <7.0 - Remote Code Execution

ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/ request to the server. The vulnerabilit...

SCIMono <0.0.19 - Remote Code Execution

SCIMono before 0.0.19 is vulnerable to remote code execution because it is possible for an attacker to inject and execute java expressions and compromise the availability and integrity of the system. id: CVE-2021-21479 info: name: SCIMono 0.0.19 - Remote Code Execution author: dwisiswant0 severit...

LearnPress < 4.2.5.8 - Remote Code Execution

The LearnPress plugin for WordPress is vulnerable to Command Injection in all versions up to, and including, 4.2.5.7 via the getcontent function. This is due to the plugin making use of the calluserfunc function with user input. This makes it possible for unauthenticated attackers to execute any...

Rudder Server < 1.3.0-rc.1 - SQL Injection

Rudder-server is part of RudderStack, an open source Customer Data Platform CDP. Versions of rudder-server prior to 1.3.0-rc.1 are vulnerable to SQL injection. This issue may lead to Remote Code Execution RCE due to the rudder role in PostgresSQL having superuser permissions by default. Version...

SPIP Saisies - Remote Code Execution

SPIP Saisies plugin 5.4.0 through 5.11.0 contains a remote code execution caused by an unspecified flaw, letting attackers execute arbitrary code on the server, exploit requires no special conditions. id: CVE-2025-71243 info: name: SPIP Saisies - Remote Code Execution author: omarkurt severity:...

MAGMI - Cross-Site Request Forgery

MAGMI Magento Mass Importer is vulnerable to cross-site request forgery CSRF due to a lack of CSRF tokens. Remote code execution via phpcli command is also possible in the event that CSRF is leveraged against an existing admin session. id: CVE-2020-5776 info: name: MAGMI - Cross-Site Request...

Langflow AI - Unauthenticated Remote Code Execution

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint.A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code. id: CVE-2025-3248 info: name: Langflow AI - Unauthenticated Remote Code Execution author: nvn172...

Apache OFBiz < 18.12.11 - Remote Code Execution

The vulnerability allows attackers to bypass authentication to achieve a simple Server-Side Request Forgery SSRF id: CVE-2023-51467 info: name: Apache OFBiz 18.12.11 - Remote Code Execution author: your3cho severity: critical description: | The vulnerability allows attackers to bypass...

Drag and Drop Multiple File Upload - CF7 <= 1.3.9.6 - Remote Code Execution

Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin = 1.3.9.6 contains an unrestricted file upload caused by insufficient file type validation and bypass of filename sanitization with non-ASCII characters, letting unauthenticated attackers upload arbitrary files and achieve...

MajorDoMo - Unauthenticated RCE

MajorDoMo contains a remote code execution caused by an include order bug and lack of exit after redirect in admin panel's PHP console, letting unauthenticated attackers execute arbitrary PHP code via crafted GET requests. id: CVE-2026-27174 info: name: MajorDoMo - Unauthenticated RCE author:...

WordPress RevSlider - Remote Code Execution via File Upload

The ThemePunch Slider Revolution revslider plugin before 3.0.96 for WordPress and Showbiz Pro plugin 1.7.1 and earlier for Wordpress does not properly restrict access to administrator AJAX functionality, which allows remote attackers to 1 upload and execute arbitrary files via an updateplugin...

Joomla! ionFiles 4.4.2 - Local File Inclusion

Joomla! ionFiles 4.4.2 is susceptible to local file inclusion in download.php in the ionFiles comionfiles that allows remote attackers to read arbitrary files via a .. dot dot in the file parameter. id: CVE-2008-6080 info: name: Joomla! ionFiles 4.4.2 - Local File Inclusion author: daffainfo...

Jenkins CLI - HTTP Java Deserialization

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server. id: CVE-2016-9299 info: name: Jenkins CLI - HTTP Java Deserialization author:...