pgAdmin < 6.17 - Unauthenticated Remote Code Execution

pgAdmin prior to 6.17 contains an insecure HTTP API caused by improper access control, letting unauthenticated users execute arbitrary external utilities via path manipulation, exploit requires no authentication. id: CVE-2022-4223 info: name: pgAdmin 6.17 - Unauthenticated Remote Code Execution...

MeteoBridge <= 6.1 - Remote Code Execution

The Meteobridge web interface let meteobridge administrator manage their weather station data collection and administer their meteobridge system through a web application written in CGI shell scripts and C.This web interface exposes an endpoint that is vulnerable to command injection.Remote...

Wazuh - Unsafe Deserialization Remote Code Execution

A critical Remote Code Execution RCE vulnerability exists in Wazuh server versions = 4.4.0 and = 4.4.0 and 4.9.1. The vulnerability occurs due to unsafe deserialization in the wazuh-manager package, specifically in the DistributedAPI where parameters are serialized as JSON and deserialized using...

Ivanti Endpoint Manager Mobile - Unauthenticated Remote Code Execution

An authentication bypass in Ivanti Endpoint Manager Mobile allowing attackers to access protected resources without proper credentials. This leads to unauthenticated Remote Code Execution via unsafe userinput in one of the bean validators which is sink for Server-Side Template Injection. id:...

Code-Projects School Fees Payment System 1.0 - SQL Injection

A vulnerability was found in code-projects School Fees Payment System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /student.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been...

VMware vCenter Server - Out-of-Bounds Write

vCenter Server contains an out-of-bounds write caused by a vulnerability in the DCERPC protocol implementation. A malicious actor with network access can trigger remote code execution on vCenter Server. id: CVE-2023-34048 info: name: VMware vCenter Server - Out-of-Bounds Write author: ritikchaddh...

mooSocial v.3.1.8 - Cross-Site Scripting

Cross-Site Scripting XSS vulnerability in mooSocial v.3.1.8 allows a remote attacker to execute arbitrary code via a crafted payload to the mode parameter of the invite friend login function. id: CVE-2023-44813 info: name: mooSocial v.3.1.8 - Cross-Site Scripting author: ritikchaddha severity:...

JetBrains TeamCity > 2023.11.3 - Authentication Bypass

In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible id: CVE-2024-23917 info: name: JetBrains TeamCity 2023.11.3 - Authentication Bypass author: iamnoooob,rootxharsh,pdresearch severity: critical description: | In JetBrains TeamCity before 2023.11.3...

KeySight RF - smsRestoreDatabaseZip UNC path to Remote Code Execution

The com.keysight.tentacle.config.ResourceManager.smsRestoreDatabaseZip method is used to restore the HSQLDB database used in SMS. It takes the path of the zipped database file as the single parameter. An unauthenticated, remote attacker can specify an UNC path for the database file i.e., \\sms,...

Acmailer - Improper Access Control to OS Command Injection

Improper access control vulnerability in acmailer ver. 4.0.1 and earlier, and acmailer DB ver. 1.1.3 and earlier allows remote attackers to execute an arbitrary OS command, or gain an administrative privilege which may result in obtaining the sensitive information on the server via unspecified...

Datart v1.0.0-rc.3 - Remote Code Execution

Datart v1.0.0-rc.3 contains a vulnerability that allows remote attackers to execute arbitrary code via INIT connection parameters. id: CVE-2025-56819 info: name: Datart v1.0.0-rc.3 - Remote Code Execution author: Redmomn severity: critical description: | Datart v1.0.0-rc.3 contains a vulnerabilit...

Moodle - Cross-Site Scripting/Remote Code Execution

The vulnerability was found Moodle which exists because the application allows a user to control path of the older to create in TinyMCE loaders. A remote user can send a specially crafted HTTP request and create arbitrary folders on the system. Moodle versions 4.1.x before 4.1.3 and 4.2.x before...

Cockpit Web Console < 360 - Remote Code Execution

Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH...

Google ADK-Python - Unauthenticated Builder Endpoint

Google Agent Development Kit ADK 1.7.0 through 1.28.1 and 2.0.0a1 through 2.0.0a2 on Python OSS, Cloud Run, and GKE contains a code injection and missing authentication vulnerability, letting unauthenticated remote attackers execute arbitrary code on the server, exploit requires no authentication...

Ninja Forms File Uploads <= 3.3.26 - Arbitrary File Upload

Ninja Forms File Uploads plugin for WordPress versions up to and including 3.3.26 is vulnerable to unauthenticated arbitrary file upload which could lead to remote code execution. id: CVE-2026-0740 info: name: Ninja Forms File Uploads = 3.3.26 - Arbitrary File Upload author: whattheslime severity...

dash-uploader 0.1.0 - 0.7.0a2 - Denial-of-Service via flowTotalChunks

fohrloop dash-uploader v0.1.0 through v0.7.0a2 contains a remote code execution caused by improper handling in Upload function and maxfilesize parameter in dashuploader components, letting remote attackers execute arbitrary code, exploit requires crafted request. id: CVE-2026-38361 info: name:...

Joomla! Component Photo Battle 1.0.1 - Local File Inclusion

A directory traversal vulnerability in the Photo Battle comphotobattle component 1.0.1 for Joomla! allows remote attackers to read arbitrary files via the view parameter to index.php. id: CVE-2010-1461 info: name: Joomla! Component Photo Battle 1.0.1 - Local File Inclusion author: daffainfo...

Microsoft Exchange - Pre-Auth SSRF / ACL Bypass (ProxyNotFound)

Microsoft Exchange Server contains a remote code execution caused by improper input validation in the server component, letting remote attackers execute arbitrary code, exploit requires network access to the server. id: CVE-2021-28481 info: name: Microsoft Exchange - Pre-Auth SSRF / ACL Bypass...

Microsoft Exchange - Pre-Auth SSRF / ACL Bypass (ProxyNotFound)

Microsoft Exchange Server contains a remote code execution caused by improper input validation in the server component, letting remote attackers execute arbitrary code, exploit requires network access to the server. id: CVE-2021-28480 info: name: Microsoft Exchange - Pre-Auth SSRF / ACL Bypass...

Apache ActiveMQ < 5.16.5/5.17.3 - Remote Code Execution

Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution. In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia org.jolokia.http.HttpRequestHandlerhandlePostRequest is able to create JmxRequest...