tomcat: RCE due to TOCTOU issue in JSP compilation
A flaw was found in Tomcat. A time-of-check/time-of-use (TOCTOU) race condition occurs during JSP compilation on case-insensitive file systems when the default servlet is enabled for writing. This vulnerability allows an uploaded file to be treated as a JSP and executed, resulting in remote code...
CVE-2025-2294
The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the...
CVE-2025-2294
The CVE-2025-2294 entry is supported by concrete technical details in connected documents: Kubio AI Page Builder for WordPress (plugin ≤ 2.5.1) is vulnerable to Local File Inclusion via the kubio_hybrid_theme_load_template function. The flaw allows unauthenticated attackers to include and execute...
GHSA-M37H-8R48-2CXJ H2O Vulnerable to Execution of Arbitrary Files
In h2oai/h2o-3 version 3.46.0, an endpoint exposing a custom EncryptionTool allows an attacker to encrypt any files on the target server with a key of their choosing. The chosen key can also be overwritten, resulting in ransomware-like behavior. This vulnerability makes it possible for an attacke...
CVE-2025-1770
The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.24 via the 'style' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to...
Arbitrary Code Execution (ACE)
Qiskit is vulnerable to Arbitrary Code Execution (ACE). The vulnerability is due to unsafe deserialization in the qiskit.qpy.load function, which allows a maliciously crafted QPY file to execute embedded Python code without privilege escalation...
PT-2025-11693 · Emlog Pro · Emlog Pro
Name of the Vulnerable Software and Affected Versions: emlog pro version 2.5.7 Description: An arbitrary file upload vulnerability in the component /views/plugin.php of emlog pro allows attackers to execute arbitrary code via uploading a crafted PHP file. The vulnerability is located in the...
CVE-2024-13913
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.0.83. This is due to missing or incorrect nonce validation in the '/migrate/templates/main.php' file. This makes it possible for...
CVE-2025-1771 Traveler <= 3.1.8 - Unauthenticated Local File Inclusion via hotel_alone_load_more_post
The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_load_more_post' function 'style' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the...
WordPress plugin Traveler Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security...
CVE-2024-13913
CVE-2024-13913 (InstaWP Connect – 1-click WP Staging & Migration for WordPress) is a CSRF-to-LFI vulnerability affecting versions up to 0.1.0.83. The root cause is missing or incorrect nonce validation in the file /migrate/templates/main.php, enabling an unauthenticated attacker to coerce the app...
WordPress plugin InstaWP Connect Cross-Site Request Forgery Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site reques...
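The three CVE-2024-13913 entries above describe a handler that includes a template without first verifying a nonce, so a page on another origin can make a logged-in administrator's browser issue the request. The following is an added illustration, not InstaWP Connect code: a stand-alone PHP script with a hypothetical handler that applies the three checks in the order a reviewer would expect (nonce, capability, allow-listed template). The nonce scheme, action name, user IDs and secret are constructed for the example; inside WordPress the corresponding primitives are wp_create_nonce(), wp_verify_nonce()/check_admin_referer() and current_user_can().

```php
<?php
// Added example, not InstaWP Connect code. Shows the check whose absence the
// CVE-2024-13913 entries describe: a state-changing handler that selects and
// includes a migration template must first prove the logged-in admin sent the
// request on purpose. All names are hypothetical; inside WordPress the real
// primitives are wp_create_nonce(), wp_verify_nonce()/check_admin_referer()
// and current_user_can().
declare(strict_types=1);

const NONCE_SECRET      = 'constructed-server-side-secret'; // WordPress derives this from its salts
const NONCE_LIFETIME    = 12 * 3600;                        // one validity "tick"
const ALLOWED_TEMPLATES = [ 'main', 'minimal' ];

// Nonce = tick:HMAC(action|user|tick). Bound to the action and the user, so a
// nonce lifted from one form cannot be replayed against another endpoint or user.
function make_nonce( string $action, int $user_id, int $now ): string {
    $tick = intdiv( $now, NONCE_LIFETIME );
    return $tick . ':' . hash_hmac( 'sha256', "$action|$user_id|$tick", NONCE_SECRET );
}

function verify_nonce( string $nonce, string $action, int $user_id, int $now ): bool {
    $parts = explode( ':', $nonce, 2 );
    if ( count( $parts ) !== 2 || ! ctype_digit( $parts[0] ) ) {
        return false;
    }
    $tick    = (int) $parts[0];
    $current = intdiv( $now, NONCE_LIFETIME );
    if ( $tick !== $current && $tick !== $current - 1 ) {   // current or previous tick only
        return false;
    }
    $expected = hash_hmac( 'sha256', "$action|$user_id|$tick", NONCE_SECRET );
    return hash_equals( $expected, $parts[1] );              // constant-time compare
}

// $request is the parsed body; $user_id / $is_admin come from the session cookie the
// browser attaches automatically, which is exactly what a cross-site page abuses.
function handle_migrate_template( array $request, int $user_id, bool $is_admin, int $now ): string {
    // 1. CSRF defence. The nonce lives in the form, never in a cookie, so a page on
    //    another origin cannot produce it.
    $nonce = (string) ( $request['_nonce'] ?? '' );
    if ( ! verify_nonce( $nonce, 'migrate_template', $user_id, $now ) ) {
        return 'rejected: missing or invalid nonce';
    }
    // 2. Authorisation is a separate check: a nonce proves intent, not privilege.
    if ( ! $is_admin ) {
        return 'rejected: insufficient capability';
    }
    // 3. Only now act, and never hand the raw value to include(): allow-list it.
    $template = (string) ( $request['template'] ?? 'main' );
    if ( ! in_array( $template, ALLOWED_TEMPLATES, true ) ) {
        return 'rejected: unknown template';
    }
    return "ok: would include templates/$template.php";
}

// Demonstration with constructed requests.
$now   = time();
$admin = 7;

// (a) Forged cross-site request: the admin's cookies ride along, the nonce cannot.
echo handle_migrate_template( [ 'template' => '../../uploads/avatar.png' ], $admin, true, $now ), "\n";

// (b) Same body carrying a nonce minted for a different user: still rejected.
$stolen = make_nonce( 'migrate_template', 42, $now );
echo handle_migrate_template( [ 'template' => 'main', '_nonce' => $stolen ], $admin, true, $now ), "\n";

// (c) Genuine submission from the plugin's own admin page.
$good = make_nonce( 'migrate_template', $admin, $now );
echo handle_migrate_template( [ 'template' => 'main', '_nonce' => $good ], $admin, true, $now ), "\n";
```

Run it with `php csrf_demo.php`: requests (a) and (b) are refused at the nonce check before the template value is ever looked at, and only (c) reaches the allow-list. The ordering matters for the CSRF-to-LFI chain in the entry: the nonce check stops the forged request, and the allow-list means that even a request which passes it cannot turn the template parameter into an arbitrary include.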
CVE-2025-1707
The Review Schema plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.4 via post meta. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing...
CVE-2025-1432
CVE-2025-1432 affects Autodesk AutoCAD via parsing of a malicious 3DM file, triggering a Use-After-Free in the current process. Impact per sources: crash, read sensitive data, or arbitrary code execution. Affected component: 3DM file parsing in AutoCAD; root cause: Use-After-Free. CVSSv3.1 base s...
CVE-2025-1707
CVE-2025-1707 applies to the WordPress plugin Review Schema (Versions up to and including 2.2.4). The vulnerability is Local File Inclusion via post meta, exploitable by authenticated attackers with contributor+ privileges to include and execute arbitrary PHP files on the server, potentially bypa...
Linux Distros Unpatched Vulnerability : CVE-2024-23606
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - An out-of-bounds write vulnerability exists in the sopen_FAMOS_read functionality of The Biosig Project libbiosig 2.5.0 and Master Branch (ab0ee111). A specially...
CVE-2024-12811 Traveler <= 3.1.8 - Authenticated (Contributor+) Local File Inclusion via Shortcode
The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_slider' shortcode 'style' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute...
CVE-2024-13592
The Team Builder For WPBakery Page Builder (Formerly Visual Composer) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0 via the 'team-builder-vc' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above,...
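The Eventin, Traveler, Review Schema and Team Builder entries above all share one shape: a request parameter or shortcode attribute (typically 'style') selects which file a PHP include() loads. The following is an added example, not code from any of those products: a stand-alone PHP script that puts the vulnerable resolver beside a hardened one and exercises both against a traversal payload. Function names, the `templates/` and `uploads/` directories, the allow-list and the "uploaded image that contains PHP" are all constructed for the illustration.

```php
<?php
// Added example: an illustrative template loader, not code from Eventin, Traveler,
// Review Schema, Team Builder or any other product on this page. Function names,
// the directory layout and the allow-list are hypothetical.
declare(strict_types=1);

// VULNERABLE shape: the caller-controlled 'style' value reaches include() as-is,
// so a traversal string pointing at any readable file (here: an uploaded image
// whose bytes are PHP) gets included, and the PHP inside it executes.
function resolve_template_vulnerable( string $template_dir, string $style ): string {
    return $template_dir . '/' . $style;
}

// HARDENED shape: the request value is only ever a key into a fixed allow-list,
// and the resolved path is re-checked for containment after canonicalisation.
const ALLOWED_STYLES = [ 'default', 'grid', 'list' ];

function resolve_template_safe( string $template_dir, string $style ): ?string {
    if ( ! in_array( $style, ALLOWED_STYLES, true ) ) {
        return null;                                     // unknown variant: refuse
    }
    $base = realpath( $template_dir );
    $file = realpath( $template_dir . '/' . $style . '.php' );
    if ( $base === false || $file === false ) {
        return null;                                     // missing dir or file: refuse
    }
    // Containment check: the canonical file must live under the canonical base.
    // Defence in depth against symlinks or a future mistake in the allow-list.
    if ( strncmp( $file, $base . DIRECTORY_SEPARATOR, strlen( $base ) + 1 ) !== 0 ) {
        return null;
    }
    return $file;
}

// Self-contained demonstration in a throw-away directory (constructed data).
$root = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir( $root . '/templates', 0700, true );
mkdir( $root . '/uploads', 0700, true );
file_put_contents( $root . '/templates/grid.php', '<?php echo "legitimate grid template\n";' . "\n" );
// An "image" the attacker uploaded through an ordinary upload form; its bytes are PHP.
file_put_contents( $root . '/uploads/avatar.png', '<?php echo "attacker code ran\n";' . "\n" );

$attack = '../uploads/avatar.png';

echo "vulnerable: ";
include resolve_template_vulnerable( $root . '/templates', $attack );

echo "hardened:   ";
$safe = resolve_template_safe( $root . '/templates', $attack );
echo $safe === null ? "refused\n" : "BUG: $safe\n";

echo "hardened:   ";
include resolve_template_safe( $root . '/templates', 'grid' );

// Clean up the throw-away files.
foreach ( [ '/templates/grid.php', '/uploads/avatar.png' ] as $f ) {
    unlink( $root . $f );
}
rmdir( $root . '/templates' );
rmdir( $root . '/uploads' );
rmdir( $root );
```

Run it with `php lfi_demo.php`: the vulnerable resolver includes the uploaded `.png` and its PHP runs, the hardened resolver refuses the same string, and the hardened resolver still serves the legitimate `grid` variant. The allow-list is the actual fix; the realpath() containment check is there so that a later edit to the allow-list, or a symlink dropped into the template directory, cannot silently reopen the traversal.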