44987 matches found

OSV
added 2025/12/20 8:35 p.m., 4 views

MAL-2025-192682 Malicious code in @nosinovacao/nosid-mfe-common (npm)

Source: amazon-inspector (5f49ca2c72725bef26372372dfae65145d32d2d69179865156de7a930c88853d): The package @nosinovacao/nosid-mfe-common was found to contain malicious code. Source: ghsa-malware...

AI score 7
Exploits 0 | References 1
RedhatCVE
added 2025/12/20 7:11 a.m., 11 views

CVE-2025-66174

There is an improper authentication vulnerability in some Hikvision DVR products. Due to the improper implementation of authentication for the serial port, an attacker with physical access could exploit this vulnerability by connecting to the affected products and running a series of commands...

CVSS 6.8 | AI score 6.7 | EPSS 0.00311
Exploits 0 | References 1
RedhatCVE
added 2025/12/19 8:18 p.m., 4 views

CVE-2023-53942

File Thingie 2.5.7 contains an authenticated file upload vulnerability that allows remote attackers to upload malicious PHP zip archives to the web server. Attackers can create a custom PHP payload, upload and unzip it, and then execute arbitrary system commands through a crafted PHP script with ...

CVSS 9.4 | AI score 7.8 | EPSS 0.00497
Exploits 1 | References 1
Securelist
added 2025/12/19 8:00 a.m., 10 views

Yet another DCOM object for lateral movement

Introduction If you're a penetration tester, you know that lateral movement is becoming increasingly difficult, especially in well-defended environments. One common technique for remote command execution has been the use of DCOM objects. Over the years, many different DCOM objects have been...

AI score 7.2
Exploits 0
CVE
added 2025/12/19 6:39 a.m., 9 views

CVE-2025-66174

CVE-2025-66174 describes an improper authentication vulnerability in certain Hikvision DVRs related to serial-port authentication. An attacker with physical access could connect to affected devices and execute commands due to the flawed authentication implementation. The vulnerability is document...

CVSS 6.8 | AI score 6.3 | EPSS 0.00311
Exploits 0 | References 1 | Affected software 1
EUVD
added 2025/12/19 6:39 a.m., 4 views

EUVD-2025-204451

There is an improper authentication vulnerability in some Hikvision DVR products. Due to the improper implementation of authentication for the serial port, an attacker with physical access could exploit this vulnerability by connecting to the affected products and running a series of commands...

CVSS 6.5 | AI score 6.2 | EPSS 0.00311
Exploits 0 | References 2
CNNVD
added 2025/12/19 12:00 a.m., 4 views

Hikvision DVR DS-7204HGHI-F1 security vulnerability

The Hikvision DVR DS-7204HGHI-F1 is a hard disk recorder from Hikvision China. A security vulnerability exists in the Hikvision DVR DS-7204HGHI-F1 that originates from improper serial port authentication and could result in the execution of a series of commands...

CVSS 6.8 | AI score 6.9 | EPSS 0.00311
Exploits 0 | References 2
Saint
added 2025/12/19 12:00 a.m., 151 views

HPE OneView id-pools command execution

Added: 12/19/2025. Background: HPE OneView is integrated IT infrastructure management software. Problem: A vulnerability in the id-pools feature allows remote attackers to execute arbitrary commands by sending a PUT request to the executeCommand API endpoint. Resolution: Apply the hotfix referenced in...

CVSS 10 | AI score 7.7 | EPSS 0.89733
Exploits 8
RedhatCVE
added 2025/12/18 11:36 p.m., 5 views

CVE-2023-53924

UliCMS 2023.1-sniffing-vicuna contains a remote code execution vulnerability that allows authenticated attackers to upload PHP files with .phar extension during profile avatar upload. Attackers can trigger code execution by visiting the uploaded file's location, enabling system command execution...

CVSS 8.8 | AI score 8.3 | EPSS 0.00794
Exploits 1 | References 1
NVD
added 2025/12/18 8:15 p.m., 3 views

CVE-2023-53942

File Thingie 2.5.7 contains an authenticated file upload vulnerability that allows remote attackers to upload malicious PHP zip archives to the web server. Attackers can create a custom PHP payload, upload and unzip it, and then execute arbitrary system commands through a crafted PHP script with ...

CVSS 9.4 | EPSS 0.00497
Exploits 1 | References 3
NVD
added 2025/12/18 8:15 p.m., 8 views

CVE-2023-53941

EasyPHP Webserver 14.1 contains an OS command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by injecting malicious payloads through the appservicecontrol parameter. Attackers can send POST requests to /index.php?zone=settings with crafted...

CVSS 9.8 | EPSS 0.05704
Exploits 1 | References 3
Vulnrichment
added 2025/12/18 7:53 p.m., 3 views

CVE-2023-53942 File Thingie 2.5.7 Authenticated Arbitrary File Upload Remote Code Execution

File Thingie 2.5.7 contains an authenticated file upload vulnerability that allows remote attackers to upload malicious PHP zip archives to the web server. Attackers can create a custom PHP payload, upload and unzip it, and then execute arbitrary system commands through a crafted PHP script with ...

CVSS 9.4 | AI score 7.4 | EPSS 0.00497
Exploits 1 | References 3
NVD
added 2025/12/18 3:15 p.m., 4 views

CVE-2025-65008

In the WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28), a lack of validation of the langGet parameter in the adm.cgi endpoint allows a malicious attacker to execute system shell commands. The vendor was notified early about this vulnerability, but didn't respond with the details of...

CVSS 9.4 | EPSS 0.02439
Exploits 0 | References 3
CVE
added 2025/12/18 3:10 p.m., 16 views

CVE-2025-65008

CVE-2025-65008 affects the WODESYS WD-R608U router (WDR122B V2.0 / WDR28). Root cause: lack of input validation in the langGet parameter of the adm.cgi endpoint, enabling an attacker to execute system shell commands. Only WDR28081123OV1.01 has been tested as vulnerable; other versions may also be...

CVSS 9.4 | AI score 6.7 | EPSS 0.02439
Exploits 0 | References 3
RedhatCVE
added 2025/12/18 1:44 p.m., 3 views

CVE-2025-67792

An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. Local unprivileged users can manipulate a DriveLock process to execute arbitrary commands on Windows computers...

CVSS 8.8 | AI score 7.7 | EPSS 0.00114
Exploits 0 | References 1
RedHat Linux
added 2025/12/18 1:35 a.m., 5 views

python: Virtual environment (venv) activation scripts don't quote paths

A vulnerability has been found in the Python venv module and CLI. Path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts, for example, "source venv/bin/activate". This flaw allows...

CVSS 7.8 | AI score 7.2 | EPSS 0.00647
Exploits 0 | References 7
CNNVD
added 2025/12/18 12:00 a.m., 14 views

WODESYS WD-R608U access control error vulnerability

The WODESYS WD-R608U is a wireless router from China Xinyang WODESYS. An access control error vulnerability exists in the WODESYS WD-R608U that stems from a lack of authentication in the adm.cgi endpoint configuration change module, which could allow an unauthenticated attacker to execute command...

CVSS 8.7 | AI score 6.9 | EPSS 0.00262
Exploits 0 | References 3
CNNVD
added 2025/12/18 12:00 a.m., 2 views

TP-Link WA850RE security vulnerability

TP-Link WA850RE is a wireless signal extender from China P&L TP-Link. A security vulnerability exists in the TP-Link WA850RE V2160527 and earlier versions, which originates from a command injection in the httpd module that could lead to the execution of arbitrary commands...

CVSS 8.5 | AI score 7.5 | EPSS 0.00969
Exploits 0 | References 4
Positive Technologies
added 2025/12/18 12:00 a.m., 5 views

PT-2025-52247

In the WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28), a lack of validation of the langGet parameter in the adm.cgi endpoint allows a malicious attacker to execute system shell commands. The vendor was notified early about this vulnerability, but didn't respond with the details of...

CVSS 9.4 | AI score 7.1 | EPSS 0.02439
Exploits 0 | References 4
Tenable Nessus
added 2025/12/18 12:00 a.m., 5 views

Rapid7 Velociraptor < 0.74.3 Privilege Escalation

The version of Rapid7 Velociraptor installed on the remote host is prior to 0.74.3. It is, therefore, affected by a privilege escalation vulnerability: Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run...

CVSS 5.5 | AI score 9.3 | EPSS 0.00963
Exploits 2 | References 2