139 matches found

Vulnrichment
added 2025/06/09 12:36 p.m., 9 views

CVE-2025-48877 Discourse vulnerable to auto-executing of third-party code in embedded CodePen iframe

Discourse is an open-source discussion platform. Prior to version 3.4.4 of the stable branch, version 3.5.0.beta5 of the beta branch, and version 3.5.0.beta6-dev of the tests-passed branch, Codepen is present in the default allowediframes site setting, and it can potentially auto-run arbitrary JS...

CVSS 9.3 | AI score 6.6 | EPSS 0.0069
Exploits 0 | References 1
Cvelist
added 2025/06/09 12:36 p.m., 9 views

CVE-2025-48877 Discourse vulnerable to auto-executing of third-party code in embedded CodePen iframe

Discourse is an open-source discussion platform. Prior to version 3.4.4 of the stable branch, version 3.5.0.beta5 of the beta branch, and version 3.5.0.beta6-dev of the tests-passed branch, Codepen is present in the default allowediframes site setting, and it can potentially auto-run arbitrary JS...

CVSS 9.3 | EPSS 0.0069
Exploits 0 | References 1
Debian
added 2025/05/28 8:33 p.m., 10 views

[SECURITY] [DSA 5928-1] libvpx security update

Debian Security Advisory DSA-5928-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso May 28, 2025 https://www.debian.org/security/faq ...

CVSS 5.4 | AI score 7.1 | EPSS 0.00273
Exploits 0
CNVD
added 2025/05/26 12:00 a.m., 1 view

Fuji Electric V-SFT Buffer Overflow Vulnerability (CNVD-2025-12951)

Fuji Electric V-SFT is a screen configuration software from Fuji Electric Japan. Fuji Electric V-SFT suffers from a buffer overflow vulnerability that originates in the settemptypedefault function in VS6MemInIF, which can be exploited by an attacker to cause a crash, information disclosure, and...

CVSS 8.4 | AI score 7.6 | EPSS 0.00129
Exploits 0 | References 1
RedhatCVE
added 2025/05/22 9:10 p.m., 5 views

CVE-2021-27244

This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 16.0.1-48919. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw...

CVSS 6.5 | AI score 6.2 | EPSS 0.0009
Exploits 0 | References 1
RedhatCVE
added 2025/05/22 7:50 p.m., 4 views

CVE-2021-34310

A vulnerability has been identified in JT2Go All versions V13.2, Teamcenter Visualization All versions V13.2. The Tiffloader.dll library in affected applications lacks proper validation of user-supplied data when parsing TIFF files. This could result in an out of bounds write past the end of an...

CVSS 7.8 | AI score 7 | EPSS 0.00418
Exploits 0 | References 1
RedhatCVE
added 2025/05/22 7:10 p.m., 6 views

CVE-2021-21477

SAP Commerce Cloud, versions 1808, 1811, 1905, 2005, 2011, enables certain users with required privileges to edit drools rules; an authenticated attacker with this privilege will be able to inject malicious code in the drools rules, which when executed leads to a Remote Code Execution vulnerability...

CVSS 9.9 | AI score 7.4 | EPSS 0.0099
Exploits 0 | References 1
RedhatCVE
added 2025/05/22 6:29 p.m., 3 views

CVE-2021-29461

Discord Recon Server is a bot that allows one to do one's reconnaissance process from one's Discord. A vulnerability in Discord Recon Server prior to 0.0.3 could be exploited to read internal files from the system and write files into the system resulting in remote code execution. This issue has...

CVSS 9 | AI score 7.6 | EPSS 0.01351
Exploits 0 | References 1
RedhatCVE
added 2025/05/22 4:26 p.m., 4 views

CVE-2020-16227

Delta Electronics TPEditor Versions 1.97 and prior. An improper input validation may be exploited by processing a specially crafted project file not validated when the data is entered by a user. Successful exploitation of this vulnerability may allow an attacker to read/modify information, execut...

CVSS 7.8 | AI score 7.4 | EPSS 0.00376
Exploits 0
RedhatCVE
added 2025/05/22 4:31 a.m., 5 views

CVE-2019-14040

Using memory after being freed in qsee due to wrong implementation can lead to unexpected behavior such as execution of unknown code in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon...

CVSS 7.8 | AI score 7.4 | EPSS 0.01431
Exploits 0 | References 1
RedhatCVE
added 2025/05/21 8:40 p.m., 4 views

CVE-2006-3957

PHP remote file inclusion vulnerability in payment.php in BosDev BosDates allows remote attackers to execute arbitrary PHP code via a URL in the insPath parameter...

CVSS 7.5 | AI score 7.9 | EPSS 0.02067
Exploits 1 | References 1
Cvelist
added 2025/03/26 2:24 p.m., 11 views

CVE-2025-28893 WordPress Visual Text Editor plugin <= 1.2.1 - Remote Code Execution (RCE) vulnerability

Improper Control of Generation of Code 'Code Injection' vulnerability in Govind Visual Text Editor visual-text-editor allows Remote Code Inclusion. This issue affects Visual Text Editor: from n/a through = 1.2.1...

CVSS 9.9 | EPSS 0.00129
Exploits 0 | References 1
Ubuntu
added 2025/03/20 11:57 a.m., 82 views

USN-7361-1: Libxslt vulnerability

Ivan Fratric discovered that Libxslt incorrectly handled certain memory operations when handling documents. A remote attacker could use this issue to cause Libxslt to crash, resulting in a denial of service, or possibly execute arbitrary code...

CVSS 7.8 | AI score 7.2 | EPSS 0.00087
Exploits 1
Vulnrichment
added 2025/03/18 1:56 p.m., 9 views

CVE-2024-21760

An improper control of generation of code 'Code Injection' vulnerability CWE-94 in FortiSOAR Connector FortiSOAR 7.4 all versions, 7.3 all versions, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an authenticated attacker to execute arbitrary code on the host via a playbook code...

CVSS 8.4 | AI score 7.9 | EPSS 0.00282
Exploits 0 | References 1
NVD
added 2025/02/13 7:15 p.m., 12 views

CVE-2025-1127

The vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user and/or modify the contents of any data on the filesystem...

CVSS 9.1 | EPSS 0.00233
Exploits 0 | References 1
RedhatCVE
added 2025/02/05 9:58 p.m., 5 views

CVE-2022-24056

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sante DICOM Viewer Pro 11.8.7.0. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within th...

CVSS 7.8 | AI score 6.8 | EPSS 0.01043
Exploits 0 | References 1
CVE
added 2025/01/30 11:37 p.m., 50 views

CVE-2024-23969

ChargePoint Home Flex devices are affected by CVE-2024-23969 due to an out-of-bounds write in the wlanchnllst function caused by improper validation of user-supplied data. This vulnerability can allow network-adjacent attackers to execute arbitrary code with root privileges, and authentication is...

CVSS 8.8 | AI score 6.9 | EPSS 0.00103
Exploits 0 | References 1 | Affected Software 1
CVE
added 2025/01/14 6:03 p.m., 84 views

CVE-2025-21291

CVE-2025-21291 is a Windows DirectShow remote code execution vulnerability. Documented CVSSv3.1 shows high risk (8.8) with network exploitation requiring user interaction. Affected: Windows DirectShow components; root cause specifics not disclosed in provided materials. Microsoft has released se...

CVSS 8.8 | AI score 9 | EPSS 0.01654
Exploits 0 | References 1 | Affected Software 8
Packet Storm
added 2025/01/13 12:00 a.m., 201 views

QNAP Symlink Remote Code Execution

The QNAP operating system suffers from a symlinking vulnerability. It is possible to upload a symlink through a ZIP file and abuse the encrypt/decrypt function to gain an arbitrary file write primitive which can be turned into remote code execution. An attacker with privileges of a regular user ca...

CVSS 8.7 | AI score 8 | EPSS 0.48051
Exploits 2
GithubExploit
added 2025/01/10 5:47 p.m., 248 views

Exploit for Unrestricted Upload of File with Dangerous Type in Apache Struts

CVE-2024-53677 - Apache Struts 2 Remote Code Execution Vulnerabi...

CVSS 9.8 | AI score 9.8 | EPSS 0.93188
Exploits 15