950 matches found
CVE-2025-56769
CVE-2025-56769 affects chinabugotech Hutool (hutool/ hutool-extra) prior to version 5.8.4 (and related advisories mention 5.8.40) due to insecure handling in the QLExpressEngine . The issue lets an attacker craft expressions that cause arbitrary method invocation, enabling potential remote code e...
CVE-2025-43789
JSON Web Services in Liferay Portal 7.4.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.9, 7.4 GA through update 92 published to OSGi are registered and invoked directly as classes which allows Service Access Policies get executed...
GHSA-Q86R-GWQC-JX85 Liferay Portal JSON Web Services Direct Class Invocation Enables Service Access Policy Execution
JSON Web Services in Liferay Portal 7.4.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.9, 7.4 GA through update 92 published to OSGi are registered and invoked directly as classes which allows Service Access Policies to get executed...
Liferay Portal JSON Web Services Direct Class Invocation Enables Service Access Policy Execution
JSON Web Services in Liferay Portal 7.4.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.9, 7.4 GA through update 92 published to OSGi are registered and invoked directly as classes which allows Service Access Policies to get executed...
CVE-2025-43789
JSON Web Services in Liferay Portal 7.4.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.9, 7.4 GA through update 92 published to OSGi are registered and invoked directly as classes which allows Service Access Policies get executed...
CVE-2025-43789
JSON Web Services in Liferay Portal 7.4.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.9, 7.4 GA through update 92 published to OSGi are registered and invoked directly as classes which allows Service Access Policies get executed...
CVE-2025-42944
Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high...
PT-2025-37182
Name of the Vulnerable Software and Affected Versions: SEAT Queue Ticket Kiosk versions up to 20250827 Description: A flaw exists in the Java RMI Registry Handler component of SEAT Queue Ticket Kiosk. This issue allows for deserialization, and can only be exploited within a local network. The...
CVE-2025-59017 Broken Access Control in Backend AJAX Routes
Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke AJAX backend routes without having access to the corresponding backend modules...
CVE-2025-42944
Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high...
CVE-2025-42944 Insecure Deserialization vulnerability in SAP Netweaver (RMI-P4)
Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high...
CVE-2025-42944 Insecure Deserialization vulnerability in SAP Netweaver (RMI-P4)
Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high...
CVE-2025-42944
The CVE-2025-42944 vulnerability affects SAP NetWeaver (notably the NetWeaver Application Server Java) via insecure deserialization in the RMI-P4 module. An unauthenticated, remote attacker can send a malicious payload to an open port, leading to arbitrary OS command execution with the attacker g...
PT-2025-36562
SAP NetWeaver and Affected Versions SAP NetWeaver versions 5.3 through 10.0 SAP NetWeaver AS Java affected versions not specified Description SAP NetWeaver contains a critical deserialization flaw in the RMI-P4 module. This allows an unauthenticated attacker to execute arbitrary operating system...
CVE-2025-7388
It was possible to perform Remote Command Execution RCE via Java RMI interface in the OpenEdge AdminServer, allowing authenticated users to inject and execute OS commands under the delegated authority of the AdminServer process. An RMI interface permitted manipulation of a configuration property...
Exploit Tool Invocation Prompt for Tool Behavior Hijacking in LLM-Based Agentic System
LLM-based agentic systems leverage large language models to handle user queries, make decisions, and execute external tools for complex tasks across domains like chatbots, customer service, and software engineering. A critical component of these systems is the Tool Invocation Prompt TIP, which...
CVE-2025-7388 Authenticated Command Injection via configuration parameter manipulation in exposed RMI interface
It was possible to perform Remote Command Execution RCE via Java RMI interface in the OpenEdge AdminServer, allowing authenticated users to inject and execute OS commands under the delegated authority of the AdminServer process. An RMI interface permitted manipulation of a configuration property...
Progress Software OpenEdge 命令注入漏洞
Progress Software OpenEdge is a suite of integrated development environments IDEs from Progress Software, USA. A command injection vulnerability exists in Progress Software OpenEdge that stems from insufficient input validation of the Java RMI interface, which could lead to a remote command...
PT-2025-35938
Name of the Vulnerable Software and Affected Versions OpenEdge AdminServer affected versions not specified Description The OpenEdge AdminServer is susceptible to Remote Command Execution RCE via its Java RMI interface. Authenticated users can inject and execute OS commands under the delegated...
Linux Distros Unpatched Vulnerability : CVE-2019-0187
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Unauthenticated RCE is possible when JMeter is used in distributed mode -r or -R command line options. Attacker can establish a RMI connection to a jmeter-serve...