Google ADK-Python - Unauthenticated Builder Endpoint

Google Agent Development Kit ADK 1.7.0 through 1.28.1 and 2.0.0a1 through 2.0.0a2 on Python OSS, Cloud Run, and GKE contains a code injection and missing authentication vulnerability, letting unauthenticated remote attackers execute arbitrary code on the server, exploit requires no authentication...

dash-uploader 0.1.0 - 0.7.0a2 - Denial-of-Service via flowTotalChunks

fohrloop dash-uploader v0.1.0 through v0.7.0a2 contains a remote code execution caused by improper handling in Upload function and maxfilesize parameter in dashuploader components, letting remote attackers execute arbitrary code, exploit requires crafted request. id: CVE-2026-38361 info: name:...

Acmailer - Improper Access Control to OS Command Injection

Improper access control vulnerability in acmailer ver. 4.0.1 and earlier, and acmailer DB ver. 1.1.3 and earlier allows remote attackers to execute an arbitrary OS command, or gain an administrative privilege which may result in obtaining the sensitive information on the server via unspecified...

AJ-Report < 1.4.1 - Remote Code Execution

AJ-Report before version 1.4.1 is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute arbitrary Java code on the victim server through script engine injection in the validation rul...

DedeCMS 5.7SP2 - Cross-Site Request Forgery/Remote Code Execution

DedeCMS 5.7SP2 is susceptible to cross-site request forgery with a corresponding impact of arbitrary code execution because the partcode parameter in a tagtestaction.php request can specify a runphp field in conjunction with PHP code. id: CVE-2018-7700 info: name: DedeCMS 5.7SP2 - Cross-Site...

Cuppa CMS v1.0 - Local File Inclusion

CuppaCMS v1.0 was discovered to contain a local file inclusion via the url parameter in /alerts/alertLightbox.php. id: CVE-2022-25485 info: name: Cuppa CMS v1.0 - Local File Inclusion author: theamanrawat severity: high description: | CuppaCMS v1.0 was discovered to contain a local file inclusion...

Ruby on Rails <5.0.1 - Remote Code Execution

Ruby on Rails before version 5.0.1 is susceptible to remote code execution because it passes user parameters as local variables into partials. id: CVE-2020-8163 info: name: Ruby on Rails 5.0.1 - Remote Code Execution author: timkoopmans severity: high description: Ruby on Rails before version 5.0...

Employee Records System 1.0 - Unauthenticated File Upload RCE

Employee Records System version 1.0 contains an unrestricted file upload vulnerability in uploadID.php that allows remote unauthenticated attackers to upload arbitrary PHP files and achieve remote code execution. id: CVE-2021-4462 info: name: Employee Records System 1.0 - Unauthenticated File...

Eclipse BIRT Viewer - Remote Code Execution

Eclipse BIRT versions 4.8.0 and earlier contain a JSP injection caused by query parameters, letting remote attackers create and access malicious JSP files in the viewer directory, exploit requires sending crafted query parameters. id: CVE-2021-34427 info: name: Eclipse BIRT Viewer - Remote Code...

Letta Letta 0.7.12 - Remote Code Execution

Letta 0.7.12 is vulnerable to remote code execution via POST /v1/tools/run in letta.server.restapi.routers.v1.tools.runtoolfromsource, allowing attackers to execute arbitrary Python and OS commands via crafted tool source code. id: CVE-2025-51482 info: name: Letta Letta 0.7.12 - Remote Code...

Oracle WebLogic Server - Remote Code Execution

Oracle WebLogic Server 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 contains a remote code execution caused by unauthenticated access via T3, IIOP, letting attackers take over the server, exploit requires network access. id: CVE-2021-2135 info: name: Oracle WebLogic Server - Remote Code Execution author:...

Form-Maker < 1.15.20 - Unauthenticated Arbitrary File Upload

The plugin does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files and lead to RCE. id: CVE-2023-4666 info: name: Form-Maker 1.15.20 - Unauthenticated Arbitrary File Upload author: pussycat0x severity: critical...

FreePBX - Remote Code Execution

FreePBX 15, 16, and 17 contain a remote code execution caused by insufficiently sanitized user-supplied data in endpoints, letting unauthenticated attackers manipulate the database and execute code remotely, exploit requires no authentication. id: CVE-2025-57819 info: name: FreePBX - Remote Code...

Schneider Electric U.motion Builder - Remote Code Execution

U.motion Builder 1.3.4 contains a remote code execution vulnerability caused by improper input sanitization, allowing attackers to execute arbitrary system commands through crafted input parameters. id: CVE-2018-7841 info: name: Schneider Electric U.motion Builder - Remote Code Execution author:...

JIRA Workflow Designer Plugin in Atlassian JIRA Server > 6.3.0 - Remote Code Execution (XXE)

The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object. id: CVE-2017-5983 info: name:...

React Server Components - Remote Code Execution

React Server Components 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack contain a remote code execution caused by unsafe deserialization of payloads from HTTP requests to Server Function endpoints, letting...

LotusCMS 3.0 - Remote Code Execution

LotusCMS 3.0 is susceptible to remote code execution via the Router function. This is done by embedding PHP code in the 'page' parameter, which will be passed to a eval call and allow remote code execution. id: CVE-2011-0518 info: name: LotusCMS 3.0 - Remote Code Execution author: pikpikcu...

LG Supersign EZ CMS - Remote Code Execution

LG SuperSign CMS allows remote attackers to execute arbitrary code via the sourceUri parameter to qsrserver/device/getThumbnail. id: CVE-2018-17173 info: name: LG Supersign EZ CMS - Remote Code Execution author: pussycat0x severity: critical description: | LG SuperSign CMS allows remote attackers...

74CMS - Remote File Inclusion

PHP remote file inclusion in the assignresumetpl method in Application/Common/Controller/BaseController.class.php in 74CMS before 6.0.48 allows remote code execution. id: CVE-2020-29279 info: name: 74CMS - Remote File Inclusion author: DhiyaneshDK severity: critical description: | PHP remote file...

Scramble Laravel - Remote Code Execution

Scramble for Laravel = 0.13.2 and = 0.13.2 and 0.13.22 contains a remote code execution caused by evaluation of user-controlled input in validation rules during documentation generation, letting remote attackers execute arbitrary PHP code, exploit requires publicly accessible documentation...