43 matches found
Lucee Admin - Remote Code Execution
Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 contains an unauthenticated remote code execution vulnerability. id: CVE-2021-21307 info: name: Lucee Admin - Remote Code Execution author: dhiyaneshDk severity: critical description: Lucee Admin before versions 5.3.7.47, 5.3.6.68 or...
VMware Workspace ONE Access - Server-Side Template Injection
VMware Workspace ONE Access is susceptible to a remote code execution vulnerability due to a server-side template injection flaw. An unauthenticated attacker with network access could exploit this vulnerability by sending a specially crafted request to a vulnerable VMware Workspace ONE or Identit...
XStream <1.4.16 - Remote Code Execution
XStream before 1.4.16 is susceptible to remote code execution. An attacker can load and execute arbitrary code from a remote host via manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative...
PT-2026-48437
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the HAProxy section-save endpoints POST /api/service/haproxy//section/ and the PUT / global / defaults variants accept a JSON option field that is not validated, not escaped, and ...
CVE-2026-44513
Diffusers is a library for pretrained diffusion models. Prior to 0.38.0, a trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user passing trust_remote_code=False or omitting it, which is the default. The vulnerability has three variant...
CVE-2026-4944
vllm-project/vllm version 0.14.1 contains a vulnerability where the trust_remote_code=True parameter is hardcoded in two model implementation files vllm/modelexecutor/models/nemotronvl.py and vllm/modelexecutor/models/kimik25.py. This bypasses the user's explicit --trust-remote-code=False setting,...
CVE-2026-27648 web_webview has an out-of-bounds write vulnerability
in OpenHarmony v6.0 and prior versions allows a remote attacker to execute arbitrary code in pre-installed apps...
Exploit for CVE-2026-42167
CVE-2026-42167: ProFTPD mod_sql SQL Injection / Auth Bypass...
CVE-2025-59707
In N2W before 4.3.2 and 4.4.x before 4.4.1, there is potential remote code execution and account credentials theft because of a spoofing vulnerability...
EUVD-2026-10842
In mfchandlereleasedbuf of mfccoreisr.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation...
SUSE CVE-2026-3086
GStreamer H.266 Codec Parser Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary...
Important: gegl
Issue Overview: The rgbereadnewrle function in gegl/libs/rgbe/rgbe.c has a heap buffer overflow vulnerability during HDR image parsing that may allow remote code execution. CVE-2026-2049 When parsing an HDR image file, the function rgbereadnewrle gegl/libs/rgbe/rgbe.c contains HEAP Based Buffer...
CVE-2025-57293
A command injection vulnerability in COMFAST CF-XR11 firmware V2.7.2 exists in the multipppoe API, processed by the sub423930 function in /usr/bin/webmgnt. The phyinterface parameter is not sanitized, allowing attackers to inject arbitrary commands via a POST request to...
CVE-2025-8296
SQL injection in Ivanti Avalanche before version 6.4.8.8008 allows a remote authenticated attacker with admin privileges to execute arbitrary SQL queries. In certain conditions, this can also lead to remote code execution...
CVE-2024-32905
In circread of linkdevicememorylegacy.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation...
USN-7490-2 libsoup2.4 regression
USN-7490-1 fixed vulnerabilities in libsoup. It was discovered that the fix for CVE-2025-32912 was incomplete. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Tan Wei Chong discovered that libsoup incorrectly handled memory when parsing HTTP request...
Integer overflow vulnerability in the array_append, array_prepend, and array_subscript_handler functions of the PostgreSQL database management system during array modification, allowing attackers to execute arbitrary code.
The vulnerability in the array_append, array_prepend, and array_subscript_handler functions of the PostgreSQL database management system is caused by an integer overflow during array modification. Exploiting this vulnerability allows an attacker to execute arbitrary code remotely...
Vulnerability in the SetTriggerPPPoEValidate() function of the D-Link DIR-3040 wireless router firmware, allowing an attacker to execute arbitrary code.
The vulnerability in the SetTriggerPPPoEValidate function of the D-Link DIR-3040 wireless router software is caused by an operation that goes beyond the bounds of a memory buffer. Exploiting this vulnerability allows a malicious actor to execute arbitrary code by sending specially crafted HNAP...
CVE-2023-38861
An issue in Wavlink WLWNJ575A3 v.R75A3V1410220513 allows a remote attacker to execute arbitrary code via the username parameter of the setsysadm function in adm.cgi...
Remote code execution
ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component UPFILEPICZOOMHIGHT...