86 matches found

NVD
added 2025/03/31 12:15 p.m. | 12 views

CVE-2025-3022

OS command injection vulnerability in e-solutions e-management. This vulnerability allows an attacker to execute arbitrary commands on the server via the ‘client’ parameter in the /data/apache/e-management/api/api3.php endpoint...

9.3 CVSS | 0.01247 EPSS
Exploits: 0 | References: 1

Vulnrichment
added 2025/02/18 7:57 a.m. | 7 views

CVE-2025-0422 Authenticated Remote Code Execution via ScriptVar

An authenticated user in the "bestinformed Web" application can execute commands on the underlying server running the application. Remote Code Execution For this, the user must be able to create "ScriptVars" with the type "script" and preview them by, for example, creating a new "Info". By defaul...

8.6 CVSS | 7.2 AI score | 0.00193 EPSS
Exploits: 1 | References: 1

The Hacker News
added 2025/01/29 10:21 a.m. | 26 views

Critical Cacti Security Flaw (CVE-2025-22604) Enables Remote Code Execution

A critical security flaw has been disclosed in the Cacti open-source network monitoring and fault management framework that could allow an authenticated attacker to achieve remote code execution on susceptible instances. The flaw, tracked as CVE-2025-22604, carries a CVSS score of 9.1 out of a...

8.7 CVSS | 8.3 AI score | 0.87934 EPSS
Exploits: 11

CNNVD
added 2024/10/11 12:00 a.m. | 1 view

DataEase Code Issue Vulnerability

DataEase is an open source data visualization and analysis tool from DataEase Open Source. It is used to help users quickly analyze data and gain insight into business trends, so as to achieve business improvement and optimization. A code issue vulnerability exists in versions prior to DataEase v1.18.25...

9.8 CVSS | 7.1 AI score | 0.00993 EPSS
Exploits: 0 | References: 3

CNNVD
added 2024/04/10 12:00 a.m. | 1 view

Aim Code Injection Vulnerability

Aim is an easy-to-use and high-performance open source experiment tracker from the United States. Aim suffers from a code injection vulnerability. The vulnerability stems from the application failing to properly filter special elements of constructed code segments. An attacker could exploit the...

9.8 CVSS | 7.9 AI score | 0.08378 EPSS
Exploits: 1 | References: 2

CVE
added 2024/03/27 12:00 a.m. | 57 views

CVE-2024-28335

CVE-2024-28335 affects Lektor prior to 3.3.11. The issue is an unsanitized DB path traversal that can permit shell commands via a file added to the templates directory when a user’s browser visits an untrusted site that sends requests to localhost:5000, with the browser and the Lektor server runn...

9.1 CVSS | 6.7 AI score | 0.00389 EPSS
Exploits: 0 | References: 6

Veracode
added 2024/02/20 6:25 a.m. | 26 views

Insecure Deserialization

Torrentpier is vulnerable to Insecure Deserialization. The vulnerability is due to a lack of proper validation during deserialization. This allows an attacker to execute arbitrary commands on the server...

10 CVSS | 7.6 AI score | 0.80592 EPSS
Exploits: 3 | References: 3 | Affected Software: 1

GithubExploit
added 2024/01/02 2:20 p.m. | 166 views

Exploit for Code Injection in Apache Ofbiz

Apache OFBiz Authentication Bypass Vulnerability CVE-2023-514...

9.8 CVSS | 10 AI score | 0.93996 EPSS
Exploits: 16

ATTACKERKB
added 2023/07/21 3:15 p.m. | 2 views

CVE-2023-38646

Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2...

9.8 CVSS | 7.9 AI score | 0.94255 EPSS
Exploits: 36 | References: 9

Packet Storm
added 2023/06/27 12:00 a.m. | 249 views

Job Board 1.0 Shell Upload

7.1 AI score
Exploits: 0

Prion
added 2022/08/15 11:21 a.m. | 11 views

Code injection

The WP-DBManager WordPress plugin before 2.80.8 does not prevent administrators from running arbitrary commands on the server in multisite installations, where only super-administrators should...

5.8 CVSS | 7 AI score | 0.00816 EPSS
Exploits: 2 | References: 1 | Affected Software: 1

Vulnrichment
added 2022/06/14 9:22 a.m. | 3 views

CVE-2022-32262

A vulnerability has been identified in SINEMA Remote Connect Server All versions V3.1. The affected application contains a file upload server that is vulnerable to command injection. An attacker could use this to achieve arbitrary code execution...

8.8 CVSS | 9.8 AI score | 0.02222 EPSS
Exploits: 0 | References: 2

OSV
added 2022/04/14 3:15 p.m. | 1 view

CVE-2022-1258

A blind SQL injection vulnerability in the ePolicy Orchestrator ePO extension of MA prior to 5.7.6 can be exploited by an authenticated administrator on ePO to perform arbitrary SQL queries in the back-end database, potentially leading to command execution on the server...

7.2 CVSS | 6 AI score | 0.00241 EPSS
Exploits: 0 | References: 1

Vulnrichment
added 2022/04/01 10:17 p.m. | 2 views

CVE-2021-32974 Moxa NPort IAW5000A-I/O Series Serial Device Server Improper Input Validation

Improper input validation in the built-in web server in Moxa NPort IAW5000A-I/O series firmware version 2.2 or earlier may allow a remote attacker to execute commands...

9.8 CVSS | 7.2 AI score | 0.00842 EPSS
Exploits: 0 | References: 2

ATTACKERKB
added 2022/02/24 3:15 p.m. | 4 views

CVE-2022-23043

Zenario CMS 9.2 allows an authenticated admin user to bypass the file upload restriction by creating a new 'File/MIME Types' using the '.phar' extension. Then an attacker can upload a malicious file, intercept the request and change the extension to '.phar' in order to run commands on the server...

7.2 CVSS | 5.8 AI score | 0.00578 EPSS
Exploits: 1 | References: 3

Cvelist
added 2022/02/18 10:00 p.m. | 16 views

CVE-2022-23650 Use of Hard-coded Cryptographic Key in Netmaker

Netmaker is a platform for creating and managing virtual overlay networks using WireGuard. Prior to versions 0.8.5, 0.9.4, and 010.0, there is a hard-coded cryptographic key in the code base which can be exploited to run admin commands on a remote server if the exploiter knows the address and...

7.2 CVSS | 9 AI score | 0.00804 EPSS
Exploits: 0 | References: 4

Cvelist
added 2021/11/05 12:36 p.m. | 19 views

CVE-2021-42669

A file upload vulnerability exists in Sourcecodester Engineers Online Portal in PHP via dashboardteacher.php, which allows changing the avatar through teacheravatar.php. Once an avatar gets uploaded it is getting uploaded to the /admin/uploads/ directory, and is accessible by all users. By...

9.9 AI score | 0.44223 EPSS
Exploits: 3 | References: 3

Zero Day Initiative
added 2021/10/14 12:00 a.m. | 15 views

Schneider Electric IGSS Missing Authentication Arbitrary File Deletion Vulnerability

This vulnerability allows remote attackers to delete arbitrary files on affected installations of Schneider Electric IGSS. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of commands sent to the server. The issue results from the lack o...

5.3 CVSS | 2.6 AI score | 0.00232 EPSS
Exploits: 0 | References: 1

Cvelist
added 2021/08/25 9:16 p.m. | 12 views

CVE-2021-37334

Umbraco Forms version 4.0.0 up to and including 8.7.5 and below are vulnerable to a security flaw that could lead to a remote code execution attack and/or arbitrary file deletion. A vulnerability occurs because validation of the file extension is performed after the file has been stored in a...

10 AI score | 0.012 EPSS
Exploits: 0 | References: 2

CNVD
added 2021/06/05 12:00 a.m. | 1 view

Command Execution Vulnerability in Yisou Novel App

Yisou Novel APP is a professional mobile novel search and reading client. A command execution vulnerability exists in Yisou Novel APP. An attacker can exploit the vulnerability to execute commands on the server...

7.7 AI score
Exploits: 0