Lucene search
K

1073 matches found

NVD
NVD
added 2026/04/21 4:16 a.m.7 views

CVE-2026-5965

NewSoftOA developed by NewSoft has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server...

9.8CVSS0.01735EPSS
Exploits0References2
EUVD
EUVD
added 2026/04/20 9:31 p.m.4 views

EUVD-2026-23948

Vvveb CMS 1.0.8 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by uploading a PHP webshell with a .phtml extension. Attackers can bypass the extension deny-list and upload malicious file...

8.8CVSS6.8AI score0.00624EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/20 7:57 p.m.5 views

CVE-2026-6249

Vvveb CMS 1.0.8.2 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by uploading a PHP webshell with a .phtml extension. Attackers can bypass the extension deny-list and upload malicious...

8.8CVSS6.7AI score0.00624EPSS
Exploits0References3Affected Software1
RedhatCVE
RedhatCVE
added 2026/04/20 7:22 p.m.5 views

CVE-2026-35465

SecureDrop Client is a desktop app for journalists to securely communicate with sources and handle submissions on the SecureDrop Workstation. In versions 0.17.4 and below, a compromised SecureDrop Server can achieve code execution on the Client's virtual machine sd-app by exploiting improper...

7.5CVSS6.1AI score0.00439EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added 2026/04/20 1:28 a.m.6 views

thunderbird: Out of bounds read in IMAP parsing

A flaw was found in Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: A malicious mail server could send malformed strings with negative lengths, causing the parser to read memory outside the buffer. If a mail server or connection to a mail server were...

8.2CVSS7.2AI score0.0036EPSS
Exploits0References5
NVD
NVD
added 2026/04/18 1:16 a.m.3 views

CVE-2026-35465

SecureDrop Client is a desktop app for journalists to securely communicate with sources and handle submissions on the SecureDrop Workstation. In versions 0.17.4 and below, a compromised SecureDrop Server can achieve code execution on the Client's virtual machine sd-app by exploiting improper...

7.5CVSS0.00439EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/18 12:41 a.m.2 views

CVE-2026-35465 SecureDrop Client has path injection in read_gzip_header_filename()

SecureDrop Client is a desktop app for journalists to securely communicate with sources and handle submissions on the SecureDrop Workstation. In versions 0.17.4 and below, a compromised SecureDrop Server can achieve code execution on the Client's virtual machine sd-app by exploiting improper...

7.5CVSS6.2AI score0.00439EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/18 12:41 a.m.6 views

EUVD-2026-23626

SecureDrop Client is a desktop app for journalists to securely communicate with sources and handle submissions on the SecureDrop Workstation. In versions 0.17.4 and below, a compromised SecureDrop Server can achieve code execution on the Client's virtual machine sd-app by exploiting improper...

8.1CVSS6.1AI score0.00927EPSS
Exploits0References3
Snyk
Snyk
added 2026/04/16 1:2 a.m.5 views

PHP Remote File Inclusion

Overview froxlor/froxlor is a server administration software. Affected versions of this package are vulnerable to PHP Remote File Inclusion via the deflanguage parameter in the API, which is not properly validated against the list of available language files. An attacker can execute arbitrary PHP...

9.9CVSS6.1AI score0.00524EPSS
Exploits1References2
CVE
CVE
added 2026/04/15 12:0 a.m.13 views

CVE-2026-30616

CVE-2026-30616 relates to Jaaz 1.0.30, with a remote code execution vulnerability in the MCP STDIO command handling. An attacker can send crafted network requests to the network-accessible Jaaz application, leading to attacker-controlled commands executed in the Jaaz service process and potential...

7.3CVSS6.5AI score0.00344EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/15 12:0 a.m.20 views

CVE-2026-30616

Jaaz 1.0.30 contains a remote code execution vulnerability in its MCP STDIO command execution handling. A remote attacker can send crafted network requests to the network-accessible Jaaz application, causing attacker-controlled commands to be executed on the server. Successful exploitation result...

0.00344EPSS
Exploits0References1
Snyk
Snyk
added 2026/04/14 11:27 p.m.7 views

Command Injection

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Command Injection via unsanitized input to the wget function. An attacker can execute arbitrary system commands by supplying crafted input containing shell...

9.3CVSS6AI score0.00335EPSS
Exploits1References2
OSV
OSV
added 2026/04/14 10:31 p.m.7 views

GHSA-7MQR-33RV-P3MP Expression Injection in OpenRemote

Summary The OpenRemote IoT platform's rules engine contains two interrelated critical expression injection vulnerabilities that allow an attacker to execute arbitrary code on the server, ultimately achieving full server compromise. - Unsandboxed Nashorn JavaScript Engine: JavaScript rules are...

9.9CVSS6.5AI score0.00924EPSS
Exploits2References4
Positive Technologies
Positive Technologies
added 2026/04/13 12:0 a.m.11 views

PT-2026-32494

Pachno 1.0.6 contains an unrestricted file upload vulnerability that allows authenticated users to upload arbitrary file types by bypassing ineffective extension filtering to the /uploadfile endpoint. Attackers can upload executable files .php5 scripts to web-accessible directories and execute th...

8.8CVSS6.6AI score0.00474EPSS
Exploits1References6
Positive Technologies
Positive Technologies
added 2026/04/13 12:0 a.m.7 views

PT-2026-32331

LibreNMS versions before 26.3.0 are affected by an authenticated remote code execution vulnerability by abusing the Binary Locations config and the Netcommand feature. Successful exploitation requires administrative privileges. Exploitation could result in compromise of the underlying web server...

8.5CVSS6.4AI score0.07533EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/04/08 8:45 p.m.22 views

CVE-2026-39890 PraisonAI Affected by Remote Code Execution via YAML Deserialization in Agent Definition Loading

PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags such as !!js/function and !!js/undefined. This allows an attacker to craft a malicious YAML file that, when parsed,...

9.8CVSS0.0058EPSS
Exploits0References1
EUVD
EUVD
added 2026/04/08 6:34 p.m.1 views

EUVD-2026-20515

A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server...

7.1CVSS6.2AI score0.00413EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/04/08 5:4 p.m.4 views

CVE-2026-32590

A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server...

8.8CVSS6.2AI score0.00413EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/07 6:8 p.m.5 views

CVE-2026-39337

ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server...

10CVSS6.6AI score0.04151EPSS
Exploits3References2Affected Software1
Snyk
Snyk
added 2026/04/07 3:45 p.m.6 views

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the jato.clientSession HTTP parameter of the deserializeAttributes function. An attacker can execute arbitrary code on the server by sending a crafted serialized Java object to endpoints that process...

9.8CVSS6.1AI score0.1049EPSS
Exploits2References2
Rows per page
Query Builder