Export limit exceeded: 10227 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10227 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-12271 | 1 Sophos | 2 Sfos, Xg Firewall | 2025-11-07 | 9.8 Critical |
| A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords) | ||||
| CVE-2020-15505 | 1 Mobileiron | 4 Core, Enterprise Connector, Monitor And Reporting Database and 1 more | 2025-11-07 | 9.8 Critical |
| A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors. | ||||
| CVE-2018-15133 | 1 Laravel | 1 Laravel | 2025-11-07 | 8.1 High |
| In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack. | ||||
| CVE-2025-50286 | 1 Getgrav | 1 Grav | 2025-11-07 | 8.1 High |
| A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plugin via the /admin/tools/direct-install interface. Once uploaded, the plugin is automatically extracted and loaded, allowing arbitrary PHP code execution and reverse shell access. | ||||
| CVE-2022-29464 | 1 Wso2 | 8 Api Manager, Enterprise Integrator, Identity Server and 5 more | 2025-11-07 | 9.8 Critical |
| Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0, up to 2.0.0. | ||||
| CVE-2024-52781 | 2 Dcnetworks, Dcnglobal | 12 Dcme-320, Dcme-320-l, Dcme-320-l Firmware and 9 more | 2025-11-06 | 9.8 Critical |
| DCME-320 <=7.4.12.90, DCME-520 <=9.25.5.11, DCME-320-L <=9.3.5.26, and DCME-720 <=9.1.5.11 are vulnerable to Remote Code Execution via /function/system/tool/traceroute.php. | ||||
| CVE-2024-52780 | 2 Dcnetworks, Dcnglobal | 12 Dcme-320, Dcme-320-l, Dcme-320-l Firmware and 9 more | 2025-11-06 | 9.8 Critical |
| DCME-320 <=7.4.12.90, DCME-520 <=9.25.5.11, DCME-320-L <=9.3.5.26, and DCME-720 <=9.1.5.11 are vulnerable to Remote Code Execution via /function/system/basic/mgmt_edit.php. | ||||
| CVE-2024-52779 | 2 Dcnetworks, Dcnglobal | 12 Dcme-320, Dcme-320-l, Dcme-320-l Firmware and 9 more | 2025-11-06 | 9.8 Critical |
| DCME-320 <=7.4.12.90, DCME-520 <=9.25.5.11, DCME-320-L <=9.3.5.26, and DCME-720 <=9.1.5.11 are vulnerable to Remote Code Execution via /function/audit/newstatistics/mon_stat_top10.php. | ||||
| CVE-2024-52778 | 2 Dcnetworks, Dcnglobal | 12 Dcme-320, Dcme-320-l, Dcme-320-l Firmware and 9 more | 2025-11-06 | 9.8 Critical |
| DCME-320 <=7.4.12.90, DCME-520 <=9.25.5.11, DCME-320-L <=9.3.5.26, and DCME-720 <=9.1.5.11 are vulnerable to Remote Code Execution via /function/audit/newstatistics/mon_stat_hist.php. | ||||
| CVE-2024-52777 | 2 Dcnetworks, Dcnglobal | 12 Dcme-320, Dcme-320-l, Dcme-320-l Firmware and 9 more | 2025-11-06 | 9.8 Critical |
| DCME-320 <=7.4.12.90, DCME-520 <=9.25.5.11, DCME-320-L, <=9.3.5.26, and DCME-720 <=9.1.5.11 are vulnerable to Remote Code Execution via /function/system/basic/license_update.php. | ||||
| CVE-2024-52782 | 2 Dcnetworks, Dcnglobal | 12 Dcme-320, Dcme-320-l, Dcme-320-l Firmware and 9 more | 2025-11-06 | 9.8 Critical |
| DCME-320 <=7.4.12.90, DCME-520 <=9.25.5.11, DCME-320-L <=9.3.5.26, and DCME-720 <=9.1.5.11 are vulnerable to Remote Code Execution via /function/audit/newstatistics/mon_stat_hist_new.php. | ||||
| CVE-2024-0229 | 3 Fedoraproject, Redhat, X.org | 13 Fedora, Enterprise Linux, Enterprise Linux Aus and 10 more | 2025-11-06 | 7.8 High |
| An out-of-bounds memory access flaw was found in the X.Org server. This issue can be triggered when a device frozen by a sync grab is reattached to a different master device. This issue may lead to an application crash, local privilege escalation (if the server runs with extended privileges), or remote code execution in SSH X11 forwarding environments. | ||||
| CVE-2025-50688 | 2 Twisted, Twistedmatrix | 2 Twisted, Twistedweb | 2025-11-06 | 6.5 Medium |
| A command injection vulnerability exists in TwistedWeb (version 14.0.0) due to improper input sanitization in the file upload functionality. An attacker can exploit this vulnerability by sending a specially crafted HTTP PUT request to upload a malicious file (e.g., a reverse shell script). Once uploaded, the attacker can trigger the execution of arbitrary commands on the target system, allowing for remote code execution. This could lead to escalation of privileges depending on the privileges of the web server process. The attack does not require physical access and can be conducted remotely, posing a significant risk to the confidentiality and integrity of the system. | ||||
| CVE-2025-40599 | 1 Sonicwall | 6 Sma 210, Sma 210 Firmware, Sma 410 and 3 more | 2025-11-06 | 9.1 Critical |
| An authenticated arbitrary file upload vulnerability exists in the SMA 100 series web management interface. A remote attacker with administrative privileges can exploit this flaw to upload arbitrary files to the system, potentially leading to remote code execution. | ||||
| CVE-2022-47879 | 1 Jedox | 2 Jedox, Jedox Cloud | 2025-11-06 | 7.5 High |
| A Remote Code Execution (RCE) vulnerability in /be/rpc.php in Jedox 2020.2.5 allows remote authenticated users to load arbitrary PHP classes from the 'rtn' directory and execute its methods. NOTE: The vendor states that the vulnerability affects installations running version 22.5 or earlier. The issue was resolved with version 23.2 and later versions are not affected. | ||||
| CVE-2019-16278 | 1 Nazgul | 1 Nostromo Nhttpd | 2025-11-06 | 9.8 Critical |
| Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request. | ||||
| CVE-2025-60801 | 1 Jishenghua | 1 Jsherp | 2025-11-05 | 8.2 High |
| jshERP up to commit fbda24da was discovered to contain an unauthenticated remote code execution (RCE) vulnerability via the jsh_erp function. | ||||
| CVE-2025-30406 | 1 Gladinet | 1 Centrestack | 2025-11-05 | 9 Critical |
| Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: a CentreStack admin can manually delete the machineKey defined in portal\web.config. | ||||
| CVE-2017-1000353 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2025-11-05 | 9.8 Critical |
| Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default. | ||||
| CVE-2017-1000486 | 1 Primetek | 1 Primefaces | 2025-11-05 | 9.8 Critical |
| Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution | ||||