Total
5661 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-9647 | 1 Mtons | 1 Mblog | 2025-11-14 | 4.3 Medium |
| A weakness has been identified in mtons mblog up to 3.5.0. This issue affects some unknown processing of the file /admin/role/list. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-23357 | 1 Nvidia | 1 Megatron-lm | 2025-11-14 | 7.8 High |
| NVIDIA Megatron-LM for all platforms contains a vulnerability in a script, where malicious data created by an attacker may cause a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, data tampering. | ||||
| CVE-2025-12733 | 2 Wordpress, Wpallimport | 2 Wordpress, Import Any Xml | 2025-11-14 | 8.8 High |
| The Import any XML, CSV or Excel File to WordPress (WP All Import) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.9.6. This is due to the use of eval() on unsanitized user-supplied input in the pmxi_if function within helpers/functions.php. This makes it possible for authenticated attackers, with import capabilities (typically administrators), to inject and execute arbitrary PHP code on the server via crafted import templates. This can lead to remote code execution. | ||||
| CVE-2025-12813 | 2 Strix-bubol5, Wordpress | 2 Holiday Class Post Calendar, Wordpress | 2025-11-14 | 9.8 Critical |
| The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the 'contents' parameter. This is due to a lack of sanitization of user-supplied data when creating a cache file. This makes it possible for unauthenticated attackers to execute code on the server. | ||||
| CVE-2025-5757 | 1 Carmelo | 1 Traffic Offense Reporting System | 2025-11-13 | 3.5 Low |
| A vulnerability was found in code-projects Traffic Offense Reporting System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /save-reported.php. The manipulation of the argument offence_id/vehicle_no/driver_license/name/address/gender/officer_reporting/offence leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-49521 | 1 Redhat | 3 Ansible Automation Platform, Ansible Automation Platform Developer, Ansible Automation Platform Inside | 2025-11-13 | 8.8 High |
| A flaw was found in the EDA component of the Ansible Automation Platform, where user-supplied Git branch or refspec values are evaluated as Jinja2 templates. This vulnerability allows authenticated users to inject expressions that execute commands or access sensitive files on the EDA worker. In OpenShift, it can lead to service account token theft. | ||||
| CVE-2025-49926 | 2 Laborator, Wordpress | 2 Kalium, Wordpress | 2025-11-13 | 7.3 High |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Laborator Kalium kalium allows Code Injection.This issue affects Kalium: from n/a through <= 3.25. | ||||
| CVE-2025-5651 | 1 Carmelo | 1 Traffic Offense Reporting System | 2025-11-13 | 3.5 Low |
| A vulnerability, which was classified as problematic, has been found in code-projects Traffic Offense Reporting System 1.0. This issue affects some unknown processing of the file saveuser.php. The manipulation of the argument user_id/username/email/name/position leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-5661 | 1 Carmelo | 1 Traffic Offense Reporting System | 2025-11-13 | 2.4 Low |
| A vulnerability, which was classified as problematic, was found in code-projects Traffic Offense Reporting System 1.0. This affects an unknown part of the file /save-settings.php of the component Setting Handler. The manipulation of the argument site_name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-62959 | 2 Videowhisper, Wordpress | 2 Videowhisper, Wordpress | 2025-11-13 | 9.1 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in videowhisper Paid Videochat Turnkey Site ppv-live-webcams allows Remote Code Inclusion.This issue affects Paid Videochat Turnkey Site: from n/a through <= 7.3.22. | ||||
| CVE-2025-62023 | 2 S2member, Wordpress | 2 S2member, Wordpress | 2025-11-13 | 9.8 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Cristián Lávaque s2Member s2member.This issue affects s2Member: from n/a through <= 250905. | ||||
| CVE-2025-60206 | 1 Wordpress | 1 Wordpress | 2025-11-13 | 10 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone alone allows Code Injection.This issue affects Alone: from n/a through <= 7.8.3. | ||||
| CVE-2025-52756 | 2 Sayandatta, Wordpress | 2 Wp Last Modified Info, Wordpress | 2025-11-13 | 7.4 High |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Sayan Datta WP Last Modified Info wp-last-modified-info allows Remote Code Inclusion.This issue affects WP Last Modified Info: from n/a through <= 1.9.2. | ||||
| CVE-2025-49372 | 1 Wordpress | 1 Wordpress | 2025-11-13 | 10 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Remote Code Inclusion.This issue affects HAPPY: from n/a through <= 1.0.7. | ||||
| CVE-2025-47588 | 2 Acowebs, Wordpress | 2 Dynamic Pricing With Discount Rules For Woocommerce, Wordpress | 2025-11-13 | 9.8 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in acowebs Dynamic Pricing With Discount Rules for WooCommerce aco-woo-dynamic-pricing allows Code Injection.This issue affects Dynamic Pricing With Discount Rules for WooCommerce: from n/a through <= 4.5.9. | ||||
| CVE-2025-32222 | 1 Wordpress | 1 Wordpress | 2025-11-13 | 9.8 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Widgetlogic.org Widget Logic widget-logic allows Code Injection.This issue affects Widget Logic: from n/a through <= 6.0.5. | ||||
| CVE-2025-42887 | 1 Sap | 1 Solution Manager | 2025-11-12 | 9.9 Critical |
| Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could provide the attacker with full control of the system hence leading to high impact on confidentiality, integrity and availability of the system. | ||||
| CVE-2025-42895 | 1 Sap | 1 Hana-client | 2025-11-12 | 6.9 Medium |
| Due to insufficient validation of connection property values, the SAP HANA JDBC Client allows a high-privilege locally authenticated user to supply crafted parameters that lead to unauthorized code loading, resulting in low impact on confidentiality and integrity and high impact on availability of the application. | ||||
| CVE-2025-12637 | 1 Wordpress | 1 Wordpress | 2025-11-12 | 8.8 High |
| The Elastic Theme Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a dynamic code generation feature in the process_theme function in all versions up to, and including, 0.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-12729 | 1 Sophos | 2 Firewall, Firewall Firmware | 2025-11-12 | 8.8 High |
| A post-auth code injection vulnerability in the User Portal allows authenticated users to execute code remotely in Sophos Firewall older than version 21.0 MR1 (21.0.1). | ||||