Total
5661 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-53883 | 1 Webedition | 1 Webedition Cms | 2025-12-18 | 7.2 High |
| Webedition CMS v2.9.8.8 contains a remote code execution vulnerability that allows authenticated attackers to inject system commands through PHP page creation. Attackers can create a new PHP page with malicious system commands in the description field to execute arbitrary commands on the server. | ||||
| CVE-2025-55313 | 3 Apple, Foxit, Microsoft | 5 Macos, Pdf Editor, Pdf Editor For Mac and 2 more | 2025-12-18 | 7.8 High |
| An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. They allow potential arbitrary code execution when processing crafted PDF files. The vulnerability stems from insufficient handling of memory allocation failures after assigning an extremely large value to a form field's charLimit property via JavaScript. This can result in memory corruption and may allow an attacker to execute arbitrary code by persuading a user to open a malicious file. | ||||
| CVE-2025-14729 | 2 Ctcms, Ctcms Project | 2 Content Management System, Ctcms | 2025-12-18 | 4.7 Medium |
| A vulnerability was identified in CTCMS Content Management System up to 2.1.2. The affected element is the function Save of the file /ctcms/libs/Ct_App.php of the component Backend App Configuration Module. The manipulation of the argument CT_App_Paytype leads to code injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | ||||
| CVE-2025-14730 | 2 Ctcms, Ctcms Project | 2 Content Management System, Ctcms | 2025-12-18 | 4.7 Medium |
| A security flaw has been discovered in CTCMS Content Management System up to 2.1.2. The impacted element is an unknown function in the library /ctcms/libs/Ct_Config.php of the component Backend System Configuration Module. The manipulation of the argument Cj_Add/Cj_Edit results in code injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited. | ||||
| CVE-2025-65602 | 1 Chancms | 1 Chancms | 2025-12-18 | 9.8 Critical |
| A template injection vulnerability in the /vip/v1/file/save component of ChanCMS v3.3.4 allows attackers to execute arbitrary code via a crafted POST request. | ||||
| CVE-2025-67172 | 1 Ritecms | 1 Ritecms | 2025-12-18 | 7.2 High |
| RiteCMS v3.1.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the parse_special_tags() function. | ||||
| CVE-2025-62521 | 1 Churchcrm | 1 Churchcrm | 2025-12-18 | 10 Critical |
| ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The vulnerability exists in `setup/routes/setup.php` where user input from the setup form is directly concatenated into a PHP configuration template without any validation or sanitization. Any parameter in the setup form can be used to inject PHP code that gets written to `Include/Config.php`, which is then executed on every page load. This is more severe than typical authenticated RCE vulnerabilities because it requires no credentials and affects the installation process that administrators must complete. Version 5.21.0 patches the issue. | ||||
| CVE-2025-14801 | 1 Xiweicheng | 1 Tms | 2025-12-18 | 2.4 Low |
| A security vulnerability has been detected in xiweicheng TMS up to 2.28.0. This affects the function createComment of the file /admin/blog/comment/create. Such manipulation of the argument content leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-29806 | 1 Microsoft | 1 Edge Chromium | 2025-12-17 | 6.5 Medium |
| No cwe for this issue in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. | ||||
| CVE-2025-29807 | 1 Microsoft | 1 Dataverse | 2025-12-17 | 8.7 High |
| Deserialization of untrusted data in Microsoft Dataverse allows an authorized attacker to execute code over a network. | ||||
| CVE-2025-65294 | 1 Aqara | 6 Camera Hub G3, Camera Hub G3 Firmware, Hub M2 and 3 more | 2025-12-17 | 9.8 Critical |
| Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 contain an undocumented remote access mechanism enabling unrestricted remote command execution. | ||||
| CVE-2024-32406 | 2 Inducer, Inducer | 2 Relate, Relate | 2025-12-17 | 7.5 High |
| Server-Side Template Injection (SSTI) vulnerability in inducer relate before v.2024.1 allows a remote attacker to execute arbitrary code via a crafted payload to the Batch-Issue Exam Tickets function. | ||||
| CVE-2024-22533 | 1 Xiandafu | 1 Beetl | 2025-12-17 | 9.8 Critical |
| Before Beetl v3.15.12, the rendering template has a server-side template injection (SSTI) vulnerability. When the incoming template is controllable, it will be filtered by the DefaultNativeSecurityManager blacklist. Because blacklist filtering is not strict, the blacklist can be bypassed, leading to arbitrary code execution. | ||||
| CVE-2025-66457 | 1 Elysiajs | 1 Elysia | 2025-12-17 | 8.8 High |
| Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.17 and below are subject to arbitrary code execution from cookie config. When dynamic cookies are enabled (e.g. there an existing cookie schema), the cookie config is injected into the compiled route without first being sanitised. Availability of this exploit is generally low, but when combined with GHSA-hxj9-33pp-j2cc, it allows for a full RCE chain. An attack requires write access to either the Elysia app's source code (in which case the vulnerability is meaningless) or write access to the cookie config (perhaps where it is assumed to be provisioned by the environment). This issue is fixed in version 1.4.18. | ||||
| CVE-2018-7602 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2025-12-17 | 9.8 Critical |
| A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild. | ||||
| CVE-2025-14662 | 2 Code-projects, Fabian | 2 Student Management System, Student File Management System | 2025-12-16 | 2.4 Low |
| A vulnerability was found in code-projects Student File Management System 1.0. This affects an unknown part of the file /admin/update_user.php of the component Update User Page. Performing manipulation results in cross site scripting. The attack may be initiated remotely. The exploit has been made public and could be used. | ||||
| CVE-2023-20209 | 1 Cisco | 1 Telepresence Video Communication Server | 2025-12-16 | 6.5 Medium |
| A vulnerability in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker with read-write privileges on the application to perform a command injection attack that could result in remote code execution on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to establish a remote shell with root privileges. | ||||
| CVE-2023-20063 | 1 Cisco | 2 Firepower Threat Defense, Secure Firewall Management Center | 2025-12-16 | 8.2 High |
| A vulnerability in the inter-device communication mechanisms between devices that are running Cisco Firepower Threat Defense (FTD) Software and devices that are running Cisco Firepower Management (FMC) Software could allow an authenticated, local attacker to execute arbitrary commands with root permissions on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by accessing the expert mode of an affected device and submitting specific commands to a connected system. A successful exploit could allow the attacker to execute arbitrary code in the context of an FMC device if the attacker has administrative privileges on an associated FTD device. Alternatively, a successful exploit could allow the attacker to execute arbitrary code in the context of an FTD device if the attacker has administrative privileges on an associated FMC device. | ||||
| CVE-2025-14663 | 2 Code-projects, Fabian | 2 Student Management System, Student File Management System | 2025-12-16 | 2.4 Low |
| A vulnerability was determined in code-projects Student File Management System 1.0. This vulnerability affects unknown code of the file /admin/update_student.php. Executing manipulation can lead to cross site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2025-14722 | 2025-12-16 | 2.4 Low | ||
| A vulnerability was determined in vion707 DMadmin up to 3403cafdb42537a648c30bf8cbc8148ec60437d1. This impacts the function Add of the file Admin/Controller/AddonsController.class.php of the component Backend. Executing manipulation can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | ||||