Deserialization of Untrusted Data in jeecgFormDemoController in JEECG 4.0 and earlier allows attackers to run arbitrary code via crafted POST request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 55.5% and no vendor patch available.
Laf is a cloud development platform. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong.5.0 through 1.9.0, which could lead to Remote Code Execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
In Plotly plotly.js before 2.25.2, plot API calls have a risk of __proto__ being polluted in expandObjectPaths or nestedProperty. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.
Arbitrary File Write vulnerability in the saveReportFile method of ureport2 2.2.9 and before allows attackers to write arbitrary files and run arbitrary commands via crafted POST request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered on GL.iNet devices through 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PaddlePaddle before 2.6.0 has a command injection in convert_shape_compare. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.
PaddlePaddle before 2.6.0 has a command injection in _wget_download. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.
PaddlePaddle before 2.6.0 has a command injection in get_online_pass_interval. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.
A host header injection vulnerability exists in the NPM package @perfood/couch-auth versions <= 0.20.0. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.