Skip to main content

Code Injection

4857 CVEs technique

Monthly

CVE-2025-54019 MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone allows Code Injection. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Code Injection
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53577 CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in thehp Global DNS allows Remote Code Inclusion.1.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-53194 HIGH This Week

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Crocoblock JetEngine allows Code Injection.7.0. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

Ssti Code Injection
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-48169 CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Jordy Meow Code Engine allows Remote Code Inclusion.3.3. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-30975 HIGH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in SaifuMak Add Custom Codes allows Code Injection.80. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

RCE Code Injection
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-57791 MEDIUM POC THREAT This Month

A security vulnerability has been identified that allows remote attackers to inject or manipulate command-line arguments passed to internal components due to insufficient input validation. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 40.3% and no vendor patch available.

Code Injection Commvault
NVD
CVSS 4.0
6.9
EPSS
40.3%
Threat
4.1
CVE-2025-55733 CRITICAL POC PATCH Act Now

DeepChat is a smart assistant that connects powerful AI to your personal world. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Deepchat
NVD GitHub
CVSS 3.1
9.6
EPSS
0.4%
CVE-2025-8723 CRITICAL This Week

The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its hook_rest_pre_dispatch() method in all. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Code Injection RCE PHP Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
1.6%
CVE-2025-55585 MEDIUM POC This Week

TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain an eval injection vulnerability via the eval() function. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection A3002r Firmware TOTOLINK
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-8878 MEDIUM This Month

The The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content - ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE Code Injection PHP
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2025-8105 HIGH This Month

The The Soledad theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.6.7. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE Code Injection PHP
NVD
CVSS 3.1
7.3
EPSS
0.4%
CVE-2025-7961 MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in Wulkano KAP on MacOS allows TCC Bypass.6.0. Rated medium severity (CVSS 6.9), this vulnerability is low attack complexity. No vendor patch available.

RCE Apple Code Injection macOS
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2025-54466 CRITICAL PATCH Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin.09.02 only when the scrum plugin is used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Code Injection Apache Ofbiz
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-8905 MEDIUM This Month

The Inpersttion For Theme plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0 via the theme_section_shortcode() function. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE Code Injection PHP
NVD
CVSS 3.1
6.3
EPSS
0.4%
CVE-2025-55192 HIGH This Month

HomeAssistant-Tapo-Control offers Control for Tapo cameras as a Home Assistant component. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2025-20265 CRITICAL This Week

A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to inject arbitrary shell commands. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Code Injection Secure Firewall Management Center
NVD
CVSS 3.1
10.0
EPSS
0.2%
CVE-2025-49887 CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in WPFactory Product XML Feed Manager for WooCommerce allows Remote Code Inclusion.9.3. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE Code Injection
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-39483 MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in imithemes Eventer allows Code Injection.9.9.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-55346 npm CRITICAL This Week

User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-23306 HIGH This Month

NVIDIA Megatron-LM for all platforms contains a vulnerability in the megatron/training/ arguments.py component where an attacker could cause a code injection issue by providing a malicious input. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection Information Disclosure Megatron Lm
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-23305 HIGH This Week

NVIDIA Megatron-LM for all platforms contains a vulnerability in the tools component, where an attacker may exploit a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection Information Disclosure Megatron Lm
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-23298 HIGH This Week

NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability in a python dependency, where an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Nvidia RCE Python Information Disclosure
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-23296 HIGH This Week

NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component where an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Nvidia RCE Python Information Disclosure
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-23295 HIGH This Week

NVIDIA Apex for all platforms contains a vulnerability in a Python component where an attacker could cause a code injection issue by providing a malicious file. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Nvidia RCE Python Information Disclosure +1
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-52385 CRITICAL This Week

An issue in Studio 3T v.2025.1.0 and before allows a remote attacker to execute arbitrary code via a crafted payload to the child_process module. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-52386 MEDIUM This Month

CycloneDX Sunshine v0.9 is vulnerable to CSV Formula Injection via a crafted JSON file. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-42957 CRITICAL This Week

SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SAP Code Injection
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-42950 CRITICAL This Week

SAP Landscape Transformation (SLT) allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SAP Code Injection
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-42945 MEDIUM This Month

SAP NetWeaver Application Server ABAP has HTML injection vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE SAP Code Injection
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-54063 HIGH POC PATCH This Week

Cherry Studio is a desktop client that supports for multiple LLM providers. Rated high severity (CVSS 8.0), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Cherry Studio
NVD GitHub
CVSS 3.1
8.0
EPSS
0.4%
CVE-2025-54997 Go CRITICAL PATCH Act Now

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Information Disclosure Openbao Suse
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2025-54417 PHP MEDIUM PATCH This Month

Craft is a platform for creating digital experiences. Rated medium severity (CVSS 5.2), this vulnerability is remotely exploitable. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Craft Cms
NVD GitHub
CVSS 4.0
5.2
EPSS
0.0%
CVE-2025-54940 MEDIUM Monitor

An HTML injection vulnerability exists in WordPress plugin "Advanced Custom Fields" prior to 6.4.3. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE Code Injection PHP
NVD
CVSS 4.0
4.6
EPSS
0.0%
CVE-2025-50692 CRITICAL POC Act Now

FoxCMS <=v1.2.5 is vulnerable to Code Execution in admin/template_file/editFile.html. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Foxcms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-29866 HIGH This Month

: External Control of File Name or Path vulnerability in TAGFREE X-Free Uploader XFU allows : Parameter Injection.0.1.0084 before 1.0.1.0085, from 2.0.1.0034 before 2.0.1.0035. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD
CVSS 4.0
8.8
EPSS
0.1%
CVE-2025-8419 Maven MEDIUM PATCH This Month

A vulnerability was found in Keycloak-services. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Keycloak Red Hat
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-8556 Go LOW PATCH Monitor

A flaw was found in CIRCL's implementation of the FourQ elliptic curve. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Microsoft Code Injection
NVD GitHub
CVSS 3.1
3.7
EPSS
0.0%
CVE-2025-8420 HIGH This Week

The Request a Quote Form plugin for WordPress is vulnerable to Remote Code Execution in version less than, or equal to, 2.5.2 via the emd_form_builder_lite_pagenum function. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress RCE Code Injection
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-54624 MEDIUM This Month

Unexpected injection event vulnerability in the multimodalinput module. Rated medium severity (CVSS 5.7), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Harmonyos
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-54594 CRITICAL This Week

react-native-bottom-tabs is a library of Native Bottom Tabs for React Native. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Node.js
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2013-10070 CRITICAL POC THREAT Emergency

PHP-Charts v1.0 contains a PHP code execution vulnerability in wizard/url.php, where user-supplied GET parameter names are passed directly to eval() without sanitization. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 58.8%.

PHP Code Injection RCE
NVD Exploit-DB
CVSS 4.0
10.0
EPSS
58.8%
Threat
5.3
CVE-2025-50707 CRITICAL POC Act Now

An issue in thinkphp3 v.3.2.5 allows a remote attacker to execute arbitrary code via the index.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection Thinkphp
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2025-50706 PHP CRITICAL POC Act Now

An issue in thinkphp v.5.1 allows a remote attacker to execute arbitrary code via the routecheck function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Thinkphp
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2025-51387 CRITICAL This Week

The GitKraken Desktop 10.8.0 and 11.1.0 is susceptible to code injection due to misconfigured Electron Fuses. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Node.js Gitkraken Desktop
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-6204 HIGH POC KEV THREAT Act Now

DELMIA Apriso from Release 2020 through 2025 contains a code injection vulnerability allowing attackers to execute arbitrary code on the manufacturing execution system.

RCE Code Injection Delmia Apriso
NVD
CVSS 3.1
8.0
EPSS
7.5%
Threat
4.8
CVE-2013-10057 HIGH POC THREAT Act Now

A stack-based buffer overflow vulnerability exists in Synactis PDF In-The-Box ActiveX control (PDF_IN_1.ocx), specifically the ConnectToSynactis method. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 61.1%.

Buffer Overflow RCE Code Injection
NVD Exploit-DB
CVSS 4.0
7.5
EPSS
61.1%
Threat
4.8
CVE-2013-10051 CRITICAL POC THREAT Emergency

A remote PHP code execution vulnerability exists in InstantCMS version 1.6 and earlier due to unsafe use of eval() within the search view handler. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 75.8%.

PHP Code Injection RCE Instantcms
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
75.8%
Threat
5.6
CVE-2025-6000 Go CRITICAL POC PATCH This Week

A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Hashicorp Code Injection Vault Red Hat +1
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-54593 HIGH POC PATCH This Month

FreshRSS is a free, self-hostable RSS aggregator. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Code Injection Freshrss
NVD GitHub
CVSS 3.1
7.2
EPSS
0.3%
CVE-2025-41376 MEDIUM This Month

CRLF Injection vulnerability in Limesurvey v2.65.1+170522. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Code Injection Limesurvey
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-53399 MEDIUM This Month

In Sipwise rtpengine before 13.4.1.1, an origin-validation error in the endpoint-learning logic of the media-relay core allows remote attackers to inject or intercept RTP/SRTP media streams via RTP. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2025-6175 HIGH This Week

HTTP Request Splitting in DECE Software Geodi before GEODI Setup 9.0.146 allows remote unauthenticated attackers to inject CRLF sequences into HTTP requests, enabling cache poisoning, response splitting, and cross-site scripting against downstream consumers. The flaw is network-reachable with low attack complexity and no authentication, and Turkey's national CERT (USOM) issued advisory TR-25-0182 covering the issue. No public exploit identified at time of analysis and EPSS probability is low at 0.22% (45th percentile).

Code Injection
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-4056 HIGH This Week

Denial of service in GNOME GLib on Windows platforms occurs when an application uses GLib's process-spawning functions with excessively long command lines, causing the spawn operation to fail or crash the host process and disrupt availability. The flaw affects the GLib library's Windows command-line handling and impacts any Windows application that links GLib and passes attacker-influenced long argument strings to a child process. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; despite Red Hat tags mentioning RCE/Code Injection, the CVSS impact metrics confirm availability-only impact (C:N/I:N/A:H).

Code Injection Denial Of Service Microsoft RCE Glib
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-8030 HIGH PATCH This Week

Firefox and Thunderbird's 'Copy as cURL' feature improperly escapes shell metacharacters, allowing remote attackers to trick users into executing arbitrary commands when pasting copied network requests into a terminal. Affects Firefox <141, Firefox ESR <128.13/140.1, and Thunderbird <141, <128.13/140.1. Vendor-released patches available across all affected branches. CVSS 8.1 with network attack vector requiring user interaction; no public exploit identified at time of analysis. EPSS data not provided but social engineering dependency limits automated exploitation risk.

Mozilla RCE Code Injection Thunderbird Red Hat +1
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-7962 Maven MEDIUM PATCH This Month

SMTP injection in Eclipse Jakarta Mail (and its Angus Mail implementation) prior to version 2.0.2 allows a low-privileged attacker to inject arbitrary SMTP protocol commands by embedding raw carriage return (\r) and line feed (\n) UTF-8 characters into email fields processed by the library. The library fails to sanitize these input terminators before passing data to the SMTP command stream, enabling an attacker with control over email content to inject additional SMTP commands, forge headers, or deliver unsolicited messages through a trusted mail relay. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Code Injection Jakarta Mail Angus Mail Red Hat Suse
NVD VulDB
CVSS 4.0
6.0
EPSS
0.8%
CVE-2025-54068 PHP CRITICAL POC KEV PATCH THREAT Act Now

Laravel Livewire v3 through v3.6.3 contains a critical remote code execution vulnerability (CVE-2025-54068, CVSS 9.8) that allows unauthenticated attackers to execute commands through improper hydration of component property updates. KEV-listed with EPSS 16%, this vulnerability affects one of the most popular PHP frameworks, potentially compromising thousands of Laravel applications using Livewire for reactive server-side rendering.

Laravel PHP RCE Code Injection Livewire
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
16.0%
Threat
5.4
CVE-2025-53867 CRITICAL Act Now

Remote code execution in Island Lake Consulting's WebBatch prior to version 2025C allows remote attackers to run arbitrary code by supplying a crafted URL. Rated CVSS 9.8 with an unauthenticated network vector (PR:N/UI:N), the flaw stems from code injection (CWE-94) in the product's URL handling, giving full confidentiality, integrity, and availability compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-interaction profile makes it a high-priority patch candidate.

Code Injection RCE
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-53833 PHP CRITICAL POC PATCH THREAT Act Now

LaRecipe versions prior to 2.8.1 contain a Server-Side Template Injection (SSTI) vulnerability that can lead to Remote Code Execution (RCE) in vulnerable configurations. The vulnerability allows unauthenticated network attackers to execute arbitrary commands on the server, access sensitive environment variables, and escalate privileges without requiring user interaction or special access. With a perfect CVSS 3.1 score of 10.0 and network-based attack vector, this represents a critical threat to all unpatched LaRecipe installations.

RCE Laravel PHP Information Disclosure Code Injection
NVD GitHub
CVSS 3.1
10.0
EPSS
16.8%
Threat
4.0
CVE-2024-58258 HIGH POC PATCH This Week

CVE-2024-58258 is a Server-Side Request Forgery (SSRF) vulnerability in SugarCRM's API module that exploits limited code injection capabilities to allow unauthenticated remote attackers to make arbitrary requests from the affected server. SugarCRM versions before 13.0.4 and 14.x before 14.0.1 are affected, potentially enabling attackers to access internal resources, cloud metadata endpoints, or perform lateral movement. The vulnerability has a CVSS 3.1 score of 7.2 (High) with network-based attack vector and no authentication required, though it does not enable direct code execution or availability impact.

Code Injection SSRF Salesforce
NVD Exploit-DB
CVSS 3.1
7.2
EPSS
0.9%
CVE-2025-7504 HIGH POC PATCH This Week

The Friends plugin for WordPress versions up to 3.5.1 contains a PHP Object Injection vulnerability in the query_vars parameter that allows authenticated subscribers and above to inject malicious serialized objects through unsafe deserialization. While the plugin itself lacks a known gadget chain (POP chain), successful exploitation depends on the presence of vulnerable code in other installed plugins or themes; if such a chain exists, attackers can achieve arbitrary file deletion, data exfiltration, or remote code execution, but exploitation requires knowledge of the site's SALT_NONCE and SALT_KEY values.

Deserialization PHP WordPress Information Disclosure Code Injection +1
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2025-53641 HIGH PATCH This Week

CVE-2025-53641 is a Server-Side Request Forgery (SSRF) vulnerability in Postiz versions 1.45.1 through 1.62.2 that allows unauthenticated network attackers to inject arbitrary HTTP headers into the middleware pipeline, enabling unauthorized outbound requests from the affected server. With a CVSS score of 8.2 and network-accessible attack surface (AV:N/PR:N), this vulnerability poses significant risk to confidentiality of internal services and resources accessible from the server. The vulnerability is patched in version 1.62.3, and exploitation requires no user interaction or authentication, making it a high-priority remediation target.

SSRF Code Injection
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-50123 HIGH This Week

CVE-2025-50123 is a code injection vulnerability (CWE-94) in an unspecified server product that allows remote command execution when accessed via console by a privileged account through malicious hostname input. The vulnerability has a CVSS 4.0 score of 7.2 and requires physical access and high privileges, significantly limiting real-world exploitability despite the high impact potential. KEV status and EPSS scoring data are unavailable in provided intelligence, but the physical attack vector and high privilege requirement suggest this poses limited risk in typical network environments.

RCE Code Injection Privilege Escalation Command Injection
NVD
CVSS 4.0
7.2
EPSS
0.0%
CVE-2025-48891 HIGH PATCH This Week

CVE-2025-48891 is a SQL injection vulnerability in Advantech iView's CUtils.checkSQLInjection() function that fails to properly sanitize user input, allowing authenticated attackers with user-level privileges to execute arbitrary SQL queries. This can lead to unauthorized information disclosure or denial-of-service conditions. The vulnerability requires network access and user authentication but has no UI interaction requirement, making it a significant risk for organizations using iView in multi-user environments.

Code Injection Iview
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-28243 HIGH POC This Week

CVE-2025-28243 is a Stored/Reflected HTML Injection vulnerability in Alteryx Server 2023.1.1.460 affecting the pages component, enabling unauthenticated attackers to inject malicious scripts that execute in victims' browsers with user interaction. This vulnerability carries a CVSS 8.0 score with high confidentiality and integrity impact; while no KEV or confirmed EPSS data is provided in the source material, the network-accessible attack vector and relatively high CVSS indicate moderate-to-significant real-world risk depending on deployment scope and user exposure.

Code Injection Alteryx Server
NVD GitHub
CVSS 3.1
8.0
EPSS
0.1%
CVE-2025-47812 CRITICAL POC KEV PATCH THREAT Act Now

Wing FTP Server before 7.4.4 contains a critical remote code execution vulnerability (CVE-2025-47812, CVSS 10.0) through null byte injection in user/admin web interfaces that enables arbitrary Lua code execution in session files. With EPSS 92.7% and KEV listing, this vulnerability guarantees unauthenticated root/SYSTEM code execution on affected servers, as the FTP service runs with maximum privileges by default.

RCE Code Injection Ftp Privilege Escalation Wing Ftp Server
NVD Exploit-DB
CVSS 3.1
10.0
EPSS
92.7%
Threat
7.8
CVE-2024-7650 MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in OpenText™ Directory Services allows Remote Code Inclusion. The vulnerability could allow access to the system via script injection.This issue affects Directory Services: 23.4.

RCE Code Injection
NVD
CVSS 4.0
6.3
EPSS
0.0%
CVE-2025-6948 HIGH PATCH This Week

CVE-2025-6948 is a Stored Cross-Site Scripting (XSS) vulnerability in GitLab CE/EE that allows authenticated attackers to execute actions on behalf of other users through malicious content injection. Affected versions include 17.11 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2. An attacker with valid credentials can manipulate the UI context (via user interaction) to perform unauthorized actions with high confidentiality and integrity impact across the GitLab instance.

Gitlab Code Injection
NVD
CVSS 3.1
8.7
EPSS
0.0%
CVE-2025-38280 HIGH PATCH This Week

CVE-2025-38280 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Linux Code Injection
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-53652 Maven HIGH PATCH This Week

Jenkins Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices, allowing attackers with Item/Build permission to inject arbitrary values into Git parameters.

Code Injection Jenkins Git Parameter
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-38264 MEDIUM PATCH This Month

CVE-2025-38264 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Linux Code Injection Ubuntu Debian Linux Kernel +2
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-7378 MEDIUM PATCH This Month

A security vulnerability in An improper Input Validation vulnerability (CVSS 6.0) that allows injecting arbitrary values of the nas configuration file. Remediation should follow standard vulnerability management procedures.

Code Injection
NVD
CVSS 4.0
6.0
EPSS
0.0%
CVE-2025-34077 CRITICAL POC THREAT Emergency

The Pie Register WordPress plugin versions up to 3.7.1.4 contain an authentication bypass that allows unauthenticated attackers to log in as any user including administrators. By submitting a crafted POST request with social_site=true and a target user_id_social_site value, attackers generate valid WordPress sessions for arbitrary accounts.

PHP Authentication Bypass RCE Code Injection WordPress
NVD GitHub Exploit-DB
CVSS 4.0
10.0
EPSS
72.4%
Threat
5.7
CVE-2025-53547 Go HIGH PATCH This Week

Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lock file when dependencies are updated and this file is written, can be crafted in a way that can cause execution if that same content were in a file that is executed (e.g., a bash.rc file or shell script). If the Chart.lock file is symlinked to one of these files updating dependencies will write the lock file content to the symlinked file. This can lead to unwanted execution. Helm warns of the symlinked file but did not stop execution due to symlinking. This issue has been resolved in Helm v3.18.4.

RCE Code Injection Kubernetes Debian Helm +2
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-49704 HIGH POC KEV PATCH THREAT Act Now

Microsoft Office SharePoint contains a code injection vulnerability (CVE-2025-49704, CVSS 8.8) enabling authenticated attackers to execute arbitrary code over the network. KEV-listed with EPSS 63.8%, this vulnerability requires only basic SharePoint authentication and enables server-level code execution, threatening the documents, workflows, and data stored across the organization's SharePoint infrastructure.

Microsoft RCE Code Injection Sharepoint Server
NVD
CVSS 3.1
8.8
EPSS
63.8%
Threat
8.7
CVE-2025-47988 HIGH PATCH This Week

Improper control of generation of code ('code injection') in Azure Monitor Agent allows an unauthorized attacker to execute code over an adjacent network.

Microsoft RCE Code Injection Azure Monitor Agent
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-0293 MEDIUM This Month

A security vulnerability in Ivanti Connect Secure (CVSS 6.6) that allows a remote authenticated attacker with admin rights. Remediation should follow standard vulnerability management procedures.

Code Injection Ivanti Connect Secure Policy Secure
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2025-6744 HIGH This Week

The The Woodmart theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode through the woodmart_get_products_shortcode() function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

WordPress RCE Code Injection Woodmart PHP
NVD
CVSS 3.1
7.3
EPSS
0.5%
CVE-2025-42967 CRITICAL Act Now

SAP S/4HANA and SAP SCM Characteristic Propagation has remote code execution vulnerability. This allows an attacker with user level privileges to create a new report with his own code potentially gaining full control of the affected SAP system causing high impact on confidentiality, integrity, and availability of the application.

SAP RCE Code Injection
NVD
CVSS 3.1
9.9
EPSS
0.7%
CVE-2025-36014 HIGH This Week

IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.5 is vulnerable to code injection by a privileged user with access to the IIB install directory.

RCE Code Injection IBM Integration Bus
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-53373 HIGH PATCH This Week

A security vulnerability in Natours (CVSS 8.9). High severity vulnerability requiring prompt remediation.

Code Injection
NVD GitHub
CVSS 4.0
8.9
EPSS
0.1%
CVE-2025-45479 CRITICAL POC Act Now

Insufficient security mechanisms for created containers in educoder challenges v1.0 allow attackers to execute arbitrary code via injecting crafted content into a container.

RCE Code Injection Challenges
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-5333 CRITICAL Act Now

Remote attackers can execute arbitrary code in the context of the vulnerable service process.

RCE Code Injection
NVD
CVSS 4.0
9.5
EPSS
0.5%
CVE-2025-38194 MEDIUM PATCH This Month

CVE-2025-38194 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Linux Code Injection Ubuntu Debian Linux Kernel +3
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-52718 HIGH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone allows Remote Code Inclusion. This issue affects Alone: from n/a through 7.8.2.

RCE Code Injection
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-49302 CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson Easy Stripe allows Remote Code Inclusion. This issue affects Easy Stripe: from n/a through 1.1.

RCE Code Injection
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-32918 HIGH PATCH This Week

A security vulnerability in autocomplete endpoint within the RestAPI of Checkmk (CVSS 8.8) that allows an authenticated user. High severity vulnerability requiring prompt remediation.

Code Injection Ubuntu Debian Checkmk
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-34089 CRITICAL POC THREAT Emergency

An unauthenticated remote code execution vulnerability exists in Remote for Mac, a macOS remote control utility developed by Aexol Studio, in versions up to and including 2025.7. When the application is configured with authentication disabled (i.e., the "Allow unknown devices" option is enabled), the /api/executeScript endpoint is exposed without access control. This allows unauthenticated remote attackers to inject arbitrary AppleScript payloads via the X-Script HTTP header, resulting in code execution using do shell script. Successful exploitation grants attackers the ability to run arbitrary commands on the macOS host with the privileges of the Remote for Mac background process.

RCE Code Injection Apple macOS
NVD
CVSS 4.0
9.3
EPSS
56.5%
Threat
5.1
CVE-2025-34086 PHP HIGH POC THREAT Act Now

Pandora FMS monitoring platform version 7.0NG and earlier contains an authenticated command injection in the net_tools.php functionality. The select_ips parameter is passed to OS commands without sanitization when performing ping operations, allowing authenticated users to execute arbitrary commands on the monitoring server.

PHP RCE Code Injection Bolt
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
50.8%
Threat
4.8
CVE-2025-34061 CRITICAL POC THREAT Emergency

PHPStudy development environment versions 2016 through 2018 contain an embedded backdoor that executes arbitrary PHP code from HTTP request headers. The backdoor listens for base64-encoded payloads in the Accept-Charset header, decodes and executes them without any authentication, providing complete remote code execution on any server running the compromised PHPStudy.

PHP RCE Code Injection
NVD
CVSS 4.0
9.3
EPSS
59.2%
Threat
5.1
CVE-2025-48939 npm MEDIUM POC PATCH This Month

A security vulnerability in tarteaucitron.js (CVSS 4.2). Risk factors: public PoC available. Vendor patch is available.

Code Injection Tarteaucitronjs
NVD GitHub
CVSS 3.1
4.2
EPSS
0.0%
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone allows Code Injection. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in thehp Global DNS allows Remote Code Inclusion.1.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Crocoblock JetEngine allows Code Injection.7.0. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

Ssti Code Injection
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Jordy Meow Code Engine allows Remote Code Inclusion.3.3. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in SaifuMak Add Custom Codes allows Code Injection.80. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

RCE Code Injection
NVD
EPSS 40% 4.1 CVSS 6.9
MEDIUM POC THREAT This Month

A security vulnerability has been identified that allows remote attackers to inject or manipulate command-line arguments passed to internal components due to insufficient input validation. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 40.3% and no vendor patch available.

Code Injection Commvault
NVD
EPSS 0% CVSS 9.6
CRITICAL POC PATCH Act Now

DeepChat is a smart assistant that connects powerful AI to your personal world. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Deepchat
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL This Week

The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its hook_rest_pre_dispatch() method in all. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Code Injection RCE +2
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Week

TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain an eval injection vulnerability via the eval() function. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection A3002r Firmware TOTOLINK
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

The The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content - ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE Code Injection +1
NVD
EPSS 0% CVSS 7.3
HIGH This Month

The The Soledad theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.6.7. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE Code Injection +1
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in Wulkano KAP on MacOS allows TCC Bypass.6.0. Rated medium severity (CVSS 6.9), this vulnerability is low attack complexity. No vendor patch available.

RCE Apple Code Injection +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin.09.02 only when the scrum plugin is used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Code Injection Apache +1
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

The Inpersttion For Theme plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0 via the theme_section_shortcode() function. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE Code Injection +1
NVD
EPSS 0% CVSS 8.6
HIGH This Month

HomeAssistant-Tapo-Control offers Control for Tapo cameras as a Home Assistant component. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL This Week

A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to inject arbitrary shell commands. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Code Injection Secure Firewall Management Center
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in WPFactory Product XML Feed Manager for WooCommerce allows Remote Code Inclusion.9.3. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE Code Injection
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in imithemes Eventer allows Code Injection.9.9.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 9.8
CRITICAL This Week

User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 7.8
HIGH This Month

NVIDIA Megatron-LM for all platforms contains a vulnerability in the megatron/training/ arguments.py component where an attacker could cause a code injection issue by providing a malicious input. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection +2
NVD
EPSS 0% CVSS 7.8
HIGH This Week

NVIDIA Megatron-LM for all platforms contains a vulnerability in the tools component, where an attacker may exploit a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection +2
NVD
EPSS 0% CVSS 7.8
HIGH This Week

NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability in a python dependency, where an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Nvidia RCE +2
NVD
EPSS 0% CVSS 7.8
HIGH This Week

NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component where an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Nvidia RCE +2
NVD
EPSS 0% CVSS 7.8
HIGH This Week

NVIDIA Apex for all platforms contains a vulnerability in a Python component where an attacker could cause a code injection issue by providing a malicious file. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Nvidia RCE +3
NVD
EPSS 1% CVSS 9.8
CRITICAL This Week

An issue in Studio 3T v.2025.1.0 and before allows a remote attacker to execute arbitrary code via a crafted payload to the child_process module. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

CycloneDX Sunshine v0.9 is vulnerable to CSV Formula Injection via a crafted JSON file. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL This Week

SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SAP Code Injection
NVD
EPSS 0% CVSS 9.9
CRITICAL This Week

SAP Landscape Transformation (SLT) allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SAP Code Injection
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

SAP NetWeaver Application Server ABAP has HTML injection vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE SAP Code Injection
NVD
EPSS 0% CVSS 8.0
HIGH POC PATCH This Week

Cherry Studio is a desktop client that supports for multiple LLM providers. Rated high severity (CVSS 8.0), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Cherry Studio
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Information Disclosure +2
NVD GitHub
EPSS 0% CVSS 5.2
MEDIUM PATCH This Month

Craft is a platform for creating digital experiences. Rated medium severity (CVSS 5.2), this vulnerability is remotely exploitable. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Craft Cms
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM Monitor

An HTML injection vulnerability exists in WordPress plugin "Advanced Custom Fields" prior to 6.4.3. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE Code Injection +1
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

FoxCMS <=v1.2.5 is vulnerable to Code Execution in admin/template_file/editFile.html. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Foxcms
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Month

: External Control of File Name or Path vulnerability in TAGFREE X-Free Uploader XFU allows : Parameter Injection.0.1.0084 before 1.0.1.0085, from 2.0.1.0034 before 2.0.1.0035. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

A vulnerability was found in Keycloak-services. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Keycloak Red Hat
NVD
EPSS 0% CVSS 3.7
LOW PATCH Monitor

A flaw was found in CIRCL's implementation of the FourQ elliptic curve. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Microsoft Code Injection
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

The Request a Quote Form plugin for WordPress is vulnerable to Remote Code Execution in version less than, or equal to, 2.5.2 via the emd_form_builder_lite_pagenum function. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress RCE Code Injection
NVD
EPSS 0% CVSS 5.7
MEDIUM This Month

Unexpected injection event vulnerability in the multimodalinput module. Rated medium severity (CVSS 5.7), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Harmonyos
NVD
EPSS 0% CVSS 9.1
CRITICAL This Week

react-native-bottom-tabs is a library of Native Bottom Tabs for React Native. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Node.js
NVD GitHub
EPSS 59% 5.3 CVSS 10.0
CRITICAL POC THREAT Emergency

PHP-Charts v1.0 contains a PHP code execution vulnerability in wizard/url.php, where user-supplied GET parameter names are passed directly to eval() without sanitization. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 58.8%.

PHP Code Injection RCE
NVD Exploit-DB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An issue in thinkphp3 v.3.2.5 allows a remote attacker to execute arbitrary code via the index.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection +1
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An issue in thinkphp v.5.1 allows a remote attacker to execute arbitrary code via the routecheck function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Thinkphp
NVD
EPSS 0% CVSS 9.8
CRITICAL This Week

The GitKraken Desktop 10.8.0 and 11.1.0 is susceptible to code injection due to misconfigured Electron Fuses. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Node.js +1
NVD GitHub
EPSS 7% 4.8 CVSS 8.0
HIGH POC KEV THREAT Act Now

DELMIA Apriso from Release 2020 through 2025 contains a code injection vulnerability allowing attackers to execute arbitrary code on the manufacturing execution system.

RCE Code Injection Delmia Apriso
NVD
EPSS 61% 4.8 CVSS 7.5
HIGH POC THREAT Act Now

A stack-based buffer overflow vulnerability exists in Synactis PDF In-The-Box ActiveX control (PDF_IN_1.ocx), specifically the ConnectToSynactis method. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 61.1%.

Buffer Overflow RCE Code Injection
NVD Exploit-DB
EPSS 76% 5.6 CVSS 9.3
CRITICAL POC THREAT Emergency

A remote PHP code execution vulnerability exists in InstantCMS version 1.6 and earlier due to unsafe use of eval() within the search view handler. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 75.8%.

PHP Code Injection RCE +1
NVD Exploit-DB
EPSS 0% CVSS 9.1
CRITICAL POC PATCH This Week

A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Hashicorp Code Injection +3
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC PATCH This Month

FreshRSS is a free, self-hostable RSS aggregator. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Code Injection Freshrss
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

CRLF Injection vulnerability in Limesurvey v2.65.1+170522. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Code Injection Limesurvey
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

In Sipwise rtpengine before 13.4.1.1, an origin-validation error in the endpoint-learning logic of the media-relay core allows remote attackers to inject or intercept RTP/SRTP media streams via RTP. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

HTTP Request Splitting in DECE Software Geodi before GEODI Setup 9.0.146 allows remote unauthenticated attackers to inject CRLF sequences into HTTP requests, enabling cache poisoning, response splitting, and cross-site scripting against downstream consumers. The flaw is network-reachable with low attack complexity and no authentication, and Turkey's national CERT (USOM) issued advisory TR-25-0182 covering the issue. No public exploit identified at time of analysis and EPSS probability is low at 0.22% (45th percentile).

Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in GNOME GLib on Windows platforms occurs when an application uses GLib's process-spawning functions with excessively long command lines, causing the spawn operation to fail or crash the host process and disrupt availability. The flaw affects the GLib library's Windows command-line handling and impacts any Windows application that links GLib and passes attacker-influenced long argument strings to a child process. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; despite Red Hat tags mentioning RCE/Code Injection, the CVSS impact metrics confirm availability-only impact (C:N/I:N/A:H).

Code Injection Denial Of Service Microsoft +2
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Firefox and Thunderbird's 'Copy as cURL' feature improperly escapes shell metacharacters, allowing remote attackers to trick users into executing arbitrary commands when pasting copied network requests into a terminal. Affects Firefox <141, Firefox ESR <128.13/140.1, and Thunderbird <141, <128.13/140.1. Vendor-released patches available across all affected branches. CVSS 8.1 with network attack vector requiring user interaction; no public exploit identified at time of analysis. EPSS data not provided but social engineering dependency limits automated exploitation risk.

Mozilla RCE Code Injection +3
NVD
EPSS 1% CVSS 6.0
MEDIUM PATCH This Month

SMTP injection in Eclipse Jakarta Mail (and its Angus Mail implementation) prior to version 2.0.2 allows a low-privileged attacker to inject arbitrary SMTP protocol commands by embedding raw carriage return (\r) and line feed (\n) UTF-8 characters into email fields processed by the library. The library fails to sanitize these input terminators before passing data to the SMTP command stream, enabling an attacker with control over email content to inject additional SMTP commands, forge headers, or deliver unsolicited messages through a trusted mail relay. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Code Injection Jakarta Mail Angus Mail +2
NVD VulDB
EPSS 16% 5.4 CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

Laravel Livewire v3 through v3.6.3 contains a critical remote code execution vulnerability (CVE-2025-54068, CVSS 9.8) that allows unauthenticated attackers to execute commands through improper hydration of component property updates. KEV-listed with EPSS 16%, this vulnerability affects one of the most popular PHP frameworks, potentially compromising thousands of Laravel applications using Livewire for reactive server-side rendering.

Laravel PHP RCE +2
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote code execution in Island Lake Consulting's WebBatch prior to version 2025C allows remote attackers to run arbitrary code by supplying a crafted URL. Rated CVSS 9.8 with an unauthenticated network vector (PR:N/UI:N), the flaw stems from code injection (CWE-94) in the product's URL handling, giving full confidentiality, integrity, and availability compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-interaction profile makes it a high-priority patch candidate.

Code Injection RCE
NVD
EPSS 17% 4.0 CVSS 10.0
CRITICAL POC PATCH THREAT Act Now

LaRecipe versions prior to 2.8.1 contain a Server-Side Template Injection (SSTI) vulnerability that can lead to Remote Code Execution (RCE) in vulnerable configurations. The vulnerability allows unauthenticated network attackers to execute arbitrary commands on the server, access sensitive environment variables, and escalate privileges without requiring user interaction or special access. With a perfect CVSS 3.1 score of 10.0 and network-based attack vector, this represents a critical threat to all unpatched LaRecipe installations.

RCE Laravel PHP +2
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC PATCH This Week

CVE-2024-58258 is a Server-Side Request Forgery (SSRF) vulnerability in SugarCRM's API module that exploits limited code injection capabilities to allow unauthenticated remote attackers to make arbitrary requests from the affected server. SugarCRM versions before 13.0.4 and 14.x before 14.0.1 are affected, potentially enabling attackers to access internal resources, cloud metadata endpoints, or perform lateral movement. The vulnerability has a CVSS 3.1 score of 7.2 (High) with network-based attack vector and no authentication required, though it does not enable direct code execution or availability impact.

Code Injection SSRF Salesforce
NVD Exploit-DB
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

The Friends plugin for WordPress versions up to 3.5.1 contains a PHP Object Injection vulnerability in the query_vars parameter that allows authenticated subscribers and above to inject malicious serialized objects through unsafe deserialization. While the plugin itself lacks a known gadget chain (POP chain), successful exploitation depends on the presence of vulnerable code in other installed plugins or themes; if such a chain exists, attackers can achieve arbitrary file deletion, data exfiltration, or remote code execution, but exploitation requires knowledge of the site's SALT_NONCE and SALT_KEY values.

Deserialization PHP WordPress +3
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

CVE-2025-53641 is a Server-Side Request Forgery (SSRF) vulnerability in Postiz versions 1.45.1 through 1.62.2 that allows unauthenticated network attackers to inject arbitrary HTTP headers into the middleware pipeline, enabling unauthorized outbound requests from the affected server. With a CVSS score of 8.2 and network-accessible attack surface (AV:N/PR:N), this vulnerability poses significant risk to confidentiality of internal services and resources accessible from the server. The vulnerability is patched in version 1.62.3, and exploitation requires no user interaction or authentication, making it a high-priority remediation target.

SSRF Code Injection
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

CVE-2025-50123 is a code injection vulnerability (CWE-94) in an unspecified server product that allows remote command execution when accessed via console by a privileged account through malicious hostname input. The vulnerability has a CVSS 4.0 score of 7.2 and requires physical access and high privileges, significantly limiting real-world exploitability despite the high impact potential. KEV status and EPSS scoring data are unavailable in provided intelligence, but the physical attack vector and high privilege requirement suggest this poses limited risk in typical network environments.

RCE Code Injection Privilege Escalation +1
NVD
EPSS 0% CVSS 7.6
HIGH PATCH This Week

CVE-2025-48891 is a SQL injection vulnerability in Advantech iView's CUtils.checkSQLInjection() function that fails to properly sanitize user input, allowing authenticated attackers with user-level privileges to execute arbitrary SQL queries. This can lead to unauthorized information disclosure or denial-of-service conditions. The vulnerability requires network access and user authentication but has no UI interaction requirement, making it a significant risk for organizations using iView in multi-user environments.

Code Injection Iview
NVD
EPSS 0% CVSS 8.0
HIGH POC This Week

CVE-2025-28243 is a Stored/Reflected HTML Injection vulnerability in Alteryx Server 2023.1.1.460 affecting the pages component, enabling unauthenticated attackers to inject malicious scripts that execute in victims' browsers with user interaction. This vulnerability carries a CVSS 8.0 score with high confidentiality and integrity impact; while no KEV or confirmed EPSS data is provided in the source material, the network-accessible attack vector and relatively high CVSS indicate moderate-to-significant real-world risk depending on deployment scope and user exposure.

Code Injection Alteryx Server
NVD GitHub
EPSS 93% 7.8 CVSS 10.0
CRITICAL POC KEV PATCH THREAT Act Now

Wing FTP Server before 7.4.4 contains a critical remote code execution vulnerability (CVE-2025-47812, CVSS 10.0) through null byte injection in user/admin web interfaces that enables arbitrary Lua code execution in session files. With EPSS 92.7% and KEV listing, this vulnerability guarantees unauthenticated root/SYSTEM code execution on affected servers, as the FTP service runs with maximum privileges by default.

RCE Code Injection Ftp +2
NVD Exploit-DB
EPSS 0% CVSS 6.3
MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in OpenText™ Directory Services allows Remote Code Inclusion. The vulnerability could allow access to the system via script injection.This issue affects Directory Services: 23.4.

RCE Code Injection
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

CVE-2025-6948 is a Stored Cross-Site Scripting (XSS) vulnerability in GitLab CE/EE that allows authenticated attackers to execute actions on behalf of other users through malicious content injection. Affected versions include 17.11 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2. An attacker with valid credentials can manipulate the UI context (via user interaction) to perform unauthorized actions with high confidentiality and integrity impact across the GitLab instance.

Gitlab Code Injection
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

CVE-2025-38280 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Linux Code Injection
NVD
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Jenkins Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices, allowing attackers with Item/Build permission to inject arbitrary values into Git parameters.

Code Injection Jenkins Git Parameter
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

CVE-2025-38264 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Linux Code Injection Ubuntu +4
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

A security vulnerability in An improper Input Validation vulnerability (CVSS 6.0) that allows injecting arbitrary values of the nas configuration file. Remediation should follow standard vulnerability management procedures.

Code Injection
NVD
EPSS 72% 5.7 CVSS 10.0
CRITICAL POC THREAT Emergency

The Pie Register WordPress plugin versions up to 3.7.1.4 contain an authentication bypass that allows unauthenticated attackers to log in as any user including administrators. By submitting a crafted POST request with social_site=true and a target user_id_social_site value, attackers generate valid WordPress sessions for arbitrary accounts.

PHP Authentication Bypass RCE +2
NVD GitHub Exploit-DB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lock file when dependencies are updated and this file is written, can be crafted in a way that can cause execution if that same content were in a file that is executed (e.g., a bash.rc file or shell script). If the Chart.lock file is symlinked to one of these files updating dependencies will write the lock file content to the symlinked file. This can lead to unwanted execution. Helm warns of the symlinked file but did not stop execution due to symlinking. This issue has been resolved in Helm v3.18.4.

RCE Code Injection Kubernetes +4
NVD GitHub
EPSS 64% 8.7 CVSS 8.8
HIGH POC KEV PATCH THREAT Act Now

Microsoft Office SharePoint contains a code injection vulnerability (CVE-2025-49704, CVSS 8.8) enabling authenticated attackers to execute arbitrary code over the network. KEV-listed with EPSS 63.8%, this vulnerability requires only basic SharePoint authentication and enables server-level code execution, threatening the documents, workflows, and data stored across the organization's SharePoint infrastructure.

Microsoft RCE Code Injection +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Improper control of generation of code ('code injection') in Azure Monitor Agent allows an unauthorized attacker to execute code over an adjacent network.

Microsoft RCE Code Injection +1
NVD
EPSS 0% CVSS 6.6
MEDIUM This Month

A security vulnerability in Ivanti Connect Secure (CVSS 6.6) that allows a remote authenticated attacker with admin rights. Remediation should follow standard vulnerability management procedures.

Code Injection Ivanti Connect Secure +1
NVD
EPSS 0% CVSS 7.3
HIGH This Week

The The Woodmart theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode through the woodmart_get_products_shortcode() function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

WordPress RCE Code Injection +2
NVD
EPSS 1% CVSS 9.9
CRITICAL Act Now

SAP S/4HANA and SAP SCM Characteristic Propagation has remote code execution vulnerability. This allows an attacker with user level privileges to create a new report with his own code potentially gaining full control of the affected SAP system causing high impact on confidentiality, integrity, and availability of the application.

SAP RCE Code Injection
NVD
EPSS 0% CVSS 8.2
HIGH This Week

IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.5 is vulnerable to code injection by a privileged user with access to the IIB install directory.

RCE Code Injection IBM +1
NVD
EPSS 0% CVSS 8.9
HIGH PATCH This Week

A security vulnerability in Natours (CVSS 8.9). High severity vulnerability requiring prompt remediation.

Code Injection
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Insufficient security mechanisms for created containers in educoder challenges v1.0 allow attackers to execute arbitrary code via injecting crafted content into a container.

RCE Code Injection Challenges
NVD GitHub
EPSS 1% CVSS 9.5
CRITICAL Act Now

Remote attackers can execute arbitrary code in the context of the vulnerable service process.

RCE Code Injection
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

CVE-2025-38194 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Linux Code Injection Ubuntu +5
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone allows Remote Code Inclusion. This issue affects Alone: from n/a through 7.8.2.

RCE Code Injection
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson Easy Stripe allows Remote Code Inclusion. This issue affects Easy Stripe: from n/a through 1.1.

RCE Code Injection
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A security vulnerability in autocomplete endpoint within the RestAPI of Checkmk (CVSS 8.8) that allows an authenticated user. High severity vulnerability requiring prompt remediation.

Code Injection Ubuntu Debian +1
NVD
EPSS 56% 5.1 CVSS 9.3
CRITICAL POC THREAT Emergency

An unauthenticated remote code execution vulnerability exists in Remote for Mac, a macOS remote control utility developed by Aexol Studio, in versions up to and including 2025.7. When the application is configured with authentication disabled (i.e., the "Allow unknown devices" option is enabled), the /api/executeScript endpoint is exposed without access control. This allows unauthenticated remote attackers to inject arbitrary AppleScript payloads via the X-Script HTTP header, resulting in code execution using do shell script. Successful exploitation grants attackers the ability to run arbitrary commands on the macOS host with the privileges of the Remote for Mac background process.

RCE Code Injection Apple +1
NVD
EPSS 51% 4.8 CVSS 8.8
HIGH POC THREAT Act Now

Pandora FMS monitoring platform version 7.0NG and earlier contains an authenticated command injection in the net_tools.php functionality. The select_ips parameter is passed to OS commands without sanitization when performing ping operations, allowing authenticated users to execute arbitrary commands on the monitoring server.

PHP RCE Code Injection +1
NVD GitHub Exploit-DB
EPSS 59% 5.1 CVSS 9.3
CRITICAL POC THREAT Emergency

PHPStudy development environment versions 2016 through 2018 contain an embedded backdoor that executes arbitrary PHP code from HTTP request headers. The backdoor listens for base64-encoded payloads in the Accept-Charset header, decodes and executes them without any authentication, providing complete remote code execution on any server running the compromised PHPStudy.

PHP RCE Code Injection
NVD
EPSS 0% CVSS 4.2
MEDIUM POC PATCH This Month

A security vulnerability in tarteaucitron.js (CVSS 4.2). Risk factors: public PoC available. Vendor patch is available.

Code Injection Tarteaucitronjs
NVD GitHub
Prev Page 15 of 54 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy