Remote Code Execution

Apryse HTML2PDF SDK through version 11.10 has a command injection vulnerability in the InsertFromURL function allowing remote code execution when converting HTML to PDF.

Miion WordPress theme by zozothemes has an unrestricted file upload vulnerability allowing unauthenticated web shell deployment and server compromise.

Blogzee WordPress theme by blazethemes has an unrestricted file upload vulnerability — the fourth blazethemes product affected by the same shared vulnerable upload component.

Blogistic WordPress theme by blazethemes has an unrestricted file upload vulnerability enabling attackers to deploy web shells for persistent server access.

Event Tickets with Ticket Scanner WordPress plugin has a code injection vulnerability allowing remote code execution through the event management system.

Real Homes CRM WordPress plugin has an unrestricted file upload allowing web shell deployment for persistent remote code execution.

News Event WordPress theme by blazethemes has an unrestricted file upload allowing web shell deployment and remote code execution.

Blogmatic WordPress theme by blazethemes has an unrestricted file upload vulnerability allowing attackers to upload web shells for persistent server access.

Remote code execution in Docling Core versions 2.21.0 through 2.48.3 allows unauthenticated attackers to execute arbitrary code when applications deserialize untrusted YAML data using the `DoclingDocument.load_from_yaml()` method with vulnerable PyYAML versions. The vulnerability stems from unsafe deserialization practices (CWE-502) and affects document processing systems using affected library versions. No patch is currently available; mitigation requires upgrading to version 2.48.4 or ensuring PyYAML 5.4+ is installed.

Tenda AX3 firmware has another stack-based buffer overflow in formGetIptv through a different input path, enabling remote code execution.

Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. [CVSS 7.2 HIGH]

HAMASTAR MeetingHub has an arbitrary file upload vulnerability allowing unauthenticated remote attackers to upload web shells and achieve full server compromise.

HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim’s browser via crafted HTML content. [CVSS 7.6 HIGH]

Remote code execution in Tendenci CMS versions 15.3.11 and below allows authenticated staff users to execute arbitrary code through unsafe pickle deserialization in the Helpdesk module's reporting function. The vulnerability stems from incomplete patching of CVE-2020-14942, where the run_report() function continues to use unsafe pickle.loads() despite the ticket_list() function being corrected. Public exploit code exists for this issue, though impact is limited to the privileges of the application's runtime user.

Laravel Reverb WebSocket server versions 1.6.3 and below have an insecure deserialization vulnerability enabling remote code execution on the backend server.

CVAT is an open source interactive video and image annotation tool for computer vision. [CVSS 5.4 MEDIUM]

5ire MCP client prior to version 0.10.0 has a code injection vulnerability through MCP tool responses that enables arbitrary code execution on the user's desktop.

ArduinoCore-avr contains the source code and configuration files of the Arduino AVR Boards platform. A vulnerability in versions prior to 1.8.7 allows an attacker to trigger a stack-based buffer overflow when converting floating-point values to strings with high precision. By passing very large `decimalPlaces` values to the affected String constructors or concat methods, the `dtostrf` function writes beyond fixed-size stack buffers, causing memory corruption and denial of service. Under speci...

Tenda AX3 firmware has a third stack-based buffer overflow in formGetIptv, allowing unauthenticated remote code execution through the router's web interface.

Tenda AX3 firmware has a second stack overflow in formSetIptv via the vlanId parameter, allowing remote code execution through the IPTV configuration endpoint.

Tenda AX3 firmware v16.03.12.11 has a stack overflow in formSetIptv via the list parameter, enabling remote attackers to crash the router or execute arbitrary code.

OkiJaSvc service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).

PingzapperSvc service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).

OKI Local Port Manager service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).

BRA_Scheduler service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).

Event Log Explorer 4.9.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. [CVSS 7.8 HIGH]

ac.sharedstore service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).

Mini Mouse 9.2.0 remote control application has an RCE vulnerability allowing attackers to execute arbitrary OS commands through the remote control protocol.

GetSimple CMS My SMTP Contact Plugin 1.1.1 contains a cross-site request forgery (CSRF) vulnerability. Attackers can craft a malicious webpage that, when visited by an authenticated administrator, can change SMTP configuration settings in the plugin. [CVSS 6.5 MEDIUM]

GetSimple CMS My SMTP Contact Plugin 1.1.2 contains a PHP code injection vulnerability. An authenticated administrator can inject arbitrary PHP code through plugin configuration parameters, leading to remote code execution on the server. [CVSS 7.2 HIGH]

OpenPLC v3 contains an authenticated remote code execution vulnerability that allows attackers with valid credentials to inject malicious code through the hardware configuration interface. [CVSS 8.8 HIGH]

Hasura GraphQL 1.3.3 has a remote code execution vulnerability allowing attackers to execute arbitrary shell commands through the GraphQL endpoint.

PLY (Python Lex-Yacc) library 3.11 has an unsafe feature enabling remote code execution through pickle deserialization of cached parser tables, with EPSS 0.91%.

A server-side template injection vulnerability (CWE-1336) with CVSS 9.8 allows remote attackers to execute arbitrary code through crafted template expressions.

Zoom Node Multimedia Routers (MMRs) before version 5.2.1716.0 have a CVSS 9.9 command injection vulnerability allowing meeting participants to execute OS commands on the router.

Remote code execution in BROWAN COMMUNICATIONS PrismX MX100 AP controller allows high-privileged remote attackers to upload arbitrary files and execute web shell backdoors without user interaction. This vulnerability affects administrators with elevated credentials and enables complete compromise of the affected access point. No patch is currently available to remediate this issue.

Orval, a TypeScript API client generator, has a command injection vulnerability that allows code execution through malicious OpenAPI specifications.

Arbitrary code execution in Alchemy CMS before versions 7.4.12 and 8.0.3 stems from unsafe use of Ruby's eval() function on the resource_handler.engine_name parameter in the ResourcesHelper class. An authenticated administrator can manipulate module configurations to inject and execute arbitrary system commands with the privileges of the Ruby process. The vulnerability requires high privileges and careful setup to exploit, but completely bypasses the Ruby sandbox once successful.

SiYuan personal knowledge management system prior to 3.5.4 has a stored XSS vulnerability (CVSS 9.6) that allows code execution through crafted knowledge base entries.

HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise. [CVSS 3.1 LOW]

Aion versions up to 2.0 contains a vulnerability that allows attackers to malicious file uploads, potentially resulting in unauthorized code execution or (CVSS 2.7).

Stored XSS in LobeChat's Mermaid artifact renderer prior to version 2.0.0-next.180 enables attackers to execute arbitrary JavaScript, which can be escalated to remote code execution through the exposed electronAPI IPC bridge to run system commands. This affects users of the open source chat platform running vulnerable versions, requiring local interaction and high privileges to exploit but resulting in full system compromise. No patch is currently available.

MCPJam Inspector versions 1.4.2 and earlier allow unauthenticated remote code execution through missing authentication in the MCP server debugging platform, with EPSS 17.2% indicating active scanning.

Omni Secure File versions up to 0.1.14 is affected by unrestricted upload of file with dangerous type.

Umbraco Forms versions up to 8.13.16 is affected by inclusion of functionality from untrusted control sphere (CVSS 7.5).

its binary path configuration contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).

Xmind 2020 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into mind mapping files or custom headers. [CVSS 6.1 MEDIUM]

StudyMD 0.3.2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. [CVSS 7.2 HIGH]

Moeditor 0.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. [CVSS 7.2 HIGH]

Marky 0.0.1 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. Attackers can upload crafted markdown files with embedded JavaScript payloads that execute when the file is opened, potentially enabling remote code execution. [CVSS 7.2 HIGH]

Markright 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to embed malicious payloads in markdown files. [CVSS 7.2 HIGH]

Markdownify 1.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload crafted markdown files with embedded scripts that execute when the file is opened, potentially enabling remote code execution. [CVSS 7.2 HIGH]

Freeter 1.2.1 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads in custom widget titles and files. [CVSS 7.2 HIGH]

NTI IScheduleSvc service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).

Dive, an MCP Host Desktop Application for LLM integration, allows code injection prior to version 0.13.0 through malicious tool responses, enabling attackers to execute arbitrary code on the user's machine.

Livewire Filemanager for Laravel contains an unrestricted file upload vulnerability allowing unauthenticated attackers to upload and execute arbitrary files on the server.

All-in-One Video Gallery (WordPress plugin) versions up to 4.5.7. is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

The vulnerability, if exploited, could allow an authenticated miscreant (OS Standard User) to trick Process Optimization services into loading arbitrary code and escalate privileges to OS System, potentially resulting in complete compromise of the Model Application Server. [CVSS 8.8 HIGH]

The vulnerability, if exploited, could allow an authenticated miscreant (OS standard user) to tamper with TCL Macro scripts and escalate privileges to OS system, potentially resulting in complete compromise of the model application server. [CVSS 8.8 HIGH]

A CVSS 10.0 code injection vulnerability allows unauthenticated attackers to achieve remote code execution with OS-level system privileges on the affected product.

Canon printers contain an invalid free vulnerability in CPCA file deletion processing that allows network-based attackers to execute arbitrary code or crash the device.

Wibukey versions up to 6.51 contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).

GeoVision GeoWebServer 5.3.3 contains multiple vulnerabilities including local file inclusion, cross-site scripting, and remote code execution through improper input sanitization. [CVSS 6.2 MEDIUM]

ZesleCP 3.1.9 contains an authenticated remote code execution vulnerability that allows attackers to create malicious FTP accounts with shell injection payloads. [CVSS 8.8 HIGH]

Remote Mouse versions up to 3.008 contains a vulnerability that allows attackers to execute arbitrary code with elevated system privileges (CVSS 7.8).

Active Webcam versions up to 11.5 contains a vulnerability that allows attackers to execute arbitrary code with elevated system privileges (CVSS 7.8).

Websitebaker versions up to 2.13.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

Ether MP3 CD Burner 1.3.8 has buffer overflow in registration enabling bind shell on port 3110 via SEH overwrite. PoC available.

Macro Expert versions up to 4.7 contains a vulnerability that allows attackers to potentially execute arbitrary code with elevated system privileges (CVSS 7.8).

Sysgauge versions up to 7.9.18 contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).

Changjetong T+ (through 16.x) has .NET deserialization RCE in an AjaxPro endpoint. Attacker-controlled JSON triggers deserialization of malicious .NET types. PoC available.

Uploadify WordPress plugin versions up to and including 1.0 contain an arbitrary file upload vulnerability in process_upload.php due to missing file type validation.

Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the SmartCardController service (DCG.SmartCardControllerService.exe).

CWE-416: Use After Free vulnerability that could cause remote code execution when the end user imports the malicious project file (SSD file) into Rapsody.

NOAA PMEL Live Access Server (LAS) has unauthenticated RCE through PyFerret SPAWN commands embedded in requests. Scientific data servers running LAS are vulnerable to complete compromise.

Tagstoo 2.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious payloads through files or custom tags. Attackers can execute arbitrary JavaScript code to spawn system processes, access files, and perform remote code execution on the victim's computer. [CVSS 5.4 MEDIUM]

Kingdia CD Extractor 3.0.2 has a buffer overflow in the registration name field. PoC available.

10-Strike Network Inventory Explorer Pro 9.31 has a buffer overflow in text file import that enables RCE through crafted files. PoC available.

HTTPDebuggerPro 9.11 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. [CVSS 7.8 HIGH]

Patient Management System versions up to 2.0.2 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

Patient Management System versions up to 2.0.2 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

InvoicePlane through 1.6.3 allows authenticated users to upload PHP files as attachments that can be executed remotely. Low privileges sufficient with scope change. PoC available.

Supreme Modules Lite (WordPress plugin) versions up to 2.5.62. is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

An insecure authentication mechanism in the safe_exec.sh startup script of Blurams Flare Camera version 24.1114.151.929 and earlier allows an attacker with physical access to the device to execute arbitrary commands with root privileges, if file /opt/images/public_key.der is not present in the file system. [CVSS 6.8 MEDIUM]

Tftpd32 SE 4.60 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. [CVSS 8.4 HIGH]

Outline versions up to - contains a vulnerability that allows attackers to potentially execute arbitrary code with elevated system privileges (CVSS 7.8).

Clevo HotKey Clipboard 2.1.0.6 contains an unquoted service path vulnerability in the HKClipSvc service that allows local non-privileged users to potentially execute code with system privileges. [CVSS 8.4 HIGH]

CONTPAQi AdminPAQ 14.0.0 contains an unquoted service path vulnerability in the AppKeyLicenseServer service running with LocalSystem privileges. [CVSS 8.4 HIGH]

Wbce Cms versions up to 1.5.2 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

Cain \& Abel versions up to 4.9.56 contains a vulnerability that allows attackers to potentially execute arbitrary code with elevated privileges (CVSS 7.8).