| CVE-2025-50460 | Cri | 0.57 | 9.8 | 0.04 | | Aug 1, 2025 | A remote code execution (RCE) vulnerability exists in the ms-swift project version 3.3.0 due to unsafe deserialization in tests/run.py using yaml.load() from the PyYAML library (versions = 5.3.1). If an attacker can control the content of the YAML configuration file passed to the --run_config parameter, arbitrary code can be executed during deserialization. This can lead to full system compromise. The vulnerability is triggered when a malicious YAML file is loaded, allowing the execution of arbitrary Python commands such as os.system(). It is recommended to upgrade PyYAML to version 5.4 or higher, and to use yaml.safe_load() to mitigate the issue. |
| CVE-2025-54428 | Cri | 0.57 | 9.8 | 0.00 | | Jul 28, 2025 | RevelaCode is an AI-powered faith-tech project that decodes biblical verses, prophecies and global events into accessible language. In versions below 1.0.1, a valid MongoDB Atlas URI with embedded username and password was accidentally committed to the public repository. This could allow unauthorized access to production or staging databases, potentially leading to data exfiltration, modification, or deletion. This is fixed in version 1.0.1. Workarounds include: immediately rotating credentials for the exposed database user, using a secret manager (like Vault, Doppler, AWS Secrets Manager, etc.) instead of storing secrets directly in code, or auditing recent access logs for suspicious activity. |
| CVE-2025-54426 | Cri | 0.57 | — | 0.00 | | Jul 28, 2025 | Polkadot Frontier is an Ethereum and EVM compatibility layer for Polkadot and Substrate. In versions prior to commit 36f70d1, the Curve25519Add and Curve25519ScalarMul precompiles incorrectly handle invalid Ristretto point representations. Instead of returning an error, they silently treat invalid input bytes as the Ristretto identity element, leading to potentially incorrect cryptographic results. This is fixed in commit 36f70d1. |
| CVE-2025-53890 | Cri | 0.57 | 9.8 | 0.01 | | Jul 15, 2025 | pyload is an open-source Download Manager written in pure Python. An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system remote code execution. Commit 909e5c97885237530d1264cfceb5555870eb9546, the patch for the issue, is included in version 0.5.0b3.dev89. |
| CVE-2025-26074 | Cri | 0.57 | 9.8 | 0.01 | | Jun 30, 2025 | Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes. |
| CVE-2025-40914 | Cri | 0.57 | 9.8 | 0.01 | | Jun 11, 2025 | Perl CryptX before version 0.087 contains a dependency that may be susceptible to an integer overflow.
CryptX embeds a version of the libtommath library that is susceptible to an integer overflow associated with CVE-2023-36328. |
| CVE-2025-49652 | Cri | 0.57 | 9.8 | 0.00 | | Jun 9, 2025 | Missing Authentication in the registration feature of Lablup's BackendAI allows arbitrary users to create user accounts that can access private data even when registration is disabled. |
| CVE-2020-36846 | Cri | 0.57 | 9.8 | 0.01 | | May 30, 2025 | A buffer overflow, as described in CVE-2020-8927, exists in the embedded Brotli library. Versions of IO::Compress::Brotli prior to 0.007 included a version of the brotli library prior to version 1.0.8, where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your IO::Compress::Brotli module to 0.007 or later. If one cannot update, we recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits. |
| CVE-2025-37924 | Cri | 0.57 | 9.8 | 0.00 | | May 20, 2025 | In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix use-after-free in kerberos authentication
Setting sess->user = NULL was introduced to fix the dangling pointer
created by ksmbd_free_user. However, it is possible another thread could
be operating on the session and make use of sess->user after it has been
passed to ksmbd_free_user but before sess->user is set to NULL. |
| CVE-2025-47282 | Cri | 0.57 | 9.9 | 0.00 | | May 19, 2025 | Gardener External DNS Management is an environment to manage external DNS entries for a kubernetes cluster. A security vulnerability was discovered in Gardener's External DNS Management prior to version 0.23.6 that could allow a user with administrative privileges for a Gardener project or a user with administrative privileges for a shoot cluster, including administrative privileges for a single namespace of the shoot cluster, to obtain control over the seed cluster where the shoot cluster is managed. This CVE affects all Gardener installations no matter of the public cloud provider(s) used for the seed clusters/shoot clusters. The affected component is `gardener/external-dns-management`. The `external-dns-management` component may also be deployed on the seeds by the `gardener/gardener-extension-shoot-dns-service` extension when the extension is enabled. In this case, all versions of the `shoot-dns-service` extension `<= v1.60.0` are affected by this vulnerability. Version 0.23.6 of Gardener External DNS Management fixes the issue. |
| CVE-2025-32958 | Cri | 0.57 | 9.8 | 0.00 | | Apr 21, 2025 | Adept is a language for general purpose programming. Prior to commit a1a41b7, the remoteBuild.yml workflow file uses actions/upload-artifact@v4 to upload the mac-standalone artifact. This artifact is a zip of the current directory, which includes the automatically generated .git/config file containing the run's GITHUB_TOKEN. Seeing as the artifact can be downloaded prior to the end of the workflow, there is a few seconds where an attacker can extract the token from the artifact and use it with the Github API to push malicious code or rewrite release commits in the AdeptLanguage/Adept repository. This issue has been patched in commit a1a41b7. |
| CVE-2025-32445 | Cri | 0.57 | 9.9 | 0.00 | | Apr 15, 2025 | Argo Events is an event-driven workflow automation framework for Kubernetes. A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges. The EventSource and Sensor CRs allow the corresponding orchestrated pod to be customized with spec.template and spec.template.container (with type k8s.io/api/core/v1.Container), thus, any specification under container such as command, args, securityContext , volumeMount can be specified, and applied to the EventSource or Sensor pod. With these, a user would be able to gain privileged access to the cluster host, if he/she specified the EventSource/Sensor CR with some particular properties under template. This vulnerability is fixed in v1.9.6. |
| CVE-2025-30206 | Cri | 0.57 | 9.8 | 0.00 | | Apr 15, 2025 | Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw allows attackers to analyze the source code, discover the embedded secret, and craft legitimate JWT tokens. By forging these tokens, an attacker can successfully bypass authentication mechanisms, impersonate privileged users, and gain unauthorized administrative access. Consequently, this enables full control over the host machine, potentially leading to severe consequences such as sensitive data exposure, unauthorized command execution, privilege escalation, or further lateral movement within the network environment. This issue is patched in version 1.6.1. A workaround for this vulnerability involves replacing the hardcoded secret with a securely generated value and load it from secure configuration storage. |
| CVE-2025-32461 | Cri | 0.57 | 9.9 | 0.01 | | Apr 9, 2025 | wikiplugin_includetpl in lib/wiki-plugins/wikiplugin_includetpl.php in Tiki before 28.3 mishandles input to an eval. The fixed versions are 21.12, 24.8, 27.2, and 28.3. |
| CVE-2024-9701 | Cri | 0.57 | 9.8 | 0.06 | | Mar 20, 2025 | A Remote Code Execution (RCE) vulnerability has been identified in the Kedro ShelveStore class (version 0.19.8). This vulnerability allows an attacker to execute arbitrary Python code via deserialization of malicious payloads, potentially leading to a full system compromise. The ShelveStore class uses Python's shelve module to manage session data, which relies on pickle for serialization. Crafting a malicious payload and storing it in the shelve file can lead to RCE when the payload is deserialized. |
| CVE-2025-25362 | Cri | 0.57 | 9.8 | 0.00 | | Mar 5, 2025 | A Server-Side Template Injection (SSTI) vulnerability in Spacy-LLM v0.7.2 allows attackers to execute arbitrary code via injecting a crafted payload into the template field. |
| CVE-2023-38693 | Cri | 0.57 | 9.8 | 0.00 | | Mar 5, 2025 | Lucee Server (or simply Lucee) is a dynamic, Java based, tag and scripting language used for rapid web application development. The Lucee REST endpoint is vulnerable to RCE via an XML XXE attack. This vulnerability is fixed in Lucee 5.4.3.2, 5.3.12.1, 5.3.7.59, 5.3.8.236, and 5.3.9.173. |
| CVE-2025-25286 | Cri | 0.57 | 9.8 | 0.04 | | Feb 13, 2025 | Crayfish is a collection of Islandora 8 microservices, one of which, Homarus, provides FFmpeg as a microservice. Prior to Crayfish version 4.1.0, remote code execution may be possible in web-accessible installations of Homarus in certain configurations. The issue has been patched in `islandora/crayfish:4.1.0`. Some workarounds are available. The exploit requires making a request against the Homarus's `/convert` endpoint; therefore, the ability to exploit is much reduced if the microservice is not directly accessible from the Internet, so: Prevent general access from the Internet from hitting Homarus. Alternatively or additionally, configure auth in Crayfish to be more strongly required, such that requests with `Authorization` headers that do not validate are rejected before the problematic CLI interpolation occurs. |
| CVE-2025-1066 | Cri | 0.57 | 9.8 | 0.00 | | Feb 6, 2025 | OpenPLC_V3 contains an arbitrary file upload vulnerability, which could be leveraged for malvertising or phishing campaigns. |
| CVE-2025-22137 | Cri | 0.57 | 9.8 | 0.00 | | Jan 8, 2025 | Pingvin Share is a self-hosted file sharing platform and an alternative for WeTransfer. This vulnerability allows an authenticated or unauthenticated (if anonymous shares are allowed) user to overwrite arbitrary files on the server, including sensitive system files, via HTTP POST requests. The issue has been patched in version 1.4.0. |
| CVE-2024-56327 | Cri | 0.57 | 9.8 | 0.01 | | Dec 19, 2024 | pyrage is a set of Python bindings for the rage file encryption library (age in Rust). `pyrage` uses the Rust `age` crate for its underlying operations, and `age` is vulnerable to GHSA-4fg7-vxc8-qx5w. All details of GHSA-4fg7-vxc8-qx5w are relevant to `pyrage` for the versions specified in this advisory. See GHSA-4fg7-vxc8-qx5w for full details. Versions of `pyrage` before 1.2.0 lack plugin support and are therefore **not affected**. An equivalent issue was fixed in [the reference Go implementation of age](https://github.com/FiloSottile/age), see advisory GHSA-32gq-x56h-299c. This issue has been addressed in version 1.2.3 and all users are advised to update. There are no known workarounds for this vulnerability. |
| CVE-2024-21546 | Cri | 0.57 | 9.8 | 0.04 | | Dec 18, 2024 | Versions of the package unisharp/laravel-filemanager before 2.9.1 are vulnerable to Remote Code Execution (RCE) through using a valid mimetype and inserting the . character after the php file extension. This allows the attacker to execute malicious code. |
| CVE-2024-55875 | Cri | 0.57 | 9.8 | 0.07 | | Dec 12, 2024 | http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 5.41.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances. Version 5.41.0.0 contains a patch for the issue. |
| CVE-2024-46455 | Cri | 0.57 | 9.8 | 0.00 | | Dec 9, 2024 | unstructured v.0.14.2 and before is vulnerable to XML External Entity (XXE) via the XMLParser. |
| CVE-2024-55560 | Cri | 0.57 | 9.8 | 0.00 | | Dec 8, 2024 | MailCleaner before 28d913e has default values of ssh_host_dsa_key, ssh_host_rsa_key, and ssh_host_ed25519_key that persist after installation. |
| CVE-2024-36671 | Cri | 0.57 | 9.8 | 0.00 | | Nov 29, 2024 | nodemcu before v3.0.0-release_20240225 was discovered to contain an integer overflow via the getnum function at /modules/struct.c. |
| CVE-2024-51132 | Cri | 0.57 | 9.8 | 0.08 | | Nov 5, 2024 | An XML External Entity (XXE) vulnerability in HAPI FHIR before v6.4.0 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted request containing malicious XML entities. |
| CVE-2024-41618 | Cri | 0.57 | 9.8 | 0.00 | | Oct 24, 2024 | Money Manager EX WebApp (web-money-manager-ex) 1.2.2 is vulnerable to SQL Injection in the `transaction_delete_group` function. The vulnerability is due to improper sanitization of user input in the `TrDeleteArr` parameter, which is directly incorporated into an SQL query. |
| CVE-2024-41617 | Cri | 0.57 | 9.8 | 0.01 | | Oct 24, 2024 | Money Manager EX WebApp (web-money-manager-ex) 1.2.2 is vulnerable to Incorrect Access Control. The `redirect_if_not_loggedin` function in `functions_security.php` fails to terminate script execution after redirecting unauthenticated users. This flaw allows an unauthenticated attacker to upload arbitrary files, potentially leading to Remote Code Execution. |
| CVE-2023-32191 | Cri | 0.57 | 9.9 | 0.00 | | Oct 16, 2024 | When RKE provisions a cluster, it stores the cluster state in a configmap called `full-cluster-state` inside the `kube-system` namespace of the cluster itself. The information available in there allows non-admin users to escalate to admin. |
| CVE-2024-45496 | Cri | 0.57 | 9.9 | 0.00 | | Sep 17, 2024 | A flaw was found in OpenShift. This issue occurs due to the misuse of elevated privileges in the OpenShift Container Platform's build process. During the build initialization step, the git-clone container is run with a privileged security context, allowing unrestricted access to the node. An attacker with developer-level access can provide a crafted .gitconfig file containing commands executed during the cloning process, leading to arbitrary command execution on the worker node. An attacker running code in a privileged container could escalate their permissions on the node running the container. |
| CVE-2024-45258 | Cri | 0.57 | 9.8 | 0.00 | | Aug 25, 2024 | The req package before 3.43.4 for Go may send an unintended request when a malformed URL is provided, because cleanHost in http.go intentionally uses a "garbage in, garbage out" design. |
| CVE-2024-38989 | Cri | 0.57 | 9.8 | 0.00 | | Aug 12, 2024 | izatop bunt v0.29.19 was discovered to contain a prototype pollution via the component /esm/qs.js. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. |
| CVE-2024-36533 | Cri | 0.57 | 9.8 | 0.00 | | Jul 24, 2024 | Insecure permissions in volcano v1.8.2 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token. |
| CVE-2024-28698 | Cri | 0.57 | 9.8 | 0.09 | | Jul 22, 2024 | Directory Traversal vulnerability in Marimer LLC CSLA .Net before 8.0 allows a remote attacker to execute arbitrary code via a crafted script to the MobileFormatter component. |
| CVE-2024-40624 | Cri | 0.57 | 9.8 | 0.00 | | Jul 15, 2024 | TorrentPier is an open source BitTorrent Public/Private tracker engine, written in php. In `torrentpier/library/includes/functions.php`, `get_tracks()` uses the unsafe native PHP serialization format to deserialize user-controlled cookies. One can use phpggc and the chain Guzzle/FW1 to write PHP code to an arbitrary file, and execute commands on the system. For instance, the cookie bb_t will be deserialized when browsing to viewforum.php. This issue has been addressed in commit `ed37e6e52` which is expected to be included in release version 2.4.4. Users are advised to upgrade as soon as the new release is available. There are no known workarounds for this vulnerability. |
| CVE-2024-39915 | Cri | 0.57 | 9.9 | 0.00 | | Jul 15, 2024 | Thruk is a multibackend monitoring webinterface for Naemon, Nagios, Icinga and Shinken using the Livestatus API. This authenticated RCE in Thruk allows authorized users with network access to inject arbitrary commands via the URL parameter during PDF report generation. The Thruk web application does not properly process the url parameter when generating a PDF report. An authorized attacker with access to the reporting functionality could inject arbitrary commands that would be executed when the script /script/html2pdf.sh is called. The vulnerability can be exploited by an authorized user with network access. This issue has been addressed in version 3.16. Users are advised to upgrade. There are no known workarounds for this vulnerability.
|
| CVE-2024-39309 | Cri | 0.57 | 9.8 | 0.04 | | Jul 1, 2024 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. The algorithm to detect SQL injection has been improved in versions 6.5.7 and 7.1.0. No known workarounds are available. |
| CVE-2024-36573 | Cri | 0.57 | 9.8 | 0.00 | | Jun 17, 2024 | almela obx before v.0.0.4 has a Prototype Pollution issue which allows arbitrary code execution via the obx/build/index.js:656), reduce (@almela/obx/build/index.js:470), Object.set (obx/build/index.js:269) component. |
| CVE-2024-3592 | Cri | 0.57 | 9.9 | 0.01 | | Jun 7, 2024 | The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'question_id' parameter in all versions up to, and including, 9.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. CVE-2024-5606 appears to be a duplicate of this issue. |
| CVE-2024-36108 | Cri | 0.57 | 9.8 | 0.00 | | May 31, 2024 | casgate is an Open Source Identity and Access Management system. In affected versions `casgate` allows remote unauthenticated attacker to obtain sensitive information via GET request to an API endpoint. This issue has been addressed in PR #201 which is pending merge. An attacker could use `id` parameter of GET requests with value `anonymous/ anonymous` to bypass authorization on certain API endpoints. Successful exploitation of the vulnerability could lead to account takeover, privilege escalation or provide attacker with credential to other services. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
| CVE-2024-5147 | Cri | 0.57 | 9.8 | 0.01 | | May 22, 2024 | The WPZOOM Addons for Elementor (Templates, Widgets) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.37 via the 'grid_style' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. |
| CVE-2024-24294 | Cri | 0.57 | 9.8 | 0.00 | | May 20, 2024 | A Prototype Pollution issue in Blackprint @blackprint/engine v.0.9.0 allows an attacker to execute arbitrary code via the _utils.setDeepProperty function of engine.min.js. |
| CVE-2024-4078 | Cri | 0.57 | 9.8 | 0.10 | | May 16, 2024 | A vulnerability in the parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows for arbitrary code execution due to insufficient sanitization of user input. The issue arises from the lack of path sanitization when handling the `name` parameter in the `unInstall_binding` function, allowing an attacker to traverse directories and execute arbitrary code by loading a malicious `__init__.py` file. This vulnerability affects the latest version of the software. The exploitation of this vulnerability could lead to remote code execution on the system where parisneo/lollms is deployed. |
| CVE-2024-34706 | Cri | 0.57 | 9.8 | 0.00 | | May 14, 2024 | Valtimo is an open source business process and case management platform. When opening a form in Valtimo, the access token (JWT) of the user is exposed to `api.form.io` via the the `x-jwt-token` header. An attacker can retrieve personal information from this token, or use it to execute requests to the Valtimo REST API on behalf of the logged-in user. This issue is caused by a misconfiguration of the Form.io component.
The following conditions have to be met in order to perform this attack: An attacker needs to have access to the network traffic on the `api.form.io` domain; the content of the `x-jwt-token` header is logged or otherwise available to the attacker; an attacker needs to have network access to the Valtimo API; and an attacker needs to act within the time-to-live of the access token. The default TTL in Keycloak is 5 minutes.
Versions 10.8.4, 11.1.6 and 11.2.2 have been patched. |
| CVE-2024-27280 | Cri | 0.57 | 9.8 | 0.07 | | May 14, 2024 | A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. 3.0.3 is the main fixed version; however, for Ruby 3.0 users, a fixed version is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version is stringio 3.0.1.2. |
| CVE-2024-33434 | Cri | 0.57 | 9.8 | 0.08 | | May 7, 2024 | An issue in tiagorlampert CHAOS v5.0.1 before 1b451cf62582295b7225caf5a7b506f0bad56f6b and 24c9e109b5be34df7b2bce8368eae669c481ed5e allows a remote attacker to execute arbitrary code via the unsafe concatenation of the `filename` argument into the `buildStr` string without any sanitization or filtering. |
| CVE-2024-34461 | Cri | 0.57 | 9.8 | 0.00 | | May 4, 2024 | Zenario before 9.5.60437 uses Twig filters insecurely in the Twig Snippet plugin, and in the site-wide HEAD and BODY elements, enabling code execution by a designer or an administrator. |
| CVE-2024-32881 | Cri | 0.57 | 9.8 | 0.00 | | Apr 26, 2024 | Danswer is the AI Assistant connected to company's docs, apps, and people. Danswer is vulnerable to unauthorized access to GET/SET of Slack Bot Tokens. Anyone with network access can steal slack bot tokens and set them. This implies full compromise of the customer's slack bot, leading to internal Slack access. This issue was patched in version 3.63. |
| CVE-2024-21511 | Cri | 0.57 | 9.8 | 0.00 | | Apr 23, 2024 | Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function. |
