Total
5137 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-8919 | 1 Portabilis | 1 I-diario | 2025-08-15 | 2.4 Low |
| A vulnerability was determined in Portabilis i-Diario up to 1.6. Affected is an unknown function of the file /objetivos-de-aprendizagem-e-habilidades of the component History Page. The manipulation of the argument código/objetivo habilidade leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-23295 | 1 Nvidia | 1 Apex | 2025-08-15 | 7.8 High |
| NVIDIA Apex for all platforms contains a vulnerability in a Python component where an attacker could cause a code injection issue by providing a malicious file. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | ||||
| CVE-2025-50692 | 1 Foxcms | 1 Foxcms | 2025-08-14 | 9.8 Critical |
| FoxCMS <=v1.2.5 is vulnerable to Code Execution in admin/template_file/editFile.html. | ||||
| CVE-2025-39483 | 2 Imithemes, Wordpress | 2 Eventer, Wordpress | 2025-08-14 | 6.5 Medium |
| Improper Control of Generation of Code ('Code Injection') vulnerability in imithemes Eventer allows Code Injection. This issue affects Eventer: from n/a through 3.9.6. | ||||
| CVE-2011-10018 | 1 Mybb | 1 Mybb | 2025-08-14 | 9.8 Critical |
| myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This vulnerability was introduced during packaging and was not part of the intended application logic. Exploitation requires no authentication and results in full compromise of the web server under the context of the web application. | ||||
| CVE-2025-36014 | 1 Ibm | 2 Integration Bus, Integration Bus For Z\/os | 2025-08-14 | 8.2 High |
| IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.5 is vulnerable to code injection by a privileged user with access to the IIB install directory. | ||||
| CVE-2025-50706 | 1 Thinkphp | 1 Thinkphp | 2025-08-14 | 9.8 Critical |
| An issue in thinkphp v.5.1 allows a remote attacker to execute arbitrary code via the routecheck function | ||||
| CVE-2025-50707 | 1 Thinkphp | 1 Thinkphp | 2025-08-14 | 9.8 Critical |
| An issue in thinkphp3 v.3.2.5 allows a remote attacker to execute arbitrary code via the index.php component | ||||
| CVE-2025-52385 | 2025-08-14 | 9.8 Critical | ||
| An issue in Studio 3T v.2025.1.0 and before allows a remote attacker to execute arbitrary code via a crafted payload to the child_process module | ||||
| CVE-2025-23298 | 1 Nvidia | 1 Merlin Transformers4rec | 2025-08-14 | 7.8 High |
| NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability in a python dependency, where an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | ||||
| CVE-2025-23296 | 1 Nvidia | 1 Isaac-gr00t | 2025-08-14 | 7.8 High |
| NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component where an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | ||||
| CVE-2025-23305 | 1 Nvidia | 1 Megatron-lm | 2025-08-14 | 7.8 High |
| NVIDIA Megatron-LM for all platforms contains a vulnerability in the tools component, where an attacker may exploit a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering. | ||||
| CVE-2025-23306 | 1 Nvidia | 1 Megatron-lm | 2025-08-14 | 7.8 High |
| NVIDIA Megatron-LM for all platforms contains a vulnerability in the megatron/training/ arguments.py component where an attacker could cause a code injection issue by providing a malicious input. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering. | ||||
| CVE-2025-8918 | 1 Portabilis | 1 I-educar | 2025-08-14 | 2.4 Low |
| A vulnerability was found in Portabilis i-Educar up to 2.10. This issue affects some unknown processing of the file /intranet/educar_instituicao_cad.php of the component Editar Page. The manipulation of the argument neighborhood name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-42950 | 1 Sap | 1 Landscape Transformation | 2025-08-13 | 9.9 Critical |
| SAP Landscape Transformation (SLT) allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. | ||||
| CVE-2025-42957 | 1 Sap | 1 S/4hana | 2025-08-13 | 9.9 Critical |
| SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. | ||||
| CVE-2025-4056 | 3 Gnome, Microsoft, Redhat | 3 Glib, Windows, Enterprise Linux | 2025-08-13 | 3.7 Low |
| A flaw was found in GLib. A denial of service on Windows platforms may occur if an application attempts to spawn a program using long command lines. | ||||
| CVE-2025-54997 | 2 Openbao, Openbao Project | 2 Openbao, Openbao | 2025-08-13 | 9.1 Critical |
| OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit privileged API operators from executing system code or making network connections. However, these operators can bypass both restrictions through the audit subsystem by manipulating log prefixes. This allows unauthorized code execution and network access that violates the intended security model. This issue is fixed in version 2.3.2. To workaround, users can block access to sys/audit/* endpoints using explicit deny policies, but root operators cannot be restricted this way. | ||||
| CVE-2025-6000 | 1 Hashicorp | 2 Vault, Vault Enterprise | 2025-08-13 | 9.1 Critical |
| A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23. | ||||
| CVE-2025-46725 | 1 Langroid | 1 Langroid | 2025-08-13 | 9.8 Critical |
| Langroid is a Python framework to build large language model (LLM)-powered applications. Prior to version 0.53.15, `LanceDocChatAgent` uses pandas eval() through `compute_from_docs()`. As a result, an attacker may be able to make the agent run malicious commands through `QueryPlan.dataframe_calc]`) compromising the host system. Langroid 0.53.15 sanitizes input to the affected function by default to tackle the most common attack vectors, and added several warnings about the risky behavior in the project documentation. | ||||