Total
163 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-54663 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 7.5 HIGH |
| An issue was discovered in the Webmail Classic UI in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A Local File Inclusion (LFI) vulnerability exists in the /h/rest endpoint, allowing authenticated remote attackers to include and access sensitive files in the WebRoot directory. Exploitation requires a valid auth token and involves crafting a malicious request targeting specific file paths. | |||||
| CVE-2025-39507 | 1 Nasatheme | 1 Nasa Core | 2025-06-06 | N/A | 7.5 HIGH |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NasaTheme Nasa Core allows PHP Local File Inclusion. This issue affects Nasa Core: from n/a through 6.3.2. | |||||
| CVE-2022-41709 | 1 Markdownify Project | 1 Markdownify | 2025-05-08 | N/A | 7.8 HIGH |
| Markdownify version 1.4.1 allows an external attacker to execute arbitrary code remotely on any client attempting to view a malicious markdown file through Markdownify. This is possible because the application has the "nodeIntegration" option enabled. | |||||
| CVE-2024-52976 | 2025-05-02 | N/A | 4.4 MEDIUM | ||
| Inclusion of functionality from an untrusted control sphere in Elastic Agent subprocess, osqueryd, allows local attackers to execute arbitrary code via parameter injection. An attacker requires local access and the ability to modify osqueryd configurations. | |||||
| CVE-2023-40195 | 1 Apache | 1 Airflow Spark Provider | 2025-04-23 | N/A | 8.8 HIGH |
| Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airflow Spark Provider. When the Apache Spark provider is installed on an Airflow deployment, an Airflow user that is authorized to configure Spark hooks can effectively run arbitrary code on the Airflow node by pointing it at a malicious Spark server. Prior to version 4.1.3, this was not called out in the documentation explicitly, so it is possible that administrators provided authorizations to configure Spark hooks without taking this into account. We recommend administrators to review their configurations to make sure the authorization to configure Spark hooks is only provided to fully trusted users. To view the warning in the docs please visit https://airflow.apache.org/docs/apache-airflow-providers-apache-spark/4.1.3/connections/spark.html | |||||
| CVE-2025-33026 | 1 Peazip | 1 Peazip | 2025-04-22 | N/A | 6.1 MEDIUM |
| In PeaZip through 10.4.0, there is a Mark-of-the-Web Bypass Vulnerability. This vulnerability allows attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of PeaZip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, PeaZip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. | |||||
| CVE-2017-1376 | 1 Ibm | 1 Operations Analytics Predictive Insights | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| A flaw in the IBM J9 VM class verifier allows untrusted code to disable the security manager and elevate its privileges. IBM X-Force ID: 126873. | |||||
| CVE-2017-6381 | 1 Drupal | 1 Drupal | 2025-04-20 | 6.8 MEDIUM | 8.1 HIGH |
| A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren't vulnerable, you can remove the <siteroot>/vendor/phpunit directory from your production deployments | |||||
| CVE-2022-34468 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-04-15 | N/A | 8.8 HIGH |
| An iframe that was not permitted to run scripts could do so if the user clicked on a <code>javascript:</code> link. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11. | |||||
| CVE-2022-24119 | 1 Ge | 16 Inet 900, Inet 900 Firmware, Inet Ii 900 and 13 more | 2025-04-12 | N/A | 9.8 CRITICAL |
| Certain General Electric Renewable Energy products have a hidden feature for unauthenticated remote access to the device configuration shell. This affects iNET and iNET II before 8.3.0. | |||||
| CVE-2010-2076 | 1 Apache | 1 Cxf | 2025-04-11 | 7.5 HIGH | 9.8 CRITICAL |
| Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Chemistry, Apache jUDDI, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to samples/wsdl_first_pure_xml, a similar issue to CVE-2010-1632. | |||||
| CVE-2004-0285 | 3 Allmyguests Project, Allmylinks Project, Allmyvisitors Project | 3 Allmyguests, Allmylinks, Allmyvisitors | 2025-04-03 | 7.5 HIGH | 9.8 CRITICAL |
| PHP remote file inclusion vulnerabilities in include/footer.inc.php in (1) AllMyVisitors, (2) AllMyLinks, and (3) AllMyGuests allow remote attackers to execute arbitrary PHP code via a URL in the _AMVconfig[cfg_serverpath] parameter. | |||||
| CVE-2004-0030 | 1 Phpgedview | 1 Phpgedview | 2025-04-03 | 7.5 HIGH | 9.8 CRITICAL |
| PHP remote file inclusion vulnerability in (1) functions.php, (2) authentication_index.php, and (3) config_gedcom.php for PHPGEDVIEW 2.61 allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server that contains the code. | |||||
| CVE-2025-27668 | 1 Printerlogic | 2 Vasion Print, Virtual Appliance | 2025-04-01 | N/A | 9.8 CRITICAL |
| Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Arbitrary Content Inclusion via Iframe OVE-20230524-0012. | |||||
| CVE-2024-5693 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-03-27 | N/A | 6.1 MEDIUM |
| Offscreen Canvas did not properly track cross-origin tainting, which could be used to access image data from another site in violation of same-origin policy. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12. | |||||
| CVE-2024-45482 | 2025-03-27 | N/A | N/A | ||
| An Inclusion of Functionality from Untrusted Control Sphere vulnerability in the SSH server on B&R APROL <4.4-00P1 may allow an authenticated local attacker from a trusted remote server to execute malicious commands. | |||||
| CVE-2019-15839 | 1 Sinaextra | 1 Sina Extension For Elementor | 2025-03-24 | 5.0 MEDIUM | 7.5 HIGH |
| The sina-extension-for-elementor plugin before 2.2.1 for WordPress has local file inclusion. | |||||
| CVE-2022-41216 | 1 Hybridsoftware | 1 Cloudflow | 2025-03-20 | N/A | 8.3 HIGH |
| Local File Inclusion vulnerability within Cloudflow allows attackers to retrieve confidential information from the system. | |||||
| CVE-2022-4134 | 2 Openstack, Redhat | 2 Glance, Openstack | 2025-03-06 | N/A | 2.8 LOW |
| A flaw was found in openstack-glance. This issue could allow a remote, authenticated attacker to tamper with images, compromising the integrity of virtual machines created using these modified images. | |||||
| CVE-2025-24796 | 2025-03-06 | N/A | N/A | ||
| Collabora Online is a collaborative online office suite based on LibreOffice. Macro support is disabled by default in Collabora Online, but can be enabled by an administrator. Collabora Online typically hosts each document instance within a jail and is allowed to download content from locations controlled by the net.lok_allow configuration option, which by default include the private IP ranges to enable access to the local network. If enabled, macros were allowed run executable binaries. By combining an ability to host executables, typically in the local network, in an allowed accessible location, with a macro enabled Collabora Online, it was then possible to install arbitrary binaries within the jail and execute them. These executables are restricted to the same jail file system and user as the document instance but can be used to bypass the additional limits on what network hosts are accessible and provide more flexibility as a platform for further attempts. This is issue is fixed in 24.04.12.4, 23.05.19, 22.05.25 and later macros. | |||||