Total
51 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-25270 | 1 Phoenixcontact | 8 Charx Sec-3000, Charx Sec-3000 Firmware, Charx Sec-3050 and 5 more | 2025-07-11 | N/A | 9.8 CRITICAL |
| An unauthenticated remote attacker can alter the device configuration in a way to get remote code execution as root with specific configurations. | |||||
| CVE-2025-6107 | 2025-06-16 | N/A | 3.1 LOW | ||
| A vulnerability was found in comfyanonymous comfyui 0.3.40. It has been classified as problematic. Affected is the function set_attr of the file /comfy/utils.py. The manipulation leads to dynamically-determined object attributes. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-46673 | 1 Nasa | 1 Cryptolib | 2025-05-29 | N/A | 9.9 CRITICAL |
| NASA CryptoLib before 1.3.2 does not check whether the SA is in an operational state before use, possibly leading to a bypass of the Space Data Link Security protocol (SDLS). | |||||
| CVE-2025-46675 | 1 Nasa | 1 Cryptolib | 2025-05-12 | N/A | 4.2 MEDIUM |
| In NASA CryptoLib before 1.3.2, the key state is not checked before use, potentially leading to spacecraft hijacking. | |||||
| CVE-2025-31674 | 1 Drupal | 1 Drupal | 2025-05-01 | N/A | N/A |
| Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3. | |||||
| CVE-2022-44000 | 1 Backclick | 1 Backclick | 2025-04-30 | N/A | 9.8 CRITICAL |
| An issue was discovered in BACKCLICK Professional 5.9.63. Due to an exposed internal communications interface, it is possible to execute arbitrary system commands on the server. | |||||
| CVE-2024-2537 | 1 Logitech | 1 Logi Tune | 2025-04-09 | N/A | 9.8 CRITICAL |
| Improper Control of Dynamically-Managed Code Resources vulnerability in Logitech Logi Tune on MacOS allows Local Code Inclusion. | |||||
| CVE-2024-8953 | 1 Composio | 1 Composio | 2025-04-01 | N/A | 9.8 CRITICAL |
| In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. This can lead to arbitrary code execution if untrusted input is passed to the eval() function. | |||||
| CVE-2014-9852 | 3 Imagemagick, Opensuse, Suse | 7 Imagemagick, Leap, Opensuse and 4 more | 2024-11-04 | 7.5 HIGH | 9.8 CRITICAL |
| distribute-cache.c in ImageMagick re-uses objects after they have been destroyed, which allows remote attackers to have unspecified impact via unspecified vectors. | |||||
| CVE-2024-5452 | 1 Lightningai | 1 Pytorch Lightning | 2024-10-09 | N/A | 9.8 CRITICAL |
| A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the `deepdiff` library. The library uses `deepdiff.Delta` objects to modify application state based on frontend actions. However, it is possible to bypass the intended restrictions on modifying dunder attributes, allowing an attacker to construct a serialized delta that passes the deserializer whitelist and contains dunder attributes. When processed, this can be exploited to access other modules, classes, and instances, leading to arbitrary attribute write and total RCE on any self-hosted pytorch-lightning application in its default configuration, as the delta endpoint is enabled by default. | |||||
| CVE-2021-26276 | 1 Godaddy | 1 Node-config-shield | 2024-08-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| scripts/cli.js in the GoDaddy node-config-shield (aka Config Shield) package before 0.2.2 for Node.js calls eval when processing a set command. NOTE: the vendor reportedly states that this is not a vulnerability. The set command was not intended for use with untrusted data | |||||
| CVE-2022-4318 | 3 Fedoraproject, Kubernetes, Redhat | 8 Extra Packages For Enterprise Linux, Fedora, Cri-o and 5 more | 2024-05-03 | N/A | 7.8 HIGH |
| A vulnerability was found in cri-o. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable. | |||||
| CVE-2006-7079 | 1 Exv2 | 1 Content Management System | 2024-01-26 | 6.8 MEDIUM | 9.8 CRITICAL |
| Variable extraction vulnerability in include/common.php in exV2 2.0.4.3 and earlier allows remote attackers to overwrite arbitrary program variables and conduct directory traversal attacks to execute arbitrary code by modifying the $xoopsOption['pagetype'] variable. | |||||
| CVE-2012-2055 | 1 Github | 1 Github | 2024-01-21 | 5.0 MEDIUM | 7.5 HIGH |
| GitHub Enterprise before 20120304 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the public_key[user_id] value via a modified URL for the public-key update form, related to a "mass assignment" vulnerability. | |||||
| CVE-2023-31032 | 1 Nvidia | 2 Dgx A100, Dgx A100 Firmware | 2024-01-19 | N/A | 5.5 MEDIUM |
| NVIDIA DGX A100 SBIOS contains a vulnerability where a user may cause a dynamic variable evaluation by local access. A successful exploit of this vulnerability may lead to denial of service. | |||||
| CVE-2023-43177 | 1 Crushftp | 1 Crushftp | 2023-11-29 | N/A | 9.8 CRITICAL |
| CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes. | |||||
| CVE-2023-5763 | 1 Eclipse | 1 Glassfish | 2023-11-13 | N/A | 9.8 CRITICAL |
| In Eclipse Glassfish 5 or 6, running with old versions of JDK (lower than 6u211, or < 7u201, or < 8u191), allows remote attackers to load malicious code on the server via access to insecure ORB listeners. | |||||
| CVE-2022-25265 | 2 Linux, Netapp | 17 Linux Kernel, Baseboard Management Controller Firmware, H300e and 14 more | 2023-11-09 | 4.4 MEDIUM | 7.8 HIGH |
| In the Linux kernel through 5.16.10, certain binary files may have the exec-all attribute if they were built in approximately 2003 (e.g., with GCC 3.2.2 and Linux kernel 2.4.20). This can cause execution of bytes located in supposedly non-executable regions of a file. | |||||
| CVE-2020-3419 | 1 Cisco | 1 Webex Meetings Server | 2023-11-07 | 6.4 MEDIUM | 9.1 CRITICAL |
| A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to join a Webex session without appearing on the participant list. This vulnerability is due to improper handling of authentication tokens by a vulnerable Webex site. An attacker could exploit this vulnerability by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site. A successful exploit requires the attacker to have access to join a Webex meeting, including applicable meeting join links and passwords. The attacker could then exploit this vulnerability to join meetings, without appearing in the participant list, while having full access to audio, video, chat, and screen sharing capabilities. | |||||
| CVE-2022-25355 | 1 Ec-cube | 1 Ec-cube | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users. | |||||