58944 results (0.033 seconds)

CVSS: 9.5EPSS: %CPEs: -EXPL: 0

06 Jul 2025 — Remote attackers can execute arbitrary code in the context of the vulnerable service process. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35903 •

CVSS: 10.0EPSS: 0%CPEs: -EXPL: 0

04 Jul 2025 — Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson Easy Stripe allows Remote Code Inclusion. • https://patchstack.com/database/wordpress/plugin/easy-stripe/vulnerability/wordpress-easy-stripe-1-1-remote-code-execution-rce-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 8.1EPSS: 0%CPEs: -EXPL: 0

04 Jul 2025 — Tunnelblick 3.5beta06 before 7.0, when incompletely uninstalled, allows attackers to execute arbitrary code as root (upon the next boot) by dragging a crafted Tunnelblick.app file into /Applications. • https://tunnelblick.net/cCVE-2025-43711.html • CWE-459: Incomplete Cleanup •

CVSS: -EPSS: 0%CPEs: -EXPL: 1

04 Jul 2025 — WordPress Migration, Backup, Staging – WPvivid Backup and Migration plugin versions 0.9.116 and below are vulnerable to arbitrary file uploads due to missing file type validation in the wpvivid_upload_import_files function. This allows authenticated attackers (Administrator-level and above) to upload arbitrary files to the server, potentially enabling remote code execution. • https://packetstorm.news/files/id/205244 •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2

03 Jul 2025 — An unauthenticated remote code execution vulnerability exists in Remote for Mac, a macOS remote control utility developed by Aexol Studio, in versions up to and including 2025.7. ... This allows unauthenticated remote attackers to inject arbitrary AppleScript payloads via the X-Script HTTP header, resulting in code execution using do shell script. Successful exploitation grants attackers the ability to run arbitrary commands on the macOS host with the privileges of ... • https://vulncheck.com/advisories/remote-for-mac-rce • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-306: Missing Authentication for Critical Function •

CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 2

03 Jul 2025 — An authenticated command injection vulnerability exists in Pi-hole versions up to 3.3. When adding a domain to the allowlist via the web interface, the domain parameter is not properly sanitized, allowing an attacker to append OS commands to the domain string. These commands are executed on the underlying operating system with the privileges of the Pi-hole service user. This behavior was present in the legacy AdminLTE interface and has since been patched in later versions. Existe una vulnerabilidad de inyec... • https://vulncheck.com/advisories/pihole-adminlte-whitelist-rce • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 2

03 Jul 2025 — An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php functionality allows authenticated users to execute arbitrary OS commands via the select_ips parameter when performing network tools operations, such as pinging. • https://vulncheck.com/advisories/pandora-fms-rce-via-ping • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 1

03 Jul 2025 — An unauthenticated attacker with network access to a vulnerable device can inject arbitrary commands, leading to remote code execution with elevated privileges. • https://vulncheck.com/advisories/igel-os-secure-terminal-shadow-rce • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2

03 Jul 2025 — Bolt CMS versions 3.7.0 and earlier contain a chain of vulnerabilities that together allow an authenticated user to achieve remote code execution. A user with valid credentials can inject arbitrary PHP code into the displayname field of the user profile, which is rendered unsanitized in backend templates. ... By renaming a .session file to a path under the publicly accessible /files/ directory with a .php extension, the attacker can turn the injected code into an ex... • https://boltcms.io/newsitem/major-announcements-bolt-3-eol-bolt-4-2-5-0-releases • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 9.8EPSS: 0%CPEs: -EXPL: 1

03 Jul 2025 — A backdoor in PHPStudy versions 2016 through 2018 allows unauthenticated remote attackers to execute arbitrary PHP code on affected installations. ... This leads to remote code execution as the web server user, compromising the affected system. • https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/phpstudy_backdoor_rce.rb • CWE-94: Improper Control of Generation of Code ('Code Injection') •