
CVE-2024-8156 – Command Injection in significant-gravitas/autogpt
https://notcve.org/view.php?id=CVE-2024-8156
20 Mar 2025 — A command injection vulnerability exists in the workflow-checker.yml workflow of significant-gravitas/autogpt. The untrusted user input `github.head.ref` is used insecurely, allowing an attacker to inject arbitrary commands. This vulnerability affects versions up to and including the latest version. An attacker can exploit this by creating a branch name with a malicious payload and opening a pull request, potentially leading to reverse shell access or theft of sensitive tokens and keys. • https://github.com/significant-gravitas/autogpt/commit/1df7d527dd37dff8363dc162fb58d300f072e302 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-0185 – Pandas Query Injection in langgenius/dify
https://notcve.org/view.php?id=CVE-2025-0185
20 Mar 2025 — A vulnerability in the Dify Tools' Vanna module of the langgenius/dify repository allows for a Pandas Query Injection in the latest version. The vulnerability occurs in the function `vn.get_training_plan_generic(df_information_schema)`, which does not properly sanitize user inputs before executing queries using the Pandas library. This can potentially lead to Remote Code Execution (RCE) if exploited. • https://huntr.com/bounties/7d9eb9b2-7b86-45ed-89bd-276c1350db7e • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-7990 – Stored Cross-Site Scripting in open-webui/open-webui
https://notcve.org/view.php?id=CVE-2024-7990
20 Mar 2025 — This allows an attacker to inject malicious scripts that can be executed by any user, including administrators, potentially leading to arbitrary code execution. • https://huntr.com/bounties/2256e336-0f67-449e-a82d-7fc57081a21c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-57061
https://notcve.org/view.php?id=CVE-2024-57061
19 Mar 2025 — An issue in Termius versions 9.9.0 through 9.16.0 allows a physically proximate attacker to execute arbitrary code via the insecure Electron Fuses configuration. • https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-29401
https://notcve.org/view.php?id=CVE-2025-29401
19 Mar 2025 — An arbitrary file upload vulnerability in the component /views/plugin.php of emlog pro v2.5.7 allows attackers to execute arbitrary code via uploading a crafted PHP file. • https://github.com/bGl1o/emlogpro/blob/main/emlog%20pro2.5.7-getshell.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-55551
https://notcve.org/view.php?id=CVE-2024-55551
19 Mar 2025 — An issue was discovered in Exasol jdbc driver 24.2.0. Attackers can inject malicious parameters into the JDBC URL, triggering JNDI injection during the process when the JDBC Driver uses this URL to connect to the database. This can further lead to remote code execution vulnerability. An issue was discovered in Exasol JDBC driver before 24.2.1 (2024-12-10). Attackers can inject malicious parameters into the JDBC URL, triggering JNDI injection during the process when the JDBC Driver uses this URL to connect t... • https://docs.exasol.com/db/latest/connect_exasol/drivers/jdbc.htm • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-471: Modification of Assumed-Immutable Data (MAID) •

CVE-2025-2491 – Dromara ujcms Edit Template File Page WebFileTemplateController.java update cross site scripting
https://notcve.org/view.php?id=CVE-2025-2491
18 Mar 2025 — A vulnerability classified as problematic has been found in Dromara ujcms 9.7.5. This affects the function update of the file /main/java/com/ujcms/cms/ext/web/backendapi/WebFileTemplateController.java of the component Edit Template File Page. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/dromara/ujcms/issues/14 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-2490 – Dromara ujcms File Upload WebFileUploadController.java upload cross site scripting
https://notcve.org/view.php?id=CVE-2025-2490
18 Mar 2025 — A vulnerability was found in Dromara ujcms 9.7.5. It has been rated as problematic. Affected by this issue is the function uploadZip/upload of the file /main/java/com/ujcms/cms/ext/web/backendapi/WebFileUploadController.java of the component File Upload. The manipulation leads to cross site scripting. The attack may be launched remotely. • https://github.com/dromara/ujcms/issues/12 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-21760
https://notcve.org/view.php?id=CVE-2024-21760
18 Mar 2025 — An improper control of generation of code ('Code Injection') vulnerability [CWE-94] in FortiSOAR Connector FortiSOAR 7.4 all versions, 7.3 all versions, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an authenticated attacker to execute arbitrary code on the host via a playbook code snippet. • https://fortiguard.fortinet.com/psirt/FG-IR-23-420 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-1398 – macOS TCC Bypass via Code Injection
https://notcve.org/view.php?id=CVE-2025-1398
17 Mar 2025 — Mattermost Desktop App versions <=5.10.0 explicitly declared unnecessary macOS entitlements which allows an attacker with remote access to bypass Transparency, Consent, and Control (TCC) via code injection. • https://mattermost.com/security-updates • CWE-426: Untrusted Search Path •