
CVE-2024-9920 – Unrestricted File Upload and Execution in parisneo/lollms-webui
https://notcve.org/view.php?id=CVE-2024-9920
20 Mar 2025 — The vulnerability arises from the use of 'subprocess.Popen' to open files without proper validation, leading to potential remote code execution. • https://huntr.com/bounties/c70c6732-23b3-4ef8-aec6-0a47467d1ed5 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-9701 – Remote Code Execution in kedro-org/kedro
https://notcve.org/view.php?id=CVE-2024-9701
20 Mar 2025 — A Remote Code Execution (RCE) vulnerability has been identified in the Kedro ShelveStore class (version 0.19.8). This vulnerability allows an attacker to execute arbitrary Python code via deserialization of malicious payloads, potentially leading to a full system compromise. ... Crafting a malicious payload and storing it in the shelve file can lead to RCE when the payload is deserialized. • https://github.com/kedro-org/kedro/commit/d79fa51de55ac0ccb58cce1a482df1b445f0fe7c • CWE-502: Deserialization of Untrusted Data •

CVE-2024-12044 – Remote Code Execution by Pickle Deserialization in open-mmlab/mmdetection
https://notcve.org/view.php?id=CVE-2024-12044
20 Mar 2025 — A remote code execution vulnerability exists in open-mmlab/mmdetection version v3.3.0. ... This allows an attacker to execute arbitrary code by broadcasting a malicious payload to the distributed training network. • https://huntr.com/bounties/f7e4fc32-e167-49fb-9fc7-f092b9c27e8a • CWE-502: Deserialization of Untrusted Data •

CVE-2024-7033 – Arbitrary File Write in open-webui/open-webui
https://notcve.org/view.php?id=CVE-2024-7033
20 Mar 2025 — This can result in overwriting critical system or application files, causing denial of service, or potentially achieving remote code execution (RCE). RCE can allow an attacker to execute malicious code with the privileges of the user running the application, leading to a full system compromise. • https://huntr.com/bounties/7078261f-8414-4bb7-9d72-a2a4d8bfd5d1 • CWE-29: Path Traversal: '\..\filename' •

CVE-2024-10190 – Unauthenticated Remote Code Execution in ElasticRendezvousHandler in horovod/horovod
https://notcve.org/view.php?id=CVE-2024-10190
20 Mar 2025 — Horovod versions up to and including v0.28.1 are vulnerable to unauthenticated remote code execution. ... This allows an attacker to send a malicious pickle object via a PUT request, leading to arbitrary code execution on the server. • https://huntr.com/bounties/3e398d1f-70c2-4e05-ae22-f5d66b19a754 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2024-8060 – Remote Code Execution in OpenWebUI via Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-8060
20 Mar 2025 — This can be exploited by an authenticated user to overwrite critical files within the Docker container, potentially leading to remote code execution as the root user. • https://huntr.com/bounties/a3b1a4b7-c723-496d-842c-844cc0988fe9 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-10901 – Arbitrary File Write via DuckDB SQL Injection in eosphoros-ai/db-gpt
https://notcve.org/view.php?id=CVE-2024-10901
20 Mar 2025 — In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /api/v1/editor/chart/run` allows execution of arbitrary SQL queries without any access control. ... This can potentially lead to Remote Code Execution (RCE) by writing malicious files such as `__init__.py` in the Python `/site-packages/` directory. • https://huntr.com/bounties/db2c1d59-6e3a-4553-a1f6-94c8df162a18 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-8502 – Remote Code Execution via Deserialization in modelscope/agentscope
https://notcve.org/view.php?id=CVE-2024-8502
20 Mar 2025 — A vulnerability in the RpcAgentServerLauncher class of modelscope/agentscope v0.0.6a3 allows for remote code execution (RCE) via deserialization of untrusted data using the dill library. • https://huntr.com/bounties/7a42da2a-2ae5-442d-aff9-c9a3b47870eb • CWE-502: Deserialization of Untrusted Data •

CVE-2024-9053 – Remote Code Execution in vllm-project/vllm
https://notcve.org/view.php?id=CVE-2024-9053
20 Mar 2025 — This can result in remote code execution by deserializing malicious pickle data. • https://huntr.com/bounties/75a544f3-34a3-4da0-b5a3-1495cb031e09 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2024-10835 – Arbitrary File Write via SQL Injection in eosphoros-ai/db-gpt
https://notcve.org/view.php?id=CVE-2024-10835
20 Mar 2025 — In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /api/v1/editor/sql/run` allows execution of arbitrary SQL queries without any access control. ... This can potentially lead to Remote Code Execution (RCE). • https://huntr.com/bounties/e32fda74-ca83-431c-8de8-08274ba686c9 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •