CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

27 Jun 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WPBean WPB Category Slider for WooCommerce allows PHP Local File Inclusion. ... This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve ... • https://patchstack.com/database/wordpress/plugin/wpb-woocommerce-category-slider/vulnerability/wordpress-wpb-category-slider-for-woocommerce-plugin-1-71-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

27 Jun 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in devnex Devnex Addons For Elementor allows PHP Local File Inclusion. ... This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code... • https://patchstack.com/database/wordpress/plugin/devnex-addons-for-elementor/vulnerability/wordpress-devnex-addons-for-elementor-plugin-1-0-9-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

CVSS: 9.4 • EPSS: 0% • CPEs: - • EXPL: 1

26 Jun 2025 — An authenticated attacker can inject arbitrary operating system commands, which are executed with root privileges, leading to remote code execution. • https://vulncheck.com/advisories/optilink-ont1gew-router-rce • CWE-20: Improper Input Validation • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 2

26 Jun 2025 — Successful exploitation could enable remote code execution on the affected server, leading to complete compromise of the web application and potentially the underlying system. • https://github.com/M0ge/CNVD-2021-49104-Fanwei-Eoffice-fileupload/blob/main/eoffice_fileupload.py • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

26 Jun 2025 — A remote command injection vulnerability exists in the confirm.php interface of the WIFISKY 7-layer Flow Control Router via a specially-crafted HTTP GET request to the t parameter. • https://s4e.io/tools/wifisky-7-layer-flow-control-router-remote-code-execution • CWE-20: Improper Input Validation • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 10.0 • EPSS: 0% • CPEs: - • EXPL: 1

26 Jun 2025 — A remote command injection vulnerability exists in Vacron Network Video Recorder (NVR) devices v1.4 due to improper input sanitization in the board.cgi script. ... These commands are executed with the privileges of the web server process, enabling remote code execution and potential full device compromise. • https://ssd-disclosure.com/ssd-advisory-vacron-nvr-remote-command-execution • CWE-20: Improper Input Validation • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 9.4 • EPSS: 0% • CPEs: - • EXPL: 3

26 Jun 2025 — Successful exploitation results in remote code execution with root privileges. • https://vulncheck.com/advisories/beward-n100-remote-command-execution • CWE-20: Improper Input Validation • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 8.7 • EPSS: 0% • CPEs: 1 • EXPL: 0

26 Jun 2025 — A remote code execution vulnerability was discovered in LLaMA-Factory versions up to and including 0.9.3 during the LLaMA-Factory training process. This vulnerability arises because the `vhead_file` is loaded without proper safeguards, allowing malicious attackers to execute arbitrary malicious code on the host system simply by passing a malicious `Checkpoint path` parameter through the `WebUI` interface. • https://github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-xj56-p8mm-qmxj • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-502: Deserialization of Untrusted Data

CVSS: 8.9 • EPSS: 0% • CPEs: 1 • EXPL: 0

26 Jun 2025 — A threat actor who uses a carefully crafted message that exploits this character conversion can cause remote code execution. • https://github.com/dataease/dataease/security/advisories/GHSA-x97w-69ff-r55q • CWE-153: Improper Neutralization of Substitution Characters

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

26 Jun 2025 — This makes it possible for authenticated attackers, with Editor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')