
CVSS: 8.2 | EPSS: 0% | CPEs: 1 | EXPL: 0

15 Jul 2025 — An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the implementation of the VMSVGA virtual device. ... An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. • https://www.oracle.com/security-alerts/cpujul2025.html • CWE-284: Improper Access Control •

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Jul 2025 — An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system remote code execution. • https://github.com/pyload/pyload/commit/909e5c97885237530d1264cfceb5555870eb9546 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 9.9 | EPSS: 1% | CPEs: 3 | EXPL: 0

14 Jul 2025 — XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 4.2-milestone-1 and prior to versions 13.10.11, 14.4.7, and 14.10, the default macro content parser doesn't preserve the restricted attribute of the transformation context when executing nested macros. This allows executing macros that are normally forbidden in restricted mode, in particular script macros. The cache and chart macros that a... • https://github.com/xwiki/xwiki-rendering/commit/c73fa3ccd4ac59057e48e5d4325f659e78e8f86d • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-863: Incorrect Authorization •

CVSS: 10.0 | EPSS: 16% | CPEs: 1 | EXPL: 1

14 Jul 2025 — Versions prior to 2.8.1 are vulnerable to Server-Side Template Injection (SSTI), which could potentially lead to Remote Code Execution (RCE) in vulnerable configurations. Attackers could execute arbitrary commands on the server, access sensitive environment variables, and/or escalate access depending on server configuration. • https://github.com/B1ack4sh/Blackash-CVE-2025-53833 • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •

CVSS: 9.7 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Jul 2025 — Prior to version 0.24.3, an unauthenticated preview deployment vulnerability in Dokploy allows any user to execute arbitrary code and access sensitive environment variables by simply opening a pull request on a public repository. This exposes secrets and potentially enables remote code execution, putting all public Dokploy users using these preview deployments at risk. • https://github.com/Dokploy/dokploy/commit/1977235d313824b9764f1a06785fb7f73ab7eba2 • CWE-862: Missing Authorization •

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 2

14 Jul 2025 — This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. ... This allows unauthenticated attackers to upload arbitrary files to the server, potentially leading to remote code execution. • https://packetstorm.news/files/id/206540 • CWE-434: Unrestricted Upload of File with Dangerous Type •
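The upload gate the entry above is missing, as an added example rather than code from the affected plugin: it assumes a handler that receives the temporary path of an uploaded file and the client-supplied file name, and it rejects executable extensions (including double extensions and case variants), checks the sniffed MIME type against the extension, and stores the file under a server-generated name. The sample files and names are constructed.

```php
<?php
// Added example, not code from the plugin in the advisory above. Assumed:
// an upload handler that gets the $_FILES tmp path and the client's name.

// Anything the web server might execute if it lands under the docroot.
const EXECUTABLE_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8',
                               'phtml', 'phar', 'phps', 'htaccess'];

// Extension allowlist and the MIME type libmagic must report for each.
const ALLOWED_TYPES = ['pdf' => 'application/pdf', 'png' => 'image/png',
                       'jpg' => 'image/jpeg', 'txt' => 'text/plain'];

// "shell.php.pdf" and ".htaccess" both count: every dotted segment after
// the stem is checked, case-insensitively.
function has_executable_extension(string $name): bool {
    $parts = explode('.', strtolower(basename($name)));
    array_shift($parts);                       // drop the stem
    foreach ($parts as $segment) {
        if (in_array($segment, EXECUTABLE_EXTENSIONS, true)) {
            return true;
        }
    }
    return false;
}

// Returns the name to store the file under, or null to reject it. The
// stored name is generated, so nothing from the client reaches the path.
function accept_upload(string $tmp_path, string $client_name): ?string {
    if (has_executable_extension($client_name)) {
        return null;
    }
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmp_path) !== ALLOWED_TYPES[$ext]) {
        return null;                           // content disagrees with extension
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed samples: a minimal PDF, and PHP source that will be offered
// under several disguised names.
$dir = sys_get_temp_dir() . '/upload-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . '/a', "%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n");
file_put_contents($dir . '/b', "<?php system(\$_GET['cmd']);\n");

$cases = [
    ['a', 'report.pdf'],       // genuine PDF under its own extension
    ['b', 'shell.php'],        // executable extension
    ['b', 'shell.php.pdf'],    // double extension
    ['b', 'shell.pdf'],        // PHP source hidden behind an allowed extension
    ['b', 'shell.PhP'],        // case variant
];
foreach ($cases as [$file, $name]) {
    $stored = accept_upload($dir . '/' . $file, $name);
    printf("%-14s -> %s\n", $name, $stored === null ? 'rejected' : 'stored as ' . $stored);
}
```

Two caveats: a file that is simultaneously a valid image and valid PHP passes both checks, so uploads still belong outside the document root or in a directory where the server is configured not to execute scripts; and none of this substitutes for the authorization check whose absence makes the advisory's upload unauthenticated.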

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Jul 2025 — This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). • https://plugins.trac.wordpress.org/changeset/3326887/ht-contactform/trunk/admin/Includes/Api/Endpoints/Submission.php?contextall=1&old=3316109&old_path=%2Fht-contactform%2Ftrunk%2Fadmin%2FIncludes%2FApi%2FEndpoints%2FSubmission.php • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Jul 2025 — This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://plugins.trac.wordpress.org/browser/ht-contactform/trunk/admin/Includes/Services/FileManager.php#L107 • CWE-269: Improper Privilege Management •

CVSS: 9.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Jul 2025 — This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://themeforest.net/item/alone-charity-multipurpose-nonprofit-wordpress-theme/15019939 • CWE-73: External Control of File Name or Path •
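The three entries above (the ht-contactform move and delete endpoints and the Alone theme delete) share one shape: a request parameter is joined onto a base directory and handed to rename() or unlink(). The following is an added example, not code from those projects, showing that vulnerable pattern next to a hardened resolver shared by delete and move; the endpoint, the parameter name and the directory layout are assumptions, and the files are constructed under a temporary directory so it runs offline.

```php
<?php
// Added example, not code from ht-contactform, the Alone theme or any other
// project on this page. Assumed: a plugin endpoint takes a user-supplied
// "file" value and deletes or moves a file under a submissions directory.

// Constructed layout: a submissions directory, an archive directory and a
// sibling wp-config.php standing in for the WordPress root.
$root    = sys_get_temp_dir() . '/wp-demo-' . bin2hex(random_bytes(4));
$uploads = $root . '/wp-content/uploads/submissions';
$archive = $root . '/wp-content/uploads/archive';
mkdir($uploads, 0700, true);
mkdir($archive, 0700, true);
file_put_contents($uploads . '/entry-1.txt', "submission\n");
file_put_contents($root . '/wp-config.php', "<?php // site secrets\n");

// Vulnerable pattern: the request value is joined onto the base directory
// unchecked, so "../../../wp-config.php" walks out of it. The same bug in a
// rename() call is the arbitrary-file-move variant.
function delete_vulnerable(string $uploads, string $file): bool {
    $path = $uploads . '/' . $file;
    return is_file($path) && unlink($path);
}

// File types the endpoint legitimately manages.
const ALLOWED_EXTENSIONS = ['txt', 'csv', 'pdf', 'png', 'jpg'];

// A bare file name: starts with an alphanumeric, contains no separators,
// NUL bytes or control characters, and carries an allowed extension.
function is_plain_name(string $name): bool {
    if (preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,100}\z/', $name) !== 1) {
        return false;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true);
}

// Hardened resolver shared by delete and move: canonicalise and require the
// result to stay inside the base directory. realpath() follows symlinks, so
// a link planted in the directory and pointing outside is rejected as well.
function resolve_submission(string $base_dir, string $file): ?string {
    $base = realpath($base_dir);
    if ($base === false || !is_plain_name($file)) {
        return null;
    }
    $path = realpath($base . '/' . $file);
    if ($path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function delete_safe(string $uploads, string $file): bool {
    $path = resolve_submission($uploads, $file);
    return $path !== null && unlink($path);
}

// Move: the source must resolve inside $uploads, the destination name must
// be a plain name inside $archive, and existing targets are never
// overwritten, so the endpoint cannot be used to clobber other files.
function move_safe(string $uploads, string $archive, string $file, string $new_name): bool {
    $src     = resolve_submission($uploads, $file);
    $dst_dir = realpath($archive);
    if ($src === null || $dst_dir === false || !is_plain_name($new_name)) {
        return false;
    }
    $dst = $dst_dir . DIRECTORY_SEPARATOR . $new_name;
    if (file_exists($dst)) {
        return false;
    }
    return rename($src, $dst);
}

$traversal = '../../../wp-config.php';
$config    = $root . '/wp-config.php';

printf("vulnerable delete of traversal input: %s\n",
       delete_vulnerable($uploads, $traversal) ? 'deleted' : 'refused');
printf("wp-config.php still present: %s\n", file_exists($config) ? 'yes' : 'no');

file_put_contents($config, "<?php // site secrets\n");   // restore for the next run
printf("hardened delete of traversal input: %s\n",
       delete_safe($uploads, $traversal) ? 'deleted' : 'refused');
printf("wp-config.php still present: %s\n", file_exists($config) ? 'yes' : 'no');
printf("hardened move of a real submission: %s\n",
       move_safe($uploads, $archive, 'entry-1.txt', 'entry-1.txt') ? 'moved' : 'refused');
printf("hardened delete of a file that is gone: %s\n",
       delete_safe($uploads, 'entry-1.txt') ? 'deleted' : 'refused');
```

The prefix check compares against the canonical base plus a separator, not the bare base, so a sibling directory such as submissions-old does not pass; the name allowlist is deliberately stricter than "no ../" filtering, which is what these advisories show being bypassed. The resolver also does nothing about who may call the endpoint: the advisories are unauthenticated, so the capability and nonce checks belong in front of it.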

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Jul 2025 — This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution. • https://themeforest.net/item/alone-charity-multipurpose-nonprofit-wordpress-theme/15019939 • CWE-862: Missing Authorization •