CVSS: 6.3 | EPSS: % | CPEs: 1 | EXPL: 0

14 Aug 2025 — The Inpersttion For Theme plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0 via the theme_section_shortcode() function. ... This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server which is limited to arbitrary functions without any user supplied parameters. • https://www.wordfence.com/threat-intel/vulnerabilities/id/cd4dc8ab-792b-41ff-a7b9-77a11c02d91b?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 9.8 | EPSS: % | CPEs: 1 | EXPL: 0

14 Aug 2025 — The Icons Factory plugin for WordPress is vulnerable to Arbitrary File Deletion due to insufficient authorization and improper path validation within the delete_files() function in all versions up to, and including, 1.6.12. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://www.wordfence.com/threat-intel/vulnerabilities/id/24f31bbf-883f-4903-847a-7bfc3e45654c?source=cve • CWE-285: Improper Authorization •

CVSS: 9.8 | EPSS: % | CPEs: 1 | EXPL: 0

14 Aug 2025 — The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.20.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://www.wordfence.com/threat-intel/vulnerabilities/id/6e2e294f-904b-4674-8baf-d3a9a260d634?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 10.0 | EPSS: % | CPEs: 2 | EXPL: 0

14 Aug 2025 — A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to inject arbitrary shell commands that are executed by the device.... A successful exploit could allow the attacker to execute commands at a high privilege level. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-radius-rce-TNBKf79

CVSS: 6.4 | EPSS: % | CPEs: 94 | EXPL: 0

14 Aug 2025 — A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xss-JtNmcusP •

CVSS: 9.8 | EPSS: % | CPEs: 5 | EXPL: 0

14 Aug 2025 — A security issue exists due to the web-based debugger agent enabled on Rockwell Automation ControlLogix® Ethernet Modules. If a specific IP address is used to connect to the WDB agent, it can allow remote attackers to perform memory dumps, modify memory, and control execution flow. • https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1732.html • CWE-1188: Initialization of a Resource with an Insecure Default •

CVSS: 10.0 | EPSS: % | CPEs: 4 | EXPL: 0

14 Aug 2025 — Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to generate a plain-format dump. • https://www.postgresql.org/support/security/CVE-2025-8714 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •

CVSS: 10.0 | EPSS: 0% | CPEs: - | EXPL: 0

14 Aug 2025 — The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. ... This combination allows unauthenticated network attackers to execute unsandboxed OS commands. • https://research.jfrog.com/vulnerabilities/flowise-os-command-remote-code-execution-jfsa-2025-001380578 •

CVSS: 10.0 | EPSS: 0% | CPEs: - | EXPL: 0

14 Aug 2025 — User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request. • https://research.jfrog.com/vulnerabilities/flowise-js-injection-remote-code-exection-jfsa-2025-001379925 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 9.8 | EPSS: 0% | CPEs: - | EXPL: 0

14 Aug 2025 — An issue was discovered in phome Empirebak 2010 in ebak2008/upload/class/config.php allowing attackers to execute arbitrary code when the config file was loaded. • https://www.yuque.com/lcc316/df0kgm/bfzpfvb6yaat45nt •