Search Results (14101 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-4260 1 Godaddy 1 Coblocks 2025-05-16 6.5 Medium
The Page Builder Gutenberg Blocks WordPress plugin before 3.1.12 does not prevent users from pinging arbitrary hosts via some of its shortcodes, which could allow high privilege users such as contributors to perform SSRF attacks.
CVE-2024-24113 1 Xuxueli 1 Xxl-job 2025-05-15 8.8 High
xxl-job =< 2.4.1 has a Server-Side Request Forgery (SSRF) vulnerability, which causes low-privileged users to control executor to RCE.
CVE-2023-42282 2 Fedorindutny, Redhat 6 Ip, Migration Toolkit Virtualization, Network Observ Optr and 3 more 2025-05-15 9.8 Critical
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
CVE-2023-45213 1 Westermo 2 L206-f2g, L206-f2g Firmware 2025-05-15 6.6 Medium
A potential attacker with access to the Westermo Lynx device would be able to execute malicious code that could affect the correct functioning of the device.
CVE-2022-42902 2 Debian, Linaro 2 Debian Linux, Lava 2025-05-15 8.8 High
In Linaro Automated Validation Architecture (LAVA) before 2022.10, there is dynamic code execution in lava_server/lavatable.py. Due to improper input sanitization, an anonymous user can force the lava-server-gunicorn service to execute user-provided code on the server.
CVE-2022-41497 1 Clippercms 1 Clippercms 2025-05-15 9.8 Critical
ClipperCMS 1.3.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the pkg_url parameter at /manager/index.php.
CVE-2022-41496 1 Idreamsoft 1 Icms 2025-05-15 9.8 Critical
iCMS v7.0.16 was discovered to contain a Server-Side Request Forgery (SSRF) via the url parameter at admincp.php.
CVE-2022-41495 1 Clippercms 1 Clippercms 2025-05-15 9.8 Critical
ClipperCMS 1.3.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the rss_url_news parameter at /manager/index.php.
CVE-2022-41534 1 Online Diagnostic Lab Management System Project 1 Online Diagnostic Lab Management System 2025-05-15 7.2 High
Online Diagnostic Lab Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via the component /php_action/createOrder.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-40871 1 Dolibarr 1 Dolibarr Erp\/crm 2025-05-15 9.8 Critical
Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by eval.
CVE-2022-40469 1 Ikuai8 1 Ikuaios 2025-05-15 8.8 High
iKuai OS v3.6.7 was discovered to contain an authenticated remote code execution (RCE) vulnerability.
CVE-2024-46076 1 Ruoyi 1 Ruoyi 2025-05-15 9.8 Critical
RuoYi v4.7.9 and before has a security flaw that allows escaping from comments within the code generation feature, enabling the injection of malicious code.
CVE-2025-2377 1 Janobe 1 Vehicle Management System 2025-05-14 3.5 Low
A vulnerability was found in SourceCodester Vehicle Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /confirmbooking.php. The manipulation of the argument id leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory mentions contradicting product names.
CVE-2022-42149 1 Keking 1 Kkfileview 2025-05-14 9.8 Critical
kkFileView 4.0 is vulnerable to Server-side request forgery (SSRF) via controller\OnlinePreviewController.java.
CVE-2025-4470 1 Senior-walter 1 Online Student Clearance System 2025-05-14 2.4 Low
A vulnerability classified as problematic was found in SourceCodester Online Student Clearance System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/add-student.php. The manipulation of the argument Fullname leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
CVE-2019-10173 3 Oracle, Redhat, Xstream 15 Banking Platform, Business Activity Monitoring, Communications Billing And Revenue Management Elastic Charging Engine and 12 more 2025-05-14 9.8 Critical
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)
CVE-2025-4022 1 Webarena 1 Webarena 2025-05-14 6.3 Medium
A vulnerability was found in web-arena-x webarena up to 0.2.0. It has been declared as critical. This vulnerability affects the function HTMLContentEvaluator of the file webarena/evaluation_harness/evaluators.py. The manipulation of the argument target["url"] leads to code injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2015-2079 1 Webmin 1 Usermin 2025-05-14 9.9 Critical
Usermin 0.980 through 1.x before 1.660 allows uconfig_save.cgi sig_file_free remote code execution because it uses the two argument (not three argument) form of Perl open.
CVE-2024-20694 1 Microsoft 11 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 8 more 2025-05-14 5.5 Medium
Windows CoreMessaging Information Disclosure Vulnerability
CVE-2024-57436 1 Ruoyi 1 Ruoyi 2025-05-14 7.2 High
RuoYi v4.8.0 was discovered to allow unauthorized attackers to view the session ID of the admin in the system monitoring. This issue can allow attackers to impersonate Admin users via using a crafted cookie.