Export limit exceeded: 346620 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 13912 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10205 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-36008 | 1 Microsoft | 1 Edge Chromium | 2025-10-08 | 6.6 Medium |
| Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | ||||
| CVE-2023-36034 | 1 Microsoft | 1 Edge Chromium | 2025-10-08 | 7.3 High |
| Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | ||||
| CVE-2023-36437 | 1 Microsoft | 1 Azure Pipelines Agent | 2025-10-08 | 8.8 High |
| Azure DevOps Server Remote Code Execution Vulnerability | ||||
| CVE-2023-38151 | 1 Microsoft | 2 Host Integration Server, Ole Db Provider | 2025-10-08 | 8.8 High |
| Microsoft Host Integration Server 2020 Remote Code Execution Vulnerability | ||||
| CVE-2023-36423 | 1 Microsoft | 14 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 11 more | 2025-10-08 | 8.8 High |
| Microsoft Remote Registry Service Remote Code Execution Vulnerability | ||||
| CVE-2023-36425 | 1 Microsoft | 14 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 11 more | 2025-10-08 | 8 High |
| Windows Distributed File System (DFS) Remote Code Execution Vulnerability | ||||
| CVE-2023-36439 | 1 Microsoft | 1 Exchange Server | 2025-10-08 | 8 High |
| Microsoft Exchange Server Remote Code Execution Vulnerability | ||||
| CVE-2023-38177 | 1 Microsoft | 2 Sharepoint Enterprise Server, Sharepoint Server | 2025-10-08 | 6.1 Medium |
| Microsoft SharePoint Server Remote Code Execution Vulnerability | ||||
| CVE-2025-59334 | 1 Mohammadzain2008 | 1 Linkr | 2025-10-08 | 9.7 Critical |
| Linkr is a lightweight file delivery system that downloads files from a webserver. Linkr versions through 2.0.0 do not verify the integrity or authenticity of .linkr manifest files before using their contents, allowing a tampered manifest to inject arbitrary file entries into a package distribution. An attacker can modify a generated .linkr manifest (for example by adding a new entry with a malicious URL) and when a user runs the extract command the client downloads the attacker-supplied file without verification. This enables arbitrary file injection and creates a potential path to remote code execution if a downloaded malicious binary or script is later executed. Version 2.0.1 adds a manifest integrity check that compares the checksum of the original author-created manifest to the one being extracted and aborts on mismatch, warning if no original manifest is hosted. Users should update to 2.0.1 or later. As a workaround prior to updating, use only trusted .linkr manifests, manually verify manifest integrity, and host manifests on trusted servers. | ||||
| CVE-2025-59304 | 1 Swetrix | 1 Swetrix | 2025-10-08 | 9.8 Critical |
| A directory traversal issue in Swetrix Web Analytics API 3.1.1 before 7d8b972 allows a remote attacker to achieve Remote Code Execution via a crafted HTTP request. | ||||
| CVE-2025-51482 | 1 Letta | 1 Letta | 2025-10-07 | 8.8 High |
| Remote Code Execution in letta.server.rest_api.routers.v1.tools.run_tool_from_source in letta-ai Letta 0.7.12 allows remote attackers to execute arbitrary Python code and system commands via crafted payloads to the /v1/tools/run endpoint, bypassing intended sandbox restrictions. | ||||
| CVE-2024-46479 | 1 Venki | 1 Supravizio Bpm | 2025-10-07 | 9.9 Critical |
| Venki Supravizio BPM through 18.0.1 was discovered to contain an arbitrary file upload vulnerability. An authenticated attacker may upload a malicious file, leading to remote code execution. | ||||
| CVE-2025-32012 | 1 Jellyfin | 1 Jellyfin | 2025-10-06 | 7.5 High |
| Jellyfin is an open source self hosted media server. In versions 10.9.0 to before 10.10.7, the /System/Restart endpoint provides administrators the ability to restart their Jellyfin server. This endpoint is intended to be admins-only, but it also authorizes requests from any device in the same local network as the Jellyfin server. Due to the method Jellyfin uses to determine the source IP of a request, an unauthenticated attacker is able to spoof their IP to appear as a LAN IP, allowing them to restart the Jellyfin server process without authentication. This means that an unauthenticated attacker could mount a denial-of-service attack on any default-configured Jellyfin server by simply sending the same spoofed request every few seconds to restart the server over and over. This method of IP spoofing also bypasses some security mechanisms, cause a denial-of-service attack, and possible bypass the admin restart requirement if combined with remote code execution. This issue is patched in version 10.10.7. | ||||
| CVE-2025-31499 | 1 Jellyfin | 1 Jellyfin | 2025-10-06 | 8.8 High |
| Jellyfin is an open source self hosted media server. Versions before 10.10.7 are vulnerable to argument injection in FFmpeg. This can be leveraged to possibly achieve remote code execution by anyone with credentials to a low-privileged user. This vulnerability was previously reported in CVE-2023-49096 and patched in version 10.8.13, but the patch can be bypassed. The original fix sanitizes some parameters to make injection impossible, but certain unsanitized parameters can still be used for argument injection. The same unauthenticated endpoints are vulnerable: /Videos/<itemId>/stream and /Videos/<itemId>/stream.<container>, likely alongside similar endpoints in AudioController. This argument injection can be exploited to achieve arbitrary file write, leading to possible remote code execution through the plugin system. While the unauthenticated endpoints are vulnerable, a valid itemId is required for exploitation and any authenticated attacker could easily retrieve a valid itemId to make the exploit work. This vulnerability is patched in version 10.10.7. | ||||
| CVE-2025-56769 | 1 Hutool | 1 Hutool | 2025-10-03 | 6.5 Medium |
| An issue was discovered in chinabugotech hutool before 5.8.4 allowing attackers to execute arbitrary expressions that lead to arbitrary method invocation and potentially remote code execution (RCE) via the QLExpressEngine class. | ||||
| CVE-2025-24797 | 1 Meshtastic | 2 Firmware, Meshtastic Firmware | 2025-10-03 | 9.4 Critical |
| Meshtastic is an open source mesh networking solution. A fault in the handling of mesh packets containing invalid protobuf data can result in an attacker-controlled buffer overflow, allowing an attacker to hijack execution flow, potentially resulting in remote code execution. This attack does not require authentication or user interaction, as long as the target device rebroadcasts packets on the default channel. This vulnerability fixed in 2.6.2. | ||||
| CVE-2025-1497 | 1 Mljar | 1 Plotai | 2025-10-03 | 9.8 Critical |
| A vulnerability, that could result in Remote Code Execution (RCE), has been found in PlotAI. Lack of validation of LLM-generated output allows attacker to execute arbitrary Python code. Vendor commented out vulnerable line, further usage of the software requires uncommenting it and thus accepting the risk. The vendor does not plan to release a patch to fix this vulnerability. | ||||
| CVE-2024-45434 | 1 Opensynergy | 1 Blue Sdk | 2025-10-02 | 9.8 Critical |
| OpenSynergy BlueSDK (aka Blue SDK) through 6.x has a Use-After-Free. The specific flaw exists within the BlueSDK Bluetooth stack. The issue results from the lack of validating the existence of an object before performing operations on the object (aka use after free). An attacker can leverage this to achieve remote code execution in the context of a user account under which the Bluetooth process runs. | ||||
| CVE-2024-1243 | 1 Wazuh | 1 Wazuh | 2025-10-01 | 7.2 High |
| Improper input validation in the Wazuh agent for Windows prior to version 4.8.0 allows an attacker with control over the Wazuh server or agent key to configure the agent to connect to a malicious UNC path. This results in the leakage of the machine account NetNTLMv2 hash, which can be relayed for remote code execution or used to escalate privileges to SYSTEM via AD CS certificate forging and other similar attacks. | ||||
| CVE-2024-7490 | 1 Microchip | 1 Advanced Software Framework | 2025-09-29 | 9.8 Critical |
| Improper Input Validation vulnerability in Microchip Techology Advanced Software Framework example DHCP server can cause remote code execution through a buffer overflow. This vulnerability is associated with program files tinydhcpserver.C and program routines lwip_dhcp_find_option. This issue affects Advanced Software Framework: through 3.52.0.2574. ASF is no longer being supported. Apply provided workaround or migrate to an actively maintained framework. | ||||