| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Snuffleupagus is a module that raises the cost of attacks against website by killing bug classes and providing a virtual patching system. On deployments of Snuffleupagus prior to version 0.13.0 with the non-default upload validation feature enabled and configured to use one of the upstream validation scripts based on Vulcan Logic Disassembler (VLD) while the VLD extension is not available to the CLI SAPI, all files from multipart POST requests are evaluated as PHP code. The issue was fixed in version 0.13.0. |
| Trivy Vulnerability Scanner is a VS Code extension that helps find vulnerabilities. In Trivy VSCode Extension version 1.8.12, which was distributed via OpenVSX marketplace was compromised and contained malicious code designed to leverage local AI coding agent to collect and exfiltrate sensitive information. Users using the affected artifact are advised to immediately remove it and rotate environment secrets. The malicious artifact has been removed from the marketplace. No other affected artifacts have been identified. |
| On SimStudio version below to 0.5.74, the `/api/auth/oauth/token` endpoint contains a code path that bypasses all authorization checks when provided with `credentialAccountUserId` and `providerId` parameters. An unauthenticated attacker can retrieve OAuth access tokens for any user by supplying their user ID and a provider name, effectively stealing credentials to third-party services. |
| A Improper Control of Generation of Code ('Code Injection') vulnerability in plugin management in iota C.ai Conversational Platform from 1.0.0 through 2.1.3 allows remote authenticated users to perform arbitrary system commands via a DLL file. |
| A improper verification of cryptographic signature vulnerability in plugin management in iota C.ai Conversational Platform from 1.0.0 through 2.1.3 allows remote authenticated users to load a malicious DLL via upload plugin function. |
| Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the craft.app.fs.write() method, an attacker can write a malicious PHP script to a web-accessible directory and subsequently access it via the browser to execute arbitrary system commands. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1. |
| Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, you need to either have allowAdminChanges enabled on production, or a compromised admin account, or an account with access to the System Messages utility. Several PHP functions are not included in the blocklist, which could allow malicious actors with the required permissions to execute various types of payloads, including RCEs, arbitrary file reads, SSRFs, and SSTIs. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1. |
| An Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Portwell Engineering Toolkits version 4.8.2 could allow a local authenticated attacker to read and write to arbitrary memory via the Portwell Engineering Toolkits driver. Successful exploitation of this vulnerability could result in escalation of privileges or cause a denial-of-service condition. |
| WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corruption of charging network data reported to the backend. |
| WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corruption of charging network data reported to the backend. |
| WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corruption of charging network data reported to the backend. |
| WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corruption of charging network data reported to the backend. |
| WebSocket endpoints lack proper authentication mechanisms, enabling
attackers to perform unauthorized station impersonation and manipulate
data sent to the backend. An unauthenticated attacker can connect to the
OCPP WebSocket endpoint using a known or discovered charging station
identifier, then issue or receive OCPP commands as a legitimate charger.
Given that no authentication is required, this can lead to privilege
escalation, unauthorized control of charging infrastructure, and
corruption of charging network data reported to the backend. |
| Enterprise Cloud Database developed by Ragic has a Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fixed key to generate verification information and log into the system as any user. |
| Qwik is a performance focused javascript framework. qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where require() is available at runtime. This vulnerability is fixed in 1.19.1. |
| DobryCMS's upload file functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can result in Remote Code Execution.
This issue was fixed in versions above 5.0. |
| n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, a second-order expression injection vulnerability existed in n8n's Form nodes that could allow an unauthenticated attacker to inject and evaluate arbitrary n8n expressions by submitting crafted form data. When chained with an expression sandbox escape, this could escalate to remote code execution on the n8n host. The vulnerability requires a specific workflow configuration to be exploitable. First, a form node with a field interpolating a value provided by an unauthenticated user, e.g. a form submitted value. Second, the field value must begin with an `=` character, which caused n8n to treat it as an expression and triggered a double-evaluation of the field content. There is no practical reason for a workflow designer to prefix a field with `=` intentionally — the character is not rendered in the output, so the result would not match the designer's expectations. If added accidentally, it would be noticeable and very unlikely to persist. An unauthenticated attacker would need to either know about this specific circumstance on a target instance or discover a matching form by chance. Even when the preconditions are met, the expression injection alone is limited to data accessible within the n8n expression context. Escalation to remote code execution requires chaining with a separate sandbox escape vulnerability. The issue has been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Review usage of form nodes manually for above mentioned preconditions, disable the Form node by adding `n8n-nodes-base.form` to the `NODES_EXCLUDE` environment variable, and/or disable the Form Trigger node by adding `n8n-nodes-base.formTrigger` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures. |
| SEPPmail Secure Email Gateway before version 15.0.1 insufficiently neutralizes the PDF encryption password, allowing OS command execution. |
| The GINA web interface in SEPPmail Secure Email Gateway before version 15.0.1 does not properly check attachment filenames in GINA-encrypted emails, allowing an attacker to access files on the gateway. |
| Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, exposes a .NET Remoting service that is insufficiently protected against deserialization of arbitrary types. This can lead to remote code execution. |
