Total
3677 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-10382 | 2024-11-21 | N/A | 7.5 HIGH | ||
| There exists a code execution vulnerability in the Car App Android Jetpack Library. In the CarAppService desrialization logic is used that allows for arbitrary java classes to be constructed. In combination with other gadgets, this can lead to arbitrary code execution. An attacker needs to have an app on a victims Android device that uses the CarAppService Class and the victim would need to install a malicious app alongside it. We recommend upgrading the library past version 1.7.0-beta02 | |||||
| CVE-2024-10094 | 2024-11-21 | N/A | 9.1 CRITICAL | ||
| Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code | |||||
| CVE-2024-11491 | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability was found in 115cms up to 20240807. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /index.php/admin/web/useradmin.html. The manipulation of the argument ks leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-10899 | 2024-11-21 | N/A | 7.3 HIGH | ||
| The The WooCommerce Product Table Lite plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.8.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. The same 'id' parameter is vulnerable to Reflected Cross-Site Scripting as well. | |||||
| CVE-2024-6950 | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability, which was classified as critical, has been found in Prain up to 1.3.0. Affected by this issue is some unknown functionality of the file /?import of the component HTTP POST Request Handler. The manipulation of the argument file leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272072. | |||||
| CVE-2024-6947 | 1 Flute-cms | 1 Flute | 2024-11-21 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in Flute CMS 0.2.2.4-alpha. It has been rated as critical. This issue affects the function replaceContent of the file app/Core/Support/ContentParser.php of the component Notification Handler. The manipulation leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-272069 was assigned to this vulnerability. | |||||
| CVE-2024-6946 | 1 Flute-cms | 1 Flute | 2024-11-21 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in Flute CMS 0.2.2.4-alpha. It has been declared as critical. This vulnerability affects unknown code of the file /admin/pages/list. The manipulation of the argument blocks leads to code injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272068. | |||||
| CVE-2024-6940 | 1 Dedecms | 1 Dedecms | 2024-11-21 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in DedeCMS 5.7.114. It has been classified as critical. This affects an unknown part of the file article_template_rand.php. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-271995. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-6936 | 1 Formtools | 1 Form Tools | 2024-11-21 | 3.3 LOW | 2.7 LOW |
| A vulnerability, which was classified as problematic, has been found in formtools.org Form Tools 3.1.1. This issue affects some unknown processing of the file /admin/settings/index.php?page=accounts of the component Setting Handler. The manipulation of the argument Page Theme leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-271991. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-6923 | 2024-11-21 | N/A | 5.5 MEDIUM | ||
| There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. | |||||
| CVE-2024-6891 | 1 Journyx | 1 Journyx | 2024-11-21 | N/A | 8.8 HIGH |
| Attackers with a valid username and password can exploit a python code injection vulnerability during the natural login flow. | |||||
| CVE-2024-6726 | 2024-11-21 | N/A | 8.8 HIGH | ||
| Versions of Delphix Engine prior to Release 25.0.0.0 contain a flaw which results in Remote Code Execution (RCE). | |||||
| CVE-2024-6655 | 2024-11-21 | N/A | 7.0 HIGH | ||
| A flaw was found in the GTK library. Under certain conditions, it is possible for a library to be injected into a GTK application from the current working directory. | |||||
| CVE-2024-6507 | 2024-11-21 | N/A | 8.1 HIGH | ||
| Command injection when ingesting a remote Kaggle dataset due to a lack of input sanitization in the ingest_kaggle() API | |||||
| CVE-2024-6376 | 1 Mongodb | 1 Compass | 2024-11-21 | N/A | 7.0 HIGH |
| MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings with the usage of ejson shell parser in Compass' connection handling. This issue affects MongoDB Compass versions prior to version 1.42.2 | |||||
| CVE-2024-6345 | 2024-11-21 | N/A | 8.8 HIGH | ||
| A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. | |||||
| CVE-2024-6206 | 2024-11-21 | N/A | 7.5 HIGH | ||
| A security vulnerability has been identified in HPE Athonet Mobile Core software. The core application contains a code injection vulnerability where a threat actor could execute arbitrary commands with the privilege of the underlying container leading to complete takeover of the target system. | |||||
| CVE-2024-5834 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2024-11-21 | N/A | 8.8 HIGH |
| Inappropriate implementation in Dawn in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | |||||
| CVE-2024-5826 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| In the latest version of vanna-ai/vanna, the `vanna.ask` function is vulnerable to remote code execution due to prompt injection. The root cause is the lack of a sandbox when executing LLM-generated code, allowing an attacker to manipulate the code executed by the `exec` function in `src/vanna/base/base.py`. This vulnerability can be exploited by an attacker to achieve remote code execution on the app backend server, potentially gaining full control of the server. | |||||
| CVE-2024-5751 | 1 Litellm | 1 Litellm | 2024-11-21 | N/A | 9.8 CRITICAL |
| BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. The vulnerability exists in the `add_deployment` function, which decodes and decrypts environment variables from base64 and assigns them to `os.environ`. An attacker can exploit this by sending a malicious payload to the `/config/update` endpoint, which is then processed and executed by the server when the `get_secret` function is triggered. This requires the server to use Google KMS and a database to store a model. | |||||