Total
264 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-32931 | 2025-04-15 | 9.1 Critical | ||
| DevDojo Voyager 1.4.0 through 1.8.0, when Laravel 8 or later is used, allows authenticated administrators to execute arbitrary OS commands via a specific php artisan command. | ||||
| CVE-2022-47926 | 1 Ayacms Project | 1 Ayacms | 2025-04-15 | 9.8 Critical |
| AyaCMS 3.1.2 is vulnerable to file deletion via /aya/module/admin/fst_del.inc.php | ||||
| CVE-2022-46883 | 1 Mozilla | 1 Firefox | 2025-04-15 | 8.8 High |
| Mozilla developers Gabriele Svelto, Yulia Startsev, Andrew McCreight and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 106. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.<br />*Note*: This advisory was added on December 13th, 2022 after discovering it was inadvertently left out of the original advisory. The fix was included in the original release of Firefox 107. This vulnerability affects Firefox < 107. | ||||
| CVE-2016-4476 | 2 Canonical, W1.fi | 3 Ubuntu Linux, Hostapd, Wpa Supplicant | 2025-04-12 | 7.5 High |
| hostapd 0.6.7 through 2.5 and wpa_supplicant 0.6.7 through 2.5 do not reject \n and \r characters in passphrase parameters, which allows remote attackers to cause a denial of service (daemon outage) via a crafted WPS operation. | ||||
| CVE-2016-10033 | 3 Joomla, Phpmailer Project, Wordpress | 3 Joomla\!, Phpmailer, Wordpress | 2025-04-12 | 9.8 Critical |
| The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property. | ||||
| CVE-2014-8639 | 2 Mozilla, Redhat | 5 Firefox, Firefox Esr, Seamonkey and 2 more | 2025-04-12 | N/A |
| Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 do not properly interpret Set-Cookie headers within responses that have a 407 (aka Proxy Authentication Required) status code, which allows remote HTTP proxy servers to conduct session fixation attacks by providing a cookie name that corresponds to the session cookie of the origin server. | ||||
| CVE-2014-3514 | 2 Redhat, Rubyonrails | 2 Rhel Software Collections, Rails | 2025-04-12 | N/A |
| activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls. | ||||
| CVE-2016-7966 | 4 Debian, Fedoraproject, Kde and 1 more | 4 Debian Linux, Fedora, Kmail and 1 more | 2025-04-12 | N/A |
| Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plaintext viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content. | ||||
| CVE-2016-4477 | 1 Google | 1 Android | 2025-04-12 | N/A |
| wpa_supplicant 0.4.0 through 2.5 does not reject \n and \r characters in passphrase parameters, which allows local users to trigger arbitrary library loading and consequently gain privileges, or cause a denial of service (daemon outage), via a crafted (1) SET, (2) SET_CRED, or (3) SET_NETWORK command. | ||||
| CVE-2024-39930 | 1 Gogs | 1 Gogs | 2025-04-11 | 9.9 Critical |
| The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected. | ||||
| CVE-2024-39933 | 1 Gogs | 1 Gogs | 2025-04-10 | 7.7 High |
| Gogs through 0.13.0 allows argument injection during the tagging of a new release. | ||||
| CVE-2022-4864 | 1 Froxlor | 1 Froxlor | 2025-04-09 | 5.4 Medium |
| Argument Injection in GitHub repository froxlor/froxlor prior to 2.0.0-beta1. | ||||
| CVE-2007-0882 | 2 Oracle, Sun | 2 Solaris, Sunos | 2025-04-09 | N/A |
| Argument injection vulnerability in the telnet daemon (in.telnetd) in Solaris 10 and 11 (SunOS 5.10 and 5.11) misinterprets certain client "-f" sequences as valid requests for the login program to skip authentication, which allows remote attackers to log into certain accounts, as demonstrated by the bin account. | ||||
| CVE-2006-6597 | 1 Hilgraeve | 1 Hyperaccess | 2025-04-09 | N/A |
| Argument injection vulnerability in HyperAccess 8.4 allows user-assisted remote attackers to execute arbitrary vbscript and commands via the /r option in a telnet:// URI, which is configured to use hawin32.exe. | ||||
| CVE-2006-4692 | 1 Microsoft | 2 Windows Server 2003, Windows Xp | 2025-04-09 | N/A |
| Argument injection vulnerability in the Windows Object Packager (packager.exe) in Microsoft Windows XP SP1 and SP2 and Server 2003 SP1 and earlier allows remote user-assisted attackers to execute arbitrary commands via a crafted file with a "/" (slash) character in the filename of the Command Line property, followed by a valid file extension, which causes the command before the slash to be executed, aka "Object Packager Dialogue Spoofing Vulnerability." | ||||
| CVE-2024-3775 | 1 Aenrich | 1 A\+hrd | 2025-04-08 | 5.3 Medium |
| aEnrich Technology a+HRD's functionality for downloading files using youtube-dl.exe does not properly restrict user input. This allows attackers to pass arbitrary arguments to youtube-dl.exe, leading to the download of partial unauthorized files. | ||||
| CVE-2006-2056 | 1 Microsoft | 2 Internet Explorer, Windows Xp | 2025-04-03 | N/A |
| Argument injection vulnerability in Internet Explorer 6 for Windows XP SP2 allows user-assisted remote attackers to modify command line arguments to an invoked mail client via " (double quote) characters in a mailto: scheme handler, as demonstrated by launching Microsoft Outlook with an arbitrary filename as an attachment. NOTE: it is not clear whether this issue is implementation-specific or a problem in the Microsoft API. | ||||
| CVE-2006-2055 | 1 Microsoft | 1 Outlook | 2025-04-03 | N/A |
| Argument injection vulnerability in Microsoft Outlook 2003 SP1 allows user-assisted remote attackers to modify command line arguments to an invoked mail client via " (double quote) characters in a mailto: scheme handler, as demonstrated by launching Microsoft Outlook with an arbitrary filename as an attachment. NOTE: it is not clear whether this issue is implementation-specific or a problem in the Microsoft API. | ||||
| CVE-2004-0121 | 1 Microsoft | 2 Office, Outlook | 2025-04-03 | N/A |
| Argument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them as arguments when calling OUTLOOK.EXE, which allows remote attackers to use script code in the Local Machine zone and execute arbitrary programs. | ||||
| CVE-2006-1865 | 1 Beagle Project | 1 Beagle | 2025-04-03 | N/A |
| Argument injection vulnerability in Beagle before 0.2.5 allows attackers to execute arbitrary commands via crafted filenames that inject command line arguments when Beagle launches external helper applications while indexing. | ||||