Search Results (6952 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-21577 2026-04-15 10 Critical
ComfyUI-Ace-Nodes is vulnerable to Code Injection. The ACE_ExpressionEval node contains an eval() in its entrypoint function that accepts arbitrary user-controlled data. A user can create a workflow that results in executing arbitrary code on the server.
CVE-2024-22020 2 Nodejs, Redhat 2 Nodejs, Enterprise Linux 2026-04-15 6.5 Medium
A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers.
CVE-2024-23727 1 Kamivision 1 Yi Iot 2026-04-15 8.4 High
The YI Smart Kami Vision com.kamivision.yismart application through 1.0.0_20231219 for Android allows a remote attacker to execute arbitrary JavaScript code via an implicit intent to the com.ants360.yicamera.activity.WebViewActivity component.
CVE-2024-24294 1 Blackprint 1 Blackprint Engine 2026-04-15 9.8 Critical
A Prototype Pollution issue in Blackprint @blackprint/engine v.0.9.0 allows an attacker to execute arbitrary code via the _utils.setDeepProperty function of engine.min.js.
CVE-2024-27627 1 Supercali 1 Supercali 2026-04-15 6.1 Medium
A reflected cross-site scripting (XSS) vulnerability exists in SuperCali version 1.1.0, allowing remote attackers to execute arbitrary JavaScript code via the email parameter in the bad_password.php page.
CVE-2024-28397 1 Js2py 1 Js2py Disable Pyimport 2026-04-15 5.3 Medium
An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call.
CVE-2024-31974 1 Solarized 1 Firedown Browser And Downloader 2026-04-15 6.3 Medium
The com.solarized.firedown (aka Solarized FireDown Browser & Downloader) application 1.0.76 for Android allows a remote attacker to execute arbitrary JavaScript code via a crafted intent. com.solarized.firedown.IntentActivity uses a WebView component to display web content and doesn't adequately sanitize the URI or any extra data passed in the intent by any installed application (with no permissions).
CVE-2024-33644 1 Wpcustomify 1 Customify Site Library 2026-04-15 9.9 Critical
Improper Control of Generation of Code ('Code Injection') vulnerability in WPCustomify Customify Site Library allows Code Injection.This issue affects Customify Site Library: from n/a through 0.0.9.
CVE-2024-34947 2026-04-15 9.4 Critical
Quanxun Huiju Network Technology (Beijing) Co.,Ltd IK-Q3000 3.7.10 x64 Build202401261655 was discovered to be vulnerable to an ICMP redirect attack.
CVE-2024-35226 1 Smarty-php 1 Smarty 2026-04-15 7.3 High
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. In affected versions template authors could inject php code by choosing a malicious file name for an extends-tag. Sites that cannot fully trust template authors should update asap. All users are advised to update. There is no patch for users on the v3 branch. There are no known workarounds for this vulnerability.
CVE-2024-36361 2026-04-15 6.8 Medium
Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.
CVE-2024-3734 1 Pluginus 1 Fox - Currency Switcher Professional For Woocommerce 2026-04-15 6.5 Medium
The FOX – Currency Switcher Professional for WooCommerce plugin is vulnerable to Unauthenticated Arbitrary Shortcode Execution in versions up to, and including, 1.4.1.8. This allows unauthenticated attackers to execute arbitrary shortcodes. The severity and exploitability depends on what other plugins are installed and what shortcode functionality they provide.
CVE-2024-37405 1 Rocket.chat 1 Rocket.chat 2026-04-15 N/A
Livechat messages can be leaked by combining two NoSQL injections affecting livechat:loginByToken (pre-authentication) and livechat:loadHistory.
CVE-2024-37855 1 Nepstech 1 Ntpl-xpon1gfevn Firmware 2026-04-15 8.4 High
An issue in Nepstech Wifi Router xpon (terminal) NTPL-Xpon1GFEVN, hardware verstion 1.0 firmware 2.0.1 allows a remote attacker to execute arbitrary code via the router's Telnet port 2345 without requiring authentication credentials.
CVE-2024-37860 1 Open Robotics 3 Nav2 Humble, Ros2 Humble, Ros2 Navigation2 2026-04-15 7.3 High
Buffer Overflow vulnerability in Open Robotic Operating System 2 ROS2 navigation2- ROS2-humble&& navigation2-humble allows a local attacker to execute arbitrary code via a crafted .yaml file to the nav2_amcl process
CVE-2024-37862 1 Open Robotic 3 Navigation2 Humble, Ros2 Humble, Ros2 Navigation2 2026-04-15 7.3 High
Buffer Overflow vulnerability in Open Robotic Robotic Operating System 2 ROS2 navigation2- ROS2-humble&& navigation2-humble allows a local attacker to execute arbitrary code via a crafted .yaml file to the nav2_planner process.
CVE-2024-38448 2026-04-15 9.1 Critical
htags in GNU Global through 6.6.12 allows code execution in situations where dbpath (aka -d) is untrusted, because shell metacharacters may be used.
CVE-2024-40516 1 H3c 1 Rc3000 Firmware 2026-04-15 8.8 High
An issue in H3C Technologies Co., Limited H3C Magic RC3000 RC3000V100R009 allows a remote attacker to execute arbitrary code via the Routing functionality.
CVE-2024-4135 2 Joomunited, Wordpress 2 Wp Latest Posts, Wordpress 2026-04-15 5.4 Medium
The WP Latest Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.0.7. This is due to the plugin allowing users to execute an action that does not properly validate a user-supplied value prior to using that value in a call to do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
CVE-2024-4144 2 Wordpress, Wpkube 2 Wordpress, Simple Basic Contact Form 2026-04-15 6.5 Medium
The Simple Basic Contact Form plugin for WordPress for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 20240502. This allows unauthenticated attackers to execute arbitrary shortcodes. The severity and exploitability depends on the functionality of other plugins installed in the environment.