Search Results (6779 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-29154 2026-04-15 6.5 Medium
HTML injection vulnerability in lemeconsultoria HCM galera.app v.4.58.0 allows an attacker to execute arbitrary code via the .galera.app/ted/solicitacao_treinamento/, .galera.app/rh/metas/perspectiva_estrategica/edicao/, .galera.app/rh/cadastros/perspectivas/listagem/adc/, .galera.app/escolaridade/listagem/, .galera.app/estados_civis/cadastro/, .galera.app/nivel_hierarquico/listagem/, .galera.app/nivel_decisorio/cadastro/, .galera.app/escolaridade/cadastro/, .galera.app/nivel_decisorio/listagem/, .galera.app/rh/cadastros/perspectivas/listagem/, .galera.app/empresas_grupo/cadastro/, .galera.app/empresas/edicao/, .galera.app/liais/listagem/, .galera.app/noticias/listagem/, .galera.app/gerenciamento-de-ciclo/abertura/cadastrar, .galera.app/colaborador/cadastro/cursos/adc/edicao/, .galera.app/colaborador/cadastro/adc/, .galera.app/cads_aux/escalact/, .galera.app/ncf/tec/cadastro/ct/ .galera.app/rh/metas/painel/, .galera.app/rh/metas/equipe/edicao/, .galera.app/rh/pdi/tipo_recursos/edicao/, .galera.app/rh/pdi/familia_recursos/cadastro/, .galera.app/rh/pdi/fornecedores/edicao/, and .galera.app/rh/pdi/recursos/cadastro/ components.
CVE-2025-37146 1 Hpe 1 Arubaos 2026-04-15 7.2 High
A vulnerability in the web-based management interface of network access point configuration services could allow an authenticated remote attacker to perform remote command execution. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system.
CVE-2025-37166 1 Hpe 1 Aruba Instant On 2026-04-15 7.5 High
A vulnerability affecting HPE Networking Instant On Access Points has been identified where a device processing a specially crafted packet could enter a non-responsive state, in some cases requiring a hard reset to re-establish services. A malicious actor could leverage this vulnerability to conduct a Denial-of-Service attack on a target network.
CVE-2025-3864 2026-04-15 N/A
Hackney fails to properly release HTTP connections to the pool after handling 307 Temporary Redirect responses. Remote attackers can exploit this to exhaust connection pools, causing denial of service in applications using the library. Fix for this issue has been included inĀ 1.24.0 release.
CVE-2025-27513 2026-04-15 7.5 High
OpenTelemetry dotnet is a dotnet telemetry framework. A vulnerability in OpenTelemetry.Api package 1.10.0 to 1.11.1 could cause a Denial of Service (DoS) when a tracestate and traceparent header is received. Even if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage. This issue impacts any application accessible over the web or backend services that process HTTP requests containing a tracestate header. Application may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime. This vulnerability is fixed in 1.11.2.
CVE-2025-27421 2026-04-15 7.5 High
Abacus is a highly scalable and stateless counting API. A critical goroutine leak vulnerability has been identified in the Abacus server's Server-Sent Events (SSE) implementation. The issue occurs when clients disconnect from the /stream endpoint, as the server fails to properly clean up resources and terminate associated goroutines. This leads to resource exhaustion where the server continues running but eventually stops accepting new SSE connections while maintaining high memory usage. The vulnerability specifically involves improper channel cleanup in the event handling mechanism, causing goroutines to remain blocked indefinitely. This vulnerability is fixed in 1.4.0.
CVE-2025-2733 1 Mannaandpoem 1 Openmanus 2026-04-15 6.3 Medium
A vulnerability classified as critical has been found in mannaandpoem OpenManus up to 2025.3.13. This affects an unknown part of the file app/tool/python_execute.py of the component Prompt Handler. The manipulation leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-29606 2026-04-15 4.3 Medium
py-libp2p before 0.2.3 allows a peer to cause a denial of service (resource consumption) via a large RSA key.
CVE-2025-1549 2 Microsoft, Watchguard 3 Windows, Mobile Vpn With Ssl, Mobile Vpn With Ssl Client 2026-04-15 N/A
A local privilege escalation vulnerability in the WatchGuard Mobile VPN with SSL client on Windows enables a local user to execute arbitrary commands with elevated privileges on the Windows system. This vulnerability is an additional unmitigated attack path for CVE-2024-4944. This vulnerability is resolved in the Mobile VPN with SSL client for Windows version 12.11.5
CVE-2025-15474 1 Auntyfey 1 Smart Combination Lock 2026-04-15 N/A
AuntyFey Smart Combination Lock firmware versions as of 2025-12-24 contain a vulnerability that allows an unauthenticated attacker within Bluetooth Low Energy (BLE) range to cause a denial of service by repeatedly initiating BLE connections. Sustained connection attempts interrupt keypad authentication input and repeatedly force the device into lockout states, preventing legitimate users from unlocking the device.
CVE-2025-1546 2026-04-15 7.3 High
A vulnerability has been found in BDCOM Behavior Management and Auditing System up to 20250210 and classified as critical. Affected by this vulnerability is the function log_operate_clear of the file /webui/modules/log/operate.mds. The manipulation of the argument start_code leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-47188 2026-04-15 6.5 Medium
A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones through 6.4 SP4 (R6.4.0.4006), and the 6970 Conference Unit through 6.4 SP4 (R6.4.0.4006) or version V1 R0.1.0, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit could allow an attacker to execute arbitrary commands within the context of the phone, leading to disclosure or modification of sensitive configuration data or affecting device availability and operation.
CVE-2025-14204 2026-04-15 6.3 Medium
A vulnerability has been found in TykoDev cherry-studio-TykoFork 0.1. This issue affects the function redirectToAuthorization of the file /.well-known/oauth-authorization-server of the component OAuth Server Discovery. Such manipulation of the argument authorizationUrl leads to os command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-14188 1 Ugreen 1 Dh2100+ 2026-04-15 7.2 High
A security vulnerability has been detected in UGREEN DH2100+ up to 5.3.0.251125. This impacts the function handler_file_backup_create of the file /v1/file/backup/create of the component nas_svr. The manipulation of the argument path leads to command injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading the affected component is advised.
CVE-2025-14184 1 Sgai 1 Space1 Nas N1211ds 2026-04-15 6.3 Medium
A vulnerability was determined in SGAI Space1 NAS N1211DS up to 1.0.915. Impacted is the function RENAME_FILE/OPERATE_FILE/NGNIX_UPLOAD of the file /cgi-bin/JSONAPI of the component gsaiagent. This manipulation causes command injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-13165 1 Digiwin 1 Easyflow Gp 2026-04-15 7.5 High
EasyFlow GP developed by Digiwin has a Denial of service vulnerability, allowing unauthenticated remote attackers to send specific requests that result in denial of web service.
CVE-2025-48978 1 Ui 1 Edgeswitch 2026-04-15 7.5 High
An Improper Input Validation in EdgeMAX EdgeSwitch (Version 1.11.0 and earlier) could allow a Command Injection by a malicious actor with access to EdgeSwitch adjacent network. Affected Products: EdgeMAX EdgeSwitch (Version 1.11.0 and earlier) Mitigation: Update the EdgeMAX EdgeSwitch to Version 1.11.1 or later.
CVE-2025-11921 1 Bjango 1 Istats 2026-04-15 N/A
iStats contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via command injection.This issue affects iStats: 7.10.4.
CVE-2025-11488 1 D-link 1 Dir-852 2026-04-15 7.3 High
A weakness has been identified in D-Link DIR-852 up to 20251002. This affects an unknown part of the file /HNAP1/. Executing manipulation can lead to command injection. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2025-49140 2026-04-15 7.5 High
Pion Interceptor is a framework for building RTP/RTCP communication software. Versions v0.1.36 through v0.1.38 contain a bug in a RTP packet factory that can be exploited to trigger a panic with Pion based SFU via crafted RTP packets, This only affect users that use pion/interceptor. Users should upgrade to v0.1.39 or later, which validates that: `padLen > 0 && padLen <= payloadLength` and return error on overflow, avoiding panic. If upgrading is not possible, apply the patch from the pull request manually or drop packets whose P-bit is set but whose padLen is zero or larger than the remaining payload.