Total
6324 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-9154 | 2026-04-15 | N/A | ||
| A code injection vulnerability in HMS Networks Ewon Flexy 205 allows executing commands on system level on the device. This issue affects Ewon Flexy 205: through 14.8s0 (#2633). | ||||
| CVE-2024-46962 | 1 Google | 1 Android | 2026-04-15 | 9.1 Critical |
| The SYQ com.downloader.video.fast (aka Master Video Downloader) application through 2.0 for Android allows an attacker to execute arbitrary JavaScript code via the com.downloader.video.fast.SpeedMainAct component. | ||||
| CVE-2024-39715 | 1 Veeam | 1 Service Provider Console | 2026-04-15 | N/A |
| A code injection vulnerability that allows a low-privileged user with REST API access granted to remotely upload arbitrary files to the VSPC server using REST API, leading to remote code execution on VSPC server. | ||||
| CVE-2024-3995 | 1 Perforce | 1 Helix Alm | 2026-04-15 | N/A |
| In Helix ALM versions prior to 2024.2.0, a local command injection was identified. Reported by Bryan Riggins. | ||||
| CVE-2025-4767 | 2026-04-15 | 5.3 Medium | ||
| A vulnerability was found in defog-ai introspect up to 0.1.4. It has been rated as critical. Affected by this issue is the function test_custom_tool of the file introspect/backend/integration_routes.py of the component Test Endpoint. The manipulation of the argument input_model leads to code injection. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-13486 | 2 Hwk-fr, Wordpress | 2 Advanced Custom Fields, Wordpress | 2026-04-15 | 9.8 Critical |
| The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts. | ||||
| CVE-2025-42922 | 1 Sap | 4 Java As, Netweaver, Netweaver Java and 1 more | 2026-04-15 | 9.9 Critical |
| SAP NetWeaver AS Java allows an attacker authenticated as a non-administrative user to use a flaw in an available service to upload an arbitrary file. This file when executed can lead to a full compromise of confidentiality, integrity and availability of the system. | ||||
| CVE-2024-22632 | 1 Setor | 1 Sil | 2026-04-15 | 9.8 Critical |
| Setor Informatica Sistema Inteligente para Laboratorios (S.I.L.) 388 was discovered to contain a remote code execution (RCE) vulnerability via the hmsg parameter. This vulnerability is triggered via a crafted POST request. | ||||
| CVE-2025-15130 | 2026-04-15 | 4.7 Medium | ||
| A vulnerability has been found in shanyu SyCms up to a242ef2d194e8bb249dc175e7c49f2c1673ec921. This issue affects the function addPost of the file Application/Admin/Controller/FileManageController.class.php of the component Administrative Panel. The manipulation leads to code injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. This product adopts a rolling release strategy to maintain continuous delivery The project was informed of the problem early through an issue report but has not responded yet. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2021-41527 | 2026-04-15 | N/A | ||
| An error related to the 2-factor authorization (2FA) on the RISC Platform prior to the saas-2021-12-29 release can potentially be exploited to bypass the 2FA. The vulnerability requires that the 2FA setup hasn’t been completed. | ||||
| CVE-2024-46639 | 1 Evolutionscript | 1 Helpdeskz | 2026-04-15 | 7.6 High |
| A cross-site scripting (XSS) vulnerability in HelpDeskZ v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name text field of Custom Fields message box. | ||||
| CVE-2025-27429 | 2026-04-15 | 9.9 Critical | ||
| SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. | ||||
| CVE-2024-21832 | 2026-04-15 | 3.5 Low | ||
| A potential JSON injection attack vector exists in PingFederate REST API data stores using the POST method and a JSON request body. | ||||
| CVE-2025-1337 | 2026-04-15 | 3.5 Low | ||
| A vulnerability was found in Eastnets PaymentSafe 2.5.26.0. It has been classified as problematic. This affects an unknown part of the component BIC Search. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 2.5.27.0 is able to address this issue. | ||||
| CVE-2024-29309 | 1 Alfresco | 1 Alfresco Content Services | 2026-04-15 | 7.7 High |
| An issue in Alfresco Content Services v.23.3.0.7 allows a remote attacker to execute arbitrary code via the Transfer Service. | ||||
| CVE-2024-9639 | 1 Abb | 3 Aspect Enterprise, Matrix Series, Nexus Series | 2026-04-15 | 8 High |
| Remote Code Execution vulnerabilities are present in ASPECT if session administra-tor credentials become compromised. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03. | ||||
| CVE-2025-0618 | 2026-04-15 | 6.5 Medium | ||
| A malicious third party could invoke a persistent denial of service vulnerability in FireEye EDR agent by sending a specially-crafted tamper protection event to the HX service to trigger an exception. This exception will prevent any further tamper protection events from being processed, even after a reboot of HX. | ||||
| CVE-2025-1085 | 2026-04-15 | 4.3 Medium | ||
| A vulnerability, which was classified as problematic, was found in Animati PACS up to 1.24.12.09.03. This affects an unknown part of the file /login. The manipulation of the argument p leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-39017 | 1 Agreejs Shared | 1 Agreejs Shared | 2026-04-15 | 9.8 Critical |
| agreejs shared v0.0.1 was discovered to contain a prototype pollution via the function mergeInternalComponents. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | ||||
| CVE-2024-46964 | 1 Google | 1 Android | 2026-04-15 | 8.1 High |
| The com.video.downloader.all (aka All Video Downloader) application through 11.28 for Android allows an attacker to execute arbitrary JavaScript code via the com.video.downloader.all.StartActivity component. | ||||