An improper input validation vulnerability in Magento Open Source and Adobe Commerce allows unauthenticated remote attackers with network access via HTTP to achieve session takeover and unauthenticated remote code execution under certain conditions.
Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration) allows an unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing.
Dell Unity contains an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution.
CrushFTP, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
Wing FTP Server version 7.4.3 and prior is prone to remote code execution due to improper handling of null bytes in both the user and admin web interfaces. This flaw allows attackers to inject arbitrary Lua code into session files, which the server then executes with the privileges of the FTP service.
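The bug class behind that description is a mismatch between what a NUL-terminated (C-string) check sees and what a length-aware write stores. The following is an added illustration, not Wing FTP Server code: the session-file format, the username policy and the allowed-user set are assumptions, and the attacker input is constructed for the demonstration.

```python
import re

# Constructed attacker input (assumption, not from Wing FTP): a valid-looking
# name, a NUL byte, then a tail meant to land inside a Lua session file.
CONSTRUCTED_USERNAME = b"anonymous\x00'; os.execute('id') --"

# Hypothetical account table and username policy for the hardened path.
ALLOWED_USERS = {b"anonymous"}
USERNAME_RE = re.compile(rb"\A[A-Za-z0-9_.@-]{1,64}\Z")


def c_string_view(raw: bytes) -> bytes:
    """Mimic strlen()-style C code: the first NUL ends the string."""
    return raw.split(b"\x00", 1)[0]


def vulnerable_login(raw: bytes) -> str:
    """Bug class: authorise on the truncated view, persist the full buffer.

    Returns the line a hypothetical Lua-based session store would write.
    """
    if c_string_view(raw) not in ALLOWED_USERS:
        raise PermissionError("unknown user")
    # A length-aware copy (std::string, memcpy with the real length) keeps
    # the bytes after the NUL, so they end up inside the Lua file.
    return "username = '%s'\n" % raw.decode("latin-1")


def hardened_login(raw: bytes) -> str:
    """Validate the whole buffer before anything is serialised."""
    if b"\x00" in raw or not USERNAME_RE.fullmatch(raw):
        raise ValueError("invalid username")
    if raw not in ALLOWED_USERS:
        raise PermissionError("unknown user")
    return "username = '%s'\n" % raw.decode("ascii")


def hardened_rejects(raw: bytes) -> bool:
    """True when the hardened path refuses the input as malformed."""
    try:
        hardened_login(raw)
    except ValueError:
        return True
    return False


def lua_outside_value(session_line: str) -> str:
    """Text a Lua loader would parse as code after the quoted username."""
    m = re.match(r"username = '([^']*)'(.*)", session_line)
    return m.group(2).strip() if m else ""


if __name__ == "__main__":
    line = vulnerable_login(CONSTRUCTED_USERNAME)
    print("vulnerable path wrote:", repr(line))
    print("code outside the value:", lua_outside_value(line))
    print("hardened path rejects it:", hardened_rejects(CONSTRUCTED_USERNAME))
```

The check that matters is the one on the full buffer: rejecting NUL and any other byte outside the username policy before serialisation, and keeping validation and storage on the same length semantics.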
This module exploits a privilege escalation vulnerability in the way sudo handles the chroot parameter.
An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.
A PHP object deserialization vulnerability in Roundcube Webmail allows authenticated remote attackers to execute OS commands.
Vite exposes the content of non-allowed files using the ?inline&import or ?raw?import query suffixes. Only apps explicitly exposing the Vite dev server to the network (using --host or the server.host config option) are affected.
This module exploits an authentication bypass vulnerability in the CrushFTP WebInterface. Versions affected include 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. The vulnerability allows an unauthenticated attacker to bypass login by crafting a forged CrushAuth cookie and abusing the Authorization header. If a valid username is known (e.g., crushadmin), the attacker can: Retrieve a full list of users via getUserList.
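A defender reviewing access logs for this bypass can key on the two artifacts the description names: a CrushAuth session cookie and an Authorization header arriving together on the web interface, followed by a getUserList call. The triage check below is an added example, not part of the module or of CrushFTP. It assumes a JSON-lines access log with src, method, path and headers fields (adapt the field names to your proxy or server logging), assumes the web interface is normally authenticated by the CrushAuth cookie alone, and the AWS4-HMAC-SHA256 value in the constructed records is an assumption about the header's form, not something this page states.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed access-log records (not real traffic). Field names are an
# assumption; the first is a normal admin session, the second carries both
# a session cookie and an Authorization header, the third is S3-style
# traffic outside the web interface.
CONSTRUCTED_RECORDS = [
    {"src": "10.0.0.5", "method": "GET",
     "path": "/WebInterface/function/?command=getUserList&serverGroup=MainUsers",
     "headers": {"Cookie": "CrushAuth=1743000000000_abcdef; currentAuth=cdef"}},
    {"src": "198.51.100.7", "method": "GET",
     "path": "/WebInterface/function/?command=getUserList&serverGroup=MainUsers",
     "headers": {"Cookie": "CrushAuth=1743000000000_abcdef; currentAuth=cdef",
                 "Authorization": "AWS4-HMAC-SHA256 Credential=example/"}},
    {"src": "203.0.113.9", "method": "GET", "path": "/backup-bucket/",
     "headers": {"Authorization": "AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/"}},
]
CONSTRUCTED_LOG = "\n".join(json.dumps(r) for r in CONSTRUCTED_RECORDS)


def parse_cookies(header: str) -> dict:
    """Split a Cookie header into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def analyse(record: dict) -> list:
    """Return the reasons a single request looks like the bypass pattern."""
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    cookies = parse_cookies(headers.get("cookie", ""))
    path = record.get("path", "")
    query = parse_qs(urlsplit(path).query)
    reasons = []
    # Assumption: the web UI authenticates by cookie, so an Authorization
    # header on a /WebInterface/ request is anomalous on its own.
    if path.startswith("/WebInterface/") and "authorization" in headers:
        reasons.append("Authorization header sent to the cookie-authenticated web UI")
    if "CrushAuth" in cookies and "authorization" in headers:
        reasons.append("CrushAuth cookie and Authorization header in one request")
    # User enumeration is normal admin activity; it only adds weight once
    # the request is already anomalous.
    if reasons and "getUserList" in query.get("command", []):
        reasons.append("request enumerates users via getUserList")
    return reasons


def suspicious_requests(log_text: str) -> list:
    """Scan JSON-lines log text and collect the anomalous requests."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        reasons = analyse(record)
        if reasons:
            findings.append({"src": record.get("src"),
                             "path": record.get("path"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_requests(CONSTRUCTED_LOG):
        print(finding["src"], finding["path"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run it against the log export from the period of interest; a single hit on the cookie-plus-Authorization rule is worth a look, and one that also calls getUserList from an unfamiliar source address is the shape of the bypass described above.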