Ruby Exploits
6,006 exploits tracked across all sources.
MantisBT - Remote Code Execution via XmlImportExport Plugin Preg Replace
The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote attackers to execute arbitrary PHP code via a crafted (1) description field or (2) issuelink attribute in an XML file, which is not properly handled when executing the preg_replace function with the e modifier.
by Egidio Romano
Mantis < 1.1.4 - Authenticated Remote Code Execution via Sort Parameter
manage_proj_page.php in Mantis before 1.1.4 allows remote authenticated users to execute arbitrary code via a sort parameter containing PHP sequences, which are processed by create_function within the multi_sort function in core/utility_api.php.
by EgiX, Lars Sorenson
October CMS <build 412 - Code Injection
October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise and possibly other applications on the server.
by Anti Räis
CVSS 7.2
Gogs 0.5.5-0.12.2 - Authenticated Remote Code Execution via Git Hook Feature
The git hook feature in Gogs 0.5.5 through 0.12.2 allows for authenticated remote code execution. There can be a privilege escalation if access to this hook feature is granted to a user who does not have administrative privileges. NOTE: because this is mentioned in the documentation but not in the UI, it could be considered a "Product UI does not Warn User of Unsafe Actions" issue.
by Podalirius, Christophe De La Fuente
CVSS 7.2
Oracle Concurrent Processing 12.2.3-12.2.14 - Unauthenticated Takeover
Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks of this vulnerability can result in takeover of Oracle Concurrent Processing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
by watchTowr (Sonny, Sina Kheirkhah, Jake Knott), Mathieu Dupas
CVSS 9.8
Apache Struts 2.3.x < 2.3.32 and 2.5.x < 2.5.10.1 - Remote Code Execution via Jakarta Multipart Parser
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
by Nike.Zheng, Nixawk, Chorder, egypt, Jeffrey Martin
CVSS 9.8
ChurchCRM < 5.21.0 - Unauthenticated Remote Code Execution via Setup Wizard PHP Injection
ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The vulnerability exists in `setup/routes/setup.php` where user input from the setup form is directly concatenated into a PHP configuration template without any validation or sanitization. Any parameter in the setup form can be used to inject PHP code that gets written to `Include/Config.php`, which is then executed on every page load. This is more severe than typical authenticated RCE vulnerabilities because it requires no credentials and affects the installation process that administrators must complete. Version 5.21.0 patches the issue.
by LucasCsmt
CVSS 10.0
pimcore < 5.7.1 - Authenticated Remote Code Execution via Unserialize in Bulk-Commit Endpoint
An issue was discovered in Pimcore before 5.7.1. An attacker with classes permission can send a POST request to /admin/class/bulk-commit, which will make it possible to exploit the unserialize function when passing untrusted values in the data parameter to bundles/AdminBundle/Controller/Admin/DataObject/ClassController.php.
by Daniele Scanu, Fabio Cogno
CVSS 8.8
Mutiny Standard <4.5-1.12 - Command Injection
Mutiny Standard before 4.5-1.12 allows remote attackers to execute arbitrary commands via the network-interface menu, related to a "command injection vulnerability."
by Christopher Campbell, juan vazquez
CMS Made Simple 2.2.17 - Authenticated Remote Code Execution via File Upload
CMS Made Simple v2.2.17 is vulnerable to Remote Command Execution via the File Upload Function.
by Okan Kurtuluş, Mirabbas Ağalarov, tastyrice
CVSS 8.8
Openfire authentication bypass with RCE plugin
Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn’t available for a specific release, or isn’t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.
CVSS 8.6
Ruby on Rails 2.3.x-2.3.15 and 3.0.x-3.0.19 - Remote Code Execution via YAML Deserialization
lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.
by jjarmoc, egypt, lian
Monstra CMS 3.0.4 - Unrestricted Upload of File with Dangerous Type via Case Bypass
Monstra CMS 3.0.4 allows users to upload arbitrary files, which leads to remote command execution on the server, for example because .php (lowercase) is blocked but .PHP (uppercase) is not.
by Ishaq Mohammed <[email protected]>, Touhid M.Shaikh <[email protected]>
CVSS 8.8
WonderCMS Remote Code Execution
Cross Site Scripting vulnerability in Wonder CMS v.3.2.0 thru v.3.4.2 allows a remote attacker to execute arbitrary code via a crafted script uploaded to the installModule component.
by msutovsky-r7, Milad, Karimi
CVSS 6.1
Monitorr 1.7.6m - Unauthenticated Remote Code Execution via Insecure File Upload
Remote code execution in Monitorr v1.7.6m in upload.php allows an unauthorized person to execute arbitrary code on the server-side via an insecure file upload.
CVSS 9.8
Roundcube Webmail < 1.5.10 and 1.6.x < 1.6.11 - Authenticated Remote Code Execution via PHP Object Deserialization
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
by Maksim Rogov, Kirill Firsov
CVSS 9.9
Flowise < 3.0.1 - Unauthenticated Remote Code Execution via Custom MCPs Feature
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in Flowise versions before 3.0.1 the default installation operates without authentication unless explicitly configured. This combination allows unauthenticated network attackers to execute unsandboxed OS commands.
by Assaf Levkovich
CVSS 9.8
GNU Bash through 4.3 bash43-026 - Remote Code Execution via Environment Variable Function Parsing
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.
by Stephane Chazelas, lcamtuf, bcoles
CVSS 8.8
Micro Focus Novell Service Desk <7.2 - Path Traversal
Directory traversal vulnerability in the import users feature in Micro Focus Novell Service Desk before 7.2 allows remote authenticated administrators to upload and execute arbitrary JSP files via a .. (dot dot) in a filename within a multipart/form-data POST request to a LiveTime.woa URL.
CVSS 7.2
Drupal 7.0-7.31 - SQL Injection via Array Key in Database API
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
by SektionEins, WhiteWinterWolf, Christian Mehlmauer, Brandon Perry
WordPress Royal Elementor Addons RCE
The Royal Elementor Addons and Templates WordPress plugin before 1.3.79 does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE.
by Fioravante Souza, Valentin Lobstein
CVSS 9.8
User Registration & Membership <= 4.1.1 - Unauthenticated Privilege Escalation
The User Registration & Membership WordPress plugin before 4.1.2 does not prevent users to set their account role when the Membership Addon is enabled, leading to a privilege escalation issue and allowing unauthenticated users to gain admin privileges
by wesley (wcraft), Valentin Lobstein
CVSS 8.1
Hash Form - Drag & Drop Form Builder <= 1.1.0 - Unauthenticated Arbitrary File Upload via file_upload_action Function
The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'file_upload_action' function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
by Francesco Carlucci, Valentin Lobstein
CVSS 9.8
Grav < 1.8.0-beta.27 - Server-Side Template Injection via Weak Twig Validation
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak regex validation in the cleanDangerousTwig method. This vulnerability is fixed in 1.8.0-beta.27.
by Tarek Nakkouch
CVSS 8.8
vBulletin 5 Connect <5.1.9 - Code Injection
The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in the arguments parameter to ajax/api/hook/decodeArguments.
by Netanel Rubin, cutz, Julien (jvoisin) Voisin
By Source