CVSS: 10.0 | EPSS: % | CPEs: 1 | EXPL: 0 | CVE-2025-66222 – DeepChat Cross-Site Scripting (XSS) escalate to Remote Code Execution (RCE)
https://notcve.org/view.php?id=CVE-2025-66222
03 Dec 2025 — DeepChat is a smart assistant that uses artificial intelligence. In 0.5.0 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability in the Mermaid diagram renderer allows an attacker to execute arbitrary JavaScript within the application context. By leveraging the exposed Electron IPC bridge, this XSS can be escalated to Remote Code Execution (RCE) by registering and starting a malicious MCP (Model Context Protocol) server.
Reference: https://github.com/ThinkInAIXYZ/deepchat/commit/371ca7b42e3685aee6e3f0c61e85277ed1ff4db7
CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 9.8 | EPSS: % | CPEs: 1 | EXPL: 0 | CVE-2025-66032 – Claude Code Command Validation Bypass Allows Arbitrary Code Execution
https://notcve.org/view.php?id=CVE-2025-66032
03 Dec 2025 — Prior to 1.0.93, due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution.
Reference: https://github.com/anthropics/claude-code/security/advisories/GHSA-xq4m-mc3c-vvg3
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVSS: 7.9 | EPSS: % | CPEs: 1 | EXPL: 0 | CVE-2025-54065 – GZDoom engine allows arbitrary code execution via ZScript actor states
https://notcve.org/view.php?id=CVE-2025-54065
03 Dec 2025 — A script can copy FState structures into a writable buffer, modify function pointers and state transitions, and cause execution of attacker-controlled bytecode, leading to arbitrary code execution.
Reference: https://github.com/ZDoom/gzdoom/security/advisories/GHSA-prhc-chfw-32jg
CWE-913: Improper Control of Dynamically-Managed Code Resources
CVSS: 10.0 | EPSS: % | CPEs: 3 | EXPL: 0 | CVE-2024-32641 – Masa CMS Vulnerable to Pre-Auth RCE via JSON API
https://notcve.org/view.php?id=CVE-2024-32641
03 Dec 2025 — Masa CMS is an open source Enterprise Content Management platform. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable to remote code execution. The vulnerability exists in the addParam function, which accepts user input via the criteria parameter. This input is subsequently evaluated by setDynamicContent, allowing an unauthenticated attacker to execute arbitrary code via the m tag. The vulnerability is patched in versions 7.2.8, 7.3.13, and 7.4.6.
Reference: https://github.com/MasaCMS/MasaCMS/commit/fb27f822fe426496af71205fa35208e58823fcf6
CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 8.4 | EPSS: % | CPEs: - | EXPL: 0 | CVE-2025-50360
https://notcve.org/view.php?id=CVE-2025-50360
03 Dec 2025 — Malicious execution of a Pepper source file (.pr) could lead to arbitrary code execution or Denial of Service.
Reference: https://github.com/Ch1keen/CVE-2025-50360
CWE-122: Heap-based Buffer Overflow
CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-13658 – Industrial Video & Control Longwatch has a Code Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-13658
02 Dec 2025 — A vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges.
Reference: https://www.cisa.gov/news-events/ics-advisories/icsa-25-336-01
CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-13486 – Advanced Custom Fields: Extended 0.9.0.5 - 0.9.1.1 - Unauthenticated Remote Code Execution in prepare_form
https://notcve.org/view.php?id=CVE-2025-13486
02 Dec 2025 — The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts.
Reference: https://plugins.trac.wordpress.org/changeset/3400134/acf-extended
CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-66448 – vLLM vulnerable to remote code execution via transformers_utils/get_config
https://notcve.org/view.php?id=CVE-2025-66448
01 Dec 2025 — vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.11.1, vllm has a critical remote code execution vector in a config class named Nemotron_Nano_VL_Config. When vllm loads a model config that contains an auto_map entry, the config class resolves that mapping with get_class_from_dynamic_module(...) and immediately instantiates the returned class. This fetches and executes Python from the remote repository referenced in the auto_map string. Crucially, this happens even when th...
Reference: https://github.com/vllm-project/vllm/commit/ffb08379d8870a1a81ba82b72797f196838d0c86
CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-66299 – Security Sandbox Bypass with SSTI (Server Side Template Injection) in the Grav CMS
https://notcve.org/view.php?id=CVE-2025-66299
01 Dec 2025 — Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (SSTI) that allows any authenticated user with editor permissions to execute arbitrary code on the remote server, bypassing the existing security sandbox. Since the security sandbox does not fully protect the Twig object, it is possible to interact with it (e.g., call methods, read/write attributes) through maliciously crafted Twig template directives injected into a web page. This allows an...
Reference: https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458
CWE-94: Improper Control of Generation of Code ('Code Injection'); CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-66294 – Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass
https://notcve.org/view.php?id=CVE-2025-66294
01 Dec 2025 — Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak regex validation in the cleanDangerousTwig method. This vulnerability is fixed in 1.8.0-beta.27.
Reference: https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458
CWE-94: Improper Control of Generation of Code ('Code Injection'); CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
