CVSS: 8.1 | EPSS: 0% | CPEs: - | EXPL: 0 | CVE-2025-11837 – Malware Remover
https://notcve.org/view.php?id=CVE-2025-11837
02 Jan 2026 — An improper control of generation of code vulnerability has been reported to affect Malware Remover. The remote attackers can then exploit the vulnerability to bypass protection mechanism. We have already fixed the vulnerability in the following version: Malware Remover 6.6.8.20251023 and later • https://www.qnap.com/en/security-advisory/qsa-25-47 • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 5.1 | EPSS: 0% | CPEs: - | EXPL: 1 | CVE-2025-15437 – LigeroSmart Environment Variable cross site scripting
https://notcve.org/view.php?id=CVE-2025-15437
02 Jan 2026 — A vulnerability was found in LigeroSmart up to 6.1.24. This affects an unknown part of the component Environment Variable Handler. Performing manipulation of the argument REQUEST_URI results in cross site scripting. The attack may be initiated remotely. The exploit has been made public and could be used. • https://github.com/LigeroSmart/ligerosmart/commit/264ac5b2be5b3c673ebd8cb862e673f5d300d9a7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 9.8 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2025-67268
https://notcve.org/view.php?id=CVE-2025-67268
02 Jan 2026 — This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution. • https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67268/README.md
CVSS: 4.8 | EPSS: 0% | CPEs: 5 | EXPL: 1 | CVE-2025-15416 – xnx3 wangmarket Add Global Variable save.do cross site scripting
https://notcve.org/view.php?id=CVE-2025-15416
01 Jan 2026 — A vulnerability was found in xnx3 wangmarket up to 6.4. This affects an unknown function of the file /siteVar/save.do of the component Add Global Variable Handler. The manipulation of the argument Remark/Variable Value results in cross site scripting. The attack can be executed remotely. The exploit has been made public and could be used. • https://github.com/yuccun/CVE/blob/main/wangmarket-Stored_Cross-Site_Scripting.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-68619 – Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package
https://notcve.org/view.php?id=CVE-2025-68619
01 Jan 2026 — When npm installs a package, it can automatically execute any `postinstall` script defined in `package.json`, enabling arbitrary code execution. • https://github.com/SignalK/signalk-server/releases/tag/v2.19.0 • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 7.8 | EPSS: 0% | CPEs: - | EXPL: 0 | CVE-2025-11157 – Arbitrary Code Execution in feast-dev/feast
https://notcve.org/view.php?id=CVE-2025-11157
01 Jan 2026 — A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. The vulnerability arises from the use of `yaml.load(..., Loader=yaml.Loader)` to deserialize `/var/feast/feature_store.yaml` and `/var/feast/materialization_config.yaml`. This method allows for the instantiation of arbitrary Python objects, enabling an attacker with the ability to modify the... • https://github.com/feast-dev/feast/commit/b2e37ff37953b68ae833f6874ab5bc510a4ca5fb • CWE-502: Deserialization of Untrusted Data
CVSS: 5.8 | EPSS: 0% | CPEs: - | EXPL: 1 | CVE-2025-15394 – iCMS POST Parameter ConfigAdmincp.php save code injection
https://notcve.org/view.php?id=CVE-2025-15394
31 Dec 2025 — The manipulation of the argument config results in code injection. • https://note-hxlab.wetolink.com/share/QWuWZeAmzUdm • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-15393 – Kohana KodiCMS Layout API Endpoint file.php save code injection
https://notcve.org/view.php?id=CVE-2025-15393
31 Dec 2025 — The manipulation of the argument content leads to code injection. • https://vuldb.com/?ctiid.339162 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 5.1 | EPSS: 0% | CPEs: - | EXPL: 0 | CVE-2019-25262 – elinicksic Razgover Chat Message send.php cross site scripting
https://notcve.org/view.php?id=CVE-2019-25262
31 Dec 2025 — A security vulnerability has been detected in elinicksic Razgover up to db37dfc5c82f023a40f2f7834ded6633fb2b5262. This affects an unknown part of the file Chattify/send.php of the component Chat Message Handler. Such manipulation of the argument msg leads to cross site scripting. The attack may be performed from remote. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. • https://github.com/elinicksic/Razgover/commit/995dd89d0e3ec5522966724be23a5d58ca1bdac3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 2 | CVE-2025-15374 – EyouCMS Ask Module Ask.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-15374
31 Dec 2025 — A vulnerability was detected in EyouCMS up to 1.7.7. The affected element is an unknown function of the file application/home/model/Ask.php of the component Ask Module. Performing manipulation of the argument content results in cross site scripting. The attack can be initiated remotely. The exploit is now public and may be used. • https://note-hxlab.wetolink.com/share/LNickWiRaFiF • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-94: Improper Control of Generation of Code ('Code Injection')
