
CVE-2025-49521 – Event-driven-ansible: template injection via git branch and refspec in eda projects
https://notcve.org/view.php?id=CVE-2025-49521
30 Jun 2025 — A flaw was found in the EDA component of the Ansible Automation Platform, where user-supplied Git branch or refspec values are evaluated as Jinja2 templates. This vulnerability allows authenticated users to inject expressions that execute commands or access sensitive files on the EDA worker. In OpenShift, it can lead to service account token theft. • https://access.redhat.com/errata/RHSA-2025:9986 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

NotCVE-2025-0003 – Symlink Race in Kubernetes Volume Cleanup Enables Host Filesystem Deletion
https://notcve.org/view.php?id=NotCVE-2025-0003
30 Jun 2025 — This can result in deletion of arbitrary files or directories on the host system, including data from other pods or host volumes, leading to data loss and potential privilege escalation. This NotCVE is distinct from the Go NotCVE-2025-0004 because: (1) Kubernetes embeds the vulnerable Go code, (2) exposes it in a privileged execution context (volume cleanup), and (3) provides a defined remediation path (rebuild with fixed Go). • https://github.com/kubernetes/kubernetes/issues/132267 • CWE-363: Race Condition Enabling Link Following •

CVE-2025-53415 – File Parsing Deserialization of Untrusted Data in DTM Soft
https://notcve.org/view.php?id=CVE-2025-53415
30 Jun 2025 — Delta Electronics DTM Soft Project File Parsing Deserialization of Untrusted Data Remote Code Execution • https://www.deltaww.com/en-US/Cybersecurity_Advisory • CWE-502: Deserialization of Untrusted Data •

CVE-2025-26074
https://notcve.org/view.php?id=CVE-2025-26074
30 Jun 2025 — Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes. • https://medium.com/@mrcnry/cve-2025-26074-remote-code-execution-in-conductor-oss-via-inline-javascript-injection-5ce3cb651cfb • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-45931
https://notcve.org/view.php?id=CVE-2025-45931
30 Jun 2025 — An issue in D-Link DIR-816-A2 DIR-816A2_FWv1.10CNB05_R1B011D88210 allows a remote attacker to execute arbitrary code via the system() function in the bin/goahead file. • http://d-link.com • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2025-6849 – code-projects Simple Forum forum_edit1.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-6849
29 Jun 2025 — A vulnerability, which was classified as problematic, was found in code-projects Simple Forum 1.0. ... A vulnerability was found in code-projects Simple Forum 1.0. • https://code-projects.org • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2023-28905 – Heap buffer overflow in picserver
https://notcve.org/view.php?id=CVE-2023-28905
28 Jun 2025 — A heap buffer overflow in the image processing binary of the MIB3 infotainment unit allows an attacker to execute arbitrary code on it. The vulnerability was originally discovered in Skoda Superb III car with MIB3 infotainment unit OEM part number 3V0035820. • https://asrg.io/security-advisories/vulnerabilities-in-volkswagen-mib3-infotainment-part-2 • CWE-122: Heap-based Buffer Overflow •

CVE-2023-28909 – Integer Overflow Leading to MTU Bypass
https://notcve.org/view.php?id=CVE-2023-28909
28 Jun 2025 — Consequently, this can lead to a buffer overflow in upper layer profiles, which can be used to obtain remote code execution. The vulnerability was originally discovered in Skoda Superb III car with MIB3 infotainment unit OEM part number 3V0035820. • https://asrg.io/security-advisories/vulnerabilities-in-volkswagen-mib3-infotainment-part-2 • CWE-190: Integer Overflow or Wraparound •

CVE-2025-53098 – Roo Code Vulnerable to Potential Remote Code Execution via Model Context Protocol
https://notcve.org/view.php?id=CVE-2025-53098
27 Jun 2025 — Roo Code is an AI-powered autonomous coding agent. The project-specific MCP configuration for the Roo Code agent is stored in the `.roo/mcp.json` file within the VS Code workspace. Because the MCP configuration format allows for execution of arbitrary commands, prior to version 3.20.3, it would have been possible for an attacker with access to craft a prompt to ask the agent to write a malicious command to the MCP configuration file. If the user had opted-in to auto-approv... • https://github.com/RooCodeInc/Roo-Code/commit/7d0b22f9e659dc6c26aab0bacbea27874986e772 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2025-6778 – code-projects Food Distributor Site save_settings.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-6778
27 Jun 2025 — A vulnerability, which was classified as problematic, was found in code-projects Food Distributor Site 1.0. ... A vulnerability was found in code-projects Food Distributor Site 1.0. • https://code-projects.org • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •