
CVE-2025-5333 – Unauthenticated Remote Code Execution in IT Management Suite
https://notcve.org/view.php?id=CVE-2025-5333
06 Jul 2025 — Remote attackers can execute arbitrary code in the context of the vulnerable service process. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35903 •

CVE-2025-49302 – WordPress Easy Stripe <= 1.1 - Remote Code Execution (RCE) Vulnerability
https://notcve.org/view.php?id=CVE-2025-49302
04 Jul 2025 — Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson Easy Stripe allows Remote Code Inclusion. • https://patchstack.com/database/wordpress/plugin/easy-stripe/vulnerability/wordpress-easy-stripe-1-1-remote-code-execution-rce-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-43711
https://notcve.org/view.php?id=CVE-2025-43711
04 Jul 2025 — Tunnelblick 3.5beta06 before 7.0, when incompletely uninstalled, allows attackers to execute arbitrary code as root (upon the next boot) by dragging a crafted Tunnelblick.app file into /Applications. • https://tunnelblick.net/cCVE-2025-43711.html • CWE-459: Incomplete Cleanup •

CVE-2025-5691 – WordPress Migration, Backup, Staging – WPvivid Backup and Migration 0.9.116 Shell Upload
https://notcve.org/view.php?id=CVE-2025-5691
04 Jul 2025 — WordPress Migration, Backup, Staging – WPvivid Backup and Migration plugin versions 0.9.116 and below are vulnerable to arbitrary file uploads due to missing file type validation in the wpvivid_upload_import_files function. This allows authenticated attackers (Administrator-level and above) to upload arbitrary files to the server, potentially enabling remote code execution. • https://packetstorm.news/files/id/205244 •

CVE-2025-34089 – Remote for Mac Unauthenticated Remote Code Execution via AppleScript Injection
https://notcve.org/view.php?id=CVE-2025-34089
03 Jul 2025 — An unauthenticated remote code execution vulnerability exists in Remote for Mac, a macOS remote control utility developed by Aexol Studio, in versions up to and including 2025.7. ... This allows unauthenticated remote attackers to inject arbitrary AppleScript payloads via the X-Script HTTP header, resulting in code execution using do shell script. Successful exploitation grants attackers the ability to run arbitrary commands on the macOS host with the privileges of ... • https://vulncheck.com/advisories/remote-for-mac-rce • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-306: Missing Authentication for Critical Function •

CVE-2025-34087 – Pi-Hole AdminLTE Whitelist (now 'Web Allowlist') Remote Command Execution
https://notcve.org/view.php?id=CVE-2025-34087
03 Jul 2025 — An authenticated command injection vulnerability exists in Pi-hole versions up to 3.3. When adding a domain to the allowlist via the web interface, the domain parameter is not properly sanitized, allowing an attacker to append OS commands to the domain string. These commands are executed on the underlying operating system with the privileges of the Pi-hole service user. This behavior was present in the legacy AdminLTE interface and has since been patched in later versions. Existe una vulnerabilidad de inyec... • https://vulncheck.com/advisories/pihole-adminlte-whitelist-rce • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-34088 – Pandora FMS Authenticated Remote Code Execution via Ping Module
https://notcve.org/view.php?id=CVE-2025-34088
03 Jul 2025 — An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php functionality allows authenticated users to execute arbitrary OS commands via the select_ips parameter when performing network tools operations, such as pinging. • https://vulncheck.com/advisories/pandora-fms-rce-via-ping • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-34082 – IGEL OS Secure Terminal and Secure Shadow Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-34082
03 Jul 2025 — An unauthenticated attacker with network access to a vulnerable device can inject arbitrary commands, leading to remote code execution with elevated privileges. • https://vulncheck.com/advisories/igel-os-secure-terminal-shadow-rce • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-34086 – Bolt CMS Authenticated Remote Code Execution via Profile Injection and File Rename
https://notcve.org/view.php?id=CVE-2025-34086
03 Jul 2025 — Bolt CMS versions 3.7.0 and earlier contain a chain of vulnerabilities that together allow an authenticated user to achieve remote code execution. A user with valid credentials can inject arbitrary PHP code into the displayname field of the user profile, which is rendered unsanitized in backend templates. ... By renaming a .session file to a path under the publicly accessible /files/ directory with a .php extension, the attacker can turn the injected code into an ex... • https://boltcms.io/newsitem/major-announcements-bolt-3-eol-bolt-4-2-5-0-releases • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-34061 – PHPStudy 2016-2018 Backdoor Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2025-34061
03 Jul 2025 — A backdoor in PHPStudy versions 2016 through 2018 allows unauthenticated remote attackers to execute arbitrary PHP code on affected installations. ... This leads to remote code execution as the web server user, compromising the affected system. • https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/phpstudy_backdoor_rce.rb • CWE-94: Improper Control of Generation of Code ('Code Injection') •