CVSS: 3.3 | EPSS: % | CPEs: 1 | EXPL: 2
CVE-2025-12654 – Migration, Backup, Staging – WPvivid Backup & Migration <= 0.9.120 - Authenticated (Admin+) Arbitrary Directory Creation
https://notcve.org/view.php?id=CVE-2025-12654
20 Dec 2025 — The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory creation in all versions up to, and including, 0.9.120. This is due to the check_filesystem_permissions() function not properly restricting the directories that can be created, or in what location. This makes it possible for authenticated attackers, with Administrator-level access and above, to create arbitrary directories.
Reference: https://github.com/Yuweixn/Anydesk-Exploit-CVE-2025-12654-RCE-Builder
CWE-73: External Control of File Name or Path
CVSS: 9.9 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2025-68613 – n8n Vulnerable to Remote Code Execution via Expression Injection
https://notcve.org/view.php?id=CVE-2025-68613
19 Dec 2025 — Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. ... An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process.
Reference: https://github.com/n8n-io/n8n/commit/08f332015153decdda3c37ad4fcb9f7ba13a7c79
CWE-913: Improper Control of Dynamically-Managed Code Resources
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 1
CVE-2023-53959 – FileZilla Client 3.63.1 DLL Hijacking via Missing TextShaping.dll
https://notcve.org/view.php?id=CVE-2023-53959
19 Dec 2025 — FileZilla Client 3.63.1 contains a DLL hijacking vulnerability that allows attackers to execute malicious code by placing a crafted TextShaping.dll in the application directory. Attackers can generate a reverse shell payload using msfvenom and replace the missing DLL to achieve remote code execution when the application launches.
Reference: https://www.vulncheck.com/advisories/filezilla-client-dll-hijacking-via-missing-textshapingdll
CWE-427: Uncontrolled Search Path Element
CVSS: 9.0 | EPSS: 0% | CPEs: - | EXPL: 1
CVE-2023-53956 – Flatnux 2021-03.25 Authenticated File Upload Remote Code Execution
https://notcve.org/view.php?id=CVE-2023-53956
19 Dec 2025 — Attackers with admin credentials can upload malicious PHP scripts to the web root directory, enabling remote code execution on the server.
Reference: https://www.vulncheck.com/advisories/flatnux-authenticated-file-upload-remote-code-execution
CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 1
CVE-2023-53952 – Dotclear 2.25.3 Authenticated Remote Code Execution via File Upload
https://notcve.org/view.php?id=CVE-2023-53952
19 Dec 2025 — Dotclear 2.25.3 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension through the blog post creation interface. Attackers can upload files containing PHP system commands that execute when the uploaded file is accessed, enabling arbitrary code execution on the server.
Reference: https://www.vulncheck.com/advisories/dotclear-authenticated-remote-code-execution-via-file-upload
CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 1
CVE-2023-53948 – Lilac-Reloaded for Nagios 2.0.8 Remote Code Execution via Autodiscovery
https://notcve.org/view.php?id=CVE-2023-53948
19 Dec 2025 — Lilac-Reloaded for Nagios 2.0.8 contains a remote code execution vulnerability in the autodiscovery feature that allows attackers to inject arbitrary commands. Attackers can exploit the lack of input filtering in the nmap_binary parameter to execute a reverse shell by sending a crafted POST request to the autodiscovery endpoint.
Reference: https://www.vulncheck.com/advisories/lilac-reloaded-for-nagios-remote-code-execution-via-autodiscovery
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS: 8.5 | EPSS: 0% | CPEs: 1 | EXPL: 1
CVE-2023-53946 – Arcsoft PhotoStudio 6.0.0.172 Unquoted Service Path Privilege Escalation
https://notcve.org/view.php?id=CVE-2023-53946
19 Dec 2025 — Attackers can place a malicious executable in the unquoted path and trigger the service to execute arbitrary code with system-level permissions.
Reference: https://www.arcsoft.com
CWE-428: Unquoted Search Path or Element
CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 1
CVE-2023-53945 – BrainyCP 1.0 Remote Code Execution via Authenticated Crontab Manipulation
https://notcve.org/view.php?id=CVE-2023-53945
19 Dec 2025 — BrainyCP 1.0 contains an authenticated remote code execution vulnerability that allows logged-in users to inject arbitrary commands through the crontab configuration interface.
Reference: https://www.vulncheck.com/advisories/brainycp-remote-code-execution-via-authenticated-crontab-manipulation
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-66580 – Dive has Cross-Site Scripting vulnerability that can escalate to Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-66580
19 Dec 2025 — An attacker can exploit this to inject a malicious Model Context Protocol (MCP) server configuration, leading to Remote Code Execution (RCE) on the victim's machine when the node is clicked.
Reference: https://github.com/OpenAgentPlatform/Dive/security/advisories/GHSA-xv8m-365j-x6h2
CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1
CVE-2025-34433 – AVideo < 20.1 Unauthenticated RCE via Predictable Installation Salt
https://notcve.org/view.php?id=CVE-2025-34433
19 Dec 2025 — AVideo versions 14.3.1 prior to 20.1 contain an unauthenticated remote code execution vulnerability caused by predictable generation of an installation salt using PHP uniqid(). ... The recovered salt can then be used to encrypt a malicious payload supplied to a notification API endpoint that evaluates attacker-controlled input, resulting in arbitrary code execution as the web server user.
Reference: https://www.vulncheck.com/advisories/avideo-unauthenticated-rce-via-predictable-installation-salt
CWE-94: Improper Control of Generation of Code ('Code Injection')
