CVSS: 7.2EPSS: %CPEs: 1EXPL: 0CVE-2025-32370
https://notcve.org/view.php?id=CVE-2025-32370
06 Apr 2025 — Kentico Xperience before 13.0.178 has a specific set of allowed ContentUploader file extensions for unauthenticated uploads; however, because .zip is processed through TryZipProviderSafe, there is additional functionality to create files with other extensions. NOTE: this is a separate issue not necessarily related to SVG or XSS. • https://labs.watchtowr.com/xss-to-rce-by-abusing-custom-file-handlers-kentico-xperience-cms-cve-2025-2748 • CWE-912: Hidden Functionality •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30401
https://notcve.org/view.php?id=CVE-2025-30401
05 Apr 2025 — A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp. • https://www.facebook.com/security/advisories/cve-2025-30401 •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2941 – Drag and Drop Multiple File Upload for WooCommerce <= 1.1.4 - Unauthenticated Arbitrary File Move
https://notcve.org/view.php?id=CVE-2025-2941
04 Apr 2025 — This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3266697%40drag-and-drop-multiple-file-upload-for-woocommerce&new=3266697%40drag-and-drop-multiple-file-upload-for-woocommerce&sfp_email=&sfph_mail= • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-32118 – WordPress CMP – Coming Soon & Maintenance plugin <= 4.1.13 - Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2025-32118
04 Apr 2025 — Unrestricted Upload of File with Dangerous Type vulnerability in NiteoThemes CMP – Coming Soon & Maintenance allows Using Malicious Files. This issue affects CMP – Coming Soon & Maintenance: from n/a through 4.1.13. • https://patchstack.com/database/wordpress/plugin/cmp-coming-soon-maintenance/vulnerability/wordpress-cmp-coming-soon-maintenance-plugin-4-1-13-remote-code-execution-rce-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27520 – BentoML Allows Remote Code Execution (RCE) via Insecure Deserialization
https://notcve.org/view.php?id=CVE-2025-27520
04 Apr 2025 — A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version (v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. It exists an unsafe code segment in serde.py. • https://github.com/bentoml/BentoML/commit/b35f4f4fcc53a8c3fe8ed9c18a013fe0a728e194 • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-29815 – Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2025-29815
04 Apr 2025 — Use after free in Microsoft Edge (Chromium-based) allows an authorized attacker to execute code over a network. • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29815 • CWE-416: Use After Free •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-25000 – Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2025-25000
03 Apr 2025 — Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-25000 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2025-31119 – CWE-470 in generator-jhipster-entity-audit when having Javers selected as Entity Audit Framework
https://notcve.org/view.php?id=CVE-2025-31119
03 Apr 2025 — If an attacker manages to place some malicious classes into the classpath and also has access to these REST interface for calling the mentioned REST endpoints, using these lines of code can lead to unintended remote code execution. • https://github.com/jhipster/generator-jhipster-entity-audit/blob/e21e83135d10c77d92203c89cb0b0063914e8fe0/generators/spring-boot-javers/templates/src/main/java/_package_/web/rest/JaversEntityAuditResource.java.ejs#L88 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •
CVSS: 5.0EPSS: 0%CPEs: -EXPL: 1CVE-2025-3169 – Projeqtor saveAttachment.php unrestricted upload
https://notcve.org/view.php?id=CVE-2025-3169
03 Apr 2025 — A vulnerability was found in Projeqtor up to 12.0.2. It has been rated as critical. Affected by this issue is some unknown functionality of the file /tool/saveAttachment.php. The manipulation of the argument attachmentFiles leads to unrestricted upload. The attack may be launched remotely. • https://github.com/deadmilkman/cve-reports/blob/main/01-projeqtor-rce/readme.md • CWE-284: Improper Access Control CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-31115 – XZ has a heap-use-after-free bug in threaded .xz decoder
https://notcve.org/view.php?id=CVE-2025-31115
03 Apr 2025 — If a user or automated system were tricked into processing an xz file, a remote attacker could use this issue to cause XZ Utils to crash, resulting in a denial of service, or possibly execute arbitrary code. • https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480 • CWE-366: Race Condition within a Thread CWE-416: Use After Free CWE-476: NULL Pointer Dereference CWE-826: Premature Release of Resource During Expected Lifetime •