
CVE-2025-9404 – Scada-LTS Folder pointHierarchySLTS cross site scripting
https://notcve.org/view.php?id=CVE-2025-9404
25 Aug 2025 — A vulnerability was identified in Scada-LTS up to 2.7.8.1. The affected element is an unknown function of the file /pointHierarchySLTS of the component Folder Handler. The manipulation of the argument Title leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
• https://vuldb.com/?id.321240
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2025-9388 – Scada-LTS watch_list.shtm cross site scripting
https://notcve.org/view.php?id=CVE-2025-9388
24 Aug 2025 — A vulnerability was determined in Scada-LTS up to 2.7.8.1. This impacts an unknown function of the file watch_list.shtm. Executing manipulation of the argument Name can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.
• https://vuldb.com/?id.321221
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2025-43766
https://notcve.org/view.php?id=CVE-2025-43766
23 Aug 2025 — The Liferay Portal 7.4.0 through 7.3.3.131, and Liferay DXP 2024.Q4.0, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allow the upload of unrestricted files in the style books component; the uploaded files are processed within the environment, enabling arbitrary code execution by attackers.
• https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43766
• CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2025-57771 – Roo-Code potential remote code execution via auto-execute command parsing flaw
https://notcve.org/view.php?id=CVE-2025-57771
22 Aug 2025 — Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions prior to 3.25.5, Roo-Code fails to properly handle process substitution and single ampersand characters in the command parsing logic for auto-execute commands. If a user has enabled auto-approved execution for a command such as ls, an attacker who can submit crafted prompts to the agent may inject arbitrary commands to be executed alongside the intended command. Exploitation requires attac...
• https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-wrh9-463x-7wvv
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2025-55745 – UnoPim Quick Export feature is vulnerable to CSV injection
https://notcve.org/view.php?id=CVE-2025-55745
22 Aug 2025 — When the CSV file is opened in spreadsheet applications such as Microsoft Excel, the malicious input may be interpreted as a formula or command, potentially resulting in the execution of arbitrary code on the victim's device. Successful exploitation can lead to remote code execution, including the establishment of a reverse shell.
• https://github.com/unopim/unopim/security/advisories/GHSA-74rg-6f92-g6wx
• CWE-1236: Improper Neutralization of Formula Elements in a CSV File

CVE-2025-9048 – Wptobe-memberships <= 3.4.2 - Authenticated (Subscriber+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-9048
22 Aug 2025 — The Wptobe-memberships plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the del_img_ajax_call() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
• https://www.wordfence.com/threat-intel/vulnerabilities/id/466568c5-33a9-4891-b4ad-9bc6052603cb?source=cve
• CWE-73: External Control of File Name or Path

CVE-2009-10006 – UFO: Alien Invasion <= 2.2.1 IRC Client Buffer Overflow
https://notcve.org/view.php?id=CVE-2009-10006
22 Aug 2025 — This results in a stack-based buffer overflow, which may corrupt control flow structures and allow arbitrary code execution.
• https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/misc/ufo_ai.rb
• CWE-121: Stack-based Buffer Overflow

CVE-2025-57699
https://notcve.org/view.php?id=CVE-2025-57699
22 Aug 2025 — A user with the write permission on the root directory of the system drive may execute arbitrary code with the SYSTEM privilege.
• https://www.westerndigital.com/support/product-security/wdc-25004-western-digital-kitfox-software-version-1-1-1-1
• CWE-428: Unquoted Search Path or Element

CVE-2025-41451 – Post-Authentication OS Command Injection RCE in Danfoss AK-SM8xxA Series
https://notcve.org/view.php?id=CVE-2025-41451
22 Aug 2025 — Improper neutralization of alarm-to-mail configuration fields used in an OS shell Command ('Command Injection') in Danfoss AK-SM8xxA Series prior to version 4.3.1, leading to a potential post-authenticated remote code execution on an attacked system.
• https://www.danfoss.com/en/service-and-support/downloads/dcs/adap-kool-software/ak-sm-800a/#tab-overview
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVE-2022-31491
https://notcve.org/view.php?id=CVE-2022-31491
22 Aug 2025 — Voltronic Power ViewPower through 1.04-24215, ViewPower Pro through 2.0-22165, and PowerShield Netguard before 1.04-23292 allow a remote attacker to run arbitrary code via an unspecified web interface related to detection of a managed UPS shutting down. An unauthenticated attacker can use this to run arbitrary code immediately regardless of any managed UPS state or presence.
• https://github.com/ready2disclose/CVE-2022-31491
• CWE-94: Improper Control of Generation of Code ('Code Injection')
• CWE-749: Exposed Dangerous Method or Function