
CVE-2025-3055 – WP User Frontend Pro <= 4.1.3 - Authenticated (Subscriber+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-3055
04 Jun 2025 — The WP User Frontend Pro plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_avatar_ajax() function in all versions up to, and including, 4.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-3054 – WP User Frontend Pro <= 4.1.3 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-3054
04 Jun 2025 — The WP User Frontend Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload_files() function in all versions up to, and including, 4.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • CWE-434: Unrestricted Upload of File with Dangerous Type •
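Missing file-type validation, as in this entry, is normally fixed with an extension allowlist combined with a check of the file's leading bytes rather than trust in the client-supplied name or Content-Type. The example below is added for this page and is not WP User Frontend Pro's upload_files(); the allowlist, the signatures and the sample inputs are constructed.

```javascript
// Added illustration of CWE-434: an upload gate that decides the file type
// from an extension allowlist plus the file's leading bytes, never from the
// client-supplied name or Content-Type alone. Hypothetical code for this
// page, not WP User Frontend Pro's upload_files().

// Allowed extensions and the signatures a file of that type must begin with.
const ALLOWED = new Map([
  ["png", [Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])]],
  ["jpg", [Buffer.from([0xff, 0xd8, 0xff])]],
  ["jpeg", [Buffer.from([0xff, 0xd8, 0xff])]],
  ["gif", [Buffer.from("GIF87a"), Buffer.from("GIF89a")]],
]);

// Returns { ok: true, ext } or { ok: false, reason }.
function validateUpload(fileName, bytes) {
  const parts = String(fileName).toLowerCase().split(".");
  if (parts.length < 2 || parts[0] === "") return { ok: false, reason: "no extension" };
  // Every suffix component must be allowlisted, so "shell.php.png" fails on
  // "php" (multi-extension handler configs would otherwise execute it).
  const suffixes = parts.slice(1);
  for (const s of suffixes) {
    if (!ALLOWED.has(s)) return { ok: false, reason: `extension .${s} not allowed` };
  }
  const ext = suffixes[suffixes.length - 1];
  const matches = ALLOWED.get(ext).some(
    (m) => bytes.length >= m.length && bytes.subarray(0, m.length).equals(m)
  );
  if (!matches) return { ok: false, reason: `content does not match .${ext}` };
  return { ok: true, ext };
}

// Constructed sample inputs (not real uploads).
const SAMPLE_PNG = Buffer.concat([
  Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  Buffer.alloc(16),
]);
const SAMPLE_PHP = Buffer.from("<?php echo 'hi'; ?>");
```

The stored file name should still be generated server-side from the validated extension; the client's name is only ever used as input to this check.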

CVE-2025-20277 – Cisco Unified Contact Center Express Path Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2025-20277
04 Jun 2025 — A vulnerability in the web-based management interface of Cisco Unified CCX could allow an authenticated, local attacker to execute arbitrary code on an affected device. ... A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of an affected device as a low-privilege user. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-multi-UhOTvPGL • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-20276 – Cisco Unified Contact Center Express Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2025-20276
04 Jun 2025 — A vulnerability in the web-based management interface of Cisco Unified CCX could allow an authenticated, remote attacker to execute arbitrary code on an affected device. ... A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of an affected device as a low-privilege user. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-multi-UhOTvPGL • CWE-502: Deserialization of Untrusted Data •

CVE-2025-20275 – Cisco Unified Contact Center Express Editor Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2025-20275
04 Jun 2025 — A vulnerability in the file opening process of Cisco Unified Contact Center Express (Unified CCX) Editor could allow an unauthenticated attacker to execute arbitrary code on an affected device.... A successful exploit could allow the attacker to execute arbitrary code on the host that is running the editor application with the privileges of the user who launched it. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-editor-rce-ezyYZte8 • CWE-502: Deserialization of Untrusted Data •

CVE-2025-20273 – Cisco Unified Intelligent Contact Management Enterprise Cross-Site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2025-20273
04 Jun 2025 — A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-icm-xss-cfcqhXAg • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-1701 – Local Privilege Escalation in MIM Admin Service
https://notcve.org/view.php?id=CVE-2025-1701
04 Jun 2025 — An attacker could exploit this vulnerability by sending a specially crafted request over the RMI interface to execute arbitrary code with the privileges of the MIM Admin service. • https://www.mimsoftware.com/cve-2025-1701 • CWE-20: Improper Input Validation CWE-306: Missing Authentication for Critical Function •

CVE-2025-48710
https://notcve.org/view.php?id=CVE-2025-48710
04 Jun 2025 — kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users (with permission to create or modify ResourceGraphDefinition resources) to supply arbitrary container images. This can lead to a confused-deputy scenario where kro's controllers deploy and run attacker-controlled images, resulting in unauthenticated remote code execution on cluster nodes. • https://github.com/kro-run/kro/compare/v0.2.1...v0.2.2 • CWE-441: Unintended Proxy or Intermediary ('Confused Deputy') •

CVE-2025-49223
https://notcve.org/view.php?id=CVE-2025-49223
04 Jun 2025 — billboard.js before 3.15.1 was discovered to contain a prototype pollution via the function generate, which could allow attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. • https://cve.naver.com/detail/cve-2025-49223.html • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
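Prototype pollution of the kind described here arises when a configuration object from an untrusted source is deep-merged key by key. The example below is added for this page and is hypothetical: it is not billboard.js's generate() and does not reproduce that library's internals; the payload is constructed.

```javascript
// Added illustration of CWE-1321 (prototype pollution) in a chart-config
// deep merge. Hypothetical code for this page: it is not billboard.js's
// generate() and does not reproduce that library's internals.

// Vulnerable: recursive merge that follows every enumerable key, including
// an own property literally named "__proto__" (which JSON.parse produces).
function unsafeMerge(target, source) {
  for (const key in source) {
    const val = source[key];
    if (val && typeof val === "object" && !Array.isArray(val)) {
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], val); // target["__proto__"] is Object.prototype
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: own keys only, skip the keys that reach the prototype chain,
// and never descend into an inherited target value.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN.has(key)) continue;
    const val = source[key];
    if (val && typeof val === "object" && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = safeMerge(own && typeof own === "object" ? own : {}, val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed attacker payload, as it would arrive as JSON on the wire.
const PAYLOAD = '{"data":{"type":"bar"},"__proto__":{"isAdmin":true}}';

// Merges PAYLOAD into a default config with the given merge function and
// reports whether an unrelated object afterwards inherits "isAdmin".
// Cleans up so one run cannot affect the next.
function demo(mergeFn) {
  const config = mergeFn({ data: { type: "line" } }, JSON.parse(PAYLOAD));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return { type: config.data.type, leaked };
}
```

Both merges apply the legitimate part of the payload; only the unsafe one also leaves a property on Object.prototype, which is what lets later property checks elsewhere in the application be influenced or, depending on what reads them, crash.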

CVE-2025-49002 – Dataease H2 Database Remote Code Execution (RCE) Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2025-49002
03 Jun 2025 — DataEase is an open source business intelligence and data visualization tool. Versions prior to 2.10.10 have a flaw in the patch for CVE-2025-32966 that allows the patch to be bypassed: only the keywords INIT and RUNSCRIPT as literally written are prohibited, while the connection settings they appear in are matched case-insensitively, so a differently-cased keyword passes the check. The vulnerability has been fixed in v2.10.10. No known workarounds are available. • https://github.com/dataease/dataease/security/advisories/GHSA-999m-jv2p-5h34 • CWE-290: Authentication Bypass by Spoofing •
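The bypass class here is a keyword blocklist applied more strictly than the consumer of the string applies it: H2 upper-cases JDBC URL setting names before interpreting them, so a filter that only looks for the uppercase spelling misses the same setting in another case. The example below is added for this page and is not DataEase's code; the allowlist of settings and the URLs are assumptions.

```javascript
// Added illustration of the bypass class behind CVE-2025-49002: a keyword
// blocklist applied case-sensitively to an H2 JDBC URL, while H2 itself
// upper-cases setting names and so treats them case-insensitively.
// Hypothetical code for this page, not DataEase's; the allowlist below is
// an assumption, not DataEase's configuration.

// Naive fix: reject URLs containing the dangerous keywords as written.
function naiveReject(jdbcUrl) {
  return jdbcUrl.includes("INIT") || jdbcUrl.includes("RUNSCRIPT");
}

// Hardened: parse the ";key=value" settings, normalise key case the same
// way the consumer does, and accept only keys known to be harmless.
const ALLOWED_KEYS = new Set(["MODE", "DB_CLOSE_DELAY", "IFEXISTS"]);
function strictReject(jdbcUrl) {
  const parts = String(jdbcUrl).split(";");
  if (!parts[0].toLowerCase().startsWith("jdbc:h2:")) return true;
  for (const setting of parts.slice(1)) {
    if (setting.trim() === "") continue;
    const eq = setting.indexOf("=");
    const key = (eq === -1 ? setting : setting.slice(0, eq)).trim().toUpperCase();
    if (!ALLOWED_KEYS.has(key)) return true;
  }
  return false;
}

// Constructed URLs (not taken from the advisory).
const UPPER = "jdbc:h2:mem:demo;INIT=RUNSCRIPT FROM 'x.sql'";
const LOWER = "jdbc:h2:mem:demo;init=runscript from 'x.sql'";
const BENIGN = "jdbc:h2:mem:demo;mode=MySQL;DB_CLOSE_DELAY=-1";
```

The allowlist form is preferable to any blocklist because it does not need to enumerate every dangerous setting, only the few the application actually requires, and it normalises the key exactly as the database driver will.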