CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2025-31119 – CWE-470 in generator-jhipster-entity-audit when having Javers selected as Entity Audit Framework
https://notcve.org/view.php?id=CVE-2025-31119
03 Apr 2025 — If an attacker manages to place some malicious classes into the classpath and also has access to these REST interface for calling the mentioned REST endpoints, using these lines of code can lead to unintended remote code execution. • https://github.com/jhipster/generator-jhipster-entity-audit/blob/e21e83135d10c77d92203c89cb0b0063914e8fe0/generators/spring-boot-javers/templates/src/main/java/_package_/web/rest/JaversEntityAuditResource.java.ejs#L88 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •
CVSS: 5.0EPSS: 0%CPEs: -EXPL: 1CVE-2025-3169 – Projeqtor saveAttachment.php unrestricted upload
https://notcve.org/view.php?id=CVE-2025-3169
03 Apr 2025 — A vulnerability was found in Projeqtor up to 12.0.2. It has been rated as critical. Affected by this issue is some unknown functionality of the file /tool/saveAttachment.php. The manipulation of the argument attachmentFiles leads to unrestricted upload. The attack may be launched remotely. • https://github.com/deadmilkman/cve-reports/blob/main/01-projeqtor-rce/readme.md • CWE-284: Improper Access Control CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-31115 – XZ has a heap-use-after-free bug in threaded .xz decoder
https://notcve.org/view.php?id=CVE-2025-31115
03 Apr 2025 — If a user or automated system were tricked into processing an xz file, a remote attacker could use this issue to cause XZ Utils to crash, resulting in a denial of service, or possibly execute arbitrary code. • https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480 • CWE-366: Race Condition within a Thread CWE-416: Use After Free CWE-476: NULL Pointer Dereference CWE-826: Premature Release of Resource During Expected Lifetime •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-13744 – Booster for WooCommerce 4.0.1 - 7.2.4 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-13744
03 Apr 2025 — The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the validate_product_input_fields_on_add_to_cart function in versions 4.0.1 to 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/changeset/3262569/woocommerce-jetpack/trunk/includes/input-fields/class-wcj-product-input-fields-core.php • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 24%CPEs: 2EXPL: 0CVE-2025-22457 – Ivanti Connect Secure, Policy Secure and ZTA Gateways Stack-Based Buffer Overflow Vulnerability
https://notcve.org/view.php?id=CVE-2025-22457
03 Apr 2025 — A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution. Ivanti Connect Secure, Policy Secure and ZTA Gateways contains a stack-based buffer overflow vulnerability that allows a remote unauthenticated attacker to achieve remote code execution. • https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457 • CWE-121: Stack-based Buffer Overflow •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2025-3161 – Tenda AC10 ShutdownSetAdd stack-based overflow
https://notcve.org/view.php?id=CVE-2025-3161
03 Apr 2025 — A vulnerability was found in Tenda AC10 16.03.10.13 and classified as critical. This issue affects the function ShutdownSetAdd of the file /goform/ShutdownSetAdd. The manipulation of the argument list leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/LxxxtSec/CVE/blob/main/CVE_1.md#vulnerability-proof-supplement-remote-code-execution-rce • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-121: Stack-based Buffer Overflow •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2945 – pgAdmin 4: Remote Code Execution in Query Tool and Cloud Deployment
https://notcve.org/view.php?id=CVE-2025-2945
03 Apr 2025 — Remote Code Execution security vulnerability in pgAdmin 4 (Query Tool and Cloud Deployment modules). Remote Code Execution security vulnerability in pgAdmin 4 (Query Tool and Cloud Deployment modules). The vulnerability is associated with the 2 POST endpoints; /sqleditor/query_tool/download, where the query_commited parameter and /cloud/deploy endpoint, where the high_availability parameter is unsafely passed to the Python eval() function, allowing arbitrary ... • https://github.com/pgadmin-org/pgadmin4/issues/8603 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: -EPSS: 0%CPEs: -EXPL: 0CVE-2025-2445
https://notcve.org/view.php?id=CVE-2025-2445
03 Apr 2025 — An attacker can craft a webpage once visited by the victim can trigger the exploit which can lead to executing arbitrary commands on the server (RCE). •
CVSS: -EPSS: 0%CPEs: -EXPL: 0CVE-2025-2446
https://notcve.org/view.php?id=CVE-2025-2446
03 Apr 2025 — As a result, arbitrary files can be written to the server by providing a filename containing a "../" payload. ... This can lead to Remote Code Execution (RCE) on the server. •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2780 – Woffice Core <= 5.4.21 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-2780
03 Apr 2025 — The Woffice Core plugin for WordPress, used by the Woffice Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'saveFeaturedImage' function in all versions up to, and including, 5.4.21. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • http://localhost:1337/wp-content/plugins/woffice-core/extensions/woffice-event/class-fw-extension-woffice-event.php#L1235 • CWE-434: Unrestricted Upload of File with Dangerous Type •