CVSS: 5.4EPSS: 0%CPEs: -EXPL: 0CVE-2025-28254
https://notcve.org/view.php?id=CVE-2025-28254
28 Mar 2025 — Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary code and obtain sensitive information via the first name field in processMentions(). • https://github.com/Leantime/leantime/blob/0e7ddbbe3d582f657a1dddfef7b3419ae588cbf7/app/Domain/Notifications/Services/Notifications.php#L128 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2025-28256
https://notcve.org/view.php?id=CVE-2025-28256
28 Mar 2025 — An issue in TOTOLINK A3100R V4.1.2cu.5247_B20211129 allows a remote attacker to execute arbitrary code via the setWebWlanIdx of the file /lib/cste_modules/wireless.so. • https://github.com/ZackSecurity/VulnerReport/blob/cve/totolink/A3100R/1.md • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2878 – Kentico CMS Additional Database Installation Wizard install.aspx cross site scripting
https://notcve.org/view.php?id=CVE-2025-2878
27 Mar 2025 — A vulnerability was found in Kentico CMS up to 13.0.178. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /CMSInstall/install.aspx of the component Additional Database Installation Wizard. The manipulation of the argument new database leads to cross site scripting. The attack can be launched remotely. • https://devnet.kentico.com/download/hotfixes • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30067 – Apache Kylin: The remote code execution via jdbc url
https://notcve.org/view.php?id=CVE-2025-30067
27 Mar 2025 — Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Kylin. If an attacker gets access to Kylin's system or project admin permission, the JDBC connection configuration maybe altered to execute arbitrary code from the remote. • https://lists.apache.org/thread/6j19pt8yoqfphf1lprtrzoqkvz1gwbnc • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30358 – Mesop Class Pollution vulnerability leads to DoS and Jailbreak attacks
https://notcve.org/view.php?id=CVE-2025-30358
27 Mar 2025 — Just like the Javascript's prototype pollution, this vulnerability could leave a way for attackers to manipulate the intended data-flow or control-flow of the application at runtime and lead to severe consequences like remote code execution when gadgets are available. • https://github.com/mesop-dev/mesop/commit/748e20d4a363d89b841d62213f5b0c6b4bed788f • CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes •
CVSS: 4.4EPSS: 0%CPEs: 3EXPL: 0CVE-2025-2867 – Improper Control of Generation of Code ('Code Injection') in GitLab
https://notcve.org/view.php?id=CVE-2025-2867
27 Mar 2025 — An issue has been discovered in the GitLab Duo with Amazon Q affecting all versions from 17.8 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. A specifically crafted issue could manipulate AI-assisted development features to potentially expose sensitive project data to unauthorized users. • https://gitlab.com/gitlab-org/gitlab/-/issues/512509 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 1CVE-2025-29306
https://notcve.org/view.php?id=CVE-2025-29306
27 Mar 2025 — An issue in FoxCMS v.1.2.5 allows a remote attacker to execute arbitrary code via the case display page in the index.html component. • https://github.com/somatrasss/CVE-2025-29306 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30232 – Debian Security Advisory 5887-1
https://notcve.org/view.php?id=CVE-2025-30232
27 Mar 2025 — A remote attacker could use this issue to cause Exim to crash, resulting in a denial of service, or possibly execute arbitrary code. • https://www.exim.org/static/doc/security/CVE-2025-30232.txt • CWE-416: Use After Free •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30878 – WordPress JS Help Desk plugin <= 2.9.2 - Arbitrary File Deletion vulnerability
https://notcve.org/view.php?id=CVE-2025-30878
27 Mar 2025 — The JS Help Desk – The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and including, 2.9.2. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://patchstack.com/database/wordpress/plugin/js-support-ticket/vulnerability/wordpress-js-help-desk-plugin-2-9-2-arbitrary-file-deletion-vulnerability? • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30910 – WordPress CM Download Manager plugin <= 2.9.6 - Arbitrary File Deletion vulnerability
https://notcve.org/view.php?id=CVE-2025-30910
27 Mar 2025 — The CM Download Manager – Simplify file sharing with powerful download management plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deletescreenshot() function in all versions up to, and including, 2.9.6. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://patchstack.com/database/wordpress/plugin/cm-download-manager/vulnerability/wordpress-cm-download-manager-plugin-2-9-6-arbitrary-file-deletion-vulnerability? • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •