CVSS: 10.0 • EPSS: 0% • CPEs: - • EXPL: 0 • CVE-2025-60803
https://notcve.org/view.php?id=CVE-2025-60803
24 Oct 2025 — Antabot White-Jotter up to commit 9bcadc was discovered to contain an unauthenticated remote code execution (RCE) vulnerability via the component /api/aaa;/.. • https://github.com/Antabot/White-Jotter/issues/162 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS: 8.5 • EPSS: 0% • CPEs: - • EXPL: 0 • CVE-2025-60801
https://notcve.org/view.php?id=CVE-2025-60801
24 Oct 2025 — jshERP up to commit fbda24da was discovered to contain an unauthenticated remote code execution (RCE) vulnerability via the jsh_erp function. • https://fushuling.com/index.php/2025/08/17/%e7%bb%95%e8%bf%87%e8%a1%a5%e4%b8%81%ef%bc%8c%e5%86%8d%e6%ac%a1%e5%ae%9e%e7%8e%b0%e5%8d%8e%e5%a4%8ferp%e6%9c%aa%e6%8e%88%e6%9d%83rce%e5%b7%b2%e4%bf%ae%e5%a4%8d • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVSS: 10.0 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2025-62498 – AutomationDirect Productivity Suite Relative Path Traversal
https://notcve.org/view.php?id=CVE-2025-62498
23 Oct 2025 — The vulnerability allows an attacker who can tamper with a productivity project to execute arbitrary code on the machine where the project is opened. • https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-296-01.json • CWE-23: Relative Path Traversal
CVSS: 8.3 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-11889 – AIO Forms <= 1.3.15 - Authenticated (Admin+) Arbitrary File Upload via Zip Import
https://notcve.org/view.php?id=CVE-2025-11889
23 Oct 2025 — This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://www.wordfence.com/threat-intel/vulnerabilities/id/6dc69491-0f40-4bab-9215-b25f72110e26?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS: 8.3 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-6978 – Diagnostics command injection vulnerability
https://notcve.org/view.php?id=CVE-2025-6978
23 Oct 2025 — This vulnerability allows remote attackers to execute arbitrary code on affected installations of Arista NG Firewall. ... An attacker can leverage this vulnerability to execute code in the context of root. • https://www.arista.com/en/support/advisories-notices/security-advisory/22535-security-advisory-0123 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS: 9.8 • EPSS: 1% • CPEs: 1 • EXPL: 0 • CVE-2025-62713 – Kottster app reinitialization can be re-triggered allowing command injection in development mode
https://notcve.org/view.php?id=CVE-2025-62713
23 Oct 2025 — From versions 3.2.0 to before 3.3.2, Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode. • https://github.com/kottster/kottster/commit/0a7d24922a23aac98372155348787670937eef89 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') • CWE-284: Improper Access Control
CVSS: 8.4 • EPSS: 0% • CPEs: - • EXPL: 0 • CVE-2025-61865
https://notcve.org/view.php?id=CVE-2025-61865
23 Oct 2025 — A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege. • https://jvn.jp/en/jp/JVN03295012 • CWE-428: Unquoted Search Path or Element
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1 • CVE-2025-6440 – WooCommerce Designer Pro <= 1.9.26 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-6440
23 Oct 2025 — This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. WordPress WooCommerce Designer Pro plugin versions 1.9.26 and below suffer from a remote shell upload vulnerability. • https://packetstorm.news/files/id/211066 • CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS: 6.4 • EPSS: 0% • CPEs: - • EXPL: 0 • CVE-2025-60859
https://notcve.org/view.php?id=CVE-2025-60859
23 Oct 2025 — Cross Site Scripting (XSS) vulnerability in Gnuboard 5.6.15 allows authenticated attackers to execute arbitrary code via crafted c_id parameter in bbs/view_comment.php. • https://creeperkirby.notion.site/Gnboard5-5-6-15-reflected-XSS-25c4fe7db8cf80efa20fc2ebefcfe61e?source=copy_link • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 6.1 • EPSS: 0% • CPEs: - • EXPL: 0 • CVE-2025-57240
https://notcve.org/view.php?id=CVE-2025-57240
23 Oct 2025 — Cross site scripting (XSS) vulnerability in 17gz International Student service system 1.0 allows attackers to execute arbitrary code via the registration step. • https://github.com/samllpotato1/xss/blob/main/xss.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
