
CVE-2025-31119 – CWE-470 in generator-jhipster-entity-audit when having Javers selected as Entity Audit Framework
https://notcve.org/view.php?id=CVE-2025-31119
03 Apr 2025 — If an attacker manages to place malicious classes on the classpath and also has access to this REST interface for calling the mentioned REST endpoints, these lines of code can lead to unintended remote code execution. • https://github.com/jhipster/generator-jhipster-entity-audit/blob/e21e83135d10c77d92203c89cb0b0063914e8fe0/generators/spring-boot-javers/templates/src/main/java/_package_/web/rest/JaversEntityAuditResource.java.ejs#L88 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •

CVE-2025-3169 – Projeqtor saveAttachment.php unrestricted upload
https://notcve.org/view.php?id=CVE-2025-3169
03 Apr 2025 — A vulnerability was found in Projeqtor up to 12.0.2. It has been rated as critical. Affected by this issue is some unknown functionality of the file /tool/saveAttachment.php. The manipulation of the argument attachmentFiles leads to unrestricted upload. The attack may be launched remotely. • https://github.com/deadmilkman/cve-reports/blob/main/01-projeqtor-rce/readme.md • CWE-284: Improper Access Control CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-31115 – XZ has a heap-use-after-free bug in threaded .xz decoder
https://notcve.org/view.php?id=CVE-2025-31115
03 Apr 2025 — If a user or automated system were tricked into processing an xz file, a remote attacker could use this issue to cause XZ Utils to crash, resulting in a denial of service, or possibly execute arbitrary code. • https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480 • CWE-366: Race Condition within a Thread CWE-416: Use After Free CWE-476: NULL Pointer Dereference CWE-826: Premature Release of Resource During Expected Lifetime •

CVE-2024-13645 – TagDiv Composer <= 5.3 - Unauthenticated Arbitrary PHP Object Instantiation
https://notcve.org/view.php?id=CVE-2024-13645
03 Apr 2025 — If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. • https://tagdiv.com/tagdiv-composer-page-builder-basics • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-13744 – Booster for WooCommerce 4.0.1 - 7.2.4 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-13744
03 Apr 2025 — The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the validate_product_input_fields_on_add_to_cart function in versions 4.0.1 to 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/changeset/3262569/woocommerce-jetpack/trunk/includes/input-fields/class-wcj-product-input-fields-core.php • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-3164 – Tencent Music Entertainment SuperSonic H2 Database Connection testConnect code injection
https://notcve.org/view.php?id=CVE-2025-3164
03 Apr 2025 — The manipulation leads to code injection. The attack may be launched remotely. ... Affected is unknown code of the file /api/semantic/database/testConnect of the component H2 Database Connection Handler. Through manipulation with unknown data, a code injection vulnerability can be exploited. • https://vuldb.com/?id.303110 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-3163 – InternLM LMDeploy conf.py open code injection
https://notcve.org/view.php?id=CVE-2025-3163
03 Apr 2025 — The manipulation leads to code injection. It is possible to launch the attack on the local host. ... Through manipulation with unknown data, a code injection vulnerability can be exploited. • https://vuldb.com/?id.303109 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-22457 – Ivanti Connect Secure, Policy Secure and ZTA Gateways Stack-Based Buffer Overflow Vulnerability
https://notcve.org/view.php?id=CVE-2025-22457
03 Apr 2025 — A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution. Ivanti Connect Secure, Policy Secure and ZTA Gateways contain a stack-based buffer overflow vulnerability that allows a remote unauthenticated attacker to achieve remote code execution. • https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457 • CWE-121: Stack-based Buffer Overflow •

CVE-2025-3161 – Tenda AC10 ShutdownSetAdd stack-based overflow
https://notcve.org/view.php?id=CVE-2025-3161
03 Apr 2025 — A vulnerability was found in Tenda AC10 16.03.10.13 and classified as critical. This issue affects the function ShutdownSetAdd of the file /goform/ShutdownSetAdd. The manipulation of the argument list leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/LxxxtSec/CVE/blob/main/CVE_1.md#vulnerability-proof-supplement-remote-code-execution-rce • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-121: Stack-based Buffer Overflow •

CVE-2025-3157 – Intelbras WRN 150 Wireless Menu cross site scripting
https://notcve.org/view.php?id=CVE-2025-3157
03 Apr 2025 — A vulnerability was found in Intelbras WRN 150 1.0.15_pt_ITB01. It has been rated as problematic. This issue affects some unknown processing of the component Wireless Menu. The manipulation of the argument SSID leads to cross site scripting. The attack may be initiated remotely. • https://vuldb.com/?id.303101 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •