
CVE-2025-3823 – SourceCodester Web-based Pharmacy Product Management System add-stock.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-3823
20 Apr 2025 — A vulnerability classified as problematic has been found in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected is an unknown function of the file add-stock.php. The manipulation of the argument txttotalcost/txtproductID/txtprice/txtexpirydate leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://vuldb.com/?id.305730 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-3822 – SourceCodester Web-based Pharmacy Product Management System changepassword.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-3822
20 Apr 2025 — A vulnerability was found in SourceCodester Web-based Pharmacy Product Management System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file changepassword.php. The manipulation of the argument txtconfirm_password/txtnew_password/txtold_password leads to cross site scripting. The attack may be initiated remotely. • https://vuldb.com/?id.305729 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-3821 – SourceCodester Web-based Pharmacy Product Management System add-admin.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-3821
20 Apr 2025 — This vulnerability affects unknown code of the file add-admin.php. • https://vuldb.com/?id.305728 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-3806 – dazhouda lecms Edit Profile admin cross site scripting
https://notcve.org/view.php?id=CVE-2025-3806
19 Apr 2025 — Affected by this issue is unknown code of the file /admin of the component Edit Profile Handler. • https://vuldb.com/?id.305660 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-3801 – songquanpeng one-api System Setting cross site scripting
https://notcve.org/view.php?id=CVE-2025-3801
19 Apr 2025 — A vulnerability was found in songquanpeng one-api up to 0.6.10. It has been classified as problematic. This affects an unknown part of the component System Setting Handler. The manipulation of the argument Homepage Content/About System/Footer leads to cross site scripting. It is possible to initiate the attack remotely. • https://vuldb.com/?id.305655 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-3795 – DaiCuo SEO Optimization Settings Section cross site scripting
https://notcve.org/view.php?id=CVE-2025-3795
18 Apr 2025 — A vulnerability was found in DaiCuo 1.3.13. It has been rated as problematic. Affected by this issue is some unknown functionality of the component SEO Optimization Settings Section. The manipulation leads to cross site scripting. The attack may be launched remotely. • https://vuldb.com/?id.305648 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-3404 – Download Manager <= 3.3.12 - Authenticated (Author+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-3404
18 Apr 2025 — The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the savePackage function in all versions up to, and including, 3.3.12. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://www.wordfence.com/threat-intel/vulnerabilities/id/21f8f5be-b513-4040-af39-c1a61d7e313f?source=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-32434 – PyTorch: `torch.load` with `weights_only=True` leads to remote code execution
https://notcve.org/view.php?id=CVE-2025-32434
18 Apr 2025 — In version 2.5.1 and prior, a Remote Command Execution (RCE) vulnerability exists in PyTorch when loading a model using torch.load with weights_only=True. • https://github.com/pytorch/pytorch/security/advisories/GHSA-53q9-r3pm-6pq6 • CWE-502: Deserialization of Untrusted Data •

CVE-2025-29953 – Apache ActiveMQ NMS OpenWire Client: deserialization allowlist bypass
https://notcve.org/view.php?id=CVE-2025-29953
18 Apr 2025 — Such servers could abuse the unbounded deserialization in the client to provide malicious responses that may eventually cause arbitrary code execution on the client. • https://lists.apache.org/thread/vc1sj9y3056d3kkhcvrs9fyw5w8kpmlx • CWE-502: Deserialization of Untrusted Data •

CVE-2025-1093 – AIHub <= 1.3.7 - Unauthenticated Arbitrary File Upload in generate_image
https://notcve.org/view.php?id=CVE-2025-1093
18 Apr 2025 — The AIHub theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the generate_image function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://www.wordfence.com/threat-intel/vulnerabilities/id/09adfe7e-f154-4143-827f-957ded3ffc8f?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •