
CVE-2025-53515 – Advantech iView SQL Injection
https://notcve.org/view.php?id=CVE-2025-53515
10 Jul 2025 — A vulnerability exists in Advantech iView that allows for SQL injection and remote code execution through NetworkServlet.archiveTrap(). ... Certain input parameters are not sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account. • https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2025-52577 – Advantech iView SQL Injection
https://notcve.org/view.php?id=CVE-2025-52577
10 Jul 2025 — A vulnerability exists in Advantech iView that could allow SQL injection and remote code execution through NetworkServlet.archiveTrapRange(). ... Certain input parameters are not properly sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account. • https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2025-53475 – Advantech iView SQL Injection
https://notcve.org/view.php?id=CVE-2025-53475
10 Jul 2025 — A vulnerability exists in Advantech iView that could allow for SQL injection and remote code execution through NetworkServlet.getNextTrapPage(). ... Certain parameters in this function are not properly sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account. • https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2025-3946 – Incorrect response generation during FTEB protocol processing
https://notcve.org/view.php?id=CVE-2025-3946
10 Jul 2025 — An attacker could potentially exploit this vulnerability, leading to Input Data Manipulation, which could result in incorrect handling of packets leading to remote code execution. • https://process.honeywell.com • CWE-430: Deployment of Wrong Handler •

CVE-2025-2523 – Lack of buffer clearing before reuse may result in incorrect system behavior.
https://notcve.org/view.php?id=CVE-2025-2523
10 Jul 2025 — An attacker could potentially exploit this vulnerability, leading to a Communication Channel Manipulation, which could result in a failure during subtraction allowing remote code execution. • https://process.honeywell.com • CWE-191: Integer Underflow (Wrap or Wraparound) •

CVE-2025-2521 – Lack of indexes’ validation against buffer borders leads to remote code execution.
https://notcve.org/view.php?id=CVE-2025-2521
10 Jul 2025 — An attacker could potentially exploit this vulnerability, leading to an Overread Buffers, which could result in improper index validation against buffer borders leading to remote code execution. • https://process.honeywell.com • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVE-2025-34100 – BuilderEngine 3.5.0 RCE via Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-34100
10 Jul 2025 — The plugin fails to properly validate or restrict file types or locations during upload operations, allowing an attacker to upload a malicious .php file and subsequently execute arbitrary PHP code on the server under the context of the web server process. While the root vulnerability lies within the jQuery File Upload component, BuilderEngine’s improper integration and lack of access controls expose this functionality to unauthenticated users, resulting in full remote code exe... • https://support.alertlogic.com/hc/en-us/articles/115004703183-BuilderEngine-Content-Management-System-CMS-elFinder-2-0-Arbitrary-File-Upload • CWE-20: Improper Input Validation CWE-306: Missing Authentication for Critical Function CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-34102 – CryptoLog Unauthenticated RCE via SQL Injection and Command Injection
https://notcve.org/view.php?id=CVE-2025-34102
10 Jul 2025 — A remote code execution vulnerability exists in CryptoLog (PHP version, discontinued since 2009) due to a chained exploitation of SQL injection and command injection vulnerabilities. An unauthenticated attacker can gain shell access as the web server user by first exploiting a SQL injection flaw in login.php to bypass authentication, followed by command injection in logshares_ajax.php to execute arbitrary operating system commands. ... Once authenticated, the attack... • https://pentest.blog/advisory-cryptolog-unauthenticated-remote-code-execution • CWE-20: Improper Input Validation CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-306: Missing Authentication for Critical Function •

CVE-2025-34096 – Easy File Sharing HTTP Server 7.2 Buffer Overflow via POST to /sendemail.ghp
https://notcve.org/view.php?id=CVE-2025-34096
10 Jul 2025 — An unauthenticated remote attacker can exploit this to execute arbitrary code with the privileges of the server process. • https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/easyfilesharing_post.rb • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVE-2025-34095 – Mako Server v2.5 and v2.6 OS Command Injection via examples/save.lsp
https://notcve.org/view.php?id=CVE-2025-34095
10 Jul 2025 — An unauthenticated attacker can send a crafted PUT request containing arbitrary Lua os.execute() code, which is then persisted on disk and triggered via a subsequent GET request to examples/manage.lsp. This allows remote command execution on the underlying operating system, impacting both Windows and Unix-based deployments. • https://vulncheck/advisories/mako-server-rce • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •