
CVE-2025-4992 – Stored Cross-site Scripting (XSS) vulnerability affecting Service Items Management in Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2025x
https://notcve.org/view.php?id=CVE-2025-4992
30 May 2025 — A stored Cross-site Scripting (XSS) vulnerability affecting Service Items Management in Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in a user's browser session. • https://www.3ds.com/vulnerability/advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-4635 – Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-4635
30 May 2025 — A malicious user with administrative privileges in the web portal would be able to manipulate the Diagnostics module to obtain remote code execution on the local device as a low privileged user. • https://jct-aq.com/products/airpointer2d • CWE-20: Improper Input Validation •

CVE-2025-48492 – GetSimple CMS RCE in Edit component
https://notcve.org/view.php?id=CVE-2025-48492
30 May 2025 — In versions 3.3.16 through 3.3.21, an authenticated user with access to the Edit component can inject arbitrary PHP into a component file and execute it via a crafted query string, resulting in Remote Code Execution (RCE). This issue is set to be patched in version 3.3.22. • https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/security/advisories/GHSA-g435-p72m-p582 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2025-4857 – Newsletters <= 4.9.9.9 - Authenticated (Administrator+) Local File Inclusion
https://notcve.org/view.php?id=CVE-2025-4857
30 May 2025 — This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
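The inclusion pattern described above, shown as an added example that is not the Newsletters plugin's code: an `include` built from a request parameter beside a resolver that pins the candidate inside a template directory. The function names, the template directory layout and the probe inputs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the Newsletters plugin's code. Demonstrates the local file
// inclusion pattern (CWE-22 into include) and a containment check that rejects
// "../", absolute paths, stream wrappers and symlinks escaping the base directory.

// Vulnerable: whatever the request says is joined onto the directory and included,
// so "../uploads/avatar.jpg" (an uploaded "image" carrying PHP) is executed.
function include_template_unsafe(string $baseDir, string $template): void
{
    include $baseDir . '/' . $template;
}

// Hardened resolver: returns the canonical path of an allowed template or null.
function resolve_template(string $baseDir, string $template): ?string
{
    // 1. Only a bare name is acceptable. This alone blocks "../", "/etc/passwd",
    //    "php://filter/..." and "phar://..." before any filesystem call happens.
    if (preg_match('/^[A-Za-z0-9_-]+$/', $template) !== 1) {
        return null;
    }
    // 2. Canonicalise both sides and require the file to stay under the base.
    //    This second check also catches a symlink inside the template directory
    //    that points elsewhere, which the name check cannot see.
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $template . '.php');
    if ($base === false || $real === false) {
        return null;
    }
    if (!str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $real;
}

function include_template_safe(string $baseDir, string $template): bool
{
    $path = resolve_template($baseDir, $template);
    if ($path === null) {
        return false;
    }
    include $path;
    return true;
}

// Constructed fixture: a throwaway template directory with one legitimate
// template and a sensitive sibling file outside it.
$tmp = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir($tmp . '/templates', 0700, true);
file_put_contents($tmp . '/templates/welcome.php', "<?php echo \"welcome template\\n\";\n");
file_put_contents($tmp . '/secret.txt', "db password\n");
$base = $tmp . '/templates';

// Constructed probes an attacker would send in the template parameter.
$probes = [
    'welcome',
    '../secret.txt',
    '../../../../etc/passwd',
    '/etc/passwd',
    'php://filter/convert.base64-encode/resource=welcome',
];
foreach ($probes as $p) {
    printf("%-55s -> %s\n", $p, resolve_template($base, $p) ?? 'rejected');
}
include_template_safe($base, 'welcome');
```

The name check does the real work; the `realpath` containment check is a second, independent layer so that a future change to the regular expression (or a symlink dropped into the template directory) does not silently reopen the hole.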

CVE-2025-5307 – Santesoft Sante DICOM Viewer Pro Out-of-bounds Read
https://notcve.org/view.php?id=CVE-2025-5307
29 May 2025 — A local attacker could exploit this issue to potentially disclose information and to execute arbitrary code on affected installations of Sante DICOM Viewer Pro. • https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-148-01 • CWE-125: Out-of-bounds Read •

CVE-2025-48471 – FreeScout Vulnerable to Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-48471
29 May 2025 — This allows files to be uploaded with the phtml and phar extensions, which can lead to remote code execution if the Apache web server is used. • https://github.com/freescout-help-desk/freescout/commit/e136660e8dbc220454b8d3f646dd1b144e49e9ed • CWE-434: Unrestricted Upload of File with Dangerous Type •
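Why an extension denylist lets `.phtml` and `.phar` through, as an added example that is not FreeScout's code: on a typical Debian-style Apache `mod_php` setup those extensions are mapped to the PHP handler alongside `.php`, so any list that only names `.php` variants is incomplete. The denylist, allowlist and sample file names below are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not FreeScout's code. Contrasts a denylist that forgets
// .phtml/.phar with an allowlist plus a server-generated storage name.

// Hypothetical denylist of the kind the advisory implies was in place.
const DENIED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phps'];

// Allowlist for an attachment feature: only types the web server never executes.
const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt'];

function extension_of(string $clientName): string
{
    // basename() drops any directory part; lower-casing stops "x.PHTML" bypasses.
    return strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
}

function denylist_accepts(string $clientName): bool
{
    return !in_array(extension_of($clientName), DENIED_EXTENSIONS, true);
}

/**
 * Name to store the upload under, or null to reject it. The client name is
 * never reused: a random stem plus the vetted extension also defuses double
 * extensions such as "shell.php.png", which Apache mod_mime can otherwise
 * route to the PHP handler when the file is served from the upload directory.
 */
function allowlist_storage_name(string $clientName): ?string
{
    $ext = extension_of($clientName);
    if ($ext === '' || !in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null; // rejects .phtml, .phar, .htaccess and extensionless names
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample of client-supplied file names; no such files exist.
$samples = ['report.pdf', 'photo.PNG', 'shell.phtml', 'backdoor.phar',
            'shell.php.png', '.htaccess', 'notes'];

foreach ($samples as $name) {
    printf("%-16s denylist=%s  allowlist=%s\n",
        $name,
        denylist_accepts($name) ? 'accept' : 'reject',
        allowlist_storage_name($name) === null ? 'reject' : 'accept');
}
```

Extension vetting is necessary but not sufficient on its own: the upload directory should additionally be served with script execution disabled (for Apache, a `php_flag engine off` or `SetHandler none` scoped to that directory), so that a mistake in the allowlist does not become code execution.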

CVE-2025-48390 – FreeScout Vulnerable to Remote Code Execution (RCE)
https://notcve.org/view.php?id=CVE-2025-48390
29 May 2025 — Prior to version 1.8.178, FreeScout is vulnerable to code injection due to insufficient validation of user input in the php_path parameter. ... Further in tools.php, the user can specify the path to this folder as php_path, which leads to the supplied value being executed inside backticks (PHP's shell_exec operator). • https://github.com/freescout-help-desk/freescout/commit/fb33d672a2d67f5a2b3cf69c80945267f17908b2 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
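The backtick problem in isolation, as an added example that is not FreeScout's code: a `php_path` value interpolated into a backtick string is a shell command, so `/usr/bin/php; id` runs `id`. The function names, the permitted-directory list and the malicious input below are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not FreeScout's code. Backticks in PHP are shell_exec(), so
// interpolating user input into them is shell command injection (CWE-94/CWE-78).

// Vulnerable pattern: the user-supplied path goes straight into the command.
function build_command_unsafe(string $phpPath): string
{
    // Equivalent to executing: `$phpPath -r 'echo PHP_VERSION;'`
    return "$phpPath -r 'echo PHP_VERSION;'";
}

// Hardened: validate the path before it reaches a shell, then quote it anyway.
function validate_php_path(string $phpPath): string
{
    // 1. Absolute path from a tight character set; every shell metacharacter
    //    (";", "|", "$", backtick, space, newline) is rejected outright.
    if (preg_match('#^/[A-Za-z0-9_./-]+$#', $phpPath) !== 1) {
        throw new InvalidArgumentException('php_path: disallowed characters');
    }
    // 2. Resolve symlinks and ".." segments; require a real executable file.
    $real = realpath($phpPath);
    if ($real === false || !is_file($real) || !is_executable($real)) {
        throw new InvalidArgumentException('php_path: not an executable file');
    }
    // 3. Pin the interpreter to directories where one is expected to live
    //    (assumed list; adjust for your hosts).
    foreach (['/usr/bin/', '/usr/local/bin/', '/opt/'] as $dir) {
        if (str_starts_with($real, $dir)) {
            return $real;
        }
    }
    throw new InvalidArgumentException('php_path: outside permitted directories');
}

function build_command_safe(string $phpPath): string
{
    $real = validate_php_path($phpPath);
    // escapeshellarg() single-quotes the value, so the command stays safe even
    // if the character check above is relaxed later.
    return escapeshellarg($real) . " -r 'echo PHP_VERSION;'";
}

// Constructed attacker input: a plausible path followed by an injected command.
$malicious = '/usr/bin/php; id > /tmp/pwned';

echo "unsafe: ", build_command_unsafe($malicious), "\n";
try {
    echo "safe:   ", build_command_safe($malicious), "\n";
} catch (InvalidArgumentException $e) {
    echo "safe:   rejected (", $e->getMessage(), ")\n";
}

// Benign case: only executes after validation. PHP_BINARY is the running
// interpreter; it is rejected if it lives outside the assumed directories.
try {
    $version = shell_exec(build_command_safe(PHP_BINARY));
    echo "version: ", trim((string) $version), "\n";
} catch (InvalidArgumentException $e) {
    echo "version: ", $e->getMessage(), "\n";
}
```

Validation of the value and quoting of the argument are separate controls; the fix should keep both, because a setting an administrator can edit through the web portal is still untrusted input once that account is phished or the portal has another vulnerability.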

CVE-2025-27151 – redis-check-aof may lead to stack overflow and potential RCE
https://notcve.org/view.php?id=CVE-2025-27151
29 May 2025 — This allows an attacker to overflow the stack and potentially achieve code execution. • https://github.com/redis/redis/security/advisories/GHSA-5453-q98w-cmvm • CWE-20: Improper Input Validation CWE-121: Stack-based Buffer Overflow •

CVE-2025-1051 – Sonos Era 300 Heap-based Buffer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2025-1051
29 May 2025 — This vulnerability allows network-adjacent attackers to execute arbitrary code on affected Sonos Era 300 speakers. ... An attacker can leverage this vulnerability to execute code in the context of the anacapa user. •

CVE-2025-48336 – WordPress Course Builder < 3.6.6 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-48336
29 May 2025 — If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. • https://patchstack.com/database/wordpress/theme/course-builder/vulnerability/wordpress-course-builder-3-6-6-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data •
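What "a POP chain present via an additional plugin or theme" means in practice, as an added example that is not the Course Builder theme's code: `TempFileCleaner` is a hypothetical gadget class standing in for any loaded class whose `__destruct` acts on attacker-controlled properties, and the payload is constructed by hand. The `allowed_classes` option shown in the hardened variant is a real `unserialize()` parameter (PHP 7.0+).

```php
<?php
declare(strict_types=1);

// Added example, not the Course Builder theme's code. Shows how unserialize()
// on untrusted data (CWE-502) hands control to a gadget class's magic method,
// and how allowed_classes=false neutralises it.

// Hypothetical gadget: a class some plugin or theme would legitimately load.
final class TempFileCleaner
{
    public string $path = '';

    public function __destruct()
    {
        // Runs when the object is collected, including objects that
        // unserialize() created from attacker-supplied bytes.
        if ($this->path !== '' && is_file($this->path)) {
            unlink($this->path); // attacker chooses $path: arbitrary file delete
        }
    }
}

// Vulnerable: any loaded class may be instantiated, so its magic methods run.
function restore_unsafe(string $data): mixed
{
    return unserialize($data);
}

// Hardened: objects become __PHP_Incomplete_Class, whose __destruct/__wakeup
// never fire. When the format is yours to choose, json_decode() is safer still.
function restore_safe(string $data): mixed
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Constructed payload, written as a string so that no TempFileCleaner instance
// exists on the "attacker" side (instantiating one here would fire the destructor).
function payload_for(string $target): string
{
    return sprintf('O:15:"TempFileCleaner":1:{s:4:"path";s:%d:"%s";}',
        strlen($target), $target);
}

// Victim file the gadget will be pointed at.
$victim  = tempnam(sys_get_temp_dir(), 'poi');
$payload = payload_for($victim);

$obj = restore_safe($payload);
echo "safe unserialize produced: ", get_class($obj), "\n";  // __PHP_Incomplete_Class
unset($obj);                                                  // no destructor runs
echo "after safe unserialize:   ", file_exists($victim) ? "file intact\n" : "file deleted\n";

$obj = restore_unsafe($payload);
echo "unsafe unserialize produced: ", get_class($obj), "\n"; // TempFileCleaner
unset($obj);                                                  // destructor deletes $victim
echo "after unsafe unserialize: ", file_exists($victim) ? "file intact\n" : "file deleted\n";
```

The point for triage is that the vulnerable theme need not contain anything dangerous itself: the injection only supplies the object, and any class already loaded in the WordPress process supplies the behaviour, which is why the advisory's impact depends on what else is installed.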