CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-53475 – Advantech iView SQL Injection
https://notcve.org/view.php?id=CVE-2025-53475
10 Jul 2025 — A vulnerability exists in Advantech iView that could allow for SQL injection and remote code execution through NetworkServlet.getNextTrapPage(). ... Certain parameters in this function are not properly sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account. • https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.5EPSS: 0%CPEs: 20EXPL: 0CVE-2025-3946 – Incorrect response generation during FTEB protocol processing
https://notcve.org/view.php?id=CVE-2025-3946
10 Jul 2025 — An attacker could potentially exploit this vulnerability, leading to Input Data Manipulation, which could result in incorrect handling of packets leading to remote code execution. ... An attacker could potentially exploit this vulnerability, leading to Input Data Manipulation, which could result in incorrect handling of packets leading to remote code execution. • https://process.honeywell.com • CWE-430: Deployment of Wrong Handler •
CVSS: 9.7EPSS: 0%CPEs: 20EXPL: 0CVE-2025-2523 – Lack of buffer clearing before reuse may result in incorrect system behavior.
https://notcve.org/view.php?id=CVE-2025-2523
10 Jul 2025 — An attacker could potentially exploit this vulnerability, leading to a Communication Channel Manipulation, which could result in a failure during subtraction allowing remote code execution. ... An attacker could potentially exploit this vulnerability, leading to a Communication Channel Manipulation, which could result in a failure during subtraction allowing remote code execution. • https://process.honeywell.com • CWE-191: Integer Underflow (Wrap or Wraparound) •
CVSS: 9.0EPSS: 0%CPEs: 20EXPL: 0CVE-2025-2521 – Lack of indexes’ validation against buffer borders leads to remote code execution.
https://notcve.org/view.php?id=CVE-2025-2521
10 Jul 2025 — An attacker could potentially exploit this vulnerability, leading to an Overread Buffers, which could result in improper index validation against buffer borders leading to remote code execution. ... An attacker could potentially exploit this vulnerability, leading to an Overread Buffers, which could result in improper index validation against buffer borders leading to remote code execution. • https://process.honeywell.com • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2025-34100 – BuilderEngine 3.5.0 RCE via Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-34100
10 Jul 2025 — The plugin fails to properly validate or restrict file types or locations during upload operations, allowing an attacker to upload a malicious .php file and subsequently execute arbitrary PHP code on the server under the context of the web server process. While the root vulnerability lies within the jQuery File Upload component, BuilderEngine’s improper integration and lack of access controls expose this functionality to unauthenticated users, resulting in full remote code exe... • https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/builderengine_upload_exec.rb • CWE-20: Improper Input Validation CWE-306: Missing Authentication for Critical Function CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 3CVE-2025-34102 – CryptoLog Unauthenticated RCE via SQL Injection and Command Injection
https://notcve.org/view.php?id=CVE-2025-34102
10 Jul 2025 — A remote code execution vulnerability exists in CryptoLog (PHP version, discontinued since 2009) due to a chained exploitation of SQL injection and command injection vulnerabilities. An unauthenticated attacker can gain shell access as the web server user by first exploiting a SQL injection flaw in login.php to bypass authentication, followed by command injection in logshares_ajax.php to execute arbitrary operating system commands. ... Once authenticated, the attack... • https://pentest.blog/advisory-cryptolog-unauthenticated-remote-code-execution • CWE-20: Improper Input Validation CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-306: Missing Authentication for Critical Function •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2CVE-2025-34096 – Easy File Sharing HTTP Server 7.2 Buffer Overflow via POST to /sendemail.ghp
https://notcve.org/view.php?id=CVE-2025-34096
10 Jul 2025 — An unauthenticated remote attacker can exploit this to execute arbitrary code with the privileges of the server process. • https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/easyfilesharing_post.rb • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2CVE-2025-34095 – Mako Server v2.5 and v2.6 OS Command Injection via examples/save.lsp
https://notcve.org/view.php?id=CVE-2025-34095
10 Jul 2025 — An unauthenticated attacker can send a crafted PUT request containing arbitrary Lua os.execute() code, which is then persisted on disk and triggered via a subsequent GET request to examples/manage.lsp. This allows remote command execution on the underlying operating system, impacting both Windows and Unix-based deployments. • https://vulncheck/advisories/mako-server-rce • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 3CVE-2025-34093 – Polycom HDX Series Telnet Command Injection via lan traceroute
https://notcve.org/view.php?id=CVE-2025-34093
10 Jul 2025 — The lan traceroute command in the devcmds console accepts unsanitized input, allowing attackers to execute arbitrary system commands. By injecting shell metacharacters through the traceroute interface, an attacker can achieve remote code execution under the context of the root user. • https://staaldraad.github.io/2017/11/12/polycom-hdx-rce • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2025-34097 – ProcessMaker < 3.5.4 Authenticated Plugin Upload RCE
https://notcve.org/view.php?id=CVE-2025-34097
10 Jul 2025 — An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s install() method is invoked, resulting in execution of attacker-supplied PHP code on the server with the privileges of the web server user. This vulnerability can be chained with CVE-2022-38577 — a privilege escalation flaw in the ... • https://process-maker-authenticated-plugin-upload-rce • CWE-434: Unrestricted Upload of File with Dangerous Type •