CVSS: 9.8 • EPSS: 0% • CPEs: - • EXPL: 0

10 Jan 2025 — Tenda ac9 v1.0 firmware v15.03.05.19 contains a stack overflow vulnerability in /goform/SetOnlineDevName, which may lead to remote arbitrary code execution. • https://noisy-caravel-a9a.notion.site/Tenda_AC9V1-0_V15-03-05-19_formSetDeviceName_sprintf_bof-16f898c94eac8057afcbceb63fda7d24 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

10 Jan 2025 — The additional presence of a POP chain allows attackers to delete arbitrary files on the server, which makes remote code execution possible. • https://patchstack.com/database/wordpress/plugin/give/vulnerability/wordpress-givewp-plugin-3-19-3-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data

CVSS: 6.1 • EPSS: 0% • CPEs: - • EXPL: 2

10 Jan 2025 — Microweber Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the create new backup function in the endpoint /admin/module/view? • https://packetstorm.news/files/id/188670 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.7 • EPSS: 0% • CPEs: - • EXPL: 2

10 Jan 2025 — Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the campaign Name (Internal Name) field in the Add new campaign function. Microweber versions 2.0.9 and below suffer from multiple persistent cross site scripting vulnerabilities. • https://packetstorm.news/files/id/188670 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 0% • CPEs: - • EXPL: 0

10 Jan 2025 — A Cross Site Scripting (XSS) vulnerability was found in /landrecordsys/admin/contactus.php in PHPGurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the "pagetitle" parameter. • https://github.com/Santoshcyber1/CVE-wirteup/blob/main/Phpgurukul/Land%20record/Reflected%20Cross%20Site%20Scripting.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 0% • CPEs: - • EXPL: 0

10 Jan 2025 — Tenda ac9 v1.0 firmware v15.03.05.19 is vulnerable to command injection in /goform/SetSambaCfg, which may lead to remote arbitrary code execution. • https://noisy-caravel-a9a.notion.site/Tenda_AC9V1-0_V15-03-05-19_formSetSambaConf_doSystemCmd_CI-16f898c94eac80d5801bdaf777ac2b27 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

10 Jan 2025 — The additional presence of a POP chain allows attackers to delete arbitrary files on the server, which makes remote code execution possible. • https://plugins.trac.wordpress.org/changeset/3212723/give/tags/3.19.3/src/Helpers/Utils.php • CWE-502: Deserialization of Untrusted Data

CVSS: 4.7 • EPSS: 0% • CPEs: - • EXPL: 1

10 Jan 2025 — Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the First Name and Last Name parameters in the endpoint /admin/module/view? • https://github.com/MathSabo/CVE-2024-33299 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 10.0 • EPSS: 0% • CPEs: - • EXPL: 0

10 Jan 2025 — An OS Command Injection vulnerability was found in /landrecordsys/admin/dashboard.php in PHPGurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the "Cookie" GET request parameter. • https://github.com/Santoshcyber1/CVE-wirteup/blob/main/Phpgurukul/Land%20record/Command%20Injection.pdf • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 9.8 • EPSS: 0% • CPEs: - • EXPL: 0

10 Jan 2025 — An arbitrary file upload vulnerability in the MediaPool module of Redaxo CMS v5.17.1 allows attackers to execute arbitrary code via uploading a crafted file. • https://gist.github.com/h4ckr4v3n/26eaa57d94f749b597ede8b404c234df • CWE-434: Unrestricted Upload of File with Dangerous Type