CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 3CVE-2025-34093 – Polycom HDX Series Telnet Command Injection via lan traceroute
https://notcve.org/view.php?id=CVE-2025-34093
10 Jul 2025 — The lan traceroute command in the devcmds console accepts unsanitized input, allowing attackers to execute arbitrary system commands. By injecting shell metacharacters through the traceroute interface, an attacker can achieve remote code execution under the context of the root user. • https://staaldraad.github.io/2017/11/12/polycom-hdx-rce • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2025-34097 – ProcessMaker < 3.5.4 Authenticated Plugin Upload RCE
https://notcve.org/view.php?id=CVE-2025-34097
10 Jul 2025 — An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s install() method is invoked, resulting in execution of attacker-supplied PHP code on the server with the privileges of the web server user. This vulnerability can be chained with CVE-2022-38577 — a privilege es... • https://process-maker-authenticated-plugin-upload-rce • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-7021 – OpenAI Operator - API Spoofing through Locking Operator on FullScreen
https://notcve.org/view.php?id=CVE-2025-7021
10 Jul 2025 — Fullscreen API Spoofing and UI Redressing in the handling of Fullscreen API and UI rendering in OpenAI Operator SaaS on Web allows a remote attacker to capture sensitive user input (e.g., login credentials, email addresses) via displaying a deceptive fullscreen interface with overlaid fake browser controls and a distracting element (like a cookie consent screen) to obscure fullscreen notifications, tricking the user into interacting with the malicious site. • https://github.com/google/security-research/security/advisories/GHSA-mmgx-755h-wr74 • CWE-451: User Interface (UI) Misrepresentation of Critical Information •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-53503 – Trend Micro Cleaner One Pro Link Following Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2025-53503
10 Jul 2025 — An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Junk Files Cleanup functionality. By creating a junction, an attacker can abuse the service to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. • https://helpcenter.trendmicro.com/en-us/article/tmka-12951 • CWE-64: Windows Shortcut Following (.LNK) •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-53626 – pdfme has Sandbox Escape and Prototype Pollution vulnerabilities in pdfme expression evaluation
https://notcve.org/view.php?id=CVE-2025-53626
10 Jul 2025 — pdfme is a TypeScript-based PDF generator and React-based UI. The expression evaluation feature in pdfme 5.2.0 to 5.4.0 contains critical vulnerabilities allowing sandbox escape leading to XSS and prototype pollution attacks. This vulnerability is fixed in 5.4.1. • https://github.com/pdfme/pdfme/commit/0dd54739acff2c249ed68c001a896bee38f0fd85 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-5392 – GB Forms DB <= 1.0.2 - Unauthenticated Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-5392
10 Jul 2025 — The GB Forms DB plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.2 via the gbfdb_talk_to_front() function. ... This makes it possible for unauthenticated attackers to execute code on the server which can be leverage to inject backdoors or create new administrative user accounts to name a few things. • https://www.wordfence.com/threat-intel/vulnerabilities/id/fe8723a7-bbb1-41a0-b222-3cf4eb44cd64?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-53371 – DiscordNotifications allows DOS, SSRF, and possible RCE through requests to user-controlled URLs
https://notcve.org/view.php?id=CVE-2025-53371
10 Jul 2025 — DiscordNotifications allows sending requests via curl and file_get_contents to arbitrary URLs set via $wgDiscordIncomingWebhookUrl and $wgDiscordAdditionalIncomingWebhookUrls. ... SSRF is also possible if there are internal unprotected APIs that can be accessed using HTTP POST requests, which could also possibly lead to RCE. This vulnerability is fixed in commit 1f20d850cbcce5b15951c7c6127b87b927a5415e. • https://github.com/miraheze/DiscordNotifications/commit/1f20d850cbcce5b15951c7c6127b87b927a5415e • CWE-400: Uncontrolled Resource Consumption CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.1EPSS: 0%CPEs: 1EXPL: 1CVE-2025-7408 – SourceCodester Zoo Management System animal_form_template.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-7408
10 Jul 2025 — This vulnerability affects unknown code of the file /admin/templates/animal_form_template.php. • https://github.com/manyufann/CVE/issues/4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-5040 – RTE File Parsing Heap-Based Overflow Vulnerability
https://notcve.org/view.php?id=CVE-2025-5040
10 Jul 2025 — A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. • https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0012 • CWE-122: Heap-based Buffer Overflow •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-5037 – RFA File Parsing Memory Corruption Vulnerability
https://notcve.org/view.php?id=CVE-2025-5037
10 Jul 2025 — A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. • https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0012 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •