
CVE-2025-20236 – Cisco Webex App Client-Side Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2025-20236
16 Apr 2025 — A vulnerability in the custom URL parser of Cisco Webex App could allow an unauthenticated, remote attacker to persuade a user to download arbitrary files, which could allow the attacker to execute arbitrary commands on the host of the targeted user. This vulnerability is due to insufficient input validation when Cisco Webex App processes a meeting invite link. An attacker could exploit this vulnerability by persuading a user to click a crafted meeting invite link and download arbitrary files. A successful ... • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-app-client-rce-ufyMMYLC • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •

CVE-2025-1980 – Remote Code Execution via Unrestricted File Upload in Ready_
https://notcve.org/view.php?id=CVE-2025-1980
16 Apr 2025 — If the server is misconfigured, as it was by default when installed at the turn of 2021 and 2022, it can result in Remote Code Execution. • https://cert.pl/en/posts/2025/04/CVE-2025-1980 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-22036 – Rancher Remote Code Execution via Cluster/Node Drivers
https://notcve.org/view.php?id=CVE-2024-22036
16 Apr 2025 — A vulnerability has been identified within Rancher where a cluster or node driver can be used to escape the chroot jail and gain root access to the Rancher container itself. In production environments, further privilege escalation is possible based on living off the land within the Rancher container itself. For the test and development environments, based on a --privileged Docker container, it is possible to escape the Docker container and gain execution access on the host system. This issue affects rancher:... • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22036 • CWE-269: Improper Privilege Management •

CVE-2025-3495 – COMMGR - Insufficient Randomization Authentication Bypass
https://notcve.org/view.php?id=CVE-2025-3495
16 Apr 2025 — An attacker could easily brute force a session ID and load and execute arbitrary code. ... • https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00005_COMMGR%20-%20Insufficient%20Randomization%20Authentication%20Bypass_v1.pdf • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •

CVE-2024-40070
https://notcve.org/view.php?id=CVE-2024-40070
16 Apr 2025 — This vulnerability allows attackers to execute arbitrary code via a crafted PHP file. • https://github.com/DiliLearngent/BugReport/blob/main/php/Online-ID-Generator-System/bug6-File-upload-img2.md • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2024-40071
https://notcve.org/view.php?id=CVE-2024-40071
16 Apr 2025 — This vulnerability allows attackers to execute arbitrary code via a crafted PHP file. • https://github.com/DiliLearngent/BugReport/blob/main/php/Online-ID-Generator-System/bug2-File-upload-img.md •

CVE-2025-39601 – WordPress Custom CSS, JS & PHP plugin <= 2.4.1 - CSRF to RCE vulnerability
https://notcve.org/view.php?id=CVE-2025-39601
16 Apr 2025 — WordPress Custom CSS, JS and PHP versions 2.4.1 and below suffer from a cross site request forgery vulnerability that leads to remote code execution. • https://patchstack.com/database/wordpress/plugin/custom-css/vulnerability/wordpress-custom-css-js-php-plugin-2-4-1-csrf-to-rce-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2024-53303
https://notcve.org/view.php?id=CVE-2024-53303
16 Apr 2025 — A remote code execution (RCE) vulnerability in the upload_file function of LRQA Nettitude PoshC2 after commit 123db87 allows authenticated attackers to execute arbitrary code via a crafted POST request. • https://gist.github.com/fern89/3464e8428d7675e4f0f390a6b2b2842e • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-53305
https://notcve.org/view.php?id=CVE-2024-53305
16 Apr 2025 — An issue in the component /models/config.py of Whoogle search v0.9.0 allows attackers to execute arbitrary code via supplying a crafted search query. • https://gist.github.com/fern89/ca5fe76ad81b4bc363e7341e523a1651 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2024-55371
https://notcve.org/view.php?id=CVE-2024-55371
16 Apr 2025 — Wallos <= 2.38.2 has a file upload vulnerability in the restore backup function, which allows authenticated users to restore backups by uploading a ZIP file. The contents of the ZIP file are extracted on the server. This functionality enables an authenticated attacker (being an administrator is not required) to upload malicious files to the server. Once a web shell is installed, the attacker gains the ability to execute arbitrary commands. • https://www.datafarm.co.th/blog/CVE-2024-55371-and-CVE-2024-55372-Malicious-File-Upload-to-RCE-in-Wallos-Application • CWE-73: External Control of File Name or Path •