CVSS: 9.0EPSS: 0%CPEs: 8EXPL: 0CVE-2025-20229 – Remote Code Execution through file upload to “$SPLUNK_HOME/var/run/splunk/apptemp“ directory in Splunk Enterprise
https://notcve.org/view.php?id=CVE-2025-20229
26 Mar 2025 — In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8, and Splunk Cloud Platform versions below 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, and 9.1.2312.208, a low-privileged user that does not hold the "admin" or "power" Splunk roles could perform a Remote Code Execution (RCE) through a file upload to the "$SPLUNK_HOME/var/run/splunk/apptemp" directory due to missing authorization checks. • https://advisory.splunk.com/advisories/SVD-2025-0301 • CWE-284: Improper Access Control •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2837 – Silicon Labs Gecko OS HTTP Request Handling Stack-based Buffer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2025-2837
26 Mar 2025 — Silicon Labs Gecko OS HTTP Request Handling Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Silicon Labs Gecko OS. ... An attacker can leverage this vulnerability to execute code in the context of the device. • https://community.silabs.com/a45Vm0000000Atp • CWE-121: Stack-based Buffer Overflow •
CVSS: 9.9EPSS: 0%CPEs: -EXPL: 0CVE-2025-28893 – WordPress Visual Text Editor plugin <= 1.2.1 - Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2025-28893
26 Mar 2025 — Improper Control of Generation of Code ('Code Injection') vulnerability in NotFound Visual Text Editor allows Remote Code Inclusion. • https://patchstack.com/database/wordpress/plugin/visual-text-editor/vulnerability/wordpress-visual-text-editor-plugin-1-2-1-remote-code-execution-rce-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: -EXPL: 0CVE-2025-29322
https://notcve.org/view.php?id=CVE-2025-29322
26 Mar 2025 — A cross-site scripting (XSS) vulnerability in ScriptCase before v1.0.003 - Build 3 allows attackers to execute arbitrary code via a crafted payload to the "Connection Name" in the New Connection and Rename Connection pages. • https://github.com/simalamuel/Research/tree/main/CVE-2025-29322 •
CVSS: 6.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-41643
https://notcve.org/view.php?id=CVE-2024-41643
26 Mar 2025 — An issue in Arris NVG443B 9.3.0h3d36 allows a physically proximate attacker to execute arbitrary code via the cshell login component. • https://gavpherk.github.io/GavinKelsey • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2332 – Export All Posts, Products, Orders, Refunds & Users <= 2.13 - Unauthenticated PHP Object Injection
https://notcve.org/view.php?id=CVE-2025-2332
26 Mar 2025 — If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. • https://plugins.trac.wordpress.org/browser/wp-ultimate-exporter/trunk/exportExtensions/ExportExtension.php#L3332 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-55964
https://notcve.org/view.php?id=CVE-2024-55964
26 Mar 2025 — The attacker must be able to access Appsmith, login to it, create a datasource, create a query against that datasource, and execute that query. • https://github.com/appsmithorg/appsmith/security/advisories/GHSA-m95x-4w54-gc83 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1913 – Product Import Export for WooCommerce <= 2.5.0 - Authenticated (Admin+) PHP Object Injection via form_data Parameter
https://notcve.org/view.php?id=CVE-2025-1913
25 Mar 2025 — If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. • https://plugins.trac.wordpress.org/browser/product-import-export-for-woo/trunk/admin/modules/import/classes/class-import-ajax.php • CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47516 – Pagure: argument injection in pagurerepo.log()
https://notcve.org/view.php?id=CVE-2024-47516
25 Mar 2025 — An argument injection in Git during retrieval of the repository history leads to remote code execution on the Pagure instance. • https://access.redhat.com/security/cve/CVE-2024-47516 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2312 – cifs.upcall makes an upcall to the wrong namespace in containerized environments
https://notcve.org/view.php?id=CVE-2025-2312
25 Mar 2025 — A nearby attacker could use this to connect a rougue device and possibly execute arbitrary code. ... An attacker could use a specially crafted file system image that, when mounted, could cause a denial of service or possibly execute arbitrary code. • https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174 • CWE-488: Exposure of Data Element to Wrong Session •