
CVE-2025-54294 – Extension - stackideas.com - SQLi vulnerability in Komento component 4.0.0-4.0.7 for Joomla
https://notcve.org/view.php?id=CVE-2025-54294
23 Jul 2025 — A SQLi vulnerability in Komento component 4.0.0-4.0.7 for Joomla was discovered. The issue allows unprivileged users to execute arbitrary SQL commands. • https://stackideas.com • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2025-50127 – Extension - dj-extensions.com - SQLi vulnerability in DJ-Flyer component 1.0-3.2 for Joomla
https://notcve.org/view.php?id=CVE-2025-50127
23 Jul 2025 — A SQLi vulnerability in DJ-Flyer component 1.0-3.2 for Joomla was discovered. The issue allows privileged users to execute arbitrary SQL commands. • https://dj-extensions.com • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2025-8070 – Windows service registered with an unquoted ImagePath vulnerability in the system registry
https://notcve.org/view.php?id=CVE-2025-8070
23 Jul 2025 — This allows a local attacker to execute arbitrary code by placing a malicious executable in a predictable location such as C:\Program.exe. • https://www.asustor.com/security/security_advisory_detail?id=47 • CWE-428: Unquoted Search Path or Element •

CVE-2025-31701
https://notcve.org/view.php?id=CVE-2025-31701
23 Jul 2025 — ., crashes) or remote code execution (RCE). Some devices may have deployed protection mechanisms such as Address Space Layout Randomization (ASLR), which reduces the likelihood of successful RCE exploitation. However, denial-of-service (DoS) attacks remain a concern. • https://www.dahuasecurity.com/aboutUs/trustedCenter/details/775 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •

CVE-2025-31700
https://notcve.org/view.php?id=CVE-2025-31700
23 Jul 2025 — ., crashes) or remote code execution (RCE). Some devices may have deployed protection mechanisms such as Address Space Layout Randomization (ASLR), which reduces the likelihood of successful RCE exploitation. However, denial-of-service (DoS) attacks remain a concern. • https://www.dahuasecurity.com/aboutUs/trustedCenter/details/775 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •

CVE-2024-53286
https://notcve.org/view.php?id=CVE-2024-53286
23 Jul 2025 — Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in DDNS Record functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to execute arbitrary code via unspecified vectors. • https://www.synology.com/en-global/security/advisory/Synology_SA_24_16 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-7766 – Lantronix Provisioning Manager Improper Restriction of XML External Entity Reference
https://notcve.org/view.php?id=CVE-2025-7766
22 Jul 2025 — Lantronix Provisioning Manager is vulnerable to XML external entity attacks in configuration files supplied by network devices, leading to unauthenticated remote code execution on hosts with Provisioning Manager installed. • https://ltrxdev.atlassian.net/wiki/spaces/LTRXTS/pages/105906637/Latest+Version+of+Lantronix+Provisioning+Manager+LPM • CWE-611: Improper Restriction of XML External Entity Reference •

CVE-2025-54072 – yt-dlp allows `--exec` command injection when using placeholder on Windows
https://notcve.org/view.php?id=CVE-2025-54072
22 Jul 2025 — In versions 2025.06.25 and below, when the --exec option is used on Windows with the default placeholder (or {}), insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. • https://github.com/yt-dlp/yt-dlp/commit/959ac99e98c3215437e573c22d64be42d361e863 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-54140 – pyLoad has Path Traversal Vulnerability in json/upload Endpoint that allows Arbitrary File Write
https://notcve.org/view.php?id=CVE-2025-54140
22 Jul 2025 — By manipulating the filename of an uploaded file, an attacker can traverse out of the intended upload directory, allowing them to write arbitrary files to any location on the system accessible to the pyLoad process. This may lead to: Remote Code Execution (RCE), local privilege escalation, system-wide compromise, persistence, and backdoors. • https://github.com/pyload/pyload/blob/df094db67ec6e25294a9ac0ddb4375fd7fb9ba00/src/pyload/webui/app/blueprints/json_blueprint.py#L109 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-54138 – LibreNMS has Authenticated Local File Inclusion in ajax_form.php that Allows RCE
https://notcve.org/view.php?id=CVE-2025-54138
22 Jul 2025 — LibreNMS versions 25.6.0 and below contain an architectural vulnerability in the ajax_form.php endpoint that permits Remote File Inclusion based on user-controlled POST input. ... This pattern introduces a latent Remote Code Execution (RCE) vector if an attacker can stage a file in this include path — for example, via symlink, development misconfiguration, or chained vulnerabilities. • https://github.com/librenms/librenms/commit/ec89714d929ef0cf2321957ed9198b0f18396c81 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •