
CVE-2025-53260 – WordPress File Manager Plugin For Wordpress plugin <= 7.5 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-53260
27 Jun 2025 — This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/file-manager-plugin-for-wordpress/vulnerability/wordpress-file-manager-plugin-for-wordpress-plugin-7-5-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-34049 – OptiLink ONT1GEW GPON Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-34049
26 Jun 2025 — An authenticated attacker can inject arbitrary operating system commands, which are executed with root privileges, leading to remote code execution. • https://vulncheck.com/advisories/optilink-ont1gew-router-rce • CWE-20: Improper Input Validation • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-34046 – Fanwei E-Office Unauthenticated File Upload
https://notcve.org/view.php?id=CVE-2025-34046
26 Jun 2025 — Successful exploitation could enable remote code execution on the affected server, leading to complete compromise of the web application and potentially the underlying system. • https://github.com/M0ge/CNVD-2021-49104-Fanwei-Eoffice-fileupload/blob/main/eoffice_fileupload.py • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-34044 – WIFISKY 7-Layer Flow Control Router Remote Command Execution
https://notcve.org/view.php?id=CVE-2025-34044
26 Jun 2025 — Insufficient input validation allows unauthenticated attackers to execute arbitrary OS commands. • https://s4e.io/tools/wifisky-7-layer-flow-control-router-remote-code-execution • CWE-20: Improper Input Validation • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-34043 – Vacron NVR Remote Command Execution
https://notcve.org/view.php?id=CVE-2025-34043
26 Jun 2025 — These commands are executed with the privileges of the web server process, enabling remote code execution and potential full device compromise. • https://ssd-disclosure.com/ssd-advisory-vacron-nvr-remote-command-execution • CWE-20: Improper Input Validation • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-34042 – Beward N100 IP Camera Remote Command Execution
https://notcve.org/view.php?id=CVE-2025-34042
26 Jun 2025 — Successful exploitation results in remote code execution with root privileges. • https://cxsecurity.com/issue/WLB-2019020042 • CWE-20: Improper Input Validation • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-53002 – LLaMA-Factory Remote Code Execution (RCE) Vulnerability
https://notcve.org/view.php?id=CVE-2025-53002
26 Jun 2025 — A remote code execution vulnerability was discovered in LLaMA-Factory versions up to and including 0.9.3 during the LLaMA-Factory training process. This vulnerability arises because the `vhead_file` is loaded without proper safeguards, allowing malicious attackers to execute arbitrary malicious code on the host system simply by passing a malicious `Checkpoint path` parameter through the `WebUI` interface. • https://github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-xj56-p8mm-qmxj • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-502: Deserialization of Untrusted Data •

CVE-2025-49003 – Dataease H2 JDBC Connection Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-49003
26 Jun 2025 — A threat actor who uses a carefully crafted message that exploits this character conversion can cause remote code execution. • https://github.com/dataease/dataease/security/advisories/GHSA-x97w-69ff-r55q • CWE-153: Improper Neutralization of Substitution Characters •

CVE-2025-29331
https://notcve.org/view.php?id=CVE-2025-29331
26 Jun 2025 — An issue in MHSanaei 3x-ui before v.2.5.3 and before allows a remote attacker to execute arbitrary code via the management script x-ui, which passes the no check certificate option to wget when downloading updates. • https://www.digilol.net/security-advisories/dlsec2025-001.html • CWE-295: Improper Certificate Validation •

CVE-2025-49303 – Frontend Admin by DynamiApps <= 3.28.7 - Authenticated (Editor+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-49303
26 Jun 2025 — This makes it possible for authenticated attackers, with Editor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •