
CVE-2025-34043 – Vacron NVR Remote Command Execution
https://notcve.org/view.php?id=CVE-2025-34043
26 Jun 2025 — A remote command injection vulnerability exists in Vacron Network Video Recorder (NVR) devices v1.4 due to improper input sanitization in the board.cgi script. ... These commands are executed with the privileges of the web server process, enabling remote code execution and potential full device compromise. • https://ssd-disclosure.com/ssd-advisory-vacron-nvr-remote-command-execution • CWE-20: Improper Input Validation CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-34042 – Beward N100 IP Camera Remote Command Execution
https://notcve.org/view.php?id=CVE-2025-34042
26 Jun 2025 — Successful exploitation results in remote code execution with root privileges. • https://vulncheck.com/advisories/beward-n100-remote-command-execution • CWE-20: Improper Input Validation CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-53002 – LLaMA-Factory Remote Code Execution (RCE) Vulnerability
https://notcve.org/view.php?id=CVE-2025-53002
26 Jun 2025 — A remote code execution vulnerability was discovered in LLaMA-Factory versions up to and including 0.9.3 during the LLaMA-Factory training process. This vulnerability arises because the `vhead_file` is loaded without proper safeguards, allowing malicious attackers to execute arbitrary malicious code on the host system simply by passing a malicious `Checkpoint path` parameter through the `WebUI` interface. • https://github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-xj56-p8mm-qmxj • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-502: Deserialization of Untrusted Data •

CVE-2025-49003 – Dataease H2 JDBC Connection Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-49003
26 Jun 2025 — A threat actor who uses a carefully crafted message that exploits this character conversion can cause remote code execution. • https://github.com/dataease/dataease/security/advisories/GHSA-x97w-69ff-r55q • CWE-153: Improper Neutralization of Substitution Characters •

CVE-2025-29331
https://notcve.org/view.php?id=CVE-2025-29331
26 Jun 2025 — An issue in MHSanaei 3x-ui before v.2.5.3 and before allows a remote attacker to execute arbitrary code via the management script x-ui, which passes the no check certificate option to wget when downloading updates. • https://www.digilol.net/security-advisories/dlsec2025-001.html • CWE-295: Improper Certificate Validation •

CVE-2025-49303 – Frontend Admin by DynamiApps <= 3.28.7 - Authenticated (Editor+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-49303
26 Jun 2025 — This makes it possible for authenticated attackers, with Editor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-36038 – IBM WebSphere Application Server code execution
https://notcve.org/view.php?id=CVE-2025-36038
25 Jun 2025 — IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects. • https://www.ibm.com/support/pages/node/7237967 • CWE-502: Deserialization of Untrusted Data •

CVE-2025-52483 – Registrator.jl Vulnerable to Argument Injection and Command Injection
https://notcve.org/view.php?id=CVE-2025-52483
25 Jun 2025 — Alternatively, an argument injection is possible in the `gettreesha` function. Either of these can then lead to a potential RCE. Users should upgrade immediately to v1.9.5 to receive a fix. • https://github.com/JuliaRegistries/Registrator.jl/pull/448 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2025-52480 – Registrator.jl Argument Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-52480
25 Jun 2025 — This can then lead to a potential remote code execution. • https://github.com/JuliaRegistries/Registrator.jl/pull/449 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •

CVE-2025-49153 – MICROSENS NMP Web+ Path Traversal
https://notcve.org/view.php?id=CVE-2025-49153
25 Jun 2025 — MICROSENS NMP Web+ could allow an unauthenticated attacker to overwrite files and execute arbitrary code. • https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-07 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •