
CVE-2025-29058
https://notcve.org/view.php?id=CVE-2025-29058
18 Apr 2025 — An issue in Qimou CMS v.3.34.0 allows a remote attacker to execute arbitrary code via the upgrade.php component. • https://cdn.wjlin0.com/halo-img/74CMSv3.34.0%E5%AD%98%E5%9C%A8%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.zip • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-3509 – Pre-Receive Hook Remote Code Execution vulnerability identified in GitHub Enterprise Server, allowing Privilege Escalation
https://notcve.org/view.php?id=CVE-2025-3509
17 Apr 2025 — A Remote Code Execution (RCE) vulnerability was identified in GitHub Enterprise Server that allowed attackers to execute arbitrary code by exploiting the pre-receive hook functionality, potentially leading to privilege escalation and system compromise. • https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.14 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-32583 – WordPress PDF 2 Post Plugin <= 2.4.0 - Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2025-32583
17 Apr 2025 — Improper Control of Generation of Code ('Code Injection') vulnerability in termel PDF 2 Post allows Remote Code Inclusion. • https://patchstack.com/database/wordpress/plugin/pdf2post/vulnerability/wordpress-pdf-2-post-plugin-2-4-0-remote-code-execution-rce-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-3520 – Avatar <= 0.1.4 - Authenticated (Subscriber+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-3520
17 Apr 2025 — The Avatar plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and including, 0.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://www.wordfence.com/threat-intel/vulnerabilities/id/01769760-5bfe-4352-bc5b-141f078c0b6d?source=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-1532 – Code Injection Vulnerability in Phoneservice
https://notcve.org/view.php?id=CVE-2025-1532
17 Apr 2025 — The Phoneservice module is affected by a code injection vulnerability; successful exploitation of this vulnerability may affect service confidentiality and integrity. • https://www.honor.com/global/security/cve-2025-1532 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-56518
https://notcve.org/view.php?id=CVE-2024-56518
17 Apr 2025 — Hazelcast Management Center through 6.0 allows remote code execution via a JndiLoginModule user.provider.url in a hazelcast-client XML document (aka a client configuration file), which can be uploaded at the /cluster-connections URI. • https://docs.hazelcast.com/management-center/6.0-snapshot/getting-started/install •

CVE-2025-29039
https://notcve.org/view.php?id=CVE-2025-29039
17 Apr 2025 — An issue in dlink DIR 832x 240802 allows a remote attacker to execute arbitrary code via the function 0x41dda8. • https://gist.github.com/xyqer1/734fd1d93e4c08cea55dcb1e8b189a2b • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-29040
https://notcve.org/view.php?id=CVE-2025-29040
17 Apr 2025 — An issue in dlink DIR 832x 240802 allows a remote attacker to execute arbitrary code via the target_addr key value and the function 0x41737c. • https://gist.github.com/xyqer1/b3bebe4967a3093951273738f0be45ce • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-29041
https://notcve.org/view.php?id=CVE-2025-29041
17 Apr 2025 — An issue in dlink DIR 832x 240802 allows a remote attacker to execute arbitrary code via the target_addr key value and the function 0x41710c. • https://gist.github.com/xyqer1/101b7308bdf8618d8be30bd1d09ddd38 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-29042
https://notcve.org/view.php?id=CVE-2025-29042
17 Apr 2025 — An issue in dlink DIR 832x 240802 allows a remote attacker to execute arbitrary code via the macaddr key value to the function 0x42232c. • https://gist.github.com/xyqer1/841e78a3c4029808dac8c439595a1358 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •