
CVE-2025-37092 – Hewlett Packard Enterprise StoreOnce VSA queryHardwareReportLocally Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2025-37092
02 Jun 2025 — A command injection remote code execution vulnerability exists in HPE StoreOnce Software. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hewlett Packard Enterprise StoreOnce VSA. ... The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. • https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us&docLocale=en_US • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2025-37096 – Hewlett Packard Enterprise StoreOnce VSA getServerCertificate Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2025-37096
02 Jun 2025 — A command injection remote code execution vulnerability exists in HPE StoreOnce Software. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hewlett Packard Enterprise StoreOnce VSA. ... The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. • https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us&docLocale=en_US • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2025-49113
https://notcve.org/view.php?id=CVE-2025-49113
02 Jun 2025 — Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. • https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d • CWE-502: Deserialization of Untrusted Data •

CVE-2025-26396 – SolarWinds Dameware Mini Remote Control Service Incorrect Permissions Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2025-26396
02 Jun 2025 — An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the product installer. ... An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. • https://documentation.solarwinds.com/en/success_center/dameware/content/release_notes/dameware_12-3-2_release_notes.htm • CWE-269: Improper Privilege Management •

CVE-2025-2939 – Ninja Tables – Easy Data Table Builder <= 5.0.18 - Unauthenticated PHP Object Injection to Limited Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-2939
02 Jun 2025 — The additional presence of a POP chain allows attackers to execute arbitrary functions, though it does not allow user-supplied parameters; only single functions can be called, so the impact is limited. • https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.0.18/vendor/wpfluent/framework/src/WPFluent/Http/Client.php#L399 • CWE-502: Deserialization of Untrusted Data •

CVE-2025-27953
https://notcve.org/view.php?id=CVE-2025-27953
02 Jun 2025 — An issue in Clinical Collaboration Platform 12.2.1.5 allows a remote attacker to obtain sensitive information and execute arbitrary code via the session management component. • https://github.com/intruderlabs/cvex/tree/main/Carestream/session-token-in-url • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2025-27954
https://notcve.org/view.php?id=CVE-2025-27954
02 Jun 2025 — An issue in Clinical Collaboration Platform 12.2.1.5 allows a remote attacker to obtain sensitive information and execute arbitrary code via the usertoken function of default.aspx. • https://github.com/intruderlabs/cvex/tree/main/Carestream/session-token-in-url • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2025-27955
https://notcve.org/view.php?id=CVE-2025-27955
02 Jun 2025 — Clinical Collaboration Platform 12.2.1.5 has a weak logout system where the session token remains valid after logout and allows a remote attacker to obtain sensitive information and execute arbitrary code. • https://github.com/intruderlabs/cvex/tree/main/Carestream/session-token-in-url • CWE-1259: Improper Restriction of Security Token Assignment •

CVE-2025-29093 – Motivian Content Management System 41.0.0 Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-29093
02 Jun 2025 — File Upload vulnerability in Motivian Content Management System v.41.0.0 allows a remote attacker to execute arbitrary code via the Content/Gallery/Images component. Motivian Content Management System version 41.0.0 suffers from an arbitrary file upload vulnerability. • https://github.com/FraMarcuccio/CVE-2025-29093-Arbitrary-File-Upload/blob/main/README.md •

CVE-2025-29094 – Motivian Content Management System 41.0.0 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2025-29094
02 Jun 2025 — Cross Site Scripting vulnerability in Motivian Content Management System v.41.0.0 allows a remote attacker to execute arbitrary code via the Marketing/Forms, Marketing/Offers and Content/Pages components. • https://packetstorm.news/files/id/198931 •