
CVE-2025-29661
https://notcve.org/view.php?id=CVE-2025-29661
17 Apr 2025 — Litepubl CMS <= 7.0.9 is vulnerable to RCE in admin/service/run. • https://github.com/litepubl/cms/issues/1 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-29662
https://notcve.org/view.php?id=CVE-2025-29662
17 Apr 2025 — An RCE vulnerability in the core application in LandChat 3.25.12.18 allows an unauthenticated attacker to execute system code via remote network access. • https://github.com/landchat/LandChat/issues/5 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-39401 – WPAMS <= 44.0 (17-08-2023) - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-39401
17 Apr 2025 — This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-39402 – WPAMS <= 44.0 (17-08-2023) - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-39402
17 Apr 2025 — This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-39406 – WPAMS <= 44.0 - Unauthenticated Local File Inclusion
https://notcve.org/view.php?id=CVE-2025-39406
17 Apr 2025 — This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVE-2025-39436 – WordPress I Draw <= 1.0 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-39436
17 Apr 2025 — This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/idraw/vulnerability/wordpress-i-draw-1-0-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-1568
https://notcve.org/view.php?id=CVE-2025-1568
16 Apr 2025 — Access Control Vulnerability in Gerrit chromiumos project configuration in Google ChromeOS 131.0.6778.268 allows an attacker with a registered Gerrit account to inject malicious code into ChromeOS projects and potentially achieve Remote Code Execution and Denial of Service via editing trusted pipelines by insufficient access controls and misconfigurations in Gerrit's project.config. • https://issues.chromium.org/issues/b/374279912 • CWE-284: Improper Access Control •

CVE-2025-0756 – Hitachi Vantara Pentaho Data Integration & Analytics - Improper Control of Resource Identifiers ('Resource Injection')
https://notcve.org/view.php?id=CVE-2025-0756
16 Apr 2025 — This could allow access to protected files or directories including configuration files and files containing sensitive information, which can lead to remote code execution by unauthorized users. • https://support.pentaho.com/hc/en-us/articles/35771876077709--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Improper-Control-of-Resource-Identifiers-Resource-Injection-Versions-before-10-2-0-2-including-9-3-x-Impacted-CVE-2025-0756 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •

CVE-2025-32433 – Erlang/OTP SSH Vulnerable to Pre-Authentication RCE
https://notcve.org/view.php?id=CVE-2025-32433
16 Apr 2025 — Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, an SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. • https://github.com/erlang/otp/commit/0fcd9c56524b28615e8ece65fc0c3f66ef6e4c12 • CWE-306: Missing Authentication for Critical Function •

CVE-2025-32872
https://notcve.org/view.php?id=CVE-2025-32872
16 Apr 2025 — The affected application is vulnerable to SQL injection through the internally used 'GetOverview' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. • https://cert-portal.siemens.com/productcert/html/ssa-443402.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •