
CVE-2025-30206 – Dpanel's hard-coded JWT secret leads to remote code execution
https://notcve.org/view.php?id=CVE-2025-30206
15 Apr 2025 — Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw allows attackers to analyze the source code, discover the embedded secret, and craft legitimate JWT tokens. By forging these tokens, an attacker can successfully bypass authentication mechanisms, impersonate privileged users, and ga... • https://github.com/donknap/dpanel/security/advisories/GHSA-j752-cjcj-w847 • CWE-321: Use of Hard-coded Cryptographic Key CWE-453: Insecure Default Variable Initialization CWE-547: Use of Hard-coded, Security-relevant Constants •

CVE-2025-32780 – BleachBit for Windows Has DLL Untrusted Path Vulnerability
https://notcve.org/view.php?id=CVE-2025-32780
15 Apr 2025 — By placing a malicious DLL with the name uuid.dll in the folder C:\Users\<username>\AppData\Local\Microsoft\WindowsApps\, an attacker can execute arbitrary code every time BleachBit is run. • https://github.com/bleachbit/bleachbit/commit/dafeba57dcb14c7ec4a97224ff1408f6b0c2a7f8 • CWE-427: Uncontrolled Search Path Element •

CVE-2025-32779 – labsai/eddi Vulnerable to Path Traversal (Zip Slip) in ZIP Import Function
https://notcve.org/view.php?id=CVE-2025-32779
15 Apr 2025 — This overwrite can potentially lead to Remote Code Execution (RCE) within the application's context. • https://github.com/labsai/EDDI/commit/1e207d0e4f72a5a93920bc0f76cad53ffd8e7065 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-28137
https://notcve.org/view.php?id=CVE-2025-28137
15 Apr 2025 — The TOTOLINK A810R V4.1.2cu.5182_B20201026 was found to contain a pre-auth remote command execution vulnerability in the setNoticeCfg function through the NoticeUrl parameter. • https://sudsy-eyeliner-a59.notion.site/RCE1-1ab72b8cd95f80d09eded269810f3756?pvs=4 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
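
How a URL parameter turns into command execution, as an added example that is not the TOTOLINK firmware's code (the `wget` command line, the output path and the function names are assumed for the illustration). The vulnerable builder pastes the parameter into a shell command line; `shell_command_count` tokenises the result the way a POSIX shell would and counts separators, which makes the injected second command visible. The hardened form validates the value as a plain http(s) URL and hands an argv list to the process, so no shell parses it.

```python
import shlex
from urllib.parse import urlsplit

# Characters that let a value end one shell command and start another or expand text.
SHELL_META = set(";|&`$<>(){}\n\r\"'\\ \t")


class UnsafeNoticeUrl(ValueError):
    pass


def build_fetch_command_vulnerable(notice_url: str) -> str:
    """Vulnerable pattern (illustrative, not the firmware's code): the request
    parameter is spliced into a shell command line."""
    return f"wget -O /tmp/notice.html {notice_url}"


def shell_command_count(command_line: str) -> int:
    """Approximate how many separate commands a POSIX shell would run for
    `command_line`, by tokenising with shlex and counting command separators."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    separators = {";", "|", "||", "&", "&&"}
    return 1 + sum(1 for tok in lexer if tok in separators)


def validate_notice_url(notice_url: str) -> str:
    """Allow only an absolute http(s) URL with a host and no shell metacharacters."""
    if any(ch in SHELL_META for ch in notice_url):
        raise UnsafeNoticeUrl("shell metacharacter in NoticeUrl")
    parts = urlsplit(notice_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise UnsafeNoticeUrl("NoticeUrl must be an absolute http(s) URL")
    return notice_url


def build_fetch_argv_safe(notice_url: str) -> list:
    """Hardened form: validate, then build an argv list. Execute it with
    subprocess.run(argv, shell=False) so the value is never shell-parsed."""
    return ["wget", "-O", "/tmp/notice.html", validate_notice_url(notice_url)]
```

The separator count is a rough detector (it does not model `$(...)` or backtick substitution, which is why the validator rejects those characters outright); the real fix is the argv form, not the filter.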

CVE-2025-33026
https://notcve.org/view.php?id=CVE-2025-33026
15 Apr 2025 — An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. • https://github.com/EnisAksu/Argonis/blob/main/CVEs/CVE-2025-33026%20%28PeaZip%29/CVE-2025-33026.md • CWE-830: Inclusion of Web Functionality from an Untrusted Source •

CVE-2025-33027
https://notcve.org/view.php?id=CVE-2025-33027
15 Apr 2025 — An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. • https://en.bandisoft.com/bandizip • CWE-830: Inclusion of Web Functionality from an Untrusted Source •

CVE-2025-33028
https://notcve.org/view.php?id=CVE-2025-33028
15 Apr 2025 — An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. • https://github.com/EnisAksu/Argonis/blob/main/CVEs/CVE-2025-33028%20%28WinZip%29/CVE-2025-33028.md • CWE-830: Inclusion of Web Functionality from an Untrusted Source •

CVE-2024-36842
https://notcve.org/view.php?id=CVE-2024-36842
15 Apr 2025 — An issue in Oncord+ Android Infotainment Systems OS Android 12, Model Hardware TS17, Hardware part Number F57L_V3.2_20220301, and Build Number PlatformVER:K24-2023/05/09-v0.01 allows a remote attacker to execute arbitrary code via the ADB port component. • https://github.com/abbiy/CVE-2024-36842-Backdooring-Oncord-Android-Sterio- • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2025-28100
https://notcve.org/view.php?id=CVE-2025-28100
15 Apr 2025 — A SQL injection vulnerability in dingfanzuCMS v.1.0 allows an attacker to execute arbitrary code because the id parameter of "operateOrder.php" is not filtered correctly. • https://github.com/gh3-dk/vul/blob/main/sql%20injection/dingfanzu/dingfanzu-CMS%20operateOrder.php%20id%20SQL-inject.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
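
The unfiltered-id pattern and its fix, as an added example that is not dingfanzuCMS's code (the CMS is PHP/MySQL; the `orders` table, its rows and the function names are constructed for the illustration and run against an in-memory SQLite database). The first function splices the parameter into the statement, so a tautology returns every row and a UNION reads another table; the bound versions treat the value strictly as data.

```python
import sqlite3

# Constructed schema standing in for the CMS's order table (not dingfanzuCMS's real schema).
SCHEMA = """
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL);
INSERT INTO orders VALUES (1, 'alice', 10.0), (2, 'bob', 25.5), (3, 'carol', 7.25);
"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def operate_order_vulnerable(conn: sqlite3.Connection, order_id: str) -> list:
    """Unfiltered pattern: the id parameter is spliced into the SQL text, so it can
    rewrite the statement (tautologies, UNION with other tables, ...)."""
    sql = f"SELECT id, customer, total FROM orders WHERE id = {order_id}"
    return conn.execute(sql).fetchall()


def operate_order_bound(conn: sqlite3.Connection, order_id: str) -> list:
    """Parameter binding alone: the value is data, never SQL. A payload simply
    fails to match any id instead of changing the query."""
    return conn.execute(
        "SELECT id, customer, total FROM orders WHERE id = ?", (order_id,)
    ).fetchall()


def operate_order_safe(conn: sqlite3.Connection, order_id: str) -> list:
    """Binding plus input validation: reject anything that is not a plain integer id,
    so malformed input is an error rather than a silent empty result."""
    if not order_id.isdigit():
        raise ValueError("id must be a decimal integer")
    return conn.execute(
        "SELECT id, customer, total FROM orders WHERE id = ?", (int(order_id),)
    ).fetchall()
```

In PHP the equivalent of `operate_order_safe` is a PDO or mysqli prepared statement with the id bound, combined with an integer check on the request parameter; escaping functions on their own are not a substitute.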

CVE-2025-29213
https://notcve.org/view.php?id=CVE-2025-29213
15 Apr 2025 — A zip slip vulnerability in the component \service\migrate\MigrateForm.java of JEEWMS v3.7 allows attackers to execute arbitrary code via a crafted Zip file. • https://github.com/wy876/cve/issues/7 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
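
Zip slip, as it applies to both the labsai/eddi ZIP import (CVE-2025-32779) and the JEEWMS MigrateForm import (CVE-2025-29213): an added example, not either project's code (both are Java; this version uses Python's `zipfile` and constructs its own archives, and the entry names and destination layout are invented). The naive pattern joins each entry name onto the destination directory, so `../escaped.txt` lands one level above it; the safe extractor resolves every target first and rejects the whole archive if any entry would leave the destination.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


class ZipSlipError(ValueError):
    pass


def build_zip(entries: dict) -> bytes:
    """Build an in-memory archive from {name: content}. Used here to construct
    test input, including attacker-style names such as '../escaped.txt'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def naive_extract_targets(zip_bytes: bytes, dest: str) -> list:
    """Where the vulnerable pattern would write: entry name joined to dest, no check.
    Returns the paths instead of writing them, so the escape is visible without harm."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [os.path.normpath(os.path.join(dest, name)) for name in zf.namelist()]


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Validate every entry before writing anything; reject the whole archive on the
    first entry whose resolved path would leave `dest`. Returns the files written."""
    dest_root = Path(dest).resolve()
    planned = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute paths and drive letters are never acceptable entry names.
            if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
                raise ZipSlipError(f"absolute path in archive: {name!r}")
            target = (dest_root / name).resolve()
            # The decisive check: the resolved target must stay under dest_root.
            if target != dest_root and dest_root not in target.parents:
                raise ZipSlipError(f"entry escapes destination: {name!r}")
            planned.append((info, target))
        written = []
        for info, target in planned:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target.relative_to(dest_root).as_posix())
    return written


def demo(entries: dict) -> dict:
    """Run both approaches against one constructed archive in a throwaway directory."""
    zip_bytes = build_zip(entries)
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "import")
        os.makedirs(dest)
        dest_abs = os.path.abspath(dest)
        escapes = [p for p in naive_extract_targets(zip_bytes, dest)
                   if not p.startswith(dest_abs + os.sep)]
        try:
            written, blocked = safe_extract(zip_bytes, dest), False
        except ZipSlipError:
            written, blocked = [], True
        return {"naive_escapes": len(escapes), "safe_blocked": blocked, "written": written}
```

Two caveats for porting the check to Java, where these two advisories sit: `new File(dest, entry.getName()).getCanonicalPath()` must be compared against the canonical destination plus a trailing separator (a prefix test without the separator lets `/srv/import2` pass for `/srv/import`), and symlink entries need their own handling, since this example writes them as ordinary files. Python's own `ZipFile.extractall` strips `..` components for you; the explicit check is shown because the Java stream-based pattern does not.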