
CVE-2025-53028 – Oracle VirtualBox VMSVGA Out-Of-Bounds Write Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2025-53028
15 Jul 2025 — An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the implementation of the VMSVGA virtual device. ... An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. • https://www.oracle.com/security-alerts/cpujul2025.html • CWE-284: Improper Access Control •

CVE-2025-53890 – pyLoad vulnerable to remote code execution through js2py onCaptchaResult
https://notcve.org/view.php?id=CVE-2025-53890
14 Jul 2025 — An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system remote code execution. • https://github.com/pyload/pyload/commit/909e5c97885237530d1264cfceb5555870eb9546 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-53836 – XWiki Rendering is vulnerable to RCE attacks when processing nested macros
https://notcve.org/view.php?id=CVE-2025-53836
14 Jul 2025 — XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 4.2-milestone-1 and prior to versions 13.10.11, 14.4.7, and 14.10, the default macro content parser doesn't preserve the restricted attribute of the transformation context when executing nested macros. This allows executing macros that are normally forbidden in restricted mode, in particular script macros. The cache and chart macros that a... • https://github.com/xwiki/xwiki-rendering/commit/c73fa3ccd4ac59057e48e5d4325f659e78e8f86d • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-863: Incorrect Authorization •

CVE-2025-53833 – LaRecipe is vulnerable to Server-Side Template Injection attacks
https://notcve.org/view.php?id=CVE-2025-53833
14 Jul 2025 — Versions prior to 2.8.1 are vulnerable to Server-Side Template Injection (SSTI), which could potentially lead to Remote Code Execution (RCE) in vulnerable configurations. Attackers could execute arbitrary commands on the server, access sensitive environment variables, and/or escalate access depending on server configuration. • https://github.com/B1ack4sh/Blackash-CVE-2025-53833 • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •

CVE-2025-53825 – Dokploy's Preview Deployments are vulnerable to Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-53825
14 Jul 2025 — Prior to version 0.24.3, an unauthenticated preview deployment vulnerability in Dokploy allows any user to execute arbitrary code and access sensitive environment variables by simply opening a pull request on a public repository. This exposes secrets and potentially enables remote code execution, putting all public Dokploy users using these preview deployments at risk. • https://github.com/Dokploy/dokploy/commit/1977235d313824b9764f1a06785fb7f73ab7eba2 • CWE-862: Missing Authorization •

CVE-2025-7340 – HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. <= 2.2.1 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-7340
14 Jul 2025 — This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. ... This allows unauthenticated attackers to upload arbitrary files to the server, potentially leading to remote code execution. • https://packetstorm.news/files/id/206540 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-7360 – HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. <= 2.2.1 - Directory Traversal to Arbitrary File Move
https://notcve.org/view.php?id=CVE-2025-7360
14 Jul 2025 — This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). • https://plugins.trac.wordpress.org/changeset/3326887/ht-contactform/trunk/admin/Includes/Api/Endpoints/Submission.php?contextall=1&old=3316109&old_path=%2Fht-contactform%2Ftrunk%2Fadmin%2FIncludes%2FApi%2FEndpoints%2FSubmission.php • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-7341 – HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. <= 2.2.1 - Unauthenticated Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-7341
14 Jul 2025 — This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://plugins.trac.wordpress.org/browser/ht-contactform/trunk/admin/Includes/Services/FileManager.php#L107 • CWE-269: Improper Privilege Management •

CVE-2025-5393 – Alone – Charity Multipurpose Non-profit WordPress Theme <= 7.8.3 - Missing Authorization to Unauthenticated Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-5393
14 Jul 2025 — This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://themeforest.net/item/alone-charity-multipurpose-nonprofit-wordpress-theme/15019939 • CWE-73: External Control of File Name or Path •

CVE-2025-5394 – Alone – Charity Multipurpose Non-profit WordPress Theme <= 7.8.3 - Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation
https://notcve.org/view.php?id=CVE-2025-5394
14 Jul 2025 — This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution. • https://themeforest.net/item/alone-charity-multipurpose-nonprofit-wordpress-theme/15019939 • CWE-862: Missing Authorization •