CVSS: 3.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-1412 – Session Persistence After User-to-Bot Conversion
https://notcve.org/view.php?id=CVE-2025-1412
24 Feb 2025 — Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows the converted user to escalate their privileges depending on the permissions granted to the bot. • https://mattermost.com/security-updates • CWE-384: Session Fixation •
CVSS: 7.5EPSS: 0%CPEs: -EXPL: 0CVE-2025-26200
https://notcve.org/view.php?id=CVE-2025-26200
24 Feb 2025 — SQL injection in SLIMS v.9.6.1 allows a remote attacker to escalate privileges via the month parameter in the visitor_report_day.php component. • https://github.com/slims/slims9_bulian/issues/269 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2025-26201
https://notcve.org/view.php?id=CVE-2025-26201
24 Feb 2025 — Credential disclosure vulnerability via the /staff route in GreaterWMS <= 2.1.49 allows a remote unauthenticated attackers to bypass authentication and escalate privileges. • http://greaterwms.com • CWE-294: Authentication Bypass by Capture-replay •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1265 – Elseta Vinci Protocol Analyzer OS Command Injection
https://notcve.org/view.php?id=CVE-2025-1265
20 Feb 2025 — An OS command injection vulnerability exists in Vinci Protocol Analyzer that could allow an attacker to escalate privileges and perform code execution on affected system. • https://elseta.com/support • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.1EPSS: 0%CPEs: -EXPL: 0CVE-2025-25957
https://notcve.org/view.php?id=CVE-2025-25957
20 Feb 2025 — Cross Site Scripting vulnerabilities in Xunruicms v.4.6.3 and before allows a remote attacker to escalate privileges via a crafted script. • https://github.com/dayrui/xunruicms/issues/5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: -EXPL: 0CVE-2025-25958
https://notcve.org/view.php?id=CVE-2025-25958
20 Feb 2025 — Cross Site Scripting vulnerabilities in phpcmsv9 v.9.6.3 allows a remote attacker to escalate privileges via a crafted script. • https://github.com/Abel-Lan/phpcms/issues/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: -EXPL: 0CVE-2025-25960
https://notcve.org/view.php?id=CVE-2025-25960
20 Feb 2025 — Cross Site Scripting vulnerability in phpcmsv9 v.9.6.3 allows a remote attacker to escalate privileges via the menu interface of the member center of the background administrator. • https://github.com/Abel-Lan/phpcms/issues/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-28777 – IBM Cognos Controller code execution
https://notcve.org/view.php?id=CVE-2024-28777
19 Feb 2025 — This vulnerability allows users to execute arbitrary code, escalate privileges, or cause denial of service attacks by exploiting the unrestricted deserialization of types in the application. • https://www.ibm.com/support/pages/node/7183597 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-26624 – Local Privilege Escalation in Rufus 4.6 and previous versions
https://notcve.org/view.php?id=CVE-2025-26624
18 Feb 2025 — A DLL hijacking vulnerability in Rufus 4.6.2208 and earlier versions allows an attacker loading and executing a malicious DLL with escalated privileges (since the executable has been granted higher privileges during the time of launch) due to the ability to inject a malicious `cfgmgr32.dll` in the same directory as the executable and have it side load automatically. • https://github.com/pbatard/rufus/commit/74dfa49707fd626b58d776d3400295740a29e23e • CWE-426: Untrusted Search Path CWE-427: Uncontrolled Search Path Element •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-0425 – Local Privilege Escalation via Config Manipulation
https://notcve.org/view.php?id=CVE-2025-0425
18 Feb 2025 — By changing the server address to a malicious server, or a script simulating a server, the user is able to escalate his privileges by abusing certain features of the "bestinformed Web" server. By changing the server address to a malicious server, or a script simulating a server, the user is able to escalate his privileges by abusing certain features of the "bestinformed Web" server. Those features include: * Pushing of malicious update packages * Arbitrary Registry Read as "nt au... • https://www.cordaware.com/changelog/en/version-6_3_8_1.html • CWE-15: External Control of System or Configuration Setting •