
CVE-2025-39358 – WordPress WP Posts Carousel <= 1.3.12 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-39358
29 May 2025 — If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. • https://patchstack.com/database/wordpress/plugin/wp-posts-carousel/vulnerability/wordpress-wp-posts-carousel-1-3-12-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data •

CVE-2025-3357 – IBM Tivoli Monitoring code execution
https://notcve.org/view.php?id=CVE-2025-3357
28 May 2025 — IBM Tivoli Monitoring 6.3.0.7 through 6.3.0.7 Service Pack 19 could allow a remote attacker to execute arbitrary code due to improper validation of an index value of a dynamically allocated array. • https://www.ibm.com/support/pages/node/7234923 • CWE-1285: Improper Validation of Specified Index, Position, or Offset in Input •

CVE-2025-48734 – Apache Commons BeanUtils: PropertyUtilsBean does not suppress an enum's declaredClass property by default
https://notcve.org/view.php?id=CVE-2025-48734
28 May 2025 — Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. ... This vulnerability allows remote attackers to execute arbitrary code via uncontrolled access to the declaredClass property on Java enum objects, which can expose the class loader when property paths are passed from ... • https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9 • CWE-284: Improper Access Control •

CVE-2025-1753 – Command Injection in LLama-Index CLI in run-llama/llama_index
https://notcve.org/view.php?id=CVE-2025-1753
28 May 2025 — An attacker who controls the content of this argument can inject and execute arbitrary shell commands. ... This issue can lead to arbitrary code execution on the affected system. • https://github.com/run-llama/llama_index/commit/b57e76738c53ca82d88658b82f2d82d1c7839c7d • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-4009 – Unauthenticated Arbitrary Command Injection in Evertz SDVN
https://notcve.org/view.php?id=CVE-2025-4009
28 May 2025 — This web interface has two endpoints that are vulnerable to arbitrary command injection and the authentication mechanism has a flaw leading to authentication bypass. Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges (root) on affected devices. • https://www.onekey.com/resource/security-advisory-remote-code-execution-on-evertz-svdn-cve-2025-4009 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-287: Improper Authentication •

CVE-2024-57337
https://notcve.org/view.php?id=CVE-2024-57337
28 May 2025 — An arbitrary file upload vulnerability in the opcode 500 functionality of M2Soft CROWNIX Report & ERS v5.x to v5.5.14.1070, v7.x to v7.4.3.960, and v8.x to v8.2.0.345 allows attackers to execute arbitrary code via supplying a crafted file. • https://www.m2soft.co.kr/sub/board/news.asp?mode=view&idx=2411 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2024-57338
https://notcve.org/view.php?id=CVE-2024-57338
28 May 2025 — An arbitrary file upload vulnerability in M2Soft CROWNIX Report & ERS v5.x to v5.5.14.1070, v7.x to v7.4.3.960, and v8.x to v8.2.0.345 allows attackers to execute arbitrary code via supplying a crafted file. • https://www.m2soft.co.kr/sub/board/news.asp?mode=view&idx=2411 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2025-45343
https://notcve.org/view.php?id=CVE-2025-45343
28 May 2025 — An issue in Tenda W18E v.2.0 v.16.01.0.11 allows an attacker to execute arbitrary code via the editing functionality of the account module in the goform/setmodules route. • http://w18e.com • CWE-284: Improper Access Control •

CVE-2025-5283 – Ubuntu Security Notice USN-7551-1
https://notcve.org/view.php?id=CVE-2025-5283
27 May 2025 — An attacker could possibly use this issue to cause applications using libvpx to crash, resulting in a denial of service, or possibly execute arbitrary code. • https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_27.html • CWE-416: Use After Free •

CVE-2024-13966 – ZKTeco BioTime default password
https://notcve.org/view.php?id=CVE-2024-13966
27 May 2025 — ZKTeco BioTime allows unauthenticated attackers to enumerate usernames and log in as any user with a password unchanged from the default value '123456'. Users should change their passwords (located under the Attendance Settings tab as "Self-Password"). • https://krashconsulting.com/fury-of-fingers-biotime-rce • CWE-1393: Use of Default Password •