CVE-2025-2583 – SimpleMachines SMF ManageNews.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-2583
21 Mar 2025 — A vulnerability was found in SimpleMachines SMF 2.1.4. It has been classified as problematic. This affects an unknown part of the file ManageNews.php. The manipulation of the argument subject/message leads to cross site scripting. It is possible to initiate the attack remotely. • https://github.com/Fewword/Poc/blob/main/smf/smf-poc5.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2025-2582 – SimpleMachines SMF ManageAttachments.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-2582
21 Mar 2025 — A vulnerability was found in SimpleMachines SMF 2.1.4 and classified as problematic. Affected by this issue is some unknown functionality of the file ManageAttachments.php. The manipulation of the argument Notice leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/Fewword/Poc/blob/main/smf/smf-poc3.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2025-29807 – Microsoft Dataverse Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2025-29807
21 Mar 2025 — Deserialization of untrusted data in Microsoft Dataverse allows an authorized attacker to execute code over a network. • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29807 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-502: Deserialization of Untrusted Data

CVE-2024-8953 – Unsafe eval usage in composiohq/composio
https://notcve.org/view.php?id=CVE-2024-8953
20 Mar 2025 — This can lead to arbitrary code execution if untrusted input is passed to the eval() function. • https://huntr.com/bounties/8203d721-e05f-4500-a5bc-c0bec980420c • CWE-627: Dynamic Variable Evaluation

CVE-2024-10252 – Code Injection in langgenius/dify
https://notcve.org/view.php?id=CVE-2024-10252
20 Mar 2025 — A vulnerability in langgenius/dify versions <=v0.9.1 allows for code injection via internal SSRF requests in the Dify sandbox service. • https://github.com/langgenius/dify/commit/4ac99ffe0e1c9f4d7c523908e91bbc7739e0a8d4 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2024-10950 – Code Injection in binary-husky/gpt_academic
https://notcve.org/view.php?id=CVE-2024-10950
20 Mar 2025 — In binary-husky/gpt_academic version <= 3.83, the plugin `CodeInterpreter` is vulnerable to code injection caused by prompt injection. • https://huntr.com/bounties/9abb1617-0c1d-42c7-a647-d9d2b39c6866 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2024-9439 – Remote Code Execution in transformeroptimus/superagi
https://notcve.org/view.php?id=CVE-2024-9439
20 Mar 2025 — SuperAGI is vulnerable to remote code execution in the latest version. The `agent template update` API allows attackers to control certain parameters, which are then fed to the eval function without any sanitization or checks in place. This vulnerability can lead to full system compromise. • https://huntr.com/bounties/d710884f-b5ab-4b31-a2e6-e4b38488def1 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2024-6982 – Remote Code Execution in Calculate Function in parisneo/lollms
https://notcve.org/view.php?id=CVE-2024-6982
20 Mar 2025 — A remote code execution vulnerability exists in the Calculate function of parisneo/lollms version 9.8. The vulnerability arises from the use of Python's `eval()` function to evaluate mathematical expressions within a Python sandbox that disables `__builtins__` and only allows functions from the `math` module. This sandbox can be bypassed by loading the `os` module using the `_frozen_importlib.BuiltinImporter` class, allowing an attacker to execute arbitrary commands on the server. The issue is fixed in vers... • https://github.com/parisneo/lollms/commit/30e7eaba2ccfb751a81e7cb29fdef2ae8ffa6832 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2024-9070 – Deserialization Vulnerability in BentoML's Runner Server in bentoml/bentoml
https://notcve.org/view.php?id=CVE-2024-9070
20 Mar 2025 — The vulnerability is triggered when the args-number parameter is greater than 1, leading to automatic deserialization and arbitrary code execution. • https://huntr.com/bounties/7be6fc22-be18-44ee-a001-ac7158d5e1a5 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVE-2024-10264 – HTTP Request Smuggling in netease-youdao/qanything
https://notcve.org/view.php?id=CVE-2024-10264
20 Mar 2025 — This can lead to unauthorized access, bypassing security controls, session hijacking, data leakage, and potentially arbitrary code execution. • https://huntr.com/bounties/988247d5-fd60-4d85-845a-e867d62c0d02 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')