
CVE-2025-6206 – Aiomatic - AI Content Writer, Editor, ChatBot & AI Toolkit <= 2.5.0 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-6206
23 Jun 2025 — This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://codecanyon.net/item/aiomatic-automatic-ai-content-writer/38877369#item-description__changelog • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2023-47029
https://notcve.org/view.php?id=CVE-2023-47029
23 Jun 2025 — An issue in NCR Terminal Handler v.1.5.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via a crafted POST request to the UserService component • https://drive.google.com/file/d/1oX5uKnWGiYMaBxnBuqPiOA53XLxv1Ef4/view?usp=sharing • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2023-47030
https://notcve.org/view.php?id=CVE-2023-47030
23 Jun 2025 — An issue in NCR Terminal Handler v.1.5.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via a GET request to a UserService SOAP API endpoint to validate if a user exists. • https://drive.google.com/file/d/1ujUcB8XEs78WwWzs8cmD-u1Twqi10yEh/view?usp=sharing • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2023-47032
https://notcve.org/view.php?id=CVE-2023-47032
23 Jun 2025 — Password Vulnerability in NCR Terminal Handler v.1.5.1 allows a remote attacker to execute arbitrary code via a crafted script to the UserService SOAP API function. • https://drive.google.com/file/d/1rTKc2nxEc40VTItJiJ9moZ5VrHG3xQuj/view?usp=sharing • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2023-48978
https://notcve.org/view.php?id=CVE-2023-48978
23 Jun 2025 — An issue in NCR ITM Web terminal v.4.4.0 and v.4.4.4 allows a remote attacker to execute arbitrary code via a crafted script to the IP camera URL component. • https://drive.google.com/file/d/13JrkDcVtcQFepeGoG8roBZ1xFy7iBx1R/view?usp=sharing • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-24765 – WordPress Image Shadow plugin <= 1.1.0 - Arbitrary File Deletion Vulnerability
https://notcve.org/view.php?id=CVE-2025-24765
23 Jun 2025 — This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://patchstack.com/database/wordpress/plugin/image-shadow/vulnerability/wordpress-image-shadow-1-1-0-arbitrary-file-deletion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-6445 – ServiceStack FindType Directory Traversal Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2025-6445
23 Jun 2025 — ServiceStack FindType Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ServiceStack. ... An attacker can leverage this vulnerability to execute code in the context of the current process. • https://docs.servicestack.net/releases/v8_06#reported-vulnerabilities • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-25034 – SugarCRM PHP Deserialization RCE
https://notcve.org/view.php?id=CVE-2025-25034
20 Jun 2025 — The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. • https://vulncheck.com/advisories/sugarcrm-php-deserialization-rce • CWE-502: Deserialization of Untrusted Data •

CVE-2025-49132 – Pterodactyl Panel Allows Unauthenticated Arbitrary Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-49132
20 Jun 2025 — Prior to version 1.11.11, using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. With the ability to execute arbitrary code it could be used to gain access to the Panel's server, read credentials from the Panel's config, extract sensitive information from the database, access files of servers managed by the panel, etc. ... Pterodactyl Panel versions prior to 1.11... • https://packetstorm.news/files/id/202893 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-4981 – Path Traversal Leading to RCE by Any Authenticated Mattermost User
https://notcve.org/view.php?id=CVE-2025-4981
20 Jun 2025 — Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequences in filenames, potentially leading to remote code execution. • https://mattermost.com/security-updates • CWE-427: Uncontrolled Search Path Element •