
CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

15 Apr 2025 — This can be leveraged to possibly achieve remote code execution by anyone with credentials to a low-privileged user. ... This argument injection can be exploited to achieve arbitrary file write, leading to possible remote code execution through the plugin system. • https://github.com/jellyfin/jellyfin/commit/79f3ce53257c5291887cd52d8ac735b5252c9a97 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

15 Apr 2025 — This method of IP spoofing can also bypass some security mechanisms, cause a denial-of-service attack, and possibly bypass the admin restart requirement if combined with remote code execution. • https://github.com/jellyfin/jellyfin/commit/f625665cb116a7e3feb8b79aaf1ed39a956e0585 • CWE-290: Authentication Bypass by Spoofing •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

15 Apr 2025 — This security flaw allows attackers to analyze the source code, discover the embedded secret, and craft legitimate JWT tokens. ... Consequently, this enables full control over the host machine, potentially leading to severe consequences such as sensitive data exposure, unauthorized command execution, privilege escalation, or further lateral movement within the network environment. • https://github.com/donknap/dpanel/security/advisories/GHSA-j752-cjcj-w847 • CWE-321: Use of Hard-coded Cryptographic Key; CWE-453: Insecure Default Variable Initialization; CWE-547: Use of Hard-coded, Security-relevant Constants •

CVSS: 7.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

15 Apr 2025 — BleachBit for Windows up to version 4.6.2 is vulnerable to DLL hijacking. By placing a malicious DLL named uuid.dll in the folder C:\Users\<username>\AppData\Local\Microsoft\WindowsApps\, an attacker can execute arbitrary code every time BleachBit is run. • https://github.com/bleachbit/bleachbit/commit/dafeba57dcb14c7ec4a97224ff1408f6b0c2a7f8 • CWE-427: Uncontrolled Search Path Element •

CVSS: 7.7 • EPSS: 0% • CPEs: 1 • EXPL: 0

15 Apr 2025 — In versions before 5.5.0, an attacker with access to the `/backup/import` API endpoint can write arbitrary files to locations outside the intended extraction directory due to a Zip Slip vulnerability. ... This overwrite can potentially lead to Remote Code Execution (RCE) within the application's context. • https://github.com/labsai/EDDI/commit/1e207d0e4f72a5a93920bc0f76cad53ffd8e7065 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 9.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

15 Apr 2025 — This execution is achieved through prompt injection attacks against the /api/<string-chat>/message endpoint, by manipulating the ‘content’ parameter. • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-aidex • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 5.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

15 Apr 2025 — This vulnerability affects unknown code of the file /visualization. • https://github.com/HexC0d3/graphlytic-xss-exploits/blob/main/stored_xss.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

15 Apr 2025 — A vulnerability classified as problematic was found in Demtec Graphytics 5.0.7. It affects an unknown part of the file /visualization in the component HTTP GET Parameter Handler. The manipulation leads to cross-site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/HexC0d3/graphlytic-xss-exploits/blob/main/reflected_xss.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 8.3 • EPSS: 0% • CPEs: - • EXPL: 0

15 Apr 2025 — A command injection vulnerability in the Nmap diagnostic tool in the admin web console of Extron SMP 111 <=3.01, SMP 351 <=2.16, and SMP 352 <= 2.16 allows a remote authenticated attacker with administrative privileges to execute arbitrary commands as root on the underlying operating system. A command injection vulnerability in the Nmap diagnostic tool in the admin web console of Extron SMP 111 <=3.01, SMP 351 <=2.16, SMP 352 <= 2.16, and SME 211 <= 3.02, allows a remote authenticated attacker to exe... • https://github.com/layer8secure/extron-smp-inject • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 6.6 • EPSS: 0% • CPEs: - • EXPL: 0

15 Apr 2025 — This can be leveraged by an attacker to perform arbitrary writes, potentially leading to arbitrary code execution. • https://www.insyde.com/security-pledge/SA-2024015 • CWE-787: Out-of-bounds Write •