
CVE-2025-48390 – FreeScout Vulnerable to Remote Code Execution (RCE)
https://notcve.org/view.php?id=CVE-2025-48390
29 May 2025 — Prior to version 1.8.178, FreeScout is vulnerable to code injection due to insufficient validation of user input in the php_path parameter. • https://github.com/freescout-help-desk/freescout/commit/fb33d672a2d67f5a2b3cf69c80945267f17908b2 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-48389 – FreeScout Vulnerable to Deserialization of Untrusted Data
https://notcve.org/view.php?id=CVE-2025-48389
29 May 2025 — Through the set function, a string with a serialized object can be passed, and when getting an option through the get method, deserialization will occur, which will allow arbitrary code execution. This issue has been patched in version 1.8.178. • https://github.com/freescout-help-desk/freescout/commit/f7548a7076a0b6e109001069d6be223fbd96c61e • CWE-502: Deserialization of Untrusted Data •

CVE-2025-32801 – Loading a malicious hook library can lead to local privilege escalation
https://notcve.org/view.php?id=CVE-2025-32801
28 May 2025 — Kea configuration and API directives can be used to load a malicious hook library. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths. This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8. • https://kb.isc.org/docs/cve-2025-32801 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-1753 – Command Injection in LLama-Index CLI in run-llama/llama_index
https://notcve.org/view.php?id=CVE-2025-1753
28 May 2025 — This issue can lead to arbitrary code execution on the affected system. • https://github.com/run-llama/llama_index/commit/b57e76738c53ca82d88658b82f2d82d1c7839c7d • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-5222 – Icu: stack buffer overflow in the srbroot::addtag function
https://notcve.org/view.php?id=CVE-2025-5222
27 May 2025 — This issue may lead to memory corruption and local arbitrary code execution. • https://access.redhat.com/security/cve/CVE-2025-5222 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •

CVE-2025-23247
https://notcve.org/view.php?id=CVE-2025-23247
27 May 2025 — A successful exploit of this vulnerability might lead to arbitrary code execution. • https://nvidia.custhelp.com/app/answers/detail/a_id/5643 • CWE-130: Improper Handling of Length Parameter Inconsistency •

CVE-2025-48796 – Gimp: stack-based buffer overflows in file-ico
https://notcve.org/view.php?id=CVE-2025-48796
27 May 2025 — This flaw allows a malicious ANI file to trigger arbitrary code execution. • https://access.redhat.com/security/cve/CVE-2025-48796 • CWE-121: Stack-based Buffer Overflow •

CVE-2025-5181 – Summer Pearl Group Vacation Rental Management Platform updateListing cross site scripting
https://notcve.org/view.php?id=CVE-2025-5181
26 May 2025 — A vulnerability, which was classified as problematic, was found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1. This affects an unknown part of the file /spgpm/updateListing. The manipulation of the argument spgLsTitle leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/Stolichnayer/Summer-Pearl-Group-IDOR-XSS • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-35003 – Apache NuttX RTOS: NuttX Bluetooth Stack HCI and UART DoS/RCE Vulnerabilities.
https://notcve.org/view.php?id=CVE-2025-35003
26 May 2025 — Improper Restriction of Operations within the Bounds of a Memory Buffer and Stack-based Buffer Overflow vulnerabilities were discovered in Apache NuttX RTOS Bluetooth Stack (HCI and UART components) that may result in system crash, denial of service, or arbitrary code execution, after receiving maliciously crafted packets. • https://github.com/apache/nuttx/pull/16179 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-121: Stack-based Buffer Overflow •

CVE-2025-5179 – Realce Tecnologia Queue Ticket Kiosk Cadastro de Administrador Page index.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-5179
26 May 2025 — A vulnerability classified as problematic was found in Realce Tecnologia Queue Ticket Kiosk up to 20250517. Affected by this vulnerability is an unknown functionality of the file /adm/index.php of the component Cadastro de Administrador Page. The manipulation of the argument Name/Usuário leads to cross site scripting. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way. • https://vuldb.com/?ctiid.310267 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •