CVSS: 7.7EPSS: %CPEs: 1EXPL: 0CVE-2025-47273 – setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write
https://notcve.org/view.php?id=CVE-2025-47273
17 May 2025 — An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. • https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-3812 – WPBot Pro Wordpress Chatbot <= 13.6.2 - Authenticated (Subscriber+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-3812
16 May 2025 — This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://www.wordfence.com/threat-intel/vulnerabilities/id/8fe1609d-17d6-4afe-90b2-5473dc9b6c3b?source=cve • CWE-73: External Control of File Name or Path •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-4389 – Crawlomatic Multipage Scraper Post Generator <= 2.6.8.1 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-4389
16 May 2025 — This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://codecanyon.net/item/crawlomatic-multisite-scraper-post-generator-plugin-for-wordpress/20476010 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-4391 – Echo RSS Feed Post Generator <= 5.4.8.1 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-4391
16 May 2025 — This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://codecanyon.net/item/echo-rss-feed-post-generator-plugin-for-wordpress/19486974 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-6486 – ImageMagick Engine < 1.7.11 - Administrator+ OS Command Injection
https://notcve.org/view.php?id=CVE-2024-6486
15 May 2025 — This allows authenticated attackers, with administrator-level permission to execute arbitrary OS commands on the server leading to remote code execution. • https://wpscan.com/vulnerability/a57c0c59-8b5c-4221-a9db-19f141650d9b •
CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47785 – EMLOG SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-47785
15 May 2025 — In versions up to and including 2.5.9, SQL injection occurs because the $origContent parameter in admin/article_save.php is not strictly filtered. Since admin/article_save.php can be accessed by ordinary registered users, this will cause SQL injection to occur when the registered site is enabled, resulting in the injection of the admin account and password, which is then exploited by the backend remote code execution. • https://github.com/emlog/emlog/security/advisories/GHSA-939m-47f7-m559 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47787 – Emlog Pro Contains a File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-47787
15 May 2025 — This insufficient validation allows attackers to execute arbitrary code on the vulnerable system. • https://github.com/emlog/emlog/commit/691c13e90df2fb35e120f4e0735078bad018eed7 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.4EPSS: 0%CPEs: -EXPL: 0CVE-2025-44182
https://notcve.org/view.php?id=CVE-2025-44182
15 May 2025 — This allows attackers to execute arbitrary code. • https://phpgurukul.com/vehicle-record-system-using-php-and-mysql • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-0134 – Cortex XDR Broker VM: Authenticated Code Injection Vulnerability in Broker VM
https://notcve.org/view.php?id=CVE-2025-0134
14 May 2025 — A code injection vulnerability in the Palo Alto Networks Cortex XDR® Broker VM allows an authenticated user to execute arbitrary code with root privileges on the host operating system running Broker VM. • https://security.paloaltonetworks.com/CVE-2025-0134 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47782 – motionEye vulnerable to RCE in add_camera Function Due to unsafe command execution
https://notcve.org/view.php?id=CVE-2025-47782
14 May 2025 — motionEye is an online interface for the software motion, a video surveillance program with motion detection. In versions 0.43.1b1 through 0.43.1b3, using a constructed (camera) device path with the `add`/`add_camera` motionEye web API allows an attacker with motionEye admin user credentials to execute any command within a non-interactive shell as motionEye run user, `motion` by default. The vulnerability has been patched with motionEye v0.43.1b4. As a workaround, apply the patch manually. • https://github.com/motioneye-project/motioneye/issues/3142 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •