
CVSS: 9.0 • EPSS: % • CPEs: 1 • EXPL: 0

14 May 2025 — A code injection vulnerability in the Palo Alto Networks Cortex XDR® Broker VM allows an authenticated user to execute arbitrary code with root privileges on the host operating system running Broker VM. • https://security.paloaltonetworks.com/CVE-2025-0134 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 9.8 • EPSS: % • CPEs: 1 • EXPL: 0

14 May 2025 — In versions 0.43.1b1 through 0.43.1b3, using a constructed (camera) device path with the `add`/`add_camera` motionEye web API allows an attacker with motionEye admin user credentials to execute any command within a non-interactive shell as motionEye run user, `motion` by default. • https://github.com/motioneye-project/motioneye/issues/3142 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 10.0 • EPSS: % • CPEs: 1 • EXPL: 0

14 May 2025 — This, in turn, can lead to Remote Code Execution (RCE) via unsafe Electron protocol handling and exposed Electron APIs. • https://positive.security/blog/url-open-rce • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8 • EPSS: % • CPEs: 1 • EXPL: 0

14 May 2025 — This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/baiduseo/tags/2.0.6/inc/index/youhua.php#L371 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 May 2025 — Exploitation of this vulnerability can lead to Remote Code Execution. • https://github.com/cap-collectif/cap-collectif/commit/812f2a7d271b76deab1175bdaf2be0b8102dd198 • CWE-502: Deserialization of Untrusted Data •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 May 2025 — Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. • https://lists.apache.org/thread/xphtm98v3zsk9vlpfh481m1ry2ctxvmj • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: - • EPSS: 0% • CPEs: - • EXPL: 1

14 May 2025 — Invision Community versions 5.0.0 through 5.0.6 suffer from a customCss related remote code execution vulnerability. • https://packetstorm.news/files/id/192096 •

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 May 2025 — The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.5.07 via the uip_process_form_input() function. This is due to the function taking user supplied inputs to execute arbitrary functions with arbitrary data, and does not have any sort of capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute ... Code ('Code Injection') •

CVSS: 9.8 • EPSS: 0% • CPEs: - • EXPL: 0

14 May 2025 — mediDOK before 2.5.18.43 allows remote attackers to achieve remote code execution on a target system via deserialization of untrusted data. • https://code-white.com/public-vulnerability-list/#unauthenticated-remote-code-execution-via-deserialization-of-untrusted-data-in-m •

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 May 2025 — This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •