CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2006 – Inline Image Upload for BBPress <= 1.1.19 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-2006
28 Mar 2025 — This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/image-upload-for-bbpress/tags/1.1.19/bbp-image-upload.php#L136 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2249 – SoJ Soundslides <= 1.2.2 - Authenticated (Contributor+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-2249
28 Mar 2025 — This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/soj-soundslides/tags/1.2.2/soj-soundslides.php • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2870 – Reflected Cross-Site Scripting (XSS) vulnerability in Clinic Queuing System
https://notcve.org/view.php?id=CVE-2025-2870
28 Mar 2025 — This vulnerability could allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the page parameter in /patient_side.php. ... This vulnerability could allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the page parameter in /patient_side.php. • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-clinic-queuing-system • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2869 – Reflected Cross-Site Scripting (XSS) vulnerability in Clinic Queuing System
https://notcve.org/view.php?id=CVE-2025-2869
28 Mar 2025 — This vulnerability could allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the id parameter in /manage_user.php. ... This vulnerability could allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the id parameter in /manage_user.php. • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-clinic-queuing-system • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2868 – Reflected Cross-Site Scripting (XSS) vulnerability in Clinic Queuing System
https://notcve.org/view.php?id=CVE-2025-2868
28 Mar 2025 — This vulnerability could allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the page parameter in /index.php. ... This vulnerability could allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the page parameter in /index.php. • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-clinic-queuing-system • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16149
https://notcve.org/view.php?id=CVE-2019-16149
28 Mar 2025 — An Improper Neutralization of Input During Web Page Generation in FortiClientEMS version 6.2.0 may allow a remote attacker to execute unauthorized code by injecting malicious payload in the user profile of a FortiClient instance being managed by the vulnerable system. • https://fortiguard.fortinet.com/psirt/FG-IR-19-072 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-24292
https://notcve.org/view.php?id=CVE-2024-24292
28 Mar 2025 — A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function in the aim.js component. • https://gist.github.com/tariqhawis/a8b2c936622c885558173c37df0a77d9 •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-38985
https://notcve.org/view.php?id=CVE-2024-38985
28 Mar 2025 — This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. • https://gist.github.com/mestrtee/32c0a48023036e51918f6a098f21953d •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-38988
https://notcve.org/view.php?id=CVE-2024-38988
28 Mar 2025 — This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. • https://gist.github.com/mestrtee/4c5dfb66bea377889c44dd6c8af28713 •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 1CVE-2025-22953
https://notcve.org/view.php?id=CVE-2025-22953
28 Mar 2025 — A SQL injection vulnerability exists in the Epicor HCM 2021 1.9, specifically in the filter parameter of the JsonFetcher.svc endpoint. ... If certain features (like xp_cmdshell) are enabled, this may lead to remote code execution. • https://tinted-hollyhock-92d.notion.site/EPICOR-HCM-Unauthenticated-Blind-SQL-Injection-CVE-2025-22953-170f1fdee211803988d1c9255a8cb904? •