CVSS: 9.8EPSS: %CPEs: 1EXPL: 0CVE-2025-1568
https://notcve.org/view.php?id=CVE-2025-1568
16 Apr 2025 — Access Control Vulnerability in Gerrit chromiumos project configuration in Google ChromeOS 131.0.6778.268 allows an attacker with a registered Gerrit account to inject malicious code into ChromeOS projects and potentially achieve Remote Code Execution and Denial of Service via editing trusted pipelines by insufficient access controls and misconfigurations in Gerrit's project.config. • https://issues.chromium.org/issues/b/374279912 •
CVSS: 9.1EPSS: %CPEs: 1EXPL: 0CVE-2025-0756 – Hitachi Vantara Pentaho Data Integration & Analytics - Improper Control of Resource Identifiers ('Resource Injection')
https://notcve.org/view.php?id=CVE-2025-0756
16 Apr 2025 — This could allow access to protected files or directories including configuration files and files containing sensitive information, which can lead to remote code execution by unauthorized users. • https://https://support.pentaho.com/hc/en-us/articles/35771876077709--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Improper-Control-of-Resource-Identifiers-Resource-Injection-Versions-before-10-2-0-2-including-9-3-x-Impacted-CVE-2025-0756 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVSS: 10.0EPSS: %CPEs: 3EXPL: 0CVE-2025-32433 – Erlang/OTP SSH Vulnerable to Pre-Authentication RCE
https://notcve.org/view.php?id=CVE-2025-32433
16 Apr 2025 — Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). • https://github.com/erlang/otp/commit/0fcd9c56524b28615e8ece65fc0c3f66ef6e4c12 • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.5EPSS: %CPEs: 1EXPL: 1CVE-2025-3729 – SourceCodester Web-based Pharmacy Product Management System Database Backup backup.php os command injection
https://notcve.org/view.php?id=CVE-2025-3729
16 Apr 2025 — A vulnerability, which was classified as critical, has been found in SourceCodester Web-based Pharmacy Product Management System 1.0. This issue affects some unknown processing of the file backup.php of the component Database Backup Handler. The manipulation of the argument txtdbname leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/yaklang/IRifyScanResult/blob/main/Web-based%20Pharmacy%20Product%20Management%20System/rce_in_backup.md • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.3EPSS: %CPEs: 1EXPL: 0CVE-2025-3294 – WP Editor <= 1.2.9.1 - Authenticated (Administrator+) Directory Traversal to Arbitrary File Update
https://notcve.org/view.php?id=CVE-2025-3294
16 Apr 2025 — This makes it possible for authenticated attackers, with Administrator-level access and above, to overwrite arbitrary files on the affected site's server which may make remote code execution possible assuming the files can be written to by the web server. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3269832%40wp-editor%2Ftrunk&old=3151053%40wp-editor%2Ftrunk&sfp_email=&sfph_mail= • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: %CPEs: 6EXPL: 0CVE-2025-20236 – Cisco Webex App Client-Side Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2025-20236
16 Apr 2025 — A vulnerability in the custom URL parser of Cisco Webex App could allow an unauthenticated, remote attacker to persuade a user to download arbitrary files, which could allow the attacker to execute arbitrary commands on the host of the targeted user. This vulnerability is due to insufficient input validation when Cisco Webex App processes a meeting invite link. An attacker could exploit this vulnerability by persuading a user to click a crafted meeting invite link and download arbitrary files. A successful ... • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-app-client-rce-ufyMMYLC • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 9.4EPSS: %CPEs: 2EXPL: 0CVE-2025-1980 – Remote Code Execution via Unrestricted File Upload in Ready_
https://notcve.org/view.php?id=CVE-2025-1980
16 Apr 2025 — If the server is misconfigured, as it was by default when installed at the turn of 2021 and 2022, it can result in Remote Code Execution. • https://cert.pl/en/posts/2025/04/CVE-2025-1980 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0CVE-2024-22036 – Rancher Remote Code Execution via Cluster/Node Drivers
https://notcve.org/view.php?id=CVE-2024-22036
16 Apr 2025 — A vulnerability has been identified within Rancher where a cluster or node driver can be used to escape the chroot jail and gain root access to the Rancher container itself. In production environments, further privilege escalation is possible based on living off the land within the Rancher container itself. For the test and development environments, based on a –privileged Docker container, it is possible to escape the Docker container and gain execution access on the host system. This issue affects rancher:... • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22036 • CWE-269: Improper Privilege Management •
CVSS: 10.0EPSS: 0%CPEs: -EXPL: 0CVE-2025-3495 – COMMGR - Insufficient Randomization Authentication Bypass
https://notcve.org/view.php?id=CVE-2025-3495
16 Apr 2025 — An attacker could easily brute force a session ID and load and execute arbitrary code. ... An attacker could easily brute force a session ID and load and execute arbitrary code. • https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00005_COMMGR%20-%20Insufficient%20Randomization%20Authentication%20Bypass_v1.pdf • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2025-39601 – WordPress Custom CSS, JS & PHP plugin <= 2.4.1 - CSRF to RCE vulnerability
https://notcve.org/view.php?id=CVE-2025-39601
16 Apr 2025 — WordPress Custom CSS, JS and PHP versions 2.4.1 and below suffer from a cross site request forgery vulnerability that leads to remote code execution. • https://patchstack.com/database/wordpress/plugin/custom-css/vulnerability/wordpress-custom-css-js-php-plugin-2-4-1-csrf-to-rce-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •