
CVE-2024-13804
https://notcve.org/view.php?id=CVE-2024-13804
30 Mar 2025 — Vulnerability in Hewlett Packard Enterprise HPE Insight Cluster Management Utility (CMU).This issue affects HPE Insight Cluster Management Utility (CMU): 8.2. • https://red.0xbad53c.com/vulnerability-research/rce-in-hpe-insight-cluster-management-utility-cve-2024-13804 •

CVE-2025-2006 – Inline Image Upload for BBPress <= 1.1.19 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-2006
28 Mar 2025 — This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/image-upload-for-bbpress/tags/1.1.19/bbp-image-upload.php#L136 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-2249 – SoJ Soundslides <= 1.2.2 - Authenticated (Contributor+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-2249
28 Mar 2025 — This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://github.com/Nxploited/CVE-2025-2249 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-38988
https://notcve.org/view.php?id=CVE-2024-38988
28 Mar 2025 — This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. • https://gist.github.com/mestrtee/4c5dfb66bea377889c44dd6c8af28713 •

CVE-2024-24292
https://notcve.org/view.php?id=CVE-2024-24292
28 Mar 2025 — A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function in the aim.js component. • https://gist.github.com/tariqhawis/a8b2c936622c885558173c37df0a77d9 •

CVE-2025-28254
https://notcve.org/view.php?id=CVE-2025-28254
28 Mar 2025 — Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary code and obtain sensitive information via the first name field in processMentions(). • https://github.com/Leantime/leantime/blob/0e7ddbbe3d582f657a1dddfef7b3419ae588cbf7/app/Domain/Notifications/Services/Notifications.php#L128 •

CVE-2024-38985
https://notcve.org/view.php?id=CVE-2024-38985
28 Mar 2025 — This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. • https://gist.github.com/mestrtee/32c0a48023036e51918f6a098f21953d •

CVE-2024-56975
https://notcve.org/view.php?id=CVE-2024-56975
28 Mar 2025 — InvoicePlane (all versions tested as of December 2024) v.1.6.11 and before contains a remote code execution vulnerability in the upload_file method of the Upload controller. • https://github.com/InvoicePlane/InvoicePlane/pull/1127 •

CVE-2025-22953
https://notcve.org/view.php?id=CVE-2025-22953
28 Mar 2025 — A SQL injection vulnerability exists in the Epicor HCM 2021 1.9, specifically in the filter parameter of the JsonFetcher.svc endpoint. An attacker can exploit this vulnerability by injecting malicious SQL payloads into the filter parameter, enabling the unauthorized execution of arbitrary SQL commands on the backend database. If certain features (like xp_cmdshell) are enabled, this may lead to remote code execution. • https://tinted-hollyhock-92d.notion.site/EPICOR-HCM-Unauthenticated-Blind-SQL-Injection-CVE-2025-22953-170f1fdee211803988d1c9255a8cb904? •

CVE-2025-28256
https://notcve.org/view.php?id=CVE-2025-28256
28 Mar 2025 — An issue in TOTOLINK A3100R V4.1.2cu.5247_B20211129 allows a remote attacker to execute arbitrary code via the setWebWlanIdx of the file /lib/cste_modules/wireless.so. • https://github.com/ZackSecurity/VulnerReport/blob/cve/totolink/A3100R/1.md •