CVSS: 4.6EPSS: %CPEs: 1EXPL: 0CVE-2025-54940
https://notcve.org/view.php?id=CVE-2025-54940
08 Aug 2025 — An HTML injection vulnerability exists in WordPress plugin "Advanced Custom Fields" prior to 6.4.3. If this vulnerability is exploited, crafted HTML code may be rendered and page display may be tampered. • https://www.advancedcustomfields.com/blog/acf-6-4-3-security-release • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.4EPSS: %CPEs: 1EXPL: 0CVE-2025-54886 – skops: Card.get_model does not block arbitrary code execution
https://notcve.org/view.php?id=CVE-2025-54886
08 Aug 2025 — In versions 0.12.0 and below, the Card.get_model does not contain any logic to prevent arbitrary code execution. ... Unlike skops, joblib allows arbitrary code execution during loading, bypassing security measures and potentially enabling malicious code execution. • https://github.com/skops-dev/skops/security/advisories/GHSA-378x-6p4f-8jgm • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.0EPSS: 0%CPEs: 2EXPL: 0CVE-2025-3770 – SMM IDT Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2025-3770
07 Aug 2025 — Successful exploitation of this vulnerability will lead to arbitrary code execution and impact Confidentiality, Integrity, and Availability. • https://github.com/tianocore/edk2/security/advisories/GHSA-vx5v-4gg6-6qxr • CWE-693: Protection Mechanism Failure •
CVSS: 5.4EPSS: 0%CPEs: -EXPL: 0CVE-2025-54393
https://notcve.org/view.php?id=CVE-2025-54393
07 Aug 2025 — Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 allows Static Code Injection. • https://community.netwrix.com/t/adv-2025-015-critical-vulnerabilities-in-netwrix-directory-manager-formerly-imanami-groupid-v11/17192 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-54594 – react-native-bottom-tabs: Arbitrary code execution in GitHub Actions canary workflow leads to secret exfiltration
https://notcve.org/view.php?id=CVE-2025-54594
05 Aug 2025 — This allowed for arbitrary code execution, leading to the exfiltration of sensitive secrets such as GITHUB_TOKEN and NPM_TOKEN, and could have allowed an attacker to push malicious code to the repository or publish compromised packages to the NPM registry. • https://github.com/callstackincubator/react-native-bottom-tabs/security/advisories/GHSA-588g-38p4-gr6x • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-269: Improper Privilege Management •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 4CVE-2012-10027 – WordPress Plugin WP-Property <= 1.35.0 PHP File Upload
https://notcve.org/view.php?id=CVE-2012-10027
05 Aug 2025 — WP-Property plugin for WordPress through version 1.35.0 contains an unauthenticated file upload vulnerability in the third-party `uploadify.php` script. A remote attacker can upload arbitrary PHP files to a temporary directory without authentication, leading to remote code execution. • https://wordpress.org/plugins/wp-property • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 4CVE-2012-10026 – WordPress Plugin Asset-Manager <= 2.0 PHP File Upload
https://notcve.org/view.php?id=CVE-2012-10026
05 Aug 2025 — The WordPress plugin Asset-Manager version 2.0 and below contains an unauthenticated arbitrary file upload vulnerability in upload.php. The endpoint fails to properly validate and restrict uploaded file types, allowing remote attackers to upload malicious PHP scripts to a predictable temporary directory. Once uploaded, the attacker can execute the file via a direct HTTP GET request, resulting in remote code execution under the web server’s context. • https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rb • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 3CVE-2012-10025 – WordPress Plugin Advanced Custom Fields <= 3.5.1 Remote File Inclusion
https://notcve.org/view.php?id=CVE-2012-10025
05 Aug 2025 — The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an unauthenticated attacker can exploit the acf_abspath POST parameter to include and execute arbitrary remote PHP code. This leads to remote code execution under the web server’s context, allowing full compromise of the host. • https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/wp_advanced_custom_fields_exec.rb • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 3CVE-2013-10070 – PHP-Charts v1.0 PHP Code Execution
https://notcve.org/view.php?id=CVE-2013-10070
05 Aug 2025 — PHP-Charts v1.0 contains a PHP code execution vulnerability in wizard/url.php, where user-supplied GET parameter names are passed directly to eval() without sanitization. A remote attacker can exploit this flaw by crafting a request that injects arbitrary PHP code, resulting in command execution under the web server's context. The vulnerability allows unauthenticated attackers to execute system-level commands via base64-encoded payloads embedded in parameter names, leading to full compromise of the host sys... • https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/php_charts_exec.rb • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 3CVE-2012-10032 – Maxthon3 about:history XCS Trusted Zone Code Execution
https://notcve.org/view.php?id=CVE-2012-10032
05 Aug 2025 — Maxthon3 versions prior to 3.3 are vulnerable to cross context scripting (XCS) via the about:history page. The browser’s trusted zone improperly handles injected script content, allowing attackers to execute arbitrary JavaScript in a privileged context. This flaw enables modification of browser configuration and execution of arbitrary code through Maxthon’s exposed DOM APIs, including maxthon.program.Program.launch() and maxthon.io.writeDataURL(). Exploitation requires user interaction, typically by visitin... • https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/browser/maxthon_history_xcs.rb • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •