CVSS: 8.8EPSS: %CPEs: 1EXPL: 0CVE-2025-3616 – Greenshift 11.4 - 11.4.5 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-3616
21 Apr 2025 — The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the gspb_make_proxy_api_request() function in versions 11.4 to 11.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The arbitrary file upload was sufficiently patched in... • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: -EXPL: 0CVE-2025-3837 – Improper Input Validation vulnerability in the End of Life (EOL) OVA based connect component
https://notcve.org/view.php?id=CVE-2025-3837
21 Apr 2025 — Under certain circumstances, an actor can manipulate a specific request parameter and inject code execution payload which could lead to a remote code execution on the infrastructure hosting this component. • https://saviynt.com/trust-compliance-security • CWE-20: Improper Input Validation •
CVSS: 9.2EPSS: 0%CPEs: -EXPL: 0CVE-2025-0632 – Local File Inclusion (LFI) leading to sensitive data exposure
https://notcve.org/view.php?id=CVE-2025-0632
21 Apr 2025 — Local File Inclusion (LFI) vulnerability in a Render function of Formulatrix Rock Maker Web (RMW) allows a remote attacker to obtain sensitive data via arbitrary code execution. • https://www.formulatrix.com/downloads/apps/repository/rockmaker • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 6.1EPSS: 0%CPEs: -EXPL: 0CVE-2025-28121
https://notcve.org/view.php?id=CVE-2025-28121
21 Apr 2025 — code-projects Online Exam Mastering System 1.0 is vulnerable to Cross Site Scripting (XSS) in feedback.php via the "q" parameter allowing remote attackers to execute arbitrary code. • https://code-projects.org/online-exam-mastering-system-php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2025-29287
https://notcve.org/view.php?id=CVE-2025-29287
21 Apr 2025 — An arbitrary file upload vulnerability in the ueditor component of MCMS v5.4.3 allows attackers to execute arbitrary code via uploading a crafted file. • http://cms.com • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2025-29659
https://notcve.org/view.php?id=CVE-2025-29659
21 Apr 2025 — Yi IOT XY-3820 6.0.24.10 is vulnerable to Remote Command Execution via the "cmd_listen" function located in the "cmd" binary. • https://github.com/Yasha-ops/RCE-YiIOT • CWE-285: Improper Authorization •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2025-29660
https://notcve.org/view.php?id=CVE-2025-29660
21 Apr 2025 — This service lacks proper input validation, allowing attackers to execute arbitrary scripts present on the device by sending specially crafted TCP requests using directory traversal techniques. • https://github.com/Yasha-ops/RCE-YiIOT • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2025-3826 – SourceCodester Web-based Pharmacy Product Management System add-supplier.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-3826
20 Apr 2025 — A vulnerability, which was classified as problematic, was found in SourceCodester Web-based Pharmacy Product Management System 1.0. This affects an unknown part of the file add-supplier.php. The manipulation of the argument txtsupplier_name/txtaddress leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. • https://vuldb.com/?id.305733 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2025-3825 – SourceCodester Web-based Pharmacy Product Management System add-category.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-3825
20 Apr 2025 — A vulnerability, which was classified as problematic, has been found in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected by this issue is some unknown functionality of the file add-category.php. The manipulation of the argument txtcategory_name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. • https://vuldb.com/?id.305732 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2025-3824 – SourceCodester Web-based Pharmacy Product Management System add-product.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-3824
20 Apr 2025 — A vulnerability classified as problematic was found in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected by this vulnerability is an unknown functionality of the file add-product.php. The manipulation of the argument txtprice/txtproduct_name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. • https://vuldb.com/?id.305731 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •