
CVE-2025-34028 – Commvault Command Center Innovation Release Unauthenticated Path Traversal
https://notcve.org/view.php?id=CVE-2025-34028
22 Apr 2025 — A path traversal vulnerability in Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files, which, when expanded by the target server, result in Remote Code Execution. • https://documentation.commvault.com/securityadvisories/CV_2025_04_1.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-23251
https://notcve.org/view.php?id=CVE-2025-23251
22 Apr 2025 — NVIDIA NeMo Framework contains a vulnerability where a user could cause an improper control of generation of code by remote code execution. A successful exploit of this vulnerability might lead to code execution and data tampering. • https://nvidia.custhelp.com/app/answers/detail/a_id/5641 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-23250
https://notcve.org/view.php?id=CVE-2025-23250
22 Apr 2025 — NVIDIA NeMo Framework contains a vulnerability where an attacker could cause an improper limitation of a pathname to a restricted directory by an arbitrary file write. A successful exploit of this vulnerability might lead to code execution and data tampering. • https://nvidia.custhelp.com/app/answers/detail/a_id/5641 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-23249
https://notcve.org/view.php?id=CVE-2025-23249
22 Apr 2025 — NVIDIA NeMo Framework contains a vulnerability where a user could cause a deserialization of untrusted data by remote code execution. A successful exploit of this vulnerability might lead to code execution and data tampering. • https://nvidia.custhelp.com/app/answers/detail/a_id/5641 • CWE-502: Deserialization of Untrusted Data •

CVE-2024-40445
https://notcve.org/view.php?id=CVE-2024-40445
22 Apr 2025 — Directory Traversal vulnerability in forkosh Mime Tex before v.1.77 allows an attacker to execute arbitrary code via a crafted file upload • https://github.com/Oefenweb/mimetex/blob/master/mimetex.c#L12414-L12423 •

CVE-2024-40446
https://notcve.org/view.php?id=CVE-2024-40446
22 Apr 2025 — An issue in forkosh Mime Tex before v.1.77 allows an attacker to execute arbitrary code via a crafted script • https://youtu.be/S3cmZkWIi6o •

CVE-2025-3842 – panhainan DS-Java FileUpload.java uploadUserPic.action code injection
https://notcve.org/view.php?id=CVE-2025-3842
21 Apr 2025 — The manipulation of the argument fileUpload leads to code injection. The attack may be initiated remotely. ... By manipulating the argument fileUpload with unknown data, a code injection vulnerability can be exploited. • https://vuldb.com/?id.305771 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-3616 – Greenshift 11.4 - 11.4.5 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-3616
21 Apr 2025 — The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the gspb_make_proxy_api_request() function in versions 11.4 to 11.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The arbitrary file upload was sufficiently patched in... • https://www.wordfence.com/threat-intel/vulnerabilities/id/0db4671e-1989-44a4-babe-ed699c7f3a52?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-3837 – Improper Input Validation vulnerability in the End of Life (EOL) OVA based connect component
https://notcve.org/view.php?id=CVE-2025-3837
21 Apr 2025 — Under certain circumstances, an actor can manipulate a specific request parameter and inject code execution payload which could lead to a remote code execution on the infrastructure hosting this component. • https://saviynt.com/trust-compliance-security • CWE-20: Improper Input Validation •

CVE-2025-0632 – Local File Inclusion (LFI) leading to sensitive data exposure
https://notcve.org/view.php?id=CVE-2025-0632
21 Apr 2025 — Local File Inclusion (LFI) vulnerability in a Render function of Formulatrix Rock Maker Web (RMW) allows a remote attacker to obtain sensitive data via arbitrary code execution. ... This issue affects Rock Maker Web: from 3.2.1.1 and later. • https://www.formulatrix.com/downloads/apps/repository/rockmaker • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •