CVE-2024-13089 – Authenticated RCE in update functionality in Guardian/CMC before 24.6.0
https://notcve.org/view.php?id=CVE-2024-13089
10 Jun 2025 — An OS command injection vulnerability within the update functionality may allow an authenticated administrator to execute unauthorized arbitrary OS commands. ... This issue could potentially enable users to execute commands remotely on the appliance, thereby impacting confidentiality, integrity, and availability. • https://security.nozominetworks.com/NN-2025:1-01 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-27819 – Apache Kafka: Possible RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration
https://notcve.org/view.php?id=CVE-2025-27819
10 Jun 2025 — In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in Kafka Connect API. • https://kafka.apache.org/cve-list • CWE-502: Deserialization of Untrusted Data •

CVE-2025-27818 – Apache Kafka: Possible RCE attack via SASL JAAS LdapLoginModule configuration
https://notcve.org/view.php?id=CVE-2025-27818
10 Jun 2025 — A possible security vulnerability has been identified in Apache Kafka. This requires access to an alterConfig to the cluster resource, or Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol, which has been possible on Kafka clusters since Apache Kafka 2.0.0 (Kafka Connect 2.3.0). • https://kafka.apache.org/cve-list • CWE-502: Deserialization of Untrusted Data •

CVE-2025-1041 – Avaya Call Management System RCE vulnerability
https://notcve.org/view.php?id=CVE-2025-1041
10 Jun 2025 — An improper input validation discovered in Avaya Call Management System could allow an unauthorized remote command via a specially crafted web request. Affected versions include 18.x, 19.x prior to 19.2.0.7, and 20.x prior to 20.0.1.0. • https://support.avaya.com/css/public/documents/101093084 • CWE-20: Improper Input Validation •

CVE-2025-49004 – Hijacking Caido instance during the initial setup via DNS Rebinding to achieve RCE
https://notcve.org/view.php?id=CVE-2025-49004
09 Jun 2025 — This allows a malicious website to hijack the authentication flow of Caido and achieve code execution. • https://github.com/caido/caido/security/advisories/GHSA-jmxf-xw2r-vjrg • CWE-290: Authentication Bypass by Spoofing •

CVE-2025-5914 – Libarchive: double free at archive_read_format_rar_seek_data() in archive_read_support_format_rar.c
https://notcve.org/view.php?id=CVE-2025-5914
09 Jun 2025 — Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition. • https://access.redhat.com/security/cve/CVE-2025-5914 • CWE-415: Double Free •

CVE-2025-49013 – WilderForge vulnerable to code Injection via GitHub Actions Workflows
https://notcve.org/view.php?id=CVE-2025-49013
09 Jun 2025 — This introduces a code injection vulnerability: a malicious actor submitting a crafted pull request review containing shell metacharacters or commands could execute arbitrary shell code on the GitHub Actions runner. This can lead to arbitrary command execution with the permissions of the workflow, potentially compromising CI infrastructure, secrets, and build outputs. • https://codeql.github.com/codeql-query-help/javascript/js-actions-command-injection • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') CWE-116: Improper Encoding or Escaping of Output •

CVE-2025-49131 – FastGPT Sandbox Vulnerable to Sandbox Bypass
https://notcve.org/view.php?id=CVE-2025-49131
09 Jun 2025 — The Sandbox container (fastgpt-sandbox) is a specialized, isolated environment used by FastGPT to safely execute user-submitted or dynamically generated code in isolation. The sandbox before version 4.9.11 has insufficient isolation and inadequate restrictions on code execution by allowing overly permissive syscalls, which allows attackers to escape the intended sandbox boundaries. Attackers could exploit this to read and overwrite arbitrary files and bypass Python module import ... • https://github.com/labring/FastGPT/commit/bb810a43a1c70683fab7f5fe993771e930a94426 • CWE-732: Incorrect Permission Assignment for Critical Resource •

CVE-2025-3835 – Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-3835
09 Jun 2025 — Zohocorp ManageEngine Exchange Reporter Plus versions 5721 and prior are vulnerable to Remote code execution in the Content Search module. • https://www.manageengine.com/products/exchange-reports/advisory/CVE-2025-3835.html • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-49127 – Kafbat UI vulnerable to Remote Code Execution by JMX in Metrices Configuration
https://notcve.org/view.php?id=CVE-2025-49127
06 Jun 2025 — An unsafe deserialization vulnerability in version 1.0.0 allows any unauthenticated user to execute arbitrary code on the server. • https://github.com/kafbat/kafka-ui/releases/tag/v1.1.0 • CWE-502: Deserialization of Untrusted Data •