CVSS: 8.7 • EPSS: % • CPEs: 1 • EXPL: 1 • CVE-2025-34181 – NetSupport Manager < 14.12.0001 Authenticated Path Traversal Arbitrary File Write RCE
https://notcve.org/view.php?id=CVE-2025-34181
15 Dec 2025 — This can be leveraged to place attacker-controlled DLLs or executables in privileged paths and achieve remote code execution in the context of the NetSupport Manager connectivity service. • https://www.vulncheck.com/advisories/netsupport-manager-authenticated-path-traversal-arbitrary-write-rce • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8 • EPSS: % • CPEs: - • EXPL: 0 • CVE-2025-60786
https://notcve.org/view.php?id=CVE-2025-60786
15 Dec 2025 — A Zip Slip vulnerability in the import a Project component of iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code via uploading a crafted Zip file. • https://www.icescrum.com/download • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: - • EPSS: % • CPEs: - • EXPL: 0 • CVE-2025-65213
https://notcve.org/view.php?id=CVE-2025-65213
15 Dec 2025 — An attacker can craft a malicious pickle file that executes arbitrary Python code when loaded, enabling remote code execution with the privileges of the victim process. • https://github.com/MooreThreads/torch_musa/issues/110#issuecomment-3475809588 •
CVSS: 7.6 • EPSS: 0% • CPEs: - • EXPL: 0 • CVE-2025-14542 – Command execution in python-utcp allows attackers to achieve remote code execution when fetching a remote Manual from a malicious endpoint
https://notcve.org/view.php?id=CVE-2025-14542
13 Dec 2025 — The vulnerability arises when a client fetches a tools’ JSON specification, known as a Manual, from a remote Manual Endpoint. While a provider may initially serve a benign manual (e.g., one defining an HTTP tool call), earning the clients’ trust, a malicious provider can later change the manual to exploit the client. • https://github.com/universal-tool-calling-protocol/python-utcp/commit/2dc9c02df72cad3770c934959325ec344b441444 • CWE-501: Trust Boundary Violation •
CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 1 • CVE-2024-58314 – Atcom 2.7.x.x Authenticated Command Injection via Web Configuration CGI
https://notcve.org/view.php?id=CVE-2024-58314
12 Dec 2025 — Attackers can inject shell commands through the 'cmd' parameter in web_cgi_main.cgi, enabling remote code execution with administrative credentials. • https://www.atcom.cn/html/yingwenban/Product/Fast_IP_phone/2017/1023/135.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 1 • CVE-2024-58305 – WonderCMS 4.3.2 Cross-Site Scripting Remote Code Execution via Module Installation
https://notcve.org/view.php?id=CVE-2024-58305
12 Dec 2025 — WonderCMS 4.3.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious JavaScript through the module installation endpoint. Attackers can craft a specially designed XSS payload to install a reverse shell module and execute remote commands by tricking an authenticated administrator into accessing a malicious link. • https://www.vulncheck.com/advisories/wondercms-cross-site-scripting-remote-code-execution-via-module-installation • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1 • CVE-2024-58299 – PCMan FTP Server 2.0 Remote Buffer Overflow via 'pwd' Command
https://notcve.org/view.php?id=CVE-2024-58299
12 Dec 2025 — PCMan FTP Server 2.0 contains a buffer overflow vulnerability in the 'pwd' command that allows remote attackers to execute arbitrary code. • https://sourceforge.net/projects/pcmanftpd • CWE-121: Stack-based Buffer Overflow •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1 • CVE-2024-14010 – Typora 1.7.4 OS Command Injection via Export PDF Preferences
https://notcve.org/view.php?id=CVE-2024-14010
12 Dec 2025 — Attackers can inject malicious commands into the 'run command' input field during PDF export to achieve remote code execution. • http://www.typora.io • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-13094 – WP3D Model Import Viewer <= 1.0.7 - Authenticated (Contributor+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-13094
12 Dec 2025 — This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://wordpress.org/plugins/wp3d-model-import-block • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-14476 – Doubly <= 1.0.46 - Authenticated (Subscriber+) PHP Object Injection via ZIP File Import
https://notcve.org/view.php?id=CVE-2025-14476
12 Dec 2025 — The additional presence of a POP chain allows attackers to execute arbitrary code, delete files, retrieve sensitive data, or perform other actions depending on the available gadgets. • https://plugins.trac.wordpress.org/browser/doubly/tags/1.0.46/inc_php/functions.class.php#L1040 • CWE-502: Deserialization of Untrusted Data •
