
CVE-2025-10485 – pojoin h3blog HTTP Header login ppt_log cross site scripting
https://notcve.org/view.php?id=CVE-2025-10485
15 Sep 2025 — The attack may be performed from remote. ... The attack can be carried out remotely. • https://vuldb.com/?id.323919 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-58748 – Dataease H2 data source JDBC URL validation bypass leads to remote code execution
https://notcve.org/view.php?id=CVE-2025-58748
15 Sep 2025 — This lack of validation allows a crafted JDBC configuration that substitutes the Amazon Redshift driver and leverages the socketFactory and socketFactoryArg parameters to invoke org.springframework.context.support.FileSystemXmlApplicationContext or ClassPathXmlApplicationContext with an attacker‑controlled remote XML resource, resulting in remote code execution. • https://github.com/dataease/dataease/security/advisories/GHSA-23qw-9qrh-9rr8 • CWE-502: Deserialization of Untrusted Data •

CVE-2025-58046 – Dataease has a JDBC attack vulnerability in the Impala datasource
https://notcve.org/view.php?id=CVE-2025-58046
15 Sep 2025 — In versions up to and including 2.10.12, the Impala data source is vulnerable to remote code execution due to insufficient filtering in the getJdbc method of the io.dataease.datasource.type.Impala class. Attackers can construct malicious JDBC connection strings that exploit JNDI injection and trigger RMI deserialization, ultimately enabling remote command execution. The vulnerability can be exploited by editing the data source and providing a crafted JDBC connection string... • https://github.com/dataease/dataease/security/advisories/GHSA-mvwc-x8x9-46c3 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-502: Deserialization of Untrusted Data •

CVE-2025-58045 – Dataease server-side request forgery via unfiltered DB2 JDBC ldap parameter
https://notcve.org/view.php?id=CVE-2025-58045
15 Sep 2025 — In Dataease versions up to 2.10.12, the patch introduced to mitigate DB2 JDBC deserialization remote code execution attacks only blacklisted the rmi parameter. ... In higher versions of Java, ldap deserialization (autoDeserialize) is disabled by default, preventing remote code execution, but SSRF remains exploitable. • https://github.com/dataease/dataease/security/advisories/GHSA-fmq3-6xhc-r845 • CWE-918: Server-Side Request Forgery (SSRF) •

CVE-2025-59361 – OS command injection in Chaos Mesh via the cleanIptables mutation
https://notcve.org/view.php?id=CVE-2025-59361
15 Sep 2025 — In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster. • https://github.com/chaos-mesh/chaos-mesh/pull/4702 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-59360 – OS command injection in Chaos Mesh via the killProcesses mutation
https://notcve.org/view.php?id=CVE-2025-59360
15 Sep 2025 — In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster. • https://github.com/chaos-mesh/chaos-mesh/pull/4702 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-59359 – OS command injection in Chaos Mesh via the cleanTcs mutation
https://notcve.org/view.php?id=CVE-2025-59359
15 Sep 2025 — In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster. • https://github.com/chaos-mesh/chaos-mesh/pull/4702 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-10433 – 1Panel-dev MaxKB debug deserialization
https://notcve.org/view.php?id=CVE-2025-10433
15 Sep 2025 — Executing manipulation of the argument code can lead to deserialization. ... By manipulating the argument code with unknown data, a deserialization vulnerability can be exploited. • https://zealous-brand-b4a.notion.site/MaxKB-2-1-0-tool-debug-RCE-2647244a828c80e7850dc6503061b88b • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •

CVE-2025-56252
https://notcve.org/view.php?id=CVE-2025-56252
15 Sep 2025 — Cross Site Scripting (XSS) vulnerability in ServitiumCRM 2.10 allowing attackers to execute arbitrary code via a crafted URL to the mobile parameter. • https://gist.github.com/fir3storm/5a9c367b4fc1efbc444d72d800c175bb • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-57174
https://notcve.org/view.php?id=CVE-2025-57174
15 Sep 2025 — An issue was discovered in Siklu Communications Etherhaul 8010TX and 1200FX devices, Firmware 7.4.0 through 10.7.3 and possibly other previous versions. The rfpiped service listening on TCP port 555 uses static AES encryption keys hardcoded in the binary. These keys are identical across all devices, allowing attackers to craft encrypted packets that execute arbitrary commands without authentication. This is a failed patch for CVE-2017-7318. This issue may affect other Etherhaul series devices with sha... • https://semaja2.net/2025/08/02/siklu-eh-unauthenticated-rce • CWE-321: Use of Hard-coded Cryptographic Key •