
CVE-2025-3616 – Greenshift 11.4 - 11.4.5 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-3616
21 Apr 2025 — This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-3837 – Improper Input Validation vulnerability in the End of Life (EOL) OVA based connect component
https://notcve.org/view.php?id=CVE-2025-3837
21 Apr 2025 — Under certain circumstances, an actor can manipulate a specific request parameter and inject a code-execution payload, which could lead to remote code execution on the infrastructure hosting this component. • https://saviynt.com/trust-compliance-security • CWE-20: Improper Input Validation •

CVE-2025-0632 – Local File Inclusion (LFI) leading to sensitive data exposure
https://notcve.org/view.php?id=CVE-2025-0632
21 Apr 2025 — Local File Inclusion (LFI) vulnerability in a Render function of Formulatrix Rock Maker Web (RMW) allows a remote attacker to obtain sensitive data via arbitrary code execution. A malicious actor could execute malicious scripts to automatically download configuration files in known locations to exfiltrate data including credentials, and, with no rate limiting, a malicious actor could enumerate the filesystem of the host machine, potentially leading to full host compromise. • https://www.formulatrix.com/downloads/apps/repository/rockmaker • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVE-2025-28121
https://notcve.org/view.php?id=CVE-2025-28121
21 Apr 2025 — code-projects Online Exam Mastering System 1.0 is vulnerable to Cross Site Scripting (XSS) in feedback.php via the "q" parameter, allowing remote attackers to execute arbitrary script in a victim's browser. • https://code-projects.org/online-exam-mastering-system-php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-29287
https://notcve.org/view.php?id=CVE-2025-29287
21 Apr 2025 — An arbitrary file upload vulnerability in the ueditor component of MCMS v5.4.3 allows attackers to execute arbitrary code via uploading a crafted file. • http://cms.com • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-29659
https://notcve.org/view.php?id=CVE-2025-29659
21 Apr 2025 — Yi IOT XY-3820 6.0.24.10 is vulnerable to Remote Command Execution via the "cmd_listen" function located in the "cmd" binary. • https://github.com/Yasha-ops/RCE-YiIOT • CWE-285: Improper Authorization •

CVE-2025-29660
https://notcve.org/view.php?id=CVE-2025-29660
21 Apr 2025 — This service lacks proper input validation, allowing attackers to execute arbitrary scripts present on the device by sending specially crafted TCP requests using directory traversal techniques. • https://github.com/Yasha-ops/RCE-YiIOT • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-3404 – Download Manager <= 3.3.12 - Authenticated (Author+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-3404
18 Apr 2025 — This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://www.wordfence.com/threat-intel/vulnerabilities/id/21f8f5be-b513-4040-af39-c1a61d7e313f?source=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
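The three path-traversal entries above (CVE-2025-0632, CVE-2025-29660 and CVE-2025-3404) share one root cause: a user-controlled path fragment is joined onto a server directory without confirming that the result still lies inside it. The check below is an added example written for this page, not code from Formulatrix, Yi IOT or the Download Manager plugin; the fixture directory, the file names and the sample request paths are constructed for the demo. It canonicalises the joined path (collapsing `..` and following symlinks) and compares against the resolved base, after rejecting NUL bytes, one round of URL-encoding and absolute paths.

```python
"""Safe path resolution for the path-traversal / LFI class (CWE-22, CWE-98).
Added example; fixture root and request paths are constructed."""
import os
import tempfile
import urllib.parse
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would leave the permitted root."""


def safe_join(base_dir: str, user_path: str) -> str:
    """Return the absolute path for user_path if it resolves strictly inside
    base_dir, otherwise raise PathTraversalError.

    Checks, in order:
      1. NUL bytes (truncate C strings: "index.html\\0.png" becomes "index.html")
      2. one round of URL decoding, so "%2e%2e%2f" is judged as "../"
      3. absolute paths, which os.path.join() would silently honour
      4. Path.resolve() on the joined path (collapses "..", follows symlinks),
         then a parent check against the resolved base, not a string prefix
    """
    if "\x00" in user_path:
        raise PathTraversalError("NUL byte in path")
    decoded = urllib.parse.unquote(user_path)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in decoded path")
    if os.path.isabs(decoded) or decoded.startswith(("/", "\\")):
        raise PathTraversalError("absolute path not permitted")

    base = Path(base_dir).resolve()
    # Resolving symlinks matters: a link inside base pointing at /etc would
    # pass a naive startswith() check on the unresolved string.
    candidate = (base / decoded).resolve()
    if base not in candidate.parents:
        raise PathTraversalError(f"{user_path!r} escapes {base}")
    return str(candidate)


def check(base_dir: str, user_path: str) -> str:
    """Classify one request path as 'allowed' or 'rejected'."""
    try:
        safe_join(base_dir, user_path)
        return "allowed"
    except PathTraversalError:
        return "rejected"


def make_fixture() -> str:
    """Constructed web root for the demo: <tmp>/templates/index.html."""
    root = tempfile.mkdtemp(prefix="render_root_")
    os.makedirs(os.path.join(root, "templates"))
    with open(os.path.join(root, "templates", "index.html"), "w") as fh:
        fh.write("<h1>hello</h1>")
    return root


if __name__ == "__main__":
    root = make_fixture()
    for p in ["templates/index.html", "../../etc/passwd",
              "templates/..%2F..%2Fetc%2Fpasswd", "/etc/passwd",
              "templates/index.html\x00.png"]:
        print(f"{p!r:45} -> {check(root, p)}")
```

The same shape applies to a delete endpoint: resolve first, then compare, and only then call unlink, so a request naming wp-config.php through `..` never reaches the filesystem call.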

CVE-2025-32434 – PyTorch: `torch.load` with `weights_only=True` leads to remote code execution
https://notcve.org/view.php?id=CVE-2025-32434
18 Apr 2025 — In version 2.5.1 and prior, a Remote Command Execution (RCE) vulnerability exists in PyTorch when loading a model using torch.load with weights_only=True. • https://github.com/pytorch/pytorch/security/advisories/GHSA-53q9-r3pm-6pq6 • CWE-502: Deserialization of Untrusted Data •
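A PyTorch checkpoint in the default format is a pickle stream, and pickle resolves and calls arbitrary importable callables while loading; `weights_only=True` was introduced to restrict which globals the unpickler will resolve, and CVE-2025-32434 is a bypass of that restriction in 2.5.1 and earlier. The block below is an added example and not PyTorch code; it does not reproduce the bypass. It shows the underlying hazard with a constructed payload and the allow-listed `find_class` pattern that the restriction relies on, so the reader can see exactly which boundary the advisory says was broken. `EvilCheckpoint`, `RestrictedUnpickler` and the environment-variable marker are constructed for the demo, and real tensors are omitted so it runs without torch installed.

```python
"""Why a pickle checkpoint is executable code, and what an allow-listed
unpickler does about it (CWE-502). Added example, not PyTorch code."""
import io
import os
import pickle
from collections import OrderedDict

MARKER = "PICKLE_RCE_DEMO"  # constructed side-effect marker for the demo


class EvilCheckpoint:
    """Looks like a saved object; unpickling it calls exec() on attacker text."""

    def __reduce__(self):
        # Serialised as: resolve builtins.exec, call it with this string.
        # The class itself is not in the stream, only the callable and args.
        return (exec, (f"import os; os.environ[{MARKER!r}] = 'executed'",))


def build_malicious_checkpoint() -> bytes:
    return pickle.dumps(EvilCheckpoint())


def build_benign_checkpoint() -> bytes:
    # state_dict-shaped object; lists stand in for tensors (constructed).
    return pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2])]))


# Only the globals a state_dict genuinely needs. A tensor loader would add
# its storage/rebuild functions here; builtins.exec never belongs on it.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses to resolve any global that is not on the allow-list."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_unrestricted(blob: bytes):
    """Plain pickle.loads; returns the marker value left by any payload."""
    os.environ.pop(MARKER, None)
    pickle.loads(blob)
    return os.environ.get(MARKER)


def load_restricted(blob: bytes):
    """Allow-listed unpickler; returns (loaded object or None, marker value)."""
    os.environ.pop(MARKER, None)
    try:
        obj = RestrictedUnpickler(io.BytesIO(blob)).load()
    except pickle.UnpicklingError:
        obj = None
    return obj, os.environ.get(MARKER)


if __name__ == "__main__":
    print("unrestricted:", load_unrestricted(build_malicious_checkpoint()))
    print("restricted:  ", load_restricted(build_malicious_checkpoint()))
    print("benign:      ", load_restricted(build_benign_checkpoint()))
```

The practical consequence of the advisory is that on affected versions the allow-list is not a trustworthy boundary, so the fix is to upgrade rather than to rely on the flag; for checkpoints from untrusted sources a format that is not pickle-based avoids the class entirely.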

CVE-2025-1093 – AIHub <= 1.3.7 - Unauthenticated Arbitrary File Upload in generate_image
https://notcve.org/view.php?id=CVE-2025-1093
18 Apr 2025 — This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://www.wordfence.com/threat-intel/vulnerabilities/id/09adfe7e-f154-4143-827f-957ded3ffc8f?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
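This entry, CVE-2025-3616 (Greenshift) and CVE-2025-29287 (MCMS ueditor) are all CWE-434: the server stores whatever name and bytes the client sends, so a file the web server will execute lands in a reachable directory. The validation below is an added example for this page, not code from any of those projects (which are PHP and Java; Python is used here as a neutral illustration). The allow-list, the size limit, the storage-name scheme and the sample payloads are constructed. The design point is that the client's filename contributes only its final extension, which must be on an allow-list whose content signature the bytes must match; the stored name is generated server-side, so path characters, double extensions like `shell.php.png` and dotfiles such as `.htaccess` never reach the filesystem.

```python
"""Upload validation for the CWE-434 class. Added example; allow-list,
limits, storage naming and sample payloads are constructed for the demo."""
import os
import secrets

# Extension -> accepted leading bytes. Only non-scriptable formats: no svg or
# html (carry script), no php/phtml/phar (executed by the server).
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024  # constructed limit

# Constructed sample bodies for the demo.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_PHP = b"<?php echo 'not an image'; ?>"


class UploadRejected(ValueError):
    pass


def accept_upload(original_name: str, data: bytes) -> str:
    """Validate an upload and return a server-chosen storage name.

    Only the final extension of the client's name is used; everything else
    (directories, earlier extensions, NUL tricks) is discarded. The
    extension must be allow-listed and the body must start with that
    format's signature. The returned name is random, never the client's.
    """
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversize body")
    if "\x00" in original_name:
        raise UploadRejected("NUL in filename")
    leaf = os.path.basename(original_name.replace("\\", "/"))
    if "." not in leaf or leaf.startswith("."):  # 'noext', '.htaccess'
        raise UploadRejected("no usable extension")
    ext = leaf.rsplit(".", 1)[1].lower()          # 'avatar.PNG' -> 'png'
    magics = ALLOWED.get(ext)
    if magics is None:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not any(data.startswith(m) for m in magics):
        raise UploadRejected(f"content does not look like .{ext}")
    return f"{secrets.token_hex(16)}.{ext}"


def check(original_name: str, data: bytes) -> str:
    """Human-readable verdict for one upload attempt."""
    try:
        return "stored as " + accept_upload(original_name, data)
    except UploadRejected as exc:
        return f"rejected ({exc})"


if __name__ == "__main__":
    for name, body in [("avatar.png", SAMPLE_PNG), ("shell.php", SAMPLE_PHP),
                       ("shell.php.png", SAMPLE_PHP), ("shell.php.png", SAMPLE_PNG),
                       (".htaccess", b"AddType application/x-httpd-php .png"),
                       ("../../wp-config.php", SAMPLE_PNG)]:
        print(f"{name:22} -> {check(name, body)}")
```

Two things the check deliberately does not do: it does not trust the client-supplied Content-Type, and it does not try to sanitise the original name for reuse. Storing under a random name in a directory the web server is configured not to execute is what removes the RCE path; the signature check is the secondary filter.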