Threat and Vulnerability Intelligence Database

CVE-2024-0521

Description: Code Injection in paddlepaddle/paddle

CVSS: CRITICAL (9.3)

SSVC Exploitation: poc

Source: CVE
May 30th, 2025 (about 2 hours ago)

CVE-2025-2500

Description: A vulnerability exists in the SOAP Web services of the Asset Suite versions listed below. If successfully exploited, an attacker could gain unauthorized access to the product and the time window of a possible password attack could be expanded.

CVSS: CRITICAL (9.1)

Source: CVE
May 30th, 2025 (about 4 hours ago)

CVE-2025-48865

Description: Fabio is an HTTP(S) and TCP router for deploying applications managed by consul. Prior to version 1.6.6, Fabio allows clients to remove X-Forwarded headers (except X-Forwarded-For) due to a vulnerability in how it processes hop-by-hop headers. Fabio adds HTTP headers like X-Forwarded-Host and X-Forwarded-Port when routing requests to backend applications. Since the receiving application should trust these headers, allowing HTTP clients to remove or modify them creates potential security vulnerabilities. Some of these custom headers can be removed and, in certain cases, manipulated. The attack relies on the behavior that headers can be defined as hop-by-hop via the HTTP Connection header. This issue has been patched in version 1.6.6.

CVSS: CRITICAL (9.1)

Source: CVE
May 30th, 2025 (about 10 hours ago)

CVE-2025-48757

Description: An insufficient database Row-Level Security policy in Lovable through 2025-04-15 allows remote unauthenticated attackers to read or write to arbitrary database tables of generated sites.

CVSS: CRITICAL (9.3)

Source: CVE
May 30th, 2025 (about 14 hours ago)

CVE-2025-46352

Description: The CS5000 Fire Panel is vulnerable due to a hard-coded password that runs on a VNC server and is visible as a string in the binary responsible for running VNC. This password cannot be altered, allowing anyone with knowledge of it to gain remote access to the panel. Such access could enable an attacker to operate the panel remotely, potentially putting the fire panel into a non-functional state and causing serious safety issues.

CVSS: CRITICAL (9.8)

Source: CVE
May 30th, 2025 (about 17 hours ago)

CVE-2025-41438

Description: The CS5000 Fire Panel is vulnerable due to a default account that exists on the panel. Even though it is possible to change this by SSHing into the device, it has remained unchanged on every installed system observed. This account is not root but holds high-level permissions that could severely impact the device's operation if exploited.

CVSS: CRITICAL (9.8)

Source: CVE
May 30th, 2025 (about 17 hours ago)

CVE-2025-1907

Description: Instantel Micromate lacks authentication on a configuration port which could allow an attacker to execute commands if connected.

CVSS: CRITICAL (9.8)

Source: CVE
May 30th, 2025 (about 17 hours ago)

CVE-2025-4967

Description: Esri Portal for ArcGIS 11.4 and prior allows a remote, unauthenticated attacker to bypass the Portal’s SSRF protections.

CVSS: CRITICAL (9.1)

SSVC Exploitation: none

Source: CVE
May 29th, 2025 (about 20 hours ago)

CVE-2025-47933

Description: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository. This issue has been patched in versions 2.13.8, 2.14.13, and 3.0.4.

CVSS: CRITICAL (9.1)

Source: CVE
May 29th, 2025 (about 21 hours ago)

CVE-2025-48336

Description: Deserialization of Untrusted Data vulnerability in ThimPress Course Builder allows Object Injection. This issue affects Course Builder: from n/a before 3.6.6.

CVSS: CRITICAL (9.8)

Source: CVE
May 29th, 2025 (about 22 hours ago)