CyberAlerts

CVE-2024-0521

Code Injection in paddlepaddle/paddle

Description: Code Injection in paddlepaddle/paddle

CVSS: CRITICAL (9.3)

SSVC Exploitation: poc

Source: CVE

May 30th, 2025 (about 2 hours ago)

CVE-2025-2500

A vulnerability exists in the SOAP Web services of the Asset Suite versions listed below. If successfully exploited, an attacker could gain...

Description: A vulnerability exists in the SOAP Web services of the Asset Suite versions listed below. If successfully exploited, an attacker could gain unauthorized access to the product and the time window of a possible password attack could be expanded.

CVSS: CRITICAL (9.1)

Source: CVE

May 30th, 2025 (about 4 hours ago)

CVE-2025-48865

Fabio allows HTTP clients to manipulate custom headers it adds

Description: Fabio is an HTTP(S) and TCP router for deploying applications managed by consul. Prior to version 1.6.6, Fabio allows clients to remove X-Forwarded headers (except X-Forwarded-For) due to a vulnerability in how it processes hop-by-hop headers. Fabio adds HTTP headers like X-Forwarded-Host and X-Forwarded-Port when routing requests to backend applications. Since the receiving application should trust these headers, allowing HTTP clients to remove or modify them creates potential security vulnerabilities. Some of these custom headers can be removed and, in certain cases, manipulated. The attack relies on the behavior that headers can be defined as hop-by-hop via the HTTP Connection header. This issue has been patched in version 1.6.6.

CVSS: CRITICAL (9.1)

Source: CVE

May 30th, 2025 (about 10 hours ago)

CVE-2025-48757

An insufficient database Row-Level Security policy in Lovable through 2025-04-15 allows remote unauthenticated attackers to read or write to...

Description: An insufficient database Row-Level Security policy in Lovable through 2025-04-15 allows remote unauthenticated attackers to read or write to arbitrary database tables of generated sites.

CVSS: CRITICAL (9.3)

Source: CVE

May 30th, 2025 (about 14 hours ago)

CVE-2025-46352

Consilium Safety CS5000 Fire Panel Use of Hard-coded Credentials

Description: The CS5000 Fire Panel is vulnerable due to a hard-coded password that runs on a VNC server and is visible as a string in the binary responsible for running VNC. This password cannot be altered, allowing anyone with knowledge of it to gain remote access to the panel. Such access could enable an attacker to operate the panel remotely, potentially putting the fire panel into a non-functional state and causing serious safety issues.

CVSS: CRITICAL (9.8)

Source: CVE

May 30th, 2025 (about 17 hours ago)

CVE-2025-41438

Consilium Safety CS5000 Fire Panel Initialization of a Resource with an Insecure Default

Description: The CS5000 Fire Panel is vulnerable due to a default account that exists on the panel. Even though it is possible to change this by SSHing into the device, it has remained unchanged on every installed system observed. This account is not root but holds high-level permissions that could severely impact the device's operation if exploited.

CVSS: CRITICAL (9.8)

Source: CVE

May 30th, 2025 (about 17 hours ago)

CVE-2025-1907

Instantel Micromate Missing Authentication for Critical Function

Description: Instantel Micromate lacks authentication on a configuration port which could allow an attacker to execute commands if connected.

CVSS: CRITICAL (9.8)

Source: CVE

May 30th, 2025 (about 17 hours ago)

CVE-2025-4967

Server Side Request Forgery (SSRF) vulnerability in Portal for ArcGIS

Description: Esri Portal for ArcGIS 11.4 and prior allows a remote, unauthenticated attacker to bypass the Portal’s SSRF protections.

CVSS: CRITICAL (9.1)

SSVC Exploitation: none

Source: CVE

May 29th, 2025 (about 20 hours ago)

CVE-2025-47933

Argo CD allows cross-site scripting on repositories page

Description: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository. This issue has been patched in versions 2.13.8, 2.14.13, and 3.0.4.

CVSS: CRITICAL (9.1)

Source: CVE

May 29th, 2025 (about 21 hours ago)

CVE-2025-48336

WordPress Course Builder < 3.6.6 - PHP Object Injection Vulnerability

Description: Deserialization of Untrusted Data vulnerability in ThimPress Course Builder allows Object Injection.This issue affects Course Builder: from n/a before 3.6.6.

CVSS: CRITICAL (9.8)

Source: CVE

May 29th, 2025 (about 22 hours ago)

Threat and Vulnerability Intelligence Database

Example Searches:

CVE-2024-0521	Code Injection in paddlepaddle/paddle Description: Code Injection in paddlepaddle/paddle CVSS: CRITICAL (9.3) SSVC Exploitation: poc Source: CVE May 30th, 2025 (about 2 hours ago)
CVE-2025-2500	A vulnerability exists in the SOAP Web services of the Asset Suite versions listed below. If successfully exploited, an attacker could gain... Description: A vulnerability exists in the SOAP Web services of the Asset Suite versions listed below. If successfully exploited, an attacker could gain unauthorized access to the product and the time window of a possible password attack could be expanded. CVSS: CRITICAL (9.1) Source: CVE May 30th, 2025 (about 4 hours ago)
CVE-2025-48865	Fabio allows HTTP clients to manipulate custom headers it adds Description: Fabio is an HTTP(S) and TCP router for deploying applications managed by consul. Prior to version 1.6.6, Fabio allows clients to remove X-Forwarded headers (except X-Forwarded-For) due to a vulnerability in how it processes hop-by-hop headers. Fabio adds HTTP headers like X-Forwarded-Host and X-Forwarded-Port when routing requests to backend applications. Since the receiving application should trust these headers, allowing HTTP clients to remove or modify them creates potential security vulnerabilities. Some of these custom headers can be removed and, in certain cases, manipulated. The attack relies on the behavior that headers can be defined as hop-by-hop via the HTTP Connection header. This issue has been patched in version 1.6.6. CVSS: CRITICAL (9.1) Source: CVE May 30th, 2025 (about 10 hours ago)
CVE-2025-48757	An insufficient database Row-Level Security policy in Lovable through 2025-04-15 allows remote unauthenticated attackers to read or write to... Description: An insufficient database Row-Level Security policy in Lovable through 2025-04-15 allows remote unauthenticated attackers to read or write to arbitrary database tables of generated sites. CVSS: CRITICAL (9.3) Source: CVE May 30th, 2025 (about 14 hours ago)
CVE-2025-46352	Consilium Safety CS5000 Fire Panel Use of Hard-coded Credentials Description: The CS5000 Fire Panel is vulnerable due to a hard-coded password that runs on a VNC server and is visible as a string in the binary responsible for running VNC. This password cannot be altered, allowing anyone with knowledge of it to gain remote access to the panel. Such access could enable an attacker to operate the panel remotely, potentially putting the fire panel into a non-functional state and causing serious safety issues. CVSS: CRITICAL (9.8) Source: CVE May 30th, 2025 (about 17 hours ago)
CVE-2025-41438	Consilium Safety CS5000 Fire Panel Initialization of a Resource with an Insecure Default Description: The CS5000 Fire Panel is vulnerable due to a default account that exists on the panel. Even though it is possible to change this by SSHing into the device, it has remained unchanged on every installed system observed. This account is not root but holds high-level permissions that could severely impact the device's operation if exploited. CVSS: CRITICAL (9.8) Source: CVE May 30th, 2025 (about 17 hours ago)
CVE-2025-1907	Instantel Micromate Missing Authentication for Critical Function Description: Instantel Micromate lacks authentication on a configuration port which could allow an attacker to execute commands if connected. CVSS: CRITICAL (9.8) Source: CVE May 30th, 2025 (about 17 hours ago)
CVE-2025-4967	Server Side Request Forgery (SSRF) vulnerability in Portal for ArcGIS Description: Esri Portal for ArcGIS 11.4 and prior allows a remote, unauthenticated attacker to bypass the Portal’s SSRF protections. CVSS: CRITICAL (9.1) SSVC Exploitation: none Source: CVE May 29th, 2025 (about 20 hours ago)
CVE-2025-47933	Argo CD allows cross-site scripting on repositories page Description: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository. This issue has been patched in versions 2.13.8, 2.14.13, and 3.0.4. CVSS: CRITICAL (9.1) Source: CVE May 29th, 2025 (about 21 hours ago)
CVE-2025-48336	WordPress Course Builder < 3.6.6 - PHP Object Injection Vulnerability Description: Deserialization of Untrusted Data vulnerability in ThimPress Course Builder allows Object Injection.This issue affects Course Builder: from n/a before 3.6.6. CVSS: CRITICAL (9.8) Source: CVE May 29th, 2025 (about 22 hours ago)