Threat and Vulnerability Intelligence Database

CVE-2025-3611

Description: Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with 'No access' to Teams in the System Console.

CVSS: LOW (3.1)

SSVC Exploitation: none

Source: CVE
May 30th, 2025

CVE-2025-1792

Description: Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint.

CVSS: LOW (3.1)

SSVC Exploitation: none

Source: CVE
May 30th, 2025

CVE-2024-0773

Description: A vulnerability classified as problematic was found in CodeAstro Internet Banking System 1.0. Affected by this vulnerability is an unknown functionality of the file pages_client_signup.php. The manipulation of the argument Client Full Name leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-251677 was assigned to this vulnerability. A problematic vulnerability was discovered in CodeAstro Internet Banking System 1.0. Affected is an unknown processing step of the file pages_client_signup.php. By manipulating the argument Client Full Name with unknown data, a cross-site scripting vulnerability can be exploited. The attack can be carried out over the network. The exploit is publicly available.

CVSS: LOW (3.5)

SSVC Exploitation: poc

Source: CVE
May 30th, 2025

CVE-2025-48491

Description: Project AI is a platform designed to create AI agents. Prior to the pre-beta version, a hardcoded API key was present in the source code. This issue has been patched in the pre-beta version.

CVSS: LOW (2.7)

Source: CVE
May 30th, 2025

CVE-2025-48068

Description: Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active. This issue has been patched in version 15.2.2.

CVSS: LOW (2.3)

Source: CVE
May 30th, 2025

CVE-2025-47952

Description: Traefik (pronounced "traffic") is an HTTP reverse proxy and load balancer. Prior to versions 2.11.25 and 3.4.1, there is a potential vulnerability in Traefik when routing requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route requests to a backend using a path-based matcher, and the URL contains a URL-encoded string in its path, it is possible to target a backend exposed by another router, bypassing that router's middleware chain. This issue has been patched in versions 2.11.25 and 3.4.1.

CVSS: LOW (2.9)

Source: CVE
May 30th, 2025

CVE-2025-47288

Description: The Discourse Policy plugin gives the ability to confirm that users have seen or done something. Prior to version 0.1.1, if a policy posted to a public topic was tied to a private group, the group's members could be shown to non-group members. This issue has been patched in version 0.1.1. A workaround is to move any policy topics with private groups to restricted categories.

CVSS: LOW (3.5)

Source: CVE
May 29th, 2025

CVE-2025-46570

Description: vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.9.0, when a new prompt is processed, if the PagedAttention mechanism finds a matching prefix chunk, the prefill process speeds up, which is reflected in the TTFT (Time to First Token). These timing differences caused by matching chunks are significant enough to be recognized and exploited. This issue has been patched in version 0.9.0.

CVSS: LOW (2.6)

Source: CVE
May 29th, 2025

CVE-2024-23825

Description: TablePress is a table plugin for WordPress. For importing tables, TablePress makes external HTTP requests based on a URL provided by the user. That user input is filtered insufficiently, which makes it possible to send requests to unintended network locations and receive the responses. On sites in a cloud environment like AWS, an attacker can potentially make GET requests to the instance's metadata REST API. If the instance's configuration is insecure, this can lead to the exposure of internal data, including credentials. This vulnerability is fixed in 2.2.5.

CVSS: LOW (3.0)

EPSS Score: 0.29%

SSVC Exploitation: poc

Source: CVE
May 29th, 2025

CVE-2024-22200

Description: vantage6-UI is the user interface for vantage6. The Docker image used to run the UI leaks the nginx version. To mitigate the vulnerability, users can run the UI as an Angular application. This vulnerability was patched in 4.2.0.

CVSS: LOW (3.3)

EPSS Score: 0.13%

SSVC Exploitation: none

Source: CVE
May 29th, 2025