CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database


CVE-2025-25306

Description: Misskey is an open source, federated social media platform. The patch for CVE-2024-52591 did not sufficiently validate the relation between the `id` and `url` fields of ActivityPub objects. An attacker can forge an object where they claim authority in the `url` field even if the specific ActivityPub object type requires authority in the `id` field. Version 2025.2.1 addresses the issue.

CVSS: CRITICAL (9.3)

EPSS Score: 0.02%

Source: CVE
March 10th, 2025 (3 months ago)

CVE-2025-24813

🚨 Marked as known exploited on March 17th, 2025 (3 months ago).
Description: Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack

Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.98, which fixes the issue.

CVSS: CRITICAL (9.8)

EPSS Score: 93.55%

Source: CVE
March 10th, 2025 (3 months ago)

CVE-2024-57968

Description: Advantive VeraCore contains an unrestricted file upload vulnerability that allows a remote unauthenticated attacker to upload files to unintended folders via upload.apsx.

CVSS: CRITICAL (9.9)

Source: CISA KEV
March 10th, 2025 (3 months ago)

CVE-2024-13159

Description: Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information.

CVSS: CRITICAL (9.8)

Source: CISA KEV
March 10th, 2025 (3 months ago)

CVE-2024-13160

Description: Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information.

CVSS: CRITICAL (9.8)

Source: CISA KEV
March 10th, 2025 (3 months ago)

CVE-2024-13161

Description: Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information.

CVSS: CRITICAL (9.8)

Source: CISA KEV
March 10th, 2025 (3 months ago)

CVE-2025-26936

Description: CVE-2025-26936: WordPress Fresh Framework Plugin <= 1.70.0 is vulnerable to Remote Code Execution (RCE)

CVSS: CRITICAL (10.0)

EPSS Score: 0.07%

Source: DarkWebInformer
March 10th, 2025 (3 months ago)

CVE-2025-26936

Description: Improper Control of Generation of Code ('Code Injection') vulnerability in NotFound Fresh Framework allows Code Injection. This issue affects Fresh Framework: from n/a through 1.70.0.

CVSS: CRITICAL (10.0)

EPSS Score: 0.07%

Source: CVE
March 10th, 2025 (3 months ago)

CVE-2025-26916

Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in EPC Massive Dynamic. This issue affects Massive Dynamic: from n/a through 8.2.

CVSS: CRITICAL (9.0)

EPSS Score: 0.14%

SSVC Exploitation: none

Source: CVE
March 10th, 2025 (3 months ago)

CVE-2025-1497

Description: A vulnerability that could result in Remote Code Execution (RCE) has been found in PlotAI. Lack of validation of LLM-generated output allows an attacker to execute arbitrary Python code. The vendor commented out the vulnerable line; further usage of the software requires uncommenting it and thus accepting the risk. The vendor does not plan to release a patch to fix this vulnerability.

CVSS: CRITICAL (9.3)

EPSS Score: 0.42%

Source: CVE
March 10th, 2025 (3 months ago)