CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

CVE-2025-24924

Description: Certain functionality within GMOD Apollo does not require authentication when passed with an administrative username

CVSS: CRITICAL (9.3)

EPSS Score: 0.07%

SSVC Exploitation: none

Source: CVE
March 5th, 2025 (3 months ago)

CVE-2024-13147

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Merkur Software B2B Login Panel allows SQL Injection. This issue affects B2B Login Panel: before 15.01.2025.

CVSS: CRITICAL (9.8)

EPSS Score: 0.04%

SSVC Exploitation: none

Source: CVE
March 5th, 2025 (3 months ago)

CVE-2024-12799

Description: Insufficiently Protected Credentials vulnerability in OpenText Identity Manager Advanced Edition on Windows, Linux, 64 bit allows Privilege Abuse. This vulnerability could allow an authenticated user to obtain higher privileged user’s sensitive information via crafted payload. This issue affects Identity Manager Advanced Edition: from 4.8.0.0 through 4.8.7.0102, 4.9.0.0.

CVSS: CRITICAL (10.0)

EPSS Score: 0.05%

Source: CVE
March 5th, 2025 (3 months ago)

CVE-2024-12097

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Boceksoft Informatics E-Travel allows SQL Injection. This issue affects E-Travel: before 15.12.2025.

CVSS: CRITICAL (9.8)

EPSS Score: 0.04%

Source: CVE
March 5th, 2025 (3 months ago)

CVE-2024-12281

Description: The Homey theme for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.2. This is due to the plugin allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the Editor or Shop Manager role.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
March 5th, 2025 (3 months ago)

CVE-2024-11951

Description: The Homey Login Register plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.0. This is due to the plugin allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
March 5th, 2025 (3 months ago)

CVE-2025-25015

Description: Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2, this is only exploitable by users that have roles that contain all the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors

CVSS: CRITICAL (9.9)

EPSS Score: 0.21%

Source: CVE
March 5th, 2025 (3 months ago)

CVE-2025-1515

Description: The WP Real Estate Manager plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.8. This is due to insufficient identity verification on the LinkedIn login request process. This makes it possible for unauthenticated attackers to bypass official authentication and log in as any user on the site, including administrators.

CVSS: CRITICAL (9.8)

EPSS Score: 0.15%

Source: CVE
March 5th, 2025 (3 months ago)

CVE-2024-13787

Description: The VEDA - MultiPurpose WordPress Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.2 via deserialization of untrusted input in the 'veda_backup_and_restore_action' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

CVSS: CRITICAL (9.8)

EPSS Score: 0.12%

Source: CVE
March 5th, 2025 (3 months ago)

CVE-2025-1393

Description: An unauthenticated remote attacker can use hard-coded credentials to gain full administration privileges on the affected product.

CVSS: CRITICAL (9.8)

EPSS Score: 0.12%

Source: CVE
March 5th, 2025 (3 months ago)