CVE-2025-4009
Description: The Evertz SVDN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application. This device exposes a web management interface on port 80. This web management interface can be used by administrators to control product features, set up network switching, and register licenses, among other features. The application has been developed in PHP with the webEASY SDK, also named 'ewb' by Evertz.
This web interface has two endpoints that are vulnerable to arbitrary command injection and the authentication mechanism has a flaw leading to authentication bypass.
Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges (root) on affected devices.
This level of access could lead to serious business impact such as the interruption of media streaming, modification of media being streamed, alteration of closed captions being generated, among others.
CVSS: CRITICAL (9.3) EPSS Score: 0.24%
May 28th, 2025 (10 days ago)

CVE-2025-22252
Description: A missing authentication for critical function in Fortinet FortiProxy versions 7.6.0 through 7.6.1, FortiSwitchManager version 7.2.5, and FortiOS versions 7.4.4 through 7.4.6 and version 7.6.0 may allow an attacker with knowledge of an existing admin account to access the device as a valid admin via an authentication bypass.
CVSS: CRITICAL (9.0) EPSS Score: 0.07%
May 28th, 2025 (10 days ago)

CVE-2025-32440
Description: NetAlertX is a network, presence scanner and alert framework. Prior to version 25.4.14, it is possible to bypass the authentication mechanism of NetAlertX to update settings without authentication. An attacker can trigger sensitive functions within util.php by sending crafted requests to /index.php. This issue has been patched in version 25.4.14.
CVSS: CRITICAL (10.0) EPSS Score: 0.08%
May 27th, 2025 (10 days ago)

CVE-2025-48827
Description: CVE-2025-48827 – Critical Unauthenticated API Access in vBulletin
CVSS: CRITICAL (10.0) EPSS Score: 13.27%
May 27th, 2025 (11 days ago)

CVE-2025-48057
Description: Icinga 2 is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Prior to versions 2.12.12, 2.13.12, and 2.14.6, the VerifyCertificate() function can be tricked into incorrectly treating certificates as valid. This allows an attacker to send a malicious certificate request that is then treated as a renewal of an already existing certificate, resulting in the attacker obtaining a valid certificate that can be used to impersonate trusted nodes. This only occurs when Icinga 2 is built with OpenSSL older than version 1.1.0. This issue has been patched in versions 2.12.12, 2.13.12, and 2.14.6.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
May 27th, 2025 (11 days ago)

CVE-2025-47577
Description: The TI WooCommerce Wishlist plugin, with over 100,000 active installs, is vulnerable to an unauthenticated file upload vulnerability (CVE-2025-47577).
The post Unpatched Critical Vulnerability in TI WooCommerce Wishlist Plugin appeared first on Patchstack.
CVSS: CRITICAL (10.0) EPSS Score: 0.06%
May 27th, 2025 (11 days ago)

CVE-2025-41652
Description: The devices are vulnerable to an authentication bypass due to flaws in the authorization mechanism. An unauthenticated remote attacker could exploit this weakness by performing brute-force attacks to guess valid credentials or by using MD5 collision techniques to forge authentication hashes, potentially compromising the device.
CVSS: CRITICAL (9.8) EPSS Score: 0.15%
May 27th, 2025 (11 days ago)

CVE-2025-41651
Description: Due to missing authentication on a critical function of the devices an unauthenticated remote attacker can execute arbitrary commands, potentially enabling unauthorized upload or download of configuration files and leading to full system compromise.
CVSS: CRITICAL (9.8) EPSS Score: 0.16%
May 27th, 2025 (11 days ago)

CVE-2025-2407
Description: Missing authentication and authorization in the Web-API of Mobatime AMX MTAPI v6 on IIS allows adversaries unrestricted access via the network. The vulnerability is fixed in Version 1.5.
CVSS: CRITICAL (9.3) EPSS Score: 0.06%
May 27th, 2025 (11 days ago)

CVE-2025-48828
Description: Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code.
CVSS: CRITICAL (9.0) EPSS Score: 10.71%
May 27th, 2025 (11 days ago)