Threat and Vulnerability Intelligence Database

CVE-2024-1874

Description: In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.

CVSS: CRITICAL (9.4)

EPSS Score: 0.04%

Source: CVE
February 14th, 2025 (4 months ago)

CVE-2024-1597

Description: pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.

CVSS: CRITICAL (10.0)

EPSS Score: 0.28%

Source: CVE
February 14th, 2025 (4 months ago)

CVE-2024-13182

Description: The WP Directorybox Manager plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.5. This is due to incorrect authentication in the 'wp_dp_parse_request' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator.

CVSS: CRITICAL (9.8)

EPSS Score: 0.09%

Source: CVE
February 14th, 2025 (4 months ago)

CVE-2024-10763

Description: The Campress theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.35 via the 'campress_woocommerce_get_ajax_products' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP file types can be uploaded and included.

CVSS: CRITICAL (9.8)

EPSS Score: 0.09%

Source: CVE
February 14th, 2025 (4 months ago)

CVE-2024-0917

Description: Remote code execution in paddlepaddle/paddle 2.6.0

CVSS: CRITICAL (9.4)

EPSS Score: 0.29%

Source: CVE
February 14th, 2025 (4 months ago)

CVE-2024-0818

Description: Arbitrary File Overwrite Via Path Traversal in paddlepaddle/paddle before 2.6

CVSS: CRITICAL (9.1)

EPSS Score: 0.06%

Source: CVE
February 14th, 2025 (4 months ago)

CVE-2024-0817

Description: Command injection in IrGraph.draw in paddlepaddle/paddle 2.6.0

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: CVE
February 14th, 2025 (4 months ago)

CVE-2024-0815

Description: Command injection in paddle.utils.download._wget_download (bypass filter) in paddlepaddle/paddle 2.6.0

CVSS: CRITICAL (9.3)

EPSS Score: 0.05%

Source: CVE
February 14th, 2025 (4 months ago)

CVE-2024-0204

Description: Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.

CVSS: CRITICAL (9.8)

EPSS Score: 64.5%

Source: CVE
February 14th, 2025 (4 months ago)

CVE-2025-26361

Description: A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to factory reset the device via crafted HTTP requests.

CVSS: CRITICAL (9.1)

EPSS Score: 0.04%

Source: CVE
February 13th, 2025 (4 months ago)