CVE-2025-26892 |
Description: Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Celestial Aura allows Using Malicious Files. This issue affects Celestial Aura: from n/a through 2.2.
CVSS: CRITICAL (9.9) EPSS Score: 0.05% SSVC Exploitation: none
May 19th, 2025 (19 days ago)
|
CVE-2025-26872 |
Description: Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Eximius allows Using Malicious Files. This issue affects Eximius: from n/a through 2.2.
CVSS: CRITICAL (9.9) EPSS Score: 0.05%
May 19th, 2025 (19 days ago)
|
CVE-2025-47282 |
Description: Gardener External DNS Management is an environment to manage external DNS entries for a Kubernetes cluster. A security vulnerability was discovered in Gardener's External DNS Management prior to version 0.23.6 that could allow a user with administrative privileges for a Gardener project, or a user with administrative privileges for a shoot cluster (including administrative privileges for a single namespace of the shoot cluster), to obtain control over the seed cluster where the shoot cluster is managed. This CVE affects all Gardener installations regardless of the public cloud provider(s) used for the seed clusters/shoot clusters. The affected component is `gardener/external-dns-management`. The `external-dns-management` component may also be deployed on the seeds by the `gardener/gardener-extension-shoot-dns-service` extension when the extension is enabled. In this case, all versions of the `shoot-dns-service` extension `<= v1.60.0` are affected by this vulnerability. Version 0.23.6 of Gardener External DNS Management fixes the issue.
CVSS: CRITICAL (9.9) EPSS Score: 0.1%
May 19th, 2025 (19 days ago)
|
CVE-2024-2692 |
Description: SiYuan version 3.0.3 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to Server Side XSS.
CVSS: CRITICAL (9.0) EPSS Score: 0.22% SSVC Exploitation: poc
May 19th, 2025 (19 days ago)
|
CVE-2025-27920 |
Description: Srimax Output Messenger contains a directory traversal vulnerability that allows an attacker to access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.
CVSS: CRITICAL (9.8) EPSS Score: 61.11%
May 19th, 2025 (19 days ago)
|
CVE-2025-46801 |
Description: Pgpool-II provided by PgPool Global Development Group contains an authentication bypass by primary weakness vulnerability. If the vulnerability is exploited, an attacker may be able to log in to the system as an arbitrary user, allowing them to read or tamper with data in the database, and/or disable the database.
CVSS: CRITICAL (9.8) EPSS Score: 0.09%
May 19th, 2025 (19 days ago)
|
CVE-2025-23123 |
Description: A malicious actor with access to the management network could execute a remote code execution (RCE) by exploiting a heap buffer overflow vulnerability in the UniFi Protect Cameras (Version 4.75.43 and earlier) firmware.
CVSS: CRITICAL (10.0) EPSS Score: 0.34%
May 19th, 2025 (20 days ago)
|
CVE-2025-47945 |
Description: Donetick is an open-source app for managing tasks and chores. Prior to version 0.1.44, the application uses JSON Web Tokens (JWT) for authentication, but the signing secret has a weak default value. While the responsibility is left to the system administrator to change it, this approach is inadequate. The vulnerability is proven by the existence of the issue in the live version as well. This issue can result in full account takeover of any user. Version 0.1.44 contains a patch.
CVSS: CRITICAL (9.1) EPSS Score: 0.06%
May 17th, 2025 (21 days ago)
|
CVE-2025-47275 |
Description: Overview
Session cookies of applications using the Auth0 symfony SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access.
Am I Affected?
You are affected by this vulnerability if you meet the following pre-conditions:
Applications using the Auth0 symfony SDK with version <=5.3.1
Auth0/Symfony SDK uses the Auth0-PHP SDK with version 8.0.0-BETA1 or higher and below 8.14.0.
Session storage configured with CookieStore.
Fix
Upgrade Auth0/symfony to v5.4.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected.
Acknowledgement
Okta would like to thank Félix Charette for discovering this vulnerability.
References
https://github.com/auth0/symfony/security/advisories/GHSA-9wg9-93h9-j8ch
https://nvd.nist.gov/vuln/detail/CVE-2025-47275
https://github.com/auth0/symfony/commit/9a7294f08a32f17a0e77c8522a648195b6940340
https://github.com/auth0/symfony/releases/tag/5.4.0
https://github.com/advisories/GHSA-9wg9-93h9-j8ch
CVSS: CRITICAL (9.1) EPSS Score: 0.04%
May 17th, 2025 (21 days ago)
|
CVE-2025-47275 |
Description: Overview
Session cookies of applications using the Auth0 WordPress plugin configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access.
Am I Affected?
You are affected by this vulnerability if you meet the following pre-conditions:
Applications using the Auth0 WordPress Plugin with version <=5.2.1
Auth0 WordPress Plugin uses the Auth0-PHP SDK with version 8.0.0-BETA1 or higher and below 8.14.0.
Session storage configured with CookieStore.
Fix
Upgrade Auth0/wordpress plugin to v5.3.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected.
Acknowledgement
Okta would like to thank Félix Charette for discovering this vulnerability.
References
https://github.com/auth0/wordpress/security/advisories/GHSA-2f4r-34m4-3w8q
https://nvd.nist.gov/vuln/detail/CVE-2025-47275
https://github.com/auth0/wordpress/commit/06b64468089472d8b62c881708be7eb3749b35ac
https://github.com/auth0/wordpress/releases/tag/5.3.0
https://github.com/advisories/GHSA-2f4r-34m4-3w8q
CVSS: CRITICAL (9.1) EPSS Score: 0.04%
May 17th, 2025 (21 days ago)
|