Threat and Vulnerability Intelligence Database

CVE-2025-47275

Description: Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. Certain pre-conditions are required to be vulnerable to this issue: Applications using the Auth0-PHP SDK, or the Auth0/symfony, Auth0/laravel-auth0, and Auth0/wordpress SDKs that rely on the Auth0-PHP SDK; and session storage configured with CookieStore. Upgrade Auth0/Auth0-PHP to v8.14.0 to receive a patch. As an additional precautionary measure, rotating cookie encryption keys is recommended. Note that once updated, any previous session cookies will be rejected.

CVSS: CRITICAL (9.1)

EPSS Score: 0.04%

Source: CVE
May 15th, 2025 (23 days ago)

CVE-2025-47928

Description: Spotipy is a Python library for the Spotify Web API. As of commit 4f5759dbfb4506c7b6280572a4db1aabc1ac778d, using `pull_request_target` on `.github/workflows/integration_tests.yml` followed by checking out the head.sha of a forked PR can be exploited by attackers, since untrusted code can be executed with full access to secrets (from the base repo). By exploiting the vulnerability it is possible to exfiltrate `GITHUB_TOKEN` and the secrets `SPOTIPY_CLIENT_ID` and `SPOTIPY_CLIENT_SECRET`. In particular, `GITHUB_TOKEN` can be used to completely take over the repo since the token has content write privileges. The `pull_request_target` trigger in GitHub Actions is a major security concern—especially in public repositories—because it executes untrusted code from a PR, but with the context of the base repository, including access to its secrets. Commit 9dfb7177b8d7bb98a5a6014f8e6436812a47576f reverted the change that caused the issue.

CVSS: CRITICAL (9.1)

EPSS Score: 0.04%

SSVC Exploitation: poc

Source: CVE
May 15th, 2025 (23 days ago)

CVE-2024-8673

Description: The Z-Downloads WordPress plugin before 1.11.7 does not properly validate uploaded files allowing for the uploading of SVGs containing malicious JavaScript.

CVSS: CRITICAL (9.1)

EPSS Score: 6.0%

Source: CVE
May 15th, 2025 (23 days ago)

CVE-2024-6809

Description: The Simple Video Directory WordPress plugin before 1.4.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

CVSS: CRITICAL (9.8)

EPSS Score: 0.15%

Source: CVE
May 15th, 2025 (23 days ago)

CVE-2024-6584

Description: The 'wp_ajax_boost_proxy_ig' action allows administrators to make GET requests to arbitrary URLs.

CVSS: CRITICAL (9.1)

EPSS Score: 0.05%

Source: CVE
May 15th, 2025 (23 days ago)

CVE-2024-6159

Description: The Push Notification for Post and BuddyPress WordPress plugin before 1.9.4 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

CVSS: CRITICAL (9.8)

EPSS Score: 3.42%

Source: CVE
May 15th, 2025 (23 days ago)

CVE-2025-47788

Description: Atheos is a self-hosted browser-based cloud IDE. Prior to v602, similar to GHSA-rgjm-6p59-537v/CVE-2025-22152, the `$target` parameter in `/controller.php` was not properly validated, which could allow an attacker to execute arbitrary files on the server via path traversal. v602 contains a fix for the issue.

CVSS: CRITICAL (9.4)

EPSS Score: 0.06%

Source: CVE
May 15th, 2025 (23 days ago)

CVE-2024-25314

Description: Code-projects Hotel Management System 1.0 allows SQL Injection via the 'sid' parameter in Hotel/admin/show.php?sid=2.

CVSS: CRITICAL (9.8)

EPSS Score: 0.13%

SSVC Exploitation: poc

Source: CVE
May 15th, 2025 (23 days ago)

CVE-2024-24811

Description: SQLAlchemyDA is a generic database adapter for ZSQL methods. A vulnerability found in versions prior to 2.2 allows unauthenticated execution of arbitrary SQL statements on the database to which the SQLAlchemyDA instance is connected. All users are affected. The problem has been patched in version 2.2. There is no workaround for the problem.

CVSS: CRITICAL (9.8)

EPSS Score: 0.63%

SSVC Exploitation: none

Source: CVE
May 15th, 2025 (23 days ago)

CVE-2024-24543

Description: Buffer Overflow vulnerability in the function setSchedWifi in Tenda AC9 v.3.0, firmware version v.15.03.06.42_multi allows a remote attacker to cause a denial of service or run arbitrary code via crafted overflow data.

CVSS: CRITICAL (9.8)

EPSS Score: 1.4%

SSVC Exploitation: poc

Source: CVE
May 15th, 2025 (23 days ago)