Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2024-29202
JumpServer vulnerable to Jinja2 template injection in Ansible leads to RCE in Celery
Description: JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can exploit a Jinja2 template injection vulnerability in JumpServer's Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root privileges and has database access, attackers could steal sensitive information from all hosts or manipulate the database. This vulnerability is fixed in v3.10.7.

CVSS: CRITICAL (10.0)

EPSS Score: 50.44%

SSVC Exploitation: poc

Source: CVE
March 25th, 2025 (26 days ago)

CVE-2024-29201
JumpServer's insecure Ansible playbook validation leads to RCE in Celery
Description: JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can bypass the input validation mechanism in JumpServer's Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root privileges and has database access, attackers could steal sensitive information from all hosts or manipulate the database. This vulnerability is fixed in v3.10.7.

CVSS: CRITICAL (10.0)

EPSS Score: 41.29%

SSVC Exploitation: poc

Source: CVE
March 25th, 2025 (26 days ago)

CVE-2025-28904
WordPress Web Directory Free plugin <= 1.7.6 - SQL Injection vulnerability
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shamalli Web Directory Free allows Blind SQL Injection. This issue affects Web Directory Free: from n/a through 1.7.6.

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

SSVC Exploitation: none

Source: CVE
March 25th, 2025 (26 days ago)

CVE-2024-24681
An issue was discovered in Yealink Configuration Encrypt Tool (AES version) and Yealink Configuration Encrypt Tool (RSA version before 1.2). There...
Description: An issue was discovered in Yealink Configuration Encrypt Tool (AES version) and Yealink Configuration Encrypt Tool (RSA version before 1.2). There is a single hardcoded key (used to encrypt provisioning documents) across customers' installations.

CVSS: CRITICAL (9.8)

EPSS Score: 0.1%

SSVC Exploitation: none

Source: CVE
March 25th, 2025 (26 days ago)

CVE-2024-24722
An unquoted service path vulnerability in the 12d Synergy Server and File Replication Server components may allow an attacker to gain elevated...
Description: An unquoted service path vulnerability in the 12d Synergy Server and File Replication Server components may allow an attacker to gain elevated privileges via the 12d Synergy Server and/or 12d Synergy File Replication Server executable service path. This is fixed in 4.3.10.192, 5.1.5.221, and 5.1.6.235.

CVSS: CRITICAL (9.1)

EPSS Score: 0.12%

SSVC Exploitation: none

Source: CVE
March 25th, 2025 (26 days ago)
[k8s.io/ingress-nginx] ingress-nginx admission controller RCE escalation
Description: A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) References https://nvd.nist.gov/vuln/detail/CVE-2025-1974 https://github.com/kubernetes/kubernetes/issues/131009 https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.11.5 https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.12.1 https://groups.google.com/g/kubernetes-security-announce/c/2qa9DFtN0cQ https://github.com/advisories/GHSA-mgvx-rpfc-9mpv

CVSS: CRITICAL (9.8)

EPSS Score: 75.83%

Source: Github Advisory Database (Go)
March 25th, 2025 (26 days ago)

CVE-2024-29667
SQL Injection vulnerability in Tongtianxing Technology Co., Ltd CMSV6 v.7.31.0.2 through v.7.31.0.3 allows a remote attacker to escalate privileges...
Description: SQL Injection vulnerability in Tongtianxing Technology Co., Ltd CMSV6 v.7.31.0.2 through v.7.31.0.3 allows a remote attacker to escalate privileges and obtain sensitive information via the ids parameter.

CVSS: CRITICAL (9.8)

EPSS Score: 0.22%

SSVC Exploitation: poc

Source: CVE
March 25th, 2025 (26 days ago)
Notable vulnerabilities in Next.js (CVE-2025-29927) and CrushFTP
Description: Rapid7 is warning customers of two notable vulnerabilities affecting Next.js (CVE-2025-29927) and file transfer software CrushFTP (no CVE).

CVSS: CRITICAL (9.1)

EPSS Score: 91.42%

Source: Rapid7
March 25th, 2025 (26 days ago)

CVE-2025-30091
In Tiny MoxieManager PHP before 4.0.0, remote code execution can occur in the installer command. This vulnerability allows unauthenticated...
Description: In Tiny MoxieManager PHP before 4.0.0, remote code execution can occur in the installer command. This vulnerability allows unauthenticated attackers to inject and execute arbitrary code. Attacker-controlled data to InstallCommand can be inserted into config.php, and InstallCommand is available after an installation has completed.

CVSS: CRITICAL (9.4)

EPSS Score: 0.3%

Source: CVE
March 25th, 2025 (26 days ago)

CVE-2024-45480
Unauthorized local file reading in B&R APROL
Description: An improper control of generation of code ('Code Injection') vulnerability in the AprolCreateReport component of B&R APROL <4.4-00P5 may allow an unauthenticated network-based attacker to read files from the local system.

CVSS: CRITICAL (9.2)

EPSS Score: 0.06%

Source: CVE
March 25th, 2025 (26 days ago)