CVE-2025-2311
Description: Incorrect Use of Privileged APIs, Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in Nebula Informatics SecHard allows Authentication Bypass, Interface Manipulation, Authentication Abuse, Harvesting Information via API Event Monitoring. This issue affects SecHard: before 3.3.0.20220411.
CVSS: CRITICAL (9.0) EPSS Score: 0.02%
March 20th, 2025 (about 1 month ago)

Description: Posted by Lucas Lalumière on Mar 20
[Author]: Lucas Lalumiere
[Contact]: lucas.lalum () gmail com
[Date]: 2025-3-17
[Vendor]: Tripp Lite
[Product]: SU750XL UPS
[Firmware]: 12.04.0052
[CVE Reference]: CVE-2019-16261
============================
Affected Products (Tested):
============================
- Tripp Lite PDUs (e.g., PDUMH15AT)
- Tripp Lite UPSs (e.g., SU750XL) *NEW*
======================
Vulnerability Summary:
======================
CVE-2019-16261 describes...
CVSS: CRITICAL (9.1)
March 20th, 2025 (about 1 month ago)

CVE-2024-9701
Description: A Remote Code Execution (RCE) vulnerability has been identified in the Kedro ShelveStore class (version 0.19.8). This vulnerability allows an attacker to execute arbitrary Python code via deserialization of malicious payloads, potentially leading to a full system compromise. The ShelveStore class uses Python's shelve module to manage session data, which relies on pickle for serialization. Crafting a malicious payload and storing it in the shelve file can lead to RCE when the payload is deserialized.
CVSS: CRITICAL (9.8) EPSS Score: 0.29%
March 20th, 2025 (about 1 month ago)

CVE-2024-9309
Description: A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in haotian-liu/llava version v1.2.0 (LLaVA-1.6). This vulnerability allows attackers to exploit the victim Controller API Server's credentials to perform unauthorized web actions or access unauthorized web resources.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
March 20th, 2025 (about 1 month ago)

CVE-2024-9095
Description: In lunary-ai/lunary version v1.4.28, the /bigquery API route lacks proper access control, allowing any logged-in user to create a Datastream to Google BigQuery and export the entire database. This includes sensitive data such as password hashes and secret API keys. The route is protected by a config check (`config.DATA_WAREHOUSE_EXPORTS_ALLOWED`), but it does not verify the user's access level or implement any access control middleware. This vulnerability can lead to the extraction of sensitive data, disruption of services, credential compromise, and service integrity breaches.
CVSS: CRITICAL (9.8) EPSS Score: 0.06%
March 20th, 2025 (about 1 month ago)

CVE-2024-9070
Description: A deserialization vulnerability exists in BentoML's runner server in bentoml/bentoml versions <=1.3.4.post1. By setting specific parameters, an attacker can execute unauthorized arbitrary code on the server, causing severe harm. The vulnerability is triggered when the args-number parameter is greater than 1, leading to automatic deserialization and arbitrary code execution.
CVSS: CRITICAL (9.8) EPSS Score: 0.08%
March 20th, 2025 (about 1 month ago)

CVE-2024-9053
Description: vllm-project vllm version 0.6.0 contains a vulnerability in the AsyncEngineRPCServer() RPC server entrypoints. The core functionality run_server_loop() calls the function _make_handler_coro(), which directly uses cloudpickle.loads() on received messages without any sanitization. This can result in remote code execution by deserializing malicious pickle data.
CVSS: CRITICAL (9.8) EPSS Score: 0.29%
March 20th, 2025 (about 1 month ago)

CVE-2024-8999
Description: lunary-ai/lunary version v1.4.25 contains an improper access control vulnerability in the POST /api/v1/data-warehouse/bigquery endpoint. This vulnerability allows any user to export the entire database data by creating a stream to Google BigQuery without proper authentication or authorization. The issue is fixed in version 1.4.26.
CVSS: CRITICAL (9.8) EPSS Score: 0.08%
March 20th, 2025 (about 1 month ago)

CVE-2024-8954
Description: In composiohq/composio version 0.5.10, the API does not validate the `x-api-key` header's value during the authentication step. This vulnerability allows an attacker to bypass authentication by providing any random value in the `x-api-key` header, thereby gaining unauthorized access to the server.
CVSS: CRITICAL (9.8) EPSS Score: 0.09%
March 20th, 2025 (about 1 month ago)

CVE-2024-8769
Description: A vulnerability in the `LockManager.release_locks` function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The `run_hash` parameter, which is user-controllable, is concatenated without normalization as part of a path used to specify file deletion. This vulnerability is exposed through the `Repo._close_run()` method, which is accessible via the tracking server instruction API. As a result, an attacker can exploit this to delete any arbitrary file on the machine running the tracking server.
CVSS: CRITICAL (9.1) EPSS Score: 0.26%
March 20th, 2025 (about 1 month ago)