Threat and Vulnerability Intelligence Database

CVE-2025-26389

Description: A vulnerability has been identified in OZW672 (All versions < V8.0), OZW772 (All versions < V8.0). The web service in affected devices does not sanitize the input parameters required for the `exportDiagramPage` endpoint. This could allow an unauthenticated remote attacker to execute arbitrary code with root privileges.

CVSS: CRITICAL (10.0)

EPSS Score: 0.28%

Source: CVE
May 13th, 2025 (26 days ago)

CVE-2025-22248

Description: The bitnami/pgpool Docker image, and the bitnami/postgres-ha k8s chart, under default configurations, come with a 'repmgr' user that allows unauthenticated access to the database inside the cluster. The PGPOOL_SR_CHECK_USER is the user that Pgpool itself uses to perform streaming replication checks against nodes, and should not be at trust level. This allows logging into a PostgreSQL database using the repmgr user without authentication. If Pgpool is exposed externally, a potential attacker could use this user to get access to the service. This is also present within the bitnami/postgres-ha Kubernetes Helm chart.

CVSS: CRITICAL (9.4)

EPSS Score: 0.03%

Source: CVE
May 13th, 2025 (26 days ago)

CVE-2025-4632

🚨 Marked as known exploited on May 14th, 2025 (24 days ago).

Description: Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write arbitrary files with system authority.

CVSS: CRITICAL (9.8)

EPSS Score: 57.86%

Source: CVE
May 13th, 2025 (26 days ago)

CVE-2025-42999

🚨 Marked as known exploited on May 15th, 2025 (23 days ago).

Description: SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

CVSS: CRITICAL (9.1)

EPSS Score: 14.71%

Source: CVE
May 13th, 2025 (26 days ago)

CVE-2025-30448

Description: This issue was addressed with additional entitlement checks. This issue is fixed in macOS Sonoma 14.7.6, iPadOS 17.7.7, iOS 18.5 and iPadOS 18.5, visionOS 2.5, macOS Ventura 13.7.6, macOS Sequoia 15.4. An attacker may be able to turn on sharing of an iCloud folder without authentication.

CVSS: CRITICAL (9.1)

EPSS Score: 0.13%

Source: CVE
May 12th, 2025 (26 days ago)

CVE-2025-3659

Description: Improper authentication handling was identified in a set of HTTP POST requests affecting the following product families:
* Digi PortServer TS - prior to and including 82000747_AA, build date 06/17/2022
* Digi One SP/Digi One SP IA/Digi One IA - prior to and including 82000774_Z, build date 10/19/2020
* Digi One IAP - prior to and including 82000770 Z, build date 10/19/2020
A specially crafted POST request to the device's web interface may allow an unauthenticated attacker to modify configuration settings.

CVSS: CRITICAL (9.4)

EPSS Score: 0.19%

Source: CVE
May 12th, 2025 (26 days ago)

CVE-2025-47682

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision Technologies Pvt. Ltd. SMS Alert Order Notifications – WooCommerce allows SQL Injection. This issue affects SMS Alert Order Notifications – WooCommerce: from n/a through 3.8.2.

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

SSVC Exploitation: none

Source: CVE
May 12th, 2025 (26 days ago)

CVE-2025-27920

Description: Microsoft has uncovered a sophisticated cyberespionage campaign by the threat actor Marbled Dust, which exploited a previously unknown vulnerability in the popular messaging platform Output Messenger. The group, believed to be affiliated with Turkey, has used this zero-day exploit (CVE-2025-27920) since April 2024 to gather intelligence on Kurdish military targets in Iraq. According to Microsoft … The post Zero-day Flaw in Output Messenger Exploited in Espionage Attacks appeared first on CyberInsider.

CVSS: CRITICAL (9.8)

EPSS Score: 61.11%

Source: CyberInsider
May 12th, 2025 (26 days ago)

CVE-2025-44022

Description: An issue in vvveb CMS v.1.0.6 allows a remote attacker to execute arbitrary code via the Plugin mechanism.

CVSS: CRITICAL (9.8)

EPSS Score: 0.32%

Source: CVE
May 12th, 2025 (26 days ago)

CVE-2024-25223

Description: Simple Admin Panel App v1.0 was discovered to contain a SQL injection vulnerability via the orderID parameter at /adminView/viewEachOrder.php.

CVSS: CRITICAL (9.8)

EPSS Score: 0.11%

SSVC Exploitation: poc

Source: CVE
May 12th, 2025 (26 days ago)