Threat and Vulnerability Intelligence Database

CVE-2025-25022

Description: IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 could allow an unauthenticated user in the environment to obtain highly sensitive information in configuration files.

CVSS: CRITICAL (9.6)

EPSS Score: 0.03%

SSVC Exploitation: none

Source: CVE
June 3rd, 2025 (2 days ago)

CVE-2023-4041

Description:
1. EXECUTIVE SUMMARY
CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: Wiser AvatarOn 6K Freelocate, Wiser Cuadro H 5P Socket
Vulnerability: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to inject code or bypass authentication.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Schneider Electric products are affected:
Wiser AvatarOn 6K Freelocate: All versions
Wiser Cuadro H 5P Socket: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'), Out-of-bounds Write, Download of Code Without Integrity Check vulnerability in Silicon Labs Gecko Bootloader on ARM (Firmware Update File Parser modules) allows Code Injection, Authentication Bypass. This issue affects "Standalone" and "Application" versions of Gecko Bootloader. CVE-2023-4041 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). A CVSS v4 score has also been calculated for CVE-2023-4041. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Energy
COUNTRI...

CVSS: CRITICAL (9.8)

Source: All CISA Advisories
June 3rd, 2025 (2 days ago)

CVE-2025-3755

Description:
1. EXECUTIVE SUMMARY
CVSS v3 9.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Mitsubishi Electric
Equipment: MELSEC iQ-F Series
Vulnerability: Improper Validation of Specified Index, Position, or Offset in Input
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to read confidential information, cause a denial-of-service condition, or stop operations by sending specially crafted packets.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Mitsubishi Electric MELSEC iQ-F Series are affected. Products with [Note *1] are sold in limited regions:
FX5U-xMy/z x=32, 64, 80, y=T, R, z=ES,DS, ESS, DSS: All versions
FX5UC-xMy/z x=32, 64, 96, y=T, z=D, DSS: All versions
FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS: All versions
FX5UJ-xMy/z x=24, 40, 60, y=T, R, z=ES,DS,ESS,DSS: All versions
FX5UJ-xMy/ES-A[Note *1] x=24, 40, 60, y=T, R: All versions
FX5S-xMy/z x=30, 40, 60, 80[Note *1], y=T, R, z= ES,DS,ESS,DSS: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER VALIDATION OF SPECIFIED INDEX, POSITION, OR OFFSET IN INPUT CWE-1285
This vulnerability allows a remote attacker to read information in the product, cause a Denial-of-Service (DoS) condition in MELSOFT connection communication with Mitsubishi Electric FA products such as GX Works3 and GOT, or stop the operation of the CPU module (causing a DoS condition on the CPU module), by sending specially crafted packets. The product is need...

CVSS: CRITICAL (9.1)

EPSS Score: 0.05%

Source: All CISA Advisories
June 3rd, 2025 (2 days ago)

CVE-2024-23059

Description: TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the username parameter in the setDdnsCfg function.

CVSS: CRITICAL (9.8)

EPSS Score: 2.3%

SSVC Exploitation: poc

Source: CVE
June 3rd, 2025 (2 days ago)

CVE-2024-22942

Description: TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the hostName parameter in the setWanCfg function.

CVSS: CRITICAL (9.8)

EPSS Score: 3.13%

SSVC Exploitation: poc

Source: CVE
June 3rd, 2025 (2 days ago)

CVE-2024-22087

Description: route in main.c in Pico HTTP Server in C through f3b69a6 has an sprintf stack-based buffer overflow via a long URI, leading to remote code execution.

CVSS: CRITICAL (9.8)

EPSS Score: 4.83%

SSVC Exploitation: poc

Source: CVE
June 3rd, 2025 (2 days ago)

CVE-2024-21669

Description: Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments. When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation `document.proof` was not factored into the final `verified` value (`true`/`false`) on the presentation record. The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own. This vulnerability has been present since version 0.7.0 and fixed in version 0.10.5.

CVSS: CRITICAL (9.9)

EPSS Score: 0.14%

SSVC Exploitation: poc

Source: CVE
June 3rd, 2025 (2 days ago)

CVE-2024-21638

Description: Azure IPAM (IP Address Management) is a lightweight solution developed on top of the Azure platform designed to help Azure customers manage their IP Address space easily and effectively. By design there is no write access to customers' Azure environments as the Service Principal used is only assigned the Reader role at the root Management Group level. Until recently, the solution lacked the validation of the passed in authentication token which may result in attacker impersonating any privileged user to access data stored within the IPAM instance and subsequently from Azure, causing an elevation of privilege. This vulnerability has been patched in version 3.0.0.

CVSS: CRITICAL (9.1)

EPSS Score: 3.55%

SSVC Exploitation: none

Source: CVE
June 3rd, 2025 (2 days ago)

CVE-2024-0322

Description: Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DEV.

CVSS: CRITICAL (9.1)

EPSS Score: 0.11%

SSVC Exploitation: poc

Source: CVE
June 3rd, 2025 (2 days ago)

Description: Cybersecurity researchers have disclosed details of a critical security flaw in the Roundcube webmail software that has gone unnoticed for a decade and could be exploited to take over susceptible systems and execute arbitrary code. The vulnerability, tracked as CVE-2025-49113, carries a CVSS score of 9.9 out of 10.0. It has been described as a case of post-authenticated remote code execution via

CVSS: CRITICAL (9.9)

EPSS Score: 0.66%

Source: TheHackerNews
June 3rd, 2025 (3 days ago)