Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-0756 |
Description: Overview
The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99)
Description
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not restrict JNDI identifiers during the creation of platform data sources.
Impact
An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information, which can lead to remote code execution by unauthorized users.
CVSS: CRITICAL (9.1)
April 16th, 2025 (about 21 hours ago)
|
|
CVE-2025-32433 |
Description: Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.
CVSS: CRITICAL (10.0)
April 16th, 2025 (about 22 hours ago)
|
|
CVE-2025-27540 |
Description: A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'Authenticate' method. This could allow an unauthenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on. (ZDI-CAN-25913)
CVSS: CRITICAL (9.8)
April 16th, 2025 (1 day ago)
|
|
CVE-2025-27539 |
Description: A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'VerifyUser' method. This could allow an unauthenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on. (ZDI-CAN-25914)
CVSS: CRITICAL (9.8)
April 16th, 2025 (1 day ago)
|
|
CVE-2025-27495 |
Description: A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'CreateTrace' method. This could allow an unauthenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on. (ZDI-CAN-25911)
CVSS: CRITICAL (9.8)
April 16th, 2025 (1 day ago)
|
|
CVE-2025-39601 |
Description: Cross-Site Request Forgery (CSRF) vulnerability in WPFactory Custom CSS, JS & PHP allows Remote Code Inclusion. This issue affects Custom CSS, JS & PHP: from n/a through 2.4.1.
CVSS: CRITICAL (9.6)
April 16th, 2025 (1 day ago)
|
|
CVE-2025-39557 |
Description: Unrestricted Upload of File with Dangerous Type vulnerability in Ben Ritner - Kadence WP Kadence WooCommerce Email Designer allows Upload a Web Shell to a Web Server. This issue affects Kadence WooCommerce Email Designer: from n/a through 1.5.14.
CVSS: CRITICAL (9.1)
April 16th, 2025 (1 day ago)
|
|
CVE-2025-1981 |
Description: Improper neutralization of input provided by a low-privileged user into a file search functionality in Ready_'s Invoices module allows for SQL Injection attacks.
CVSS: CRITICAL (9.4)
April 16th, 2025 (1 day ago)
|
|
CVE-2024-22036 |
Description: A vulnerability has been identified within Rancher where a cluster or node driver can be used to escape the chroot
jail and gain root access to the Rancher container itself. In
production environments, further privilege escalation is possible based
on living off the land within the Rancher container itself. For the test
and development environments, based on a –privileged Docker container,
it is possible to escape the Docker container and gain execution access
on the host system.
This issue affects rancher: from 2.7.0 before 2.7.16, from 2.8.0 before 2.8.9, from 2.9.0 before 2.9.3.
CVSS: CRITICAL (9.1) EPSS Score: 0.04%
April 16th, 2025 (1 day ago)
|
|
CVE-2025-3495 |
Description: Delta Electronics COMMGR v1 and v2 uses insufficiently randomized values to generate session IDs (CWE-338). An attacker could easily brute force a session ID and load and execute arbitrary code.
CVSS: CRITICAL (9.8) EPSS Score: 0.07%
April 16th, 2025 (1 day ago)
|