CVE-2024-22267 |
Description: VMware Workstation and Fusion contain a use-after-free vulnerability in the vbluetooth device. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.
CVSS: CRITICAL (9.3) EPSS Score: 0.09% SSVC Exploitation: none
March 14th, 2025 (about 1 month ago)
|
CVE-2025-2000 |
Description: A maliciously crafted QPY file can potentially execute arbitrary code embedded in the payload without privilege escalation when deserialising QPY formats < 13. A Python process calling Qiskit 0.18.0 through 1.4.1's `qiskit.qpy.load()` function could potentially execute any arbitrary Python code embedded in the correct place in the binary file as part of a specially constructed payload.
CVSS: CRITICAL (9.8) EPSS Score: 0.04% SSVC Exploitation: none
March 14th, 2025 (about 1 month ago)
|
CVE-2024-37079 |
Description: vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.
CVSS: CRITICAL (9.8) EPSS Score: 24.4% SSVC Exploitation: poc
March 14th, 2025 (about 1 month ago)
|
CVE-2025-27595 |
Description: The device uses a weak hashing algorithm to create the password hash. Hence, a matching password can be easily calculated by an attacker. This impacts the security and the integrity of the device.
CVSS: CRITICAL (9.8) EPSS Score: 0.05%
March 14th, 2025 (about 1 month ago)
|
CVE-2025-27593 |
Description: The product can be used to distribute malicious code using SDD Device Drivers due to missing download verification checks, leading to code execution on target systems.
CVSS: CRITICAL (9.3) EPSS Score: 0.03%
March 14th, 2025 (about 1 month ago)
|
CVE-2025-2304 |
Description: A privilege escalation through mass assignment exists in Camaleon CMS. When a user wishes to change his password, the 'updated_ajax' method of the UsersController is called. The vulnerability stems from the use of the dangerous permit! method, which allows all parameters to pass through without any filtering.
CVSS: CRITICAL (9.4) EPSS Score: 0.06%
March 14th, 2025 (about 1 month ago)
|
CVE-2025-2232 |
Description: The Realteo - Real Estate Plugin by Purethemes plugin for WordPress, used by the Findeo Theme, is vulnerable to authentication bypass in all versions up to, and including, 1.2.8. This is due to insufficient role restrictions in the 'do_register_user' function. This makes it possible for unauthenticated attackers to register an account with the Administrator role.
CVSS: CRITICAL (9.8) EPSS Score: 0.21%
March 14th, 2025 (about 1 month ago)
|
CVE-2024-13771 |
Description: The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of user validation before changing a password. This makes it possible for unauthenticated attackers to change the password of arbitrary users, including administrators, if the attacker knows the username of the victim.
CVSS: CRITICAL (9.8) EPSS Score: 0.06%
March 14th, 2025 (about 1 month ago)
|
CVE-2024-9264 |
Description: The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
CVSS: CRITICAL (9.4) EPSS Score: 89.04% SSVC Exploitation: poc
March 14th, 2025 (about 1 month ago)
|
CVE-2024-13824 |
Description: The CiyaShop - Multipurpose WooCommerce Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.19.0 via deserialization of untrusted input in the 'add_ciyashop_wishlist' and 'ciyashop_get_compare' functions. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present.
CVSS: CRITICAL (9.8) EPSS Score: 0.33%
March 14th, 2025 (about 1 month ago)
|