Threat and Vulnerability Intelligence Database

CVE-2025-45841

Description: TOTOLINK NR1800X V9.1.0u.6681_B20230703 was discovered to contain an authenticated stack overflow via the text parameter in the setSmsCfg function.

CVSS: CRITICAL (9.8)

EPSS Score: 0.07%

Source: CVE
May 8th, 2025 (about 1 month ago)

CVE-2025-26844

Description: An issue was discovered in Znuny through 7.1.3. A cookie is set without the HttpOnly flag.

CVSS: CRITICAL (9.8)

EPSS Score: 0.05%

Source: CVE
May 8th, 2025 (about 1 month ago)

CVE-2024-25215

Description: Employee Managment System v1.0 was discovered to contain a SQL injection vulnerability via the pwd parameter at /aprocess.php.

CVSS: CRITICAL (9.8)

EPSS Score: 0.08%

SSVC Exploitation: poc

Source: CVE
May 8th, 2025 (about 1 month ago)

CVE-2025-20188

Description: Cisco has released software fixes to address a maximum-severity security flaw in its IOS XE Wireless Controller that could enable an unauthenticated, remote attacker to upload arbitrary files to a susceptible system. The vulnerability, tracked as CVE-2025-20188, has been rated 10.0 on the CVSS scoring system. "This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an

CVSS: CRITICAL (10.0)

EPSS Score: 3.8%

Source: TheHackerNews
May 8th, 2025 (about 1 month ago)

CVE-2024-25108

Description: Pixelfed is an open source photo sharing platform. When processing requests, authorization was improperly and insufficiently checked, allowing attackers to access far more functionality than users intended, including the administrative and moderator functionality of the Pixelfed server. This vulnerability affects every version of Pixelfed between v0.10.4 and v0.11.9, inclusive. A proof of concept of this vulnerability exists. This vulnerability affects every local user of a Pixelfed server, and can potentially affect the server's ability to federate. Some user interaction is required to set up the conditions needed to exercise the vulnerability, but the attacker could conduct this attack in a time-delayed manner, where user interaction is not actively required. This vulnerability has been addressed in version 0.11.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS: CRITICAL (9.9)

EPSS Score: 0.06%

SSVC Exploitation: poc

Source: CVE
May 7th, 2025 (about 1 month ago)

CVE-2024-23763

Description: SQL Injection vulnerability in Gambio through 4.9.2.0 allows attackers to run arbitrary SQL commands via a crafted GET request using the modifiers[attribute][] parameter.

CVSS: CRITICAL (9.8)

EPSS Score: 0.05%

SSVC Exploitation: none

Source: CVE
May 7th, 2025 (about 1 month ago)

CVE-2024-22320

Description: IBM Operational Decision Manager 8.10.3 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by unsafe deserialization. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the context of SYSTEM. IBM X-Force ID: 279146.

CVSS: CRITICAL (9.8)

EPSS Score: 90.43%

SSVC Exploitation: none

Source: CVE
May 7th, 2025 (about 1 month ago)

CVE-2025-3476

Description: Incorrect Authorization vulnerability in OpenText™ Operations Bridge Manager. The vulnerability could allow privilege escalation by authenticated users. This issue affects Operations Bridge Manager: 2023.05, 23.4, 24.2, 24.4.

CVSS: CRITICAL (9.4)

EPSS Score: 0.04%

Source: CVE
May 7th, 2025 (about 1 month ago)

CVE-2024-6047

🚨 Marked as known exploited on May 7th, 2025 (about 1 month ago).
Description: CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2024-6047 GeoVision Devices OS Command Injection Vulnerability CVE-2024-11120 GeoVision Devices OS Command Injection Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CVSS: CRITICAL (9.8)

EPSS Score: 75.4%

Source: All CISA Advisories
May 7th, 2025 (about 1 month ago)

CVE-2025-46828

Description: WeGIA is a web manager for charitable institutions. An unauthenticated SQL Injection vulnerability was identified in versions up to and including 3.3.0 in the endpoint `/html/socio/sistema/get_socios.php`, specifically in the query parameter. This issue allows attackers to inject and execute arbitrary SQL statements against the application's underlying database. As a result, it may lead to data exfiltration, authentication bypass, or complete database compromise. Version 3.3.1 fixes the issue.

CVSS: CRITICAL (10.0)

EPSS Score: 0.18%

Source: CVE
May 7th, 2025 (about 1 month ago)