CVE-2025-0668
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BOINC Server allows Stored XSS. This issue affects BOINC Server: before 1.4.5.
CVSS: CRITICAL (9.3) EPSS Score: 0.06%
May 7th, 2025 (about 1 month ago)
CVE-2024-6047
🚨 Marked as known exploited on May 7th, 2025 (about 1 month ago).
Description: Certain EOL GeoVision devices fail to properly filter user input for the specific functionality. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device.
CVSS: CRITICAL (9.8) EPSS Score: 75.4% SSVC Exploitation: active
May 7th, 2025 (about 1 month ago)
CVE-2024-11120
🚨 Marked as known exploited on May 7th, 2025 (about 1 month ago).
Description: Certain EOL GeoVision devices have an OS Command Injection vulnerability. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. Moreover, this vulnerability has already been exploited by attackers, and we have received related reports.
CVSS: CRITICAL (9.8) EPSS Score: 54.56% SSVC Exploitation: active
May 7th, 2025 (about 1 month ago)
CVE-2025-3844
Description: The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to Authentication Bypass in versions 1.9.1 to 7.5.2. This is due to the handel_ajax_req() function not having proper restrictions on the change_user_meta functionality, which makes it possible to set an OTP code and subsequently log in with that OTP code. This makes it possible for unauthenticated attackers to log in as other users on the site, including administrators.
CVSS: CRITICAL (9.8) EPSS Score: 0.31%
May 7th, 2025 (about 1 month ago)
CVE-2025-0855
Description: The PGS Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.8.0 via deserialization of untrusted input in the 'import_header' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVSS: CRITICAL (9.8) EPSS Score: 0.15%
May 6th, 2025 (about 1 month ago)
CVE-2025-34028
Description: CISA added CVE-2025-34028 to its catalog of known exploited vulnerabilities, citing active attacks in the wild.
CVSS: CRITICAL (10.0) EPSS Score: 63.86%
May 6th, 2025 (about 1 month ago)
CVE-2025-47419
Description: Cleartext Transmission of Sensitive Information vulnerability in Crestron Automate VX allows Sniffing Network Traffic.
The device allows Web UI and API access over non-secure network ports which exposes sensitive information such as user passwords.
This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.
CVSS: CRITICAL (10.0) EPSS Score: 0.02%
May 6th, 2025 (about 1 month ago)
CVE-2025-44899
Description: There is a stack overflow vulnerability in Tenda RX3 V1.0br_V16.03.13.11. In the fromSetWifiGusetBasic function of the web url /goform/ WifiGuestSet, the manipulation of the parameter shareSpeed leads to stack overflow.
CVSS: CRITICAL (9.8) EPSS Score: 0.06%
May 6th, 2025 (about 1 month ago)
CVE-2025-4052
Description: Google Chrome DevTools Flaw (CVE-2025-4052) Enables Critical Access Control Bypass
CVSS: CRITICAL (9.8) EPSS Score: 0.05%
May 6th, 2025 (about 1 month ago)
CVE-2025-46816
Description: goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not check the `-c` CLI option, thus allowing anyone to execute arbitrary commands through the use of websockets. Version 1.0.5 fixes the issue.
CVSS: CRITICAL (9.4) EPSS Score: 0.09%
May 6th, 2025 (about 1 month ago)