CVE-2025-45607 |
Description: An issue in the component /manage/ of itranswarp v2.19 allows attackers to bypass authentication via a crafted request.
CVSS: CRITICAL (9.8) EPSS Score: 0.12%
May 5th, 2025 (about 1 month ago)
|
CVE-2025-1909 |
Description: The BuddyBoss Platform Pro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.01. This is due to insufficient verification on the user being supplied during the Apple OAuth authenticate request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.
CVSS: CRITICAL (9.8) EPSS Score: 0.33%
May 5th, 2025 (about 1 month ago)
|
Description: An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. User-supplied XML is parsed without appropriate restrictions, enabling external entity resolution.
This vulnerability can be exploited by an unauthenticated remote attacker to read files from the server's filesystem or perform denial-of-service (DoS) attacks.
On systems running JDK 7 or early JDK 8, full file contents may be exposed.
On later versions of JDK 8 and newer, only the first line of a file may be read, due to improvements in XML parser behavior.
DoS attacks such as "Billion Laughs" payloads can cause service disruption.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-2905
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993
https://github.com/advisories/GHSA-h94w-8qhg-3xmc
CVSS: CRITICAL (9.1) EPSS Score: 0.08%
May 5th, 2025 (about 1 month ago)
|
CVE-2025-4318 |
Description: The AWS Amplify Studio UI component property expressions in the aws-amplify/amplify-codegen-ui package lack input validation. This could potentially allow an authenticated user who has access to create or modify components to run arbitrary JavaScript code during the component rendering and build process.
CVSS: CRITICAL (9.5) EPSS Score: 0.06% SSVC Exploitation: none
May 5th, 2025 (about 1 month ago)
|
CVE-2025-4052 |
Description: Inappropriate implementation in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low)
CVSS: CRITICAL (9.8) EPSS Score: 0.05%
May 5th, 2025 (about 1 month ago)
|
CVE-2025-3248 |
🚨 Marked as known exploited on May 5th, 2025 (about 1 month ago).
Description: CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-3248 Langflow Missing Authentication Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
CVSS: CRITICAL (9.8) EPSS Score: 90.92%
May 5th, 2025 (about 1 month ago)
|
CVE-2025-45238 |
Description: foxcms v1.2.5 was discovered to contain an arbitrary file deletion vulnerability via the delRestoreSerie method.
CVSS: CRITICAL (9.1) EPSS Score: 0.19%
May 5th, 2025 (about 1 month ago)
|
CVE-2025-24977 |
Description: OpenCTI is an open cyber threat intelligence (CTI) platform. Prior to version 6.4.11, any user with the capability `manage customizations` can execute commands on the underlying infrastructure where OpenCTI is hosted and can access internal server-side secrets by misusing the webhooks. Since the malicious user gets a root shell inside a container, this opens up the infrastructure environment for further attacks and exposures. Version 6.4.11 fixes the issue.
CVSS: CRITICAL (9.1) EPSS Score: 0.1%
May 5th, 2025 (about 1 month ago)
|
Description: Critical Vulnerability in OpenCTI (CVE-2025-24977) Allows Infrastructure Takeover via Webhook Abuse
CVSS: CRITICAL (9.1) EPSS Score: 0.1%
May 5th, 2025 (about 1 month ago)
|
🚨 Marked as known exploited on May 5th, 2025 (about 1 month ago).
Description: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a maximum-severity security flaw impacting Commvault Command Center to its Known Exploited Vulnerabilities (KEV) catalog, a little over a week after it was publicly disclosed.
The vulnerability in question is CVE-2025-34028 (CVSS score: 10.0), a path traversal bug that affects 11.38 Innovation Release, from versions
CVSS: CRITICAL (10.0) EPSS Score: 63.86%
May 5th, 2025 (about 1 month ago)
|