Threat and Vulnerability Intelligence Database

CVE-2025-34028

🚨 Marked as known exploited on May 2nd, 2025 (about 1 month ago).
Description: CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2025-34028 Commvault Command Center Path Traversal Vulnerability
CVE-2024-58136 Yiiframework Yii Improper Protection of Alternate Path Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CVSS: CRITICAL (10.0)

EPSS Score: 63.86%

Source: All CISA Advisories
May 2nd, 2025 (about 1 month ago)

CVE-2024-58136

Description: Yii Framework contains an improper protection of alternate path vulnerability that may allow a remote attacker to execute arbitrary code. This vulnerability could affect other products that implement Yii, including—but not limited to—Craft CMS, as represented by CVE-2025-32432.

CVSS: CRITICAL (9.0)

EPSS Score: 36.6%

Source: CISA KEV
May 2nd, 2025 (about 1 month ago)

CVE-2025-34028

Description: Commvault Command Center contains a path traversal vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code.

CVSS: CRITICAL (10.0)

EPSS Score: 63.86%

Source: CISA KEV
May 2nd, 2025 (about 1 month ago)

CVE-2025-45800

Description: TOTOLINK A950RG V4.1.2cu.5204_B20210112 contains a command execution vulnerability in the setDeviceName interface of the /lib/cste_modules/global.so library, specifically in the processing of the deviceMac parameter.

CVSS: CRITICAL (9.8)

EPSS Score: 0.09%

Source: CVE
May 2nd, 2025 (about 1 month ago)

CVE-2025-2605

Description: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Honeywell MB-Secure allows Privilege Abuse. This issue affects MB-Secure: from V11.04 before V12.53 and MB-Secure PRO from V01.06 before V03.09. Honeywell also recommends updating to the most recent version of this product.

CVSS: CRITICAL (9.9)

EPSS Score: 0.18%

Source: CVE
May 2nd, 2025 (about 1 month ago)

CVE-2025-2812

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mydata Informatics Ticket Sales Automation allows Blind SQL Injection. This issue affects Ticket Sales Automation: before 03.04.2025 (DD.MM.YYYY).

CVSS: CRITICAL (9.8)

EPSS Score: 0.04%

Source: CVE
May 2nd, 2025 (about 1 month ago)

CVE-2025-3746

Description: The OTP-less one tap Sign in plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.14 to 2.0.59. This is due to the plugin not properly validating a user's identity prior to updating their details, like email. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. Additionally, the plugin returns authentication cookies in the response, which can be used to access the account directly.

CVSS: CRITICAL (9.8)

EPSS Score: 0.18%

Source: CVE
May 2nd, 2025 (about 1 month ago)

CVE-2025-3709

Description: Agentflow from Flowring Technology has an Account Lockout Bypass vulnerability, allowing unauthenticated remote attackers to exploit it to perform password brute-force attacks.

CVSS: CRITICAL (9.8)

EPSS Score: 0.05%

Source: CVE
May 2nd, 2025 (about 1 month ago)

CVE-2025-3708

Description: Le-show medical practice management system from Le-yan has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

CVSS: CRITICAL (9.8)

EPSS Score: 0.11%

Source: CVE
May 2nd, 2025 (about 1 month ago)

CVE-2024-48905

Description: Sematell ReplyOne 7.4.3.0 has Insecure Permissions for the /rest/sessions endpoint.

CVSS: CRITICAL (9.1)

EPSS Score: 0.04%

Source: CVE
May 1st, 2025 (about 1 month ago)