Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-35996 |
Description: KUNBUS PiCtory version 2.11.1 and earlier are vulnerable when an authenticated remote attacker crafts a special filename that can be stored by API endpoints. That filename is later transmitted to the client in order to show a list of configuration files. Due to a missing escape or sanitization, the filename could be executed as HTML script tag resulting in a cross-site-scripting attack.
CVSS: CRITICAL (9.0) EPSS Score: 0.08%
May 1st, 2025 (about 1 month ago)
|
|
CVE-2025-32011 |
Description: KUNBUS PiCtory versions 2.5.0 through 2.11.1 have an authentication bypass vulnerability where a remote attacker can bypass authentication to get access due to a path traversal.
CVSS: CRITICAL (9.8) EPSS Score: 0.4%
May 1st, 2025 (about 1 month ago)
|
|
CVE-2025-24522 |
Description: KUNBUS Revolution Pi OS Bookworm 01/2025 is vulnerable because authentication is not configured by default for the Node-RED server. This can give an unauthenticated remote attacker full access to the Node-RED server where they can run arbitrary commands on the underlying operating system.
CVSS: CRITICAL (10.0) EPSS Score: 0.14% SSVC Exploitation: none
May 1st, 2025 (about 1 month ago)
|
|
CVE-2025-46337 |
Description: ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. Prior to version 5.22.9, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a PostgreSQL database and calls pg_insert_id() with user-supplied data. This issue has been patched in version 5.22.9.
CVSS: CRITICAL (10.0) EPSS Score: 0.08%
May 1st, 2025 (about 1 month ago)
|
|
CVE-2025-47154 |
Description: LibJS in Ladybird before f5a6704 mishandles the freeing of the vector that arguments_list references, leading to a use-after-free, and allowing remote attackers to execute arbitrary code via a crafted .js file. NOTE: the GitHub README says "Ladybird is in a pre-alpha state, and only suitable for use by developers."
CVSS: CRITICAL (9.0) EPSS Score: 0.23% SSVC Exploitation: poc
May 1st, 2025 (about 1 month ago)
|
|
CVE-2025-27007 |
🚨 Marked as known exploited on May 7th, 2025 (about 1 month ago).
Description: Incorrect Privilege Assignment vulnerability in Brainstorm Force SureTriggers allows Privilege Escalation.This issue affects SureTriggers: from n/a through 1.0.82.
CVSS: CRITICAL (9.8) EPSS Score: 17.88% SSVC Exploitation: none
May 1st, 2025 (about 1 month ago)
|
|
CVE-2024-5989 |
Description: Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke SQL injection into the program and cause a remote code execution condition on the Rockwell Automation ThinManager® ThinServer™.
CVSS: CRITICAL (9.8) EPSS Score: 0.87% SSVC Exploitation: none
May 1st, 2025 (about 1 month ago)
|
|
CVE-2024-5988 |
Description: Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke a local or remote executable and cause a remote code execution condition on the Rockwell Automation ThinManager® ThinServer™.
CVSS: CRITICAL (9.8) EPSS Score: 1.22% SSVC Exploitation: none
May 1st, 2025 (about 1 month ago)
|
|
CVE-2024-39872 |
Description: A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application does not properly assign rights to temporary files created during its update process. This could allow an authenticated attacker with the 'Manage firmware updates' role to escalate their privileges on the underlying OS level.
CVSS: CRITICAL (9.6) EPSS Score: 0.25% SSVC Exploitation: none
May 1st, 2025 (about 1 month ago)
|
|
CVE-2025-24522 |
Description: View CSAF
1. EXECUTIVE SUMMARY
CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: KUNBUS
Equipment: Revolution Pi
Vulnerabilities: Missing Authentication for Critical Function, Authentication Bypass by Primary Weakness, Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow attackers to bypass authentication, gain unauthorized access to critical functions, and execute malicious server-side includes (SSI) within a web page.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of KUNBUS Revolution Pi are affected:
Revolution Pi OS Bookworm: Versions 01/2025 and earlierRevolution Pi PiCtory: Versions 2.5.0 through 2.11.1Revolution Pi PiCtory: Versions 2.11.1 and earlier
3.2 VULNERABILITY OVERVIEW
3.2.1 Missing Authentication for Critical Function CWE-306
KUNBUS Revolution Pi OS Bookworm 01/2025 is vulnerable because authentication is not configured by default for the Node-RED server. This can give an unauthenticated remote attacker full access to the Node-RED server where they can run arbitrary commands on the underlying operating system.
CVE-2025-24522 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-24522. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:...
CVSS: CRITICAL (10.0) EPSS Score: 0.14%
May 1st, 2025 (about 1 month ago)
|