Threat and Vulnerability Intelligence Database

CVE-2025-4517

Description: Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Only Python versions 3.12 or later are affected by these vulnerabilities; earlier versions don't include the extraction filter feature. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to "data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives, as source distributions already allow arbitrary code execution during the build process. However, when evaluating source distributions it's important to avoid installing source distributions with suspicious links.

CVSS: CRITICAL (9.4)

EPSS Score: 0.07%

Source: CVE
June 3rd, 2025 (3 days ago)

CVE-2025-4797

Description: The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.7.0. This is due to the plugin not properly validating a user's identity prior to setting an authorization cookie. This makes it possible for unauthenticated attackers to log in as any user, including administrators, provided they know the user's email address.

CVSS: CRITICAL (9.8)

EPSS Score: 0.07%

Source: CVE
June 3rd, 2025 (3 days ago)

CVE-2025-37093

Description: This vulnerability allows remote attackers to bypass authentication on affected installations of Hewlett Packard Enterprise StoreOnce VSA. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2025-37093.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: Zero Day Initiative Published Advisories
June 2nd, 2025 (3 days ago)

CVE-2024-1015

Description: Remote command execution vulnerability in SE-elektronic GmbH E-DDC3.3 affecting versions 03.07.03 and higher. An attacker could send different commands from the operating system to the system via the web configuration functionality of the device.

CVSS: CRITICAL (9.8)

EPSS Score: 1.56%

SSVC Exploitation: none

Source: CVE
June 2nd, 2025 (3 days ago)

CVE-2021-32030

🚨 Marked as known exploited on June 2nd, 2025 (3 days ago).
Description: CISA added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2021-32030 ASUS Routers Improper Authentication Vulnerability
CVE-2023-39780 ASUS RT-AX55 Routers OS Command Injection Vulnerability
CVE-2024-56145 Craft CMS Code Injection Vulnerability
CVE-2025-3935 ConnectWise ScreenConnect Improper Authentication Vulnerability
CVE-2025-35939 Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. Please share your thoughts with us thro...

CVSS: CRITICAL (9.8)

Source: All CISA Advisories
June 2nd, 2025 (3 days ago)

CVE-2025-5086

Description: A deserialization of untrusted data vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could lead to a remote code execution.

CVSS: CRITICAL (10.0)

EPSS Score: 0.34%

Source: CVE
June 2nd, 2025 (3 days ago)

CVE-2021-32030

Description: ASUS Lyra Mini and ASUS GT-AC2900 devices contain an improper authentication vulnerability that allows an attacker to gain unauthorized access to the administrative interface. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

CVSS: CRITICAL (9.8)

Source: CISA KEV
June 2nd, 2025 (3 days ago)

CVE-2024-22406

Description: Shopware is an open headless commerce platform. The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the “aggregations” object. The ‘name’ field in this “aggregations” object is vulnerable to SQL injection and can be exploited using time-based SQL queries. This issue has been addressed and users are advised to update to Shopware 6.5.7.4. For older versions 6.1, 6.2, 6.3 and 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

CVSS: CRITICAL (9.3)

EPSS Score: 0.31%

SSVC Exploitation: none

Source: CVE
June 2nd, 2025 (3 days ago)

CVE-2024-22317

Description: IBM App Connect Enterprise 11.0.0.1 through 11.0.0.24 and 12.0.1.0 through 12.0.11.0 could allow a remote attacker to obtain sensitive information or cause a denial of service due to improper restriction of excessive authentication attempts. IBM X-Force ID: 279143.

CVSS: CRITICAL (9.1)

EPSS Score: 0.07%

SSVC Exploitation: none

Source: CVE
June 2nd, 2025 (3 days ago)

CVE-2024-0643

Description: Unrestricted upload of dangerous file types in the C21 Live Encoder and Live Mosaic product, version 5.3. This vulnerability allows a remote attacker to upload different file extensions without any restrictions, resulting in a full system compromise.

CVSS: CRITICAL (10.0)

EPSS Score: 0.32%

SSVC Exploitation: none

Source: CVE
June 2nd, 2025 (3 days ago)