Threat and Vulnerability Intelligence Database

CVE-2025-30215

Description: NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In versions starting from 2.2.0 but prior to 2.10.27 and 2.11.1, the management of JetStream assets happens with messages in the $JS. subject namespace in the system account; this is partially exposed into regular accounts to allow account holders to manage their assets. Some of the JS API requests were missing access controls, allowing any user with JS management permissions in any account to perform certain administrative actions on any JS asset in any other account. At least one of the unprotected APIs allows for data destruction. None of the affected APIs allow disclosing stream contents. This vulnerability is fixed in v2.11.1 or v2.10.27.

CVSS: CRITICAL (9.6)

EPSS Score: 0.03%

Source: CVE
April 16th, 2025

CVE-2025-30967

Description: Cross-Site Request Forgery (CSRF) vulnerability in NotFound WPJobBoard allows Upload a Web Shell to a Web Server. This issue affects WPJobBoard: from n/a through n/a.

CVSS: CRITICAL (9.6)

EPSS Score: 0.02%

Source: CVE
April 15th, 2025

CVE-2025-30510

Description: An attacker can upload an arbitrary file instead of a plant image.

CVSS: CRITICAL (9.3)

EPSS Score: 0.02%

Source: CVE
April 15th, 2025

CVE-2025-26927

Description: Unrestricted Upload of File with Dangerous Type vulnerability in EPC AI Hub allows Upload a Web Shell to a Web Server. This issue affects AI Hub: from n/a through 1.3.3.

CVSS: CRITICAL (10.0)

EPSS Score: 0.04%

Source: CVE
April 15th, 2025

CVE-2025-24297

Description: Due to lack of server-side input validation, attackers can inject malicious JavaScript code into users' personal spaces of the web portal.

CVSS: CRITICAL (9.3)

EPSS Score: 0.05%

Source: CVE
April 15th, 2025

CVE-2025-32778

Description: Web-Check is an all-in-one OSINT tool for analyzing any website. A command injection vulnerability exists in the screenshot API of the Web Check project (Lissy93/web-check). The issue stems from user-controlled input (url) being passed unsanitized into a shell command using exec(), allowing attackers to execute arbitrary system commands on the underlying host. This could be exploited by sending crafted url parameters to extract files or even establish remote access. The vulnerability has been patched by replacing exec() with execFile(), which avoids using a shell and properly isolates arguments.

CVSS: CRITICAL (9.3)

EPSS Score: 0.44%

SSVC Exploitation: none

Source: CVE
April 15th, 2025

CVE-2025-30727

Description: Vulnerability in the Oracle Scripting product of Oracle E-Business Suite (component: iSurvey Module). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Scripting. Successful attacks of this vulnerability can result in takeover of Oracle Scripting. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVSS: CRITICAL (9.8)

EPSS Score: 0.04%

Source: CVE
April 15th, 2025

CVE-2025-32445

Description: Argo Events is an event-driven workflow automation framework for Kubernetes. A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges. The EventSource and Sensor CRs allow the corresponding orchestrated pod to be customized with spec.template and spec.template.container (with type k8s.io/api/core/v1.Container); thus, any specification under container such as command, args, securityContext, volumeMount can be specified and applied to the EventSource or Sensor pod. With these, a user would be able to gain privileged access to the cluster host if he/she specified the EventSource/Sensor CR with some particular properties under template. This vulnerability is fixed in v1.9.6.

CVSS: CRITICAL (10.0)

EPSS Score: 0.04%

Source: CVE
April 15th, 2025

CVE-2025-30206

Description: Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw allows attackers to analyze the source code, discover the embedded secret, and craft legitimate JWT tokens. By forging these tokens, an attacker can successfully bypass authentication mechanisms, impersonate privileged users, and gain unauthorized administrative access. Consequently, this enables full control over the host machine, potentially leading to severe consequences such as sensitive data exposure, unauthorized command execution, privilege escalation, or further lateral movement within the network environment. This issue is patched in version 1.6.1. A workaround for this vulnerability involves replacing the hardcoded secret with a securely generated value and loading it from secure configuration storage.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

SSVC Exploitation: poc

Source: CVE
April 15th, 2025

CVE-2025-2567

Description: An attacker could modify or disable settings, disrupt fuel monitoring and supply chain operations, leading to disabling of ATG monitoring. This would result in potential safety hazards in fuel storage and transportation.

CVSS: CRITICAL (9.8)

EPSS Score: 0.04%

Source: CVE
April 15th, 2025