Threat and Vulnerability Intelligence Database

CVE-2025-46558

Description: XWiki Contrib's Syntax Markdown allows importing Markdown content into wiki pages and creating wiki content in Markdown. In versions starting from 8.2 to before 8.9, the Markdown syntax is vulnerable to cross-site scripting (XSS) through HTML. In particular, using Markdown syntax, it's possible for any user to embed JavaScript code that will then be executed in the browser of any other user visiting either the document or the comment that contains it. If this code is executed by a user with admin or programming rights, this issue compromises the confidentiality, integrity and availability of the whole XWiki installation. This issue has been patched in version 8.9.

CVSS: CRITICAL (9.1)

EPSS Score: 0.04%

Source: CVE
April 30th, 2025 (about 1 month ago)

CVE-2025-44192

Description: SourceCodester Simple Barangay Management System v1.0 has a SQL injection vulnerability in /barangay_management/admin/?page=view_clearance.

CVSS: CRITICAL (9.8)

EPSS Score: 0.04%

Source: CVE
April 30th, 2025 (about 1 month ago)

CVE-2025-30392

Description: Improper authorization in Azure Bot Framework SDK allows an unauthorized attacker to elevate privileges over a network.

CVSS: CRITICAL (9.8)

EPSS Score: 0.09%

SSVC Exploitation: none

Source: CVE
April 30th, 2025 (about 1 month ago)

CVE-2025-30390

Description: Improper authorization in Azure allows an authorized attacker to elevate privileges over a network.

CVSS: CRITICAL (9.9)

EPSS Score: 0.07%

SSVC Exploitation: none

Source: CVE
April 30th, 2025 (about 1 month ago)

CVE-2025-0520

Description: An unrestricted file upload vulnerability in ShowDoc caused by improper validation of file extension allows execution of arbitrary PHP, leading to remote code execution. This issue affects ShowDoc: before 2.8.7.

References:
https://nvd.nist.gov/vuln/detail/CVE-2025-0520
https://github.com/star7th/showdoc/pull/1059
https://github.com/vulhub/vulhub/tree/master/showdoc/CNVD-2020-26585
https://www.cnvd.org.cn/flaw/show/CNVD-2020-26585
https://github.com/advisories/GHSA-6jmr-r7p6-f5wr

CVSS: CRITICAL (9.4)

EPSS Score: 0.3%

Source: Github Advisory Database (Composer)
April 30th, 2025 (about 1 month ago)

CVE-2025-32974

Description: XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is content on the page like a script macro that would gain more rights due to the editing. This analysis doesn't consider certain kinds of properties, allowing a user to put malicious scripts in there that will be executed after a user with script, admin, or programming rights edited the page. Such a malicious script could impact the confidentiality, integrity and availability of the whole XWiki installation. This issue has been patched in versions 15.10.8 and 16.2.0.

CVSS: CRITICAL (9.0)

EPSS Score: 0.48%

Source: CVE
April 30th, 2025 (about 1 month ago)

CVE-2025-32973

Description: XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, when a user with programming rights edits a document in XWiki that was last edited by a user without programming rights and contains an XWiki.ComponentClass, there is no warning that this will grant programming rights to this object. An attacker who created such a malicious object could use this to gain programming rights on the wiki. For this, the attacker needs to have edit rights on at least one page to place this object and then get an admin user to edit that document. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1.

CVSS: CRITICAL (9.0)

EPSS Score: 0.7%

Source: CVE
April 30th, 2025 (about 1 month ago)

CVE-2025-32444

Description: vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.6.5 and prior to 0.8.5, having vLLM integration with mooncake, are vulnerable to remote code execution due to using pickle based serialization over unsecured ZeroMQ sockets. The vulnerable sockets were set to listen on all network interfaces, increasing the likelihood that an attacker is able to reach the vulnerable ZeroMQ sockets to carry out an attack. vLLM instances that do not make use of the mooncake integration are not vulnerable. This issue has been patched in version 0.8.5.

CVSS: CRITICAL (10.0)

EPSS Score: 0.5%

SSVC Exploitation: none

Source: CVE
April 30th, 2025 (about 1 month ago)

CVE-2025-46348

Description: YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the request to commence a site backup can be performed and downloaded without authentication. The archives are created with a predictable filename, so a malicious user could create and download an archive without being authenticated. This could result in a malicious attacker making numerous requests to create archives and fill up the file system, or by downloading the archive which contains sensitive site information. This issue has been patched in version 4.5.4.

CVSS: CRITICAL (10.0)

EPSS Score: 0.09%

Source: CVE
April 29th, 2025 (about 1 month ago)

CVE-2025-0520

Description: An unrestricted file upload vulnerability in ShowDoc caused by improper validation of file extension allows execution of arbitrary PHP, leading to remote code execution. This issue affects ShowDoc: before 2.8.7.

CVSS: CRITICAL (9.4)

EPSS Score: 0.3%

Source: CVE
April 29th, 2025 (about 1 month ago)