CVE-2025-32969 |
Description: XWiki is a generic wiki platform. In versions starting from 1.8 and prior to 15.10.16, 16.4.6, and 16.10.1, it is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when "Prevent unregistered users from viewing pages, regardless of the page rights" and "Prevent unregistered users from editing pages, regardless of the page rights" options are enabled. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. This issue has been patched in versions 16.10.1, 16.4.6 and 15.10.16. There is no known workaround, other than upgrading XWiki.
CVSS: CRITICAL (9.3) EPSS Score: 3.9%
April 23rd, 2025 (about 2 months ago)
|
Description: ASUS has released security updates to address CVE-2024-54085, a maximum severity flaw that could allow attackers to hijack and potentially brick servers. [...]
CVSS: CRITICAL (10.0)
April 23rd, 2025 (about 2 months ago)
|
CVE-2025-42605 |
Description: This vulnerability exists in Meon Bidding Solutions due to improper authorization controls on certain API endpoints for the initiation, modification, or cancellation operations. An authenticated remote attacker could exploit this vulnerability by manipulating a parameter in the API request body to gain unauthorized access to other user accounts.
Successful exploitation of this vulnerability could allow a remote attacker to perform authorized manipulation of data associated with other user accounts.
CVSS: CRITICAL (9.3) EPSS Score: 0.22%
April 23rd, 2025 (about 2 months ago)
|
CVE-2024-6235 |
Description: Sensitive information disclosure in NetScaler Console
CVSS: CRITICAL (9.4) EPSS Score: 86.09% SSVC Exploitation: poc
April 23rd, 2025 (about 2 months ago)
|
CVE-2025-32433 |
Description:
On April 16, 2025, a critical vulnerability in the Erlang/OTP SSH server was disclosed. This vulnerability could allow an unauthenticated, remote attacker to perform remote code execution (RCE) on an affected device.
The vulnerability is due to a flaw in the handling of SSH messages during the authentication phase.
For a description of this vulnerability, see the Erlang announcement.
This advisory will be updated as additional information becomes available.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy
Security Impact Rating: Critical
CVE: CVE-2025-32433
CVSS: CRITICAL (10.0) EPSS Score: 37.73%
April 22nd, 2025 (about 2 months ago)
|
CVE-2025-32965 |
Description: xrpl.js is a JavaScript/TypeScript API for interacting with the XRP Ledger in Node.js and the browser. Versions 4.2.1, 4.2.2, 4.2.3, and 4.2.4 of xrpl.js were compromised and contained malicious code designed to exfiltrate private keys. Version 2.14.2 is also malicious, though it is less likely to lead to exploitation as it is not compatible with other 2.x versions. Anyone who used one of these versions should stop immediately and rotate any private keys or secrets used with affected systems. Users of xrpl.js should upgrade to version 4.2.5 or 2.14.3 to receive a patch. To secure funds, think carefully about whether any keys may have been compromised by this supply chain attack, and mitigate by sending funds to secure wallets and/or rotating keys. If any account's master key is potentially compromised, disable the key.
CVSS: CRITICAL (9.3) EPSS Score: 0.06%
April 22nd, 2025 (about 2 months ago)
|
CVE-2025-28039 |
Description: TOTOLINK EX1200T V4.1.2cu.5232_B20210713 was found to contain a pre-auth remote command execution vulnerability in the setUpgradeFW function through the FileName parameter.
CVSS: CRITICAL (9.8) EPSS Score: 2.86%
April 22nd, 2025 (about 2 months ago)
|
CVE-2025-34028 |
🚨 Marked as known exploited on May 2nd, 2025 (about 1 month ago).
Description: A path traversal vulnerability in Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files, which, when expanded by the target server, result in Remote Code Execution.
A PoC exists for this vulnerability.
This issue affects Command Center Innovation Release: 11.38.
CVSS: CRITICAL (10.0) EPSS Score: 63.86%
April 22nd, 2025 (about 2 months ago)
|
CVE-2024-26269 |
Description: Cross-site scripting (XSS) vulnerability in the Frontend JS module's portlet.js in Liferay Portal 7.2.0 through 7.4.3.37, and Liferay DXP 7.4 before update 38, 7.3 before update 11, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via the anchor (hash) part of a URL.
CVSS: CRITICAL (9.6) EPSS Score: 0.11% SSVC Exploitation: none
April 22nd, 2025 (about 2 months ago)
|
CVE-2024-25897 |
Description: ChurchCRM 5.5.0 FRCatalog.php is vulnerable to Blind SQL Injection (Time-based) via the CurrentFundraiser GET parameter.
CVSS: CRITICAL (9.8) EPSS Score: 9.46% SSVC Exploitation: none
April 22nd, 2025 (about 2 months ago)
|