Threat and Vulnerability Intelligence Database

CVE-2025-26342

Description: A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to create arbitrary users, including administrators, via crafted HTTP requests.

CVSS: CRITICAL (9.8)

EPSS Score: 0.04%

Source: CVE
February 13th, 2025

CVE-2025-26341

Description: A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset arbitrary user passwords via crafted HTTP requests.

CVSS: CRITICAL (9.8)

EPSS Score: 0.04%

Source: CVE
February 13th, 2025

CVE-2025-26339

Description: A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availability in multiple unspecified ways via crafted HTTP requests.

CVSS: CRITICAL (9.8)

EPSS Score: 0.04%

Source: CVE
February 13th, 2025

CVE-2025-25200

Description: Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa parses the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers with a regular expression prone to catastrophic backtracking (an "evil regex"). A client that sends a crafted value in either header can exploit this to carry out a denial-of-service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue.

CVSS: CRITICAL (9.2)

EPSS Score: 0.04%

Source: CVE
February 13th, 2025

CVE-2025-25182

Description: Stroom is a data processing, storage and analysis platform. Versions from 7.2-beta.53 up to, but not including, 7.2.24, 7.3-beta.22, 7.4.4, and 7.5-beta.2 allow authentication bypass when Stroom is configured to use AWS Application Load Balancer (ALB) authentication but is deployed so that the application can be reached directly rather than only through the ALB. The same flaw may also allow server-side request forgery, which, via the AWS instance metadata URL, may lead to code execution or further privilege escalation. Exploitation requires that the ALB authentication integration is enabled and that the application is reachable on the network. The vulnerability has been fixed in versions 7.2.24, 7.3-beta.22, 7.4.4, and 7.5-beta.2.

CVSS: CRITICAL (9.4)

EPSS Score: 0.04%

Source: CVE
February 13th, 2025

CVE-2025-1100

Description: A CWE-259 "Use of Hard-coded Password" for the root account in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to execute arbitrary code with root privileges via SSH.

CVSS: CRITICAL (9.8)

EPSS Score: 0.04%

Source: CVE
February 13th, 2025

CVE-2024-13421

Description: The Real Estate 7 WordPress theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.1. This is due to the theme not properly restricting the roles allowed to be selected during registration. This makes it possible for unauthenticated attackers to register a new administrative user account.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
February 13th, 2025

CVE-2024-13365

Description: The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to arbitrary file uploads due to the plugin uploading and extracting .zip archives when scanning them for malware through the checkUploadedArchive() function in all versions up to, and including, 2.149. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS: CRITICAL (9.8)

EPSS Score: 0.04%

Source: CVE
February 13th, 2025

CVE-2024-12213

Description: The WP Job Board Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.76. This is due to the plugin allowing a user to supply the 'role' field when registering. This makes it possible for unauthenticated attackers to register as an administrator on vulnerable sites.

CVSS: CRITICAL (9.8)

EPSS Score: 0.09%

Source: CVE
February 13th, 2025

CVE-2024-10960

Description: The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'storeUploads' function in all versions up to, and including, 2.6.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS: CRITICAL (9.9)

EPSS Score: 0.05%

Source: CVE
February 13th, 2025