Threat and Vulnerability Intelligence Database

CVE-2025-31002

Description: Unrestricted Upload of File with Dangerous Type vulnerability in Bogdan Bendziukov Squeeze allows Using Malicious Files. This issue affects Squeeze: from n/a through 1.6.

CVSS: CRITICAL (9.1)

EPSS Score: 0.05%

Source: CVE
April 9th, 2025 (2 months ago)

CVE-2025-32375

Description: BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.8, there was an insecure deserialization in BentoML's runner server. By setting specific headers and parameters in the POST request, it is possible to execute unauthorized arbitrary code on the server, which grants the attacker initial access to the server and allows information disclosure. This vulnerability is fixed in 1.4.8.

CVSS: CRITICAL (9.8)

EPSS Score: 36.96%

SSVC Exploitation: poc

Source: CVE
April 9th, 2025 (2 months ago)

CVE-2025-32020

Description:

Impact: Improper neutralization of the order/sort parameter in the TypeORM adapter, which allows SQL injection. You are impacted by this vulnerability if you are using the TypeORM adapter, ordering is enabled and you have not set up a property filter. Versions 0.0.1, 0.0.2 and 0.0.3 are affected by this vulnerability.

Patches: This vulnerability has been fixed in version 0.1.0 and newer, which introduces TypeORM field validation (enabled by default).

Workarounds:

Add an allowlist of fields: list all valid fields and use the filterProperties function to filter out invalid fields before passing the crudRequest to the TypeOrmQueryAdapter. Here's an example:
    crudRequest = filterProperties(crudRequest, ['id', 'title', 'category.name']);

Disable ordering: clean up the order field just before passing it to the TypeOrmQueryAdapter. Here's an example:
    crudRequest.order = [];

References:
https://github.com/Guichaguri/crud-query-parser/security/advisories/GHSA-9r25-rp3p-h2w4
https://nvd.nist.gov/vuln/detail/CVE-2025-32020
https://github.com/advisories/GHSA-9r25-rp3p-h2w4

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: Github Advisory Database (NPM)
April 9th, 2025 (2 months ago)

CVE-2025-27797

Description: An OS command injection vulnerability exists in a specific service of the Wi-Fi AP UNIT 'AC-WPS-11ac series'. If exploited, an arbitrary OS command may be executed by a remote attacker who can log in to the product.

CVSS: CRITICAL (9.8)

EPSS Score: 0.38%

Source: CVE
April 9th, 2025 (2 months ago)

CVE-2025-24446

Description: Adobe has released security updates to fix a fresh set of security flaws, including multiple critical-severity bugs in ColdFusion versions 2025, 2023 and 2021 that could result in arbitrary file read and code execution. Of the 30 flaws in the product, 11 are rated Critical in severity - CVE-2025-24446 (CVSS score: 9.1) - An improper input validation vulnerability that could result in an

CVSS: CRITICAL (9.1)

EPSS Score: 1.25%

Source: TheHackerNews
April 9th, 2025 (2 months ago)

CVE-2025-30282

Description: ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Authentication vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could leverage this vulnerability to bypass authentication mechanisms and execute code with the privileges of the authenticated user. Exploitation of this issue requires user interaction in that a victim must be coerced into performing actions within the application.

CVSS: CRITICAL (9.1)

EPSS Score: 0.34%

SSVC Exploitation: none

Source: CVE
April 8th, 2025 (2 months ago)

CVE-2025-30281

Description: ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could leverage this vulnerability to access or modify sensitive data without proper authorization. Exploitation of this issue does not require user interaction.

CVSS: CRITICAL (9.1)

EPSS Score: 0.21%

SSVC Exploitation: none

Source: CVE
April 8th, 2025 (2 months ago)

CVE-2025-24447

Description: ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVSS: CRITICAL (9.1)

EPSS Score: 4.41%

SSVC Exploitation: none

Source: CVE
April 8th, 2025 (2 months ago)

CVE-2025-24446

Description: ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVSS: CRITICAL (9.1)

EPSS Score: 1.25%

SSVC Exploitation: none

Source: CVE
April 8th, 2025 (2 months ago)

CVE-2024-30224

Description: Deserialization of Untrusted Data vulnerability in Wholesale Team WholesaleX. This issue affects WholesaleX: from n/a through 1.3.2.

CVSS: CRITICAL (10.0)

EPSS Score: 0.77%

SSVC Exploitation: none

Source: CVE
April 8th, 2025 (2 months ago)