CVE-2025-46248
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in M A Vinoth Kumar Frontend Dashboard allows SQL Injection. This issue affects Frontend Dashboard: from n/a through 2.2.5.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
April 24th, 2025 (2 months ago)
CVE-2025-31324
🚨 Marked as known exploited on April 25th, 2025 (2 months ago).
Description: SAP NetWeaver Visual Composer Metadata Uploader is not protected with proper authorization, allowing an unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
CVSS: CRITICAL (10.0) EPSS Score: 78.65%
April 24th, 2025 (2 months ago)
CVE-2024-24026
Description: An arbitrary file upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions at com.java2nb.system.controller.SysUserController: uploadImg(). An attacker can pass in a specially crafted filename parameter to perform arbitrary file download.
CVSS: CRITICAL (9.8) EPSS Score: 0.08% SSVC Exploitation: none
April 24th, 2025 (2 months ago)
CVE-2024-23108
Description: An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiSIEM versions 7.1.0 through 7.1.1, 7.0.0 through 7.0.2, 6.7.0 through 6.7.8, 6.6.0 through 6.6.3, 6.5.0 through 6.5.2, and 6.4.0 through 6.4.2 allows an attacker to execute unauthorized code or commands via crafted API requests.
CVSS: CRITICAL (10.0) EPSS Score: 89.79% SSVC Exploitation: poc
April 24th, 2025 (2 months ago)
CVE-2024-21762
🚨 Marked as known exploited on April 24th, 2025 (2 months ago).
Description: An out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, and FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows an attacker to execute unauthorized code or commands via specifically crafted requests.
CVSS: CRITICAL (9.8) EPSS Score: 92.52% SSVC Exploitation: active
April 24th, 2025 (2 months ago)
CVE-2024-0610
Description: The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'MerchantReference' parameter in all versions up to, and including, 1.6.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS: CRITICAL (9.8) EPSS Score: 0.46% SSVC Exploitation: none
April 24th, 2025 (2 months ago)
CVE-2018-7846
Description:
1. EXECUTIVE SUMMARY
CVSS v3 10.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: Modicon M580, Modicon M340, Modicon Premium, and Modicon Quantum
Vulnerabilities: Trust Boundary Violation, Uncaught Exception, Exposure of Sensitive Information to an Unauthorized Actor, Authentication Bypass by Spoofing, Improper Access Control, Reliance on Untrusted Inputs in a Security Decision, Out-of-bounds Read
2. RISK EVALUATION
Successful exploitation of these vulnerabilities may risk execution of unsolicited commands on the PLC, which could result in a loss of availability of the controller.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following products are affected:
Modicon M580: All versions prior to 2.90 (CVE-2018-7846, CVE-2018-7849, CVE-2018-7848, CVE-2018-7842, CVE-2018-7847, CVE-2018-7850, CVE-2018-7853, CVE-2018-7854, CVE-2019-6808, CVE-2019-6828, CVE-2019-6829, CVE-2019-6809)
Modicon Momentum CPU (part numbers 171CBU*): All versions (CVE-2018-7857)
Modicon Quantum: All versions prior to 3.60 (CVE-2018-7843, CVE-2018-7845, CVE-2018-7852, CVE-2018-7856, CVE-2019-6807)
Modicon Quantum: All versions (CVE-2018-7846, CVE-2018-7849, CVE-2018-7848, CVE-2018-7842, CVE-2018-7847, CVE-2018-7850, CVE-2018-7855, CVE-2018-7857, CVE-2019-6806, CVE-2019-6808, CVE-2018-7844, CVE-2019-6828, CVE-2019-6809)
Modicon Premium: All versions (CVE-2018-7846, CVE-2018-7849, CVE-2018-7848, CVE-2018-7842, CVE-201...
CVSS: CRITICAL (9.8)
April 24th, 2025 (2 months ago)
Description: A critical security flaw has been disclosed in the Commvault Command Center that could allow arbitrary code execution on affected installations.
The vulnerability, tracked as CVE-2025-34028, carries a CVSS score of 9.0 out of a maximum of 10.0.
"A critical security vulnerability has been identified in the Command Center installation, allowing remote attackers to execute arbitrary code without
CVSS: CRITICAL (10.0) EPSS Score: 63.86%
April 24th, 2025 (2 months ago)
Description: As we pack our bags and prepare for the adult-er version of BlackHat (that apparently doesn't require us to print out stolen mailspoolz to hand to people at their talks), we want to tell you about a recent adventure - a heist, if you will. No heist story
CVSS: CRITICAL (10.0) EPSS Score: 63.86%
April 24th, 2025 (2 months ago)
CVE-2025-3604
Description: The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their details, such as their email. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators', and leverage that to reset the user's password and gain access to their account.
CVSS: CRITICAL (9.8) EPSS Score: 0.1%
April 24th, 2025 (2 months ago)