CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE-2024-57783

Description: The desktop application in Dot through 0.9.3 allows XSS and resultant command execution because user input and LLM output are appended to the DOM with innerHTML (in render.js), and because the Electron window can access Node.js APIs.

CVSS: HIGH (8.1)

EPSS Score: 0.03%

Source: CVE
June 2nd, 2025 (about 1 month ago)

CVE-2024-20498

Description: Multiple vulnerabilities in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition to the AnyConnect VPN service on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. Cisco Meraki has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-QTRHzG2 Security Impact Rating: High CVE: CVE-2024-20498,CVE-2024-20499,CVE-2024-20500,CVE-2024-20501,CVE-2024-20502,CVE-2024-20513

CVSS: HIGH (8.6)

EPSS Score: 0.05%

Source: Cisco Security Advisory
June 2nd, 2025 (about 1 month ago)

CVE-2024-12168

Description: Yandex Telemost for Desktop before 2.7.0 has a DLL Hijacking Vulnerability because an untrusted search path is used.

CVSS: HIGH (8.4)

EPSS Score: 0.02%

Source: CVE
June 2nd, 2025 (about 1 month ago)

CVE-2025-48990

Description: NeKernal is a free and open-source operating system stack. Version 0.0.2 has a 1-byte heap overflow in `rt_copy_memory`, which unconditionally wrote a null terminator at `dst[len]`. When `len` equals the size of the destination buffer (256 bytes), that extra `'\0'` write overruns the buffer by one byte. To avoid breaking existing callers or changing the public API, the patch in commit fb7b7f658327f659c6a6da1af151cb389c2ca4ee takes a minimal approach: it simply removes the overflow-causing line without adding bounds checks or altering the function signature.

CVSS: HIGH (8.6)

EPSS Score: 0.02%

Source: CVE
June 2nd, 2025 (about 1 month ago)

CVE-2025-48957

Description: AstrBot is a large language model chatbot and development framework. A path traversal vulnerability present in versions 3.4.4 through 3.5.12 may lead to information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data. The vulnerability has been addressed in Pull Request #1676 and is included in version 3.5.13. As a workaround, users can edit the `cmd_config.json` file to disable the dashboard feature as a temporary workaround. However, it is strongly recommended to upgrade to version v3.5.13 or later to fully resolve this issue.

CVSS: HIGH (7.5)

EPSS Score: 0.08%

Source: CVE
June 2nd, 2025 (about 1 month ago)

CVE-2025-46807

Description: A Allocation of Resources Without Limits or Throttling vulnerability in sslh allows attackers to easily exhaust the file descriptors in sslh and deny legitimate users service.This issue affects sslh before 2.2.4.

CVSS: HIGH (8.7)

EPSS Score: 0.06%

Source: CVE
June 2nd, 2025 (about 1 month ago)

CVE-2025-3260

Description: A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders regardless of permissions - Editors can view/edit/delete all dashboards/folders regardless of permissions - Editors can create dashboards in any folder regardless of permissions - Anonymous users with viewer/editor roles are similarly affected Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.

CVSS: HIGH (8.3)

EPSS Score: 0.01%

Source: CVE
June 2nd, 2025 (about 1 month ago)

CVE-2025-29785

Description: quic-go is an implementation of the QUIC protocol in Go. The loss recovery logic for path probe packets that was added in the v0.50.0 release can be used to trigger a nil-pointer dereference by a malicious QUIC client. In order to do so, the attacker first sends valid QUIC packets from different remote addresses (thereby triggering the newly added path validation logic: the server sends path probe packets), and then sending ACKs for packets received from the server specifically crafted to trigger the nil-pointer dereference. v0.50.1 contains a patch that fixes the vulnerability. This release contains a test that generates random sequences of sent packets (both regular and path probe packets), that was used to verify that the patch actually covers all corner cases. No known workarounds are available.

CVSS: HIGH (7.5)

EPSS Score: 0.05%

Source: CVE
June 2nd, 2025 (about 1 month ago)

CVE-2025-5455

Description: An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code. If the function was called with malformed data, for example, an URL that contained a "charset" parameter that lacked a value (such as "data:charset,"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service (abort). This impacts Qt up to 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.

CVSS: HIGH (8.4)

EPSS Score: 0.08%

Source: CVE
June 2nd, 2025 (about 1 month ago)

CVE-2025-5113

Description: The Diviotec professional series exposes a web interface. One endpoint is vulnerable to arbitrary command injection and hardcoded passwords are used.

CVSS: HIGH (8.6)

EPSS Score: 0.67%

Source: CVE
June 2nd, 2025 (about 1 month ago)