Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-43715 |
Description: Nullsoft Scriptable Install System (NSIS) before 3.11 on Windows allows local users to escalate privileges to SYSTEM during an installation, because the temporary plugins directory is created under %WINDIR%\temp and unprivileged users can place a crafted executable file by winning a race condition. This occurs because EW_CREATEDIR does not always set the CreateRestrictedDirectory error flag.
CVSS: HIGH (8.1) EPSS Score: 0.01%
April 17th, 2025 (3 days ago)
|
|
CVE-2025-31478 |
Description: Zulip is an open-source team collaboration tool. Zulip supports a configuration where account creation is limited solely by being able to authenticate with a single-sign on authentication backend, meaning the organization places no restrictions on email address domains or invitations being required to join, but has disabled the EmailAuthBackend that is used for email/password authentication. A bug in the Zulip server means that it is possible to create an account in such organizations, without having an account with the configured SSO authentication backend. This issue is patched in version 10.2. A workaround includes requiring invitations to join the organization prevents the vulnerability from being accessed.
CVSS: HIGH (8.2) EPSS Score: 0.04%
April 16th, 2025 (3 days ago)
|
|
CVE-2025-25230 |
Description: Omnissa Horizon Client for Windows contains an LPE Vulnerability. A malicious actor with local access where Horizon Client for Windows is installed may be able to elevate privileges.
CVSS: HIGH (7.8) EPSS Score: 0.01%
April 16th, 2025 (3 days ago)
|
|
CVE-2024-27101 |
Description: SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Integer overflow in chunking helper causes dispatching to miss elements or panic. Any SpiceDB cluster with any schema where a resource being checked has more than 65535 relationships for the same resource and subject type is affected by this problem. The CheckPermission, BulkCheckPermission, and LookupSubjects API methods are affected. This vulnerability is fixed in 1.29.2.
CVSS: HIGH (7.3) EPSS Score: 0.04% SSVC Exploitation: none
April 16th, 2025 (3 days ago)
|
|
CVE-2024-0692 |
Description: The SolarWinds Security Event Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse SolarWinds’ service, resulting in remote code execution.
CVSS: HIGH (8.8) EPSS Score: 76.78% SSVC Exploitation: none
April 16th, 2025 (3 days ago)
|
|
CVE-2025-31200 |
🚨 Marked as known exploited on April 17th, 2025 (3 days ago).
Description: A memory corruption issue was addressed with improved bounds checking. This issue is fixed in tvOS 18.4.1, visionOS 2.4.1, iOS iOS 18.4.1 and iPadOS 18.4.1, macOS Sequoia 15.4.1. Processing an audio stream in a maliciously crafted media file may result in code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.
CVSS: HIGH (7.5) EPSS Score: 0.45% SSVC Exploitation: none
April 16th, 2025 (3 days ago)
|
|
CVE-2024-43888 |
Description: In the Linux kernel, the following vulnerability has been resolved:
mm: list_lru: fix UAF for memory cgroup
The mem_cgroup_from_slab_obj() is supposed to be called under rcu lock or
cgroup_mutex or others which could prevent returned memcg from being
freed. Fix it by adding missing rcu read lock.
Found by code inspection.
[[email protected]: only grab rcu lock when necessary, per Vlastimil]
CVSS: HIGH (7.8) EPSS Score: 0.04% SSVC Exploitation: none
April 16th, 2025 (3 days ago)
|
|
CVE-2025-32872 |
Description: A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'GetOverview' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.
CVSS: HIGH (8.8) EPSS Score: 0.1%
April 16th, 2025 (3 days ago)
|
|
CVE-2025-32871 |
Description: A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'MigrateDatabase' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.
CVSS: HIGH (8.8) EPSS Score: 0.1%
April 16th, 2025 (3 days ago)
|
|
CVE-2025-32870 |
Description: A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'GetTraces' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.
CVSS: HIGH (8.8) EPSS Score: 0.1%
April 16th, 2025 (3 days ago)
|