CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-46627 |
Description: Use of weak credentials in the Tenda RX2 Pro 16.03.30.14 allows an unauthenticated attacker to authenticate to the telnet service by calculating the root password based on easily-obtained device information. The password is based on the last two digits/octets of the MAC address.
CVSS: HIGH (8.2) EPSS Score: 0.05%
May 1st, 2025 (about 2 months ago)
|
|
CVE-2025-46626 |
Description: Reuse of a static AES key and initialization vector for encrypted traffic to the 'ate' management service of the Tenda RX2 Pro 16.03.30.14 allows an attacker to decrypt, replay, and/or forge traffic to the service.
CVSS: HIGH (7.3) EPSS Score: 0.02%
May 1st, 2025 (about 2 months ago)
|
|
CVE-2025-46569 |
Description: Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a single data document reference is constructed from the requested path. This query is then used for policy evaluation. A HTTP request path can be crafted in a way that injects Rego code into the constructed query. The evaluation result cannot be made to return any other data than what is generated by the requested path, but this path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail; opening up for oracle attacks or, given the right circumstances, erroneous policy decision results. Furthermore, the injected code can be crafted to be computationally expensive, resulting in a Denial Of Service (DoS) attack. This issue has been patched in version 1.4.0. A workaround involves having network access to OPA’s RESTful APIs being limited to `localhost` and/or trusted networks, unless necessary for production reasons.
CVSS: HIGH (7.4) EPSS Score: 0.02%
May 1st, 2025 (about 2 months ago)
|
|
CVE-2025-4174 |
Description: A vulnerability, which was classified as critical, has been found in PHPGurukul COVID19 Testing Management System 1.0. Affected by this issue is some unknown functionality of the file /login.php. The manipulation of the argument Username leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Eine kritische Schwachstelle wurde in PHPGurukul COVID19 Testing Management System 1.0 entdeckt. Hierbei geht es um eine nicht exakt ausgemachte Funktion der Datei /login.php. Durch Manipulation des Arguments Username mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff über das Netzwerk. Der Exploit steht zur öffentlichen Verfügung.
CVSS: HIGH (7.3) EPSS Score: 0.04%
May 1st, 2025 (about 2 months ago)
|
|
CVE-2025-36521 |
Description: MicroDicom DICOM Viewer is vulnerable to an out-of-bounds read which may allow an attacker to cause memory corruption within the application. The user must open a malicious DCM file for exploitation.
CVSS: HIGH (8.8) EPSS Score: 0.04% SSVC Exploitation: none
May 1st, 2025 (about 2 months ago)
|
|
CVE-2025-35975 |
Description: MicroDicom DICOM Viewer is vulnerable to an out-of-bounds write which may allow an attacker to execute arbitrary code. The user must open a malicious DCM file for exploitation.
CVSS: HIGH (8.8) EPSS Score: 0.07% SSVC Exploitation: none
May 1st, 2025 (about 2 months ago)
|
|
CVE-2025-46568 |
Description: Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. Prior to version 0.45.0, Stirling-PDF is vulnerable to SSRF-induced arbitrary file read. WeasyPrint redefines a set of HTML tags, including img, embed, object, and others. The references to several files inside, allow the attachment of content from any webpage or local file to a PDF. This allows the attacker to read any file on the server, including sensitive files and configuration files. All users utilizing this feature will be affected. This issue has been patched in version 0.45.0.
CVSS: HIGH (7.7) EPSS Score: 0.05%
May 1st, 2025 (about 2 months ago)
|
|
CVE-2025-32889 |
Description: An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. The verification token used for sending SMS through a goTenna server is hardcoded in the app.
CVSS: HIGH (7.3) EPSS Score: 0.02%
May 1st, 2025 (about 2 months ago)
|
|
CVE-2025-32888 |
Description: An issue was discovered on goTenna Mesh devices with app 5.5.3 and firmware 1.1.12. The verification token used for sending SMS through a goTenna server is hardcoded in the app.
CVSS: HIGH (7.3) EPSS Score: 0.02%
May 1st, 2025 (about 2 months ago)
|
|
CVE-2025-32887 |
Description: An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. A command channel includes the next hop. which can be intercepted and used to break frequency hopping.
CVSS: HIGH (7.1) EPSS Score: 0.01%
May 1st, 2025 (about 2 months ago)
|