CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-3761
My Tickets – Accessible Event Ticketing <= 2.0.16 - Authenticated (Subscriber+) Privilege Escalation
Description: The My Tickets – Accessible Event Ticketing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.0.16. This is due to the mt_save_profile() function not appropriately restricting access to unauthorized users to update roles. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to that of an administrator.

CVSS: HIGH (8.8)

EPSS Score: 0.04%

Source: CVE
April 24th, 2025 (2 months ago)

CVE-2025-1908
Business Logic Errors in GitLab
Description: An issue has been discovered in GitLab EE/CE that could allow an attacker to track users' browsing activities, potentially leading to full account take-over, affecting all versions from 16.6 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1.

CVSS: HIGH (7.7)

EPSS Score: 0.01%

Source: CVE
April 24th, 2025 (2 months ago)

CVE-2024-2637
Insecure Loading of Code in B&R Products
Description: An Uncontrolled Search Path Element vulnerability in B&R Industrial Automation Scene Viewer, B&R Industrial Automation Automation Runtime, B&R Industrial Automation mapp Vision, B&R Industrial Automation mapp View, B&R Industrial Automation mapp Cockpit, B&R Industrial Automation mapp Safety, B&R Industrial Automation VC4, B&R Industrial Automation APROL, B&R Industrial Automation CAN Driver, B&R Industrial Automation CAN Driver CC770, B&R Industrial Automation CAN Driver SJA1000, B&R Industrial Automation Tou0ch Lock, B&R Industrial Automation B&R Single-Touch Driver, B&R Industrial Automation Serial User Mode Touch Driver, B&R Industrial Automation Windows Settings Changer (LTSC), B&R Industrial Automation Windows Settings Changer (2019 LTSC), B&R Industrial Automation Windows 10 Recovery Solution, B&R Industrial Automation ADI driver universal, B&R Industrial Automation ADI Development Kit, B&R Industrial Automation ADI .NET SDK, B&R Industrial Automation SRAM driver, B&R Industrial Automation HMI Service Center, B&R Industrial Automation HMI Service Center Maintenance, B&R Industrial Automation Windows 10 IoT Enterprise 2019 LTSC, B&R Industrial Automation KCF Editor could allow an authenticated local attacker to execute malicious code by placing specially crafted files in the loading search path..This issue affects Scene Viewer: before 4.4.0; Automation Runtime: before J4.93; mapp Vision: before 5.26.1; mapp View: before 5.24.2; mapp Cockpit: before 5.24.2; mapp Safet...

CVSS: HIGH (7.2)

EPSS Score: 0.02%

SSVC Exploitation: none

Source: CVE
April 24th, 2025 (2 months ago)

CVE-2025-1976
Code injection exposure in Fabric OS 9.1.0 through 9.1.1d6
🚨 Marked as known exploited on April 28th, 2025 (about 2 months ago).
Description: Brocade Fabric OS versions starting with 9.1.0 have root access removed, however, a local user with admin privilege can potentially execute arbitrary code with full root privileges on Fabric OS versions 9.1.0 through 9.1.1d6.

CVSS: HIGH (8.6)

EPSS Score: 1.79%

Source: CVE
April 24th, 2025 (2 months ago)

CVE-2025-27580
NIH BRICS (aka Biomedical Research Informatics Computing System) through 14.0.0-67 generates predictable tokens (that depend on username, time, and...
Description: NIH BRICS (aka Biomedical Research Informatics Computing System) through 14.0.0-67 generates predictable tokens (that depend on username, time, and the fixed 7Dl9#dj- string) and thus allows unauthenticated users with a Common Access Card (CAC) to escalate privileges and compromise any account, including administrators.

CVSS: HIGH (7.5)

EPSS Score: 0.08%

Source: CVE
April 24th, 2025 (2 months ago)
[@posthog/plugin-server] PostHog Plugin Server SQL Injection Vulnerability
Description: PostHog ClickHouse Table Functions SQL Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of PostHog. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the SQL parser. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the database account. Was ZDI-CAN-25350. References https://nvd.nist.gov/vuln/detail/CVE-2025-1520 https://github.com/PostHog/posthog/commit/6e8f035f9acd339c5ba87ba6ea40fc1ab3053d42 https://www.zerodayinitiative.com/advisories/ZDI-25-099 https://github.com/advisories/GHSA-v64v-fq96-c5wv

CVSS: HIGH (7.1)

EPSS Score: 0.56%

Source: Github Advisory Database (NPM)
April 23rd, 2025 (2 months ago)

CVE-2025-28028
TOTOLINK A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 were found...
Description: TOTOLINK A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 were found to contain a buffer overflow vulnerability in downloadFile.cgi through the v5 parameter.

CVSS: HIGH (7.3)

EPSS Score: 0.11%

Source: CVE
April 23rd, 2025 (2 months ago)

CVE-2025-28018
TOTOLINK A800R V4.1.2cu.5137_B20200730 was found to contain a buffer overflow vulnerability in downloadFile.cgi through the v14 parameter.
Description: TOTOLINK A800R V4.1.2cu.5137_B20200730 was found to contain a buffer overflow vulnerability in downloadFile.cgi through the v14 parameter.

CVSS: HIGH (7.3)

EPSS Score: 0.17%

Source: CVE
April 23rd, 2025 (2 months ago)

CVE-2025-2773
BEC Technologies Multiple Routers sys ping Command Injection Remote Code Execution Vulnerability
Description: BEC Technologies Multiple Routers sys ping Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of BEC Technologies Multiple Routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the management interface, which listens on TCP port 22 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-25903.

CVSS: HIGH (7.2)

EPSS Score: 0.33%

Source: CVE
April 23rd, 2025 (2 months ago)

CVE-2025-2769
Bdrive NetDrive Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
Description: Bdrive NetDrive Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Bdrive NetDrive. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the configuration of OpenSSL. The product loads an OpenSSL configuration file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-25295.

CVSS: HIGH (7.8)

EPSS Score: 0.02%

Source: CVE
April 23rd, 2025 (2 months ago)