Threat and Vulnerability Intelligence Database

CVE-2025-27152

Description: Nessus Plugin ID 234538 with High Severity

Synopsis: The remote SUSE host is missing one or more security updates.

Description: The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:1326-1 advisory.

- CVE-2025-27152: Fixed SSRF and credential leakage due to requests sent to an absolute URL even when baseURL is set (bsc#1239308)
- CVE-2023-1907: Fixed an issue which could result in users being authenticated in another user's session if two users authenticate simultaneously via LDAP (bsc#1234840)
- CVE-2024-4068: Fixed a possible memory exhaustion (bsc#1224295)

Tenable has extracted the preceding description block directly from the SUSE security advisory. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution: Update the affected pgadmin4, pgadmin4-doc and / or pgadmin4-web packages.

Read more at https://www.tenable.com/plugins/nessus/234538

CVSS: HIGH (7.7)

Source: Tenable Plugins
April 17th, 2025 (2 months ago)

CVE-2025-31492

Description: Nessus Plugin ID 234540 with High Severity

Synopsis: The remote SUSE host is missing a security update.

Description: The remote SUSE Linux SLES15 / SLES_SAP15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2025:1324-1 advisory.

- CVE-2025-31492: Fixed a bug where OIDCProviderAuthRequestMethod POSTs can leak protected data. (bsc#1240893)

Tenable has extracted the preceding description block directly from the SUSE security advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution: Update the affected apache2-mod_auth_openidc package.

Read more at https://www.tenable.com/plugins/nessus/234540

CVSS: HIGH (8.2)

EPSS Score: 0.4%

Source: Tenable Plugins
April 17th, 2025 (2 months ago)

CVE-2025-30712

Description: Nessus Plugin ID 234547 with High Severity

Synopsis: The remote host is affected by multiple vulnerabilities.

Description: The 7.1.6 versions of VM VirtualBox installed on the remote host are affected by multiple vulnerabilities as referenced in the April 2025 CPU advisory.

- Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.1.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. (CVE-2025-30712)
- Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.1.6. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox....

CVSS: HIGH (8.1)

EPSS Score: 0.02%

Source: Tenable Plugins
April 17th, 2025 (2 months ago)

CVE-2025-2188

Description: There is a whitelist mechanism bypass in GameCenter; successful exploitation of this vulnerability may affect service confidentiality and integrity.

CVSS: HIGH (8.1)

EPSS Score: 0.03%

Source: CVE
April 17th, 2025 (2 months ago)

CVE-2025-1532

Description: The Phoneservice module is affected by a code injection vulnerability; successful exploitation of this vulnerability may affect service confidentiality and integrity.

CVSS: HIGH (8.1)

EPSS Score: 0.03%

Source: CVE
April 17th, 2025 (2 months ago)

CVE-2025-2903

Description: An attacker with knowledge of creating user accounts during VM deployment on Google Cloud Platform (GCP) using the OS Login feature can log in via SSH, gaining command-line control of the operating system. This allows an attacker to gain access to sensitive data stored on the VM, install malicious software, and disrupt or disable the functionality of the VM.

CVSS: HIGH (8.5)

EPSS Score: 0.02%

Source: CVE
April 17th, 2025 (2 months ago)

CVE-2025-3294

Description: The WP Editor plugin for WordPress is vulnerable to arbitrary file update due to missing file path validation in all versions up to, and including, 1.2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to overwrite arbitrary files on the affected site's server which may make remote code execution possible assuming the files can be written to by the web server.

CVSS: HIGH (7.2)

EPSS Score: 0.22%

Source: CVE
April 17th, 2025 (2 months ago)

CVE-2024-13925

Description: The Klarna Checkout for WooCommerce WordPress plugin before 2.13.5 exposes an unauthenticated WooCommerce Ajax endpoint that allows an attacker to flood the log files with data at the maximum size allowed for a POST parameter per request. This can result in rapid consumption of disk space, potentially filling the entire disk.

CVSS: HIGH (7.5)

EPSS Score: 0.05%

Source: CVE
April 17th, 2025 (2 months ago)

CVE-2025-43715

Description: Nullsoft Scriptable Install System (NSIS) before 3.11 on Windows allows local users to escalate privileges to SYSTEM during an installation, because the temporary plugins directory is created under %WINDIR%\temp and unprivileged users can place a crafted executable file by winning a race condition. This occurs because EW_CREATEDIR does not always set the CreateRestrictedDirectory error flag.

CVSS: HIGH (8.1)

EPSS Score: 0.02%

Source: CVE
April 17th, 2025 (2 months ago)

CVE-2025-31478

Description: Zulip is an open-source team collaboration tool. Zulip supports a configuration where account creation is limited solely by being able to authenticate with a single-sign-on authentication backend, meaning the organization places no restrictions on email address domains and does not require invitations to join, but has disabled the EmailAuthBackend that is used for email/password authentication. A bug in the Zulip server means that it is possible to create an account in such organizations without having an account with the configured SSO authentication backend. This issue is patched in version 10.2. As a workaround, requiring invitations to join the organization prevents the vulnerability from being exploited.

CVSS: HIGH (8.2)

EPSS Score: 0.05%

Source: CVE
April 16th, 2025 (2 months ago)