Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2024-28671 |
Description: DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/stepselect_main.php.
CVSS: HIGH (8.8) EPSS Score: 0.23% SSVC Exploitation: poc
April 15th, 2025 (5 days ago)
|
|
CVE-2024-28195 |
Description: your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.9.0 do not protect the API and login flow against Cross-Site Request Forgery (CSRF). Attackers can use this to execute CSRF attacks on victims, allowing them to retrieve, modify or delete data on the affected YourSpotify instance. Using repeated CSRF attacks, it is also possible to create a new user on the victim instance and promote the new user to instance administrator if a legitimate administrator visits a website prepared by an attacker. Note: Real-world exploitability of this vulnerability depends on the browser version and browser settings in use by the victim. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS: HIGH (8.1) EPSS Score: 0.16% SSVC Exploitation: poc
April 15th, 2025 (5 days ago)
|
|
CVE-2024-1772 |
Description: The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.4 via deserialization of untrusted input from the play_podcast_data post meta. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVSS: HIGH (8.8) EPSS Score: 1.0% SSVC Exploitation: none
April 15th, 2025 (5 days ago)
|
|
CVE-2025-2631 |
Description: View CSAF
1. EXECUTIVE SUMMARY
CVSS v4 7.1
ATTENTION: Low attack complexity
Vendor: National Instruments
Equipment: LabVIEW
Vulnerabilities: Out-of-bounds Write
2. RISK EVALUATION
Successful exploitation of these vulnerabilities lead to the execution of arbitrary code on affected installations of LabVIEW, which could result in invalid memory writes.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of LabVIEW are affected:
LabVIEW: 2025 Q1 and prior versions
3.2 VULNERABILITY OVERVIEW
3.2.1 OUT-OF-BOUNDS WRITE CWE-787
LabVIEW 2025 Q1 and prior versions are vulnerable to an out-of-bounds write when parsing user-supplied data, which may allow an attacker to remotely execute arbitrary code.
CVE-2025-2631 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-2631. A base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 OUT-OF-BOUNDS WRITE CWE-787
LabVIEW 2025 Q1 and prior versions are vulnerable to an out-of-bounds write when parsing user-supplied data, which may allow an attacker to remotely execute arbitrary code.
CVE-2025-2632 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for C...
CVSS: HIGH (7.8) EPSS Score: 0.02%
April 15th, 2025 (5 days ago)
|
|
CVE-2025-32948 |
Description: The vulnerability allows any attacker to cause the PeerTube server to stop functioning, or in special cases send requests to arbitrary URLs (Blind SSRF). Attackers can send ActivityPub activities to PeerTube's "inbox" endpoint. By abusing the "Create Activity" functionality, it is possible to create crafted playlists which will cause either denial of service or an attacker-controlled blind SSRF.
CVSS: HIGH (7.5) EPSS Score: 0.04%
April 15th, 2025 (5 days ago)
|
|
CVE-2025-32947 |
Description: This vulnerability allows any attacker to cause the PeerTube server to stop responding to requests due to an infinite loop in the "inbox" endpoint when receiving crafted ActivityPub activities.
CVSS: HIGH (7.5) EPSS Score: 0.04% SSVC Exploitation: poc
April 15th, 2025 (5 days ago)
|
|
CVE-2025-31011 |
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ReichertBrothers SimplyRETS Real Estate IDX allows Reflected XSS. This issue affects SimplyRETS Real Estate IDX: from n/a through 3.0.3.
CVSS: HIGH (7.1) EPSS Score: 0.03%
April 15th, 2025 (5 days ago)
|
|
CVE-2025-30962 |
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound FS Poster allows Reflected XSS. This issue affects FS Poster: from n/a through 6.5.8.
CVSS: HIGH (7.1) EPSS Score: 0.03%
April 15th, 2025 (5 days ago)
|
|
CVE-2025-26959 |
Description: Missing Authorization vulnerability in Quý Lê 91 Administrator Z allows Privilege Escalation. This issue affects Administrator Z: from n/a through 2025.03.24.
CVSS: HIGH (8.8) EPSS Score: 0.04%
April 15th, 2025 (5 days ago)
|
|
CVE-2025-26958 |
Description: Missing Authorization vulnerability in NotFound JetBlog allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects JetBlog: from n/a through 2.4.3.
CVSS: HIGH (7.5) EPSS Score: 0.03%
April 15th, 2025 (5 days ago)
|