CVE-2025-26890 |
Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PluginUs.Net HUSKY allows PHP Local File Inclusion. This issue affects HUSKY: from n/a through 1.3.6.4.
CVSS: HIGH (7.5) EPSS Score: 0.13%
March 27th, 2025 (3 months ago)
|
CVE-2025-26874 |
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MemberSpace allows Reflected XSS. This issue affects MemberSpace: from n/a through 2.1.13.
CVSS: HIGH (7.1) EPSS Score: 0.03%
March 27th, 2025 (3 months ago)
|
CVE-2024-21073 |
Description: Vulnerability in the Oracle Trade Management product of Oracle E-Business Suite (component: Claim LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Trade Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Trade Management accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVSS: HIGH (7.5) EPSS Score: 0.19% SSVC Exploitation: none
March 27th, 2025 (3 months ago)
|
CVE-2024-22264 |
Description: VMware Avi Load Balancer contains a privilege escalation vulnerability. A malicious actor with admin privileges on VMware Avi Load Balancer can create, modify, execute and delete files as a root user on the host system.
CVSS: HIGH (7.2) EPSS Score: 0.49% SSVC Exploitation: none
March 27th, 2025 (3 months ago)
|
CVE-2024-21111 |
Description: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.16. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. Note: This vulnerability applies to Windows hosts only. CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
CVSS: HIGH (7.8) EPSS Score: 1.51% SSVC Exploitation: poc
March 27th, 2025 (3 months ago)
|
|
Description: PoC Code to Exploit the IngressNightmare Vulnerabilities (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, and CVE-2025-1974)
CVSS: HIGH (8.8) EPSS Score: 4.82%
March 27th, 2025 (3 months ago)
|
|
🚨 Marked as known exploited on April 10th, 2025 (3 months ago).
Description: Impact
A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild.
Patches
Fixed in Synapse v1.127.1.
Workarounds
Closed federation environments of trusted servers or non-federating installations are not affected.
For more information
If you have any questions or comments about this advisory, please email us at security at element.io.
References
https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6
https://nvd.nist.gov/vuln/detail/CVE-2025-30355
https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389
https://github.com/element-hq/synapse/releases/tag/v1.127.1
https://github.com/advisories/GHSA-v56r-hwv5-mxg6
CVSS: HIGH (7.1) EPSS Score: 0.94%
March 27th, 2025 (3 months ago)
|
|
Description: From @jackfromeast and @superboy-zjc:
We have identified a class pollution vulnerability in the Mesop (<= 0.14.0) application that allows attackers to overwrite global variables and class attributes in certain Mesop modules during runtime. This vulnerability could directly lead to a denial of service (DoS) attack against the server. Additionally, it could also result in other severe consequences given the application's implementation, such as identity confusion, where an attacker could impersonate an assistant or system role within conversations. This impersonation could potentially enable jailbreak attacks when interacting with large language models (LLMs).
Just like JavaScript's prototype pollution, this vulnerability could leave a way for attackers to manipulate the intended data-flow or control-flow of the application at runtime and lead to severe consequences like RCE when gadgets are available.
References
https://github.com/mesop-dev/mesop/security/advisories/GHSA-f3mf-hm6v-jfhh
https://nvd.nist.gov/vuln/detail/CVE-2025-30358
https://github.com/mesop-dev/mesop/commit/748e20d4a363d89b841d62213f5b0c6b4bed788f
https://github.com/advisories/GHSA-f3mf-hm6v-jfhh
CVSS: HIGH (8.1) EPSS Score: 0.32%
March 27th, 2025 (3 months ago)
|
CVE-2024-22397 |
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in the SonicOS SSLVPN portal allows a remote authenticated attacker as a firewall 'admin' user to store and execute arbitrary JavaScript code.
CVSS: HIGH (8.3) EPSS Score: 0.12% SSVC Exploitation: none
March 27th, 2025 (3 months ago)
|
CVE-2024-4622 |
Description: If misconfigured, alpitronic Hypercharger EV charging devices can expose a web interface protected by authentication. If the default credentials are not changed, an attacker can use public knowledge to access the device as an administrator.
CVSS: HIGH (8.3) EPSS Score: 0.17% SSVC Exploitation: none
March 27th, 2025 (3 months ago)
|