Threat and Vulnerability Intelligence Database

CVE-2024-9840

Description: A Denial of Service (DoS) vulnerability exists in open-webui/open-webui version 0.3.21. This vulnerability affects multiple endpoints, including /ollama/models/upload, /audio/api/v1/transcriptions, and /rag/api/v1/doc. The application processes multipart boundaries without authentication, leading to resource exhaustion. By appending additional characters to the multipart boundary, an attacker can cause the server to parse each byte of the boundary, ultimately leading to service unavailability. This vulnerability can be exploited remotely, resulting in high CPU and memory usage, and rendering the service inaccessible to legitimate users.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-9840
https://huntr.com/bounties/9178f09e-4d4f-4a5b-bc32-cada7445b03c
https://github.com/advisories/GHSA-5ccf-884p-4jjq

CVSS: HIGH (7.5)

EPSS Score: 0.09%

Source: Github Advisory Database (NPM)
March 21st, 2025 (3 months ago)

CVE-2025-26336

Description: Dell Chassis Management Controller Firmware for Dell PowerEdge FX2, version(s) prior to 2.40.200.202101130302, and Dell Chassis Management Controller Firmware for Dell PowerEdge VRTX version(s) prior to 3.41.200.202209300499, contain(s) a Stack-based Buffer Overflow vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Remote execution.

CVSS: HIGH (8.3)

EPSS Score: 0.06%

Source: CVE
March 21st, 2025 (3 months ago)

CVE-2025-2585

Description: EBM Maintenance Center From EBM Technologies has a SQL Injection vulnerability, allowing remote attackers with regular privileges to inject arbitrary SQL commands to read, modify, and delete database contents.

CVSS: HIGH (8.8)

EPSS Score: 0.07%

Source: CVE
March 21st, 2025 (3 months ago)

CVE-2024-21149

Description: Vulnerability in the Oracle Enterprise Asset Management product of Oracle E-Business Suite (component: Work Definition Issues). Supported versions that are affected are 12.2.11-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Asset Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Asset Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Asset Management accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

CVSS: HIGH (8.1)

EPSS Score: 0.25%

SSVC Exploitation: none

Source: CVE
March 20th, 2025 (4 months ago)

CVE-2024-42052

Description: The MSI installer for Splashtop Streamer for Windows before 3.5.8.0 uses a temporary folder with weak permissions during installation. A local user can exploit this to escalate privileges to SYSTEM by placing a wevtutil.exe file in the folder.

CVSS: HIGH (7.8)

EPSS Score: 0.02%

SSVC Exploitation: none

Source: CVE
March 20th, 2025 (4 months ago)

CVE-2025-30160

Description: Redlib is an alternative private front-end to Reddit. A vulnerability has been identified in Redlib where an attacker can cause a denial-of-service (DoS) condition by submitting a specially crafted base2048-encoded DEFLATE decompression bomb to the restore_preferences form. This leads to excessive memory consumption and potential system instability, which can be exploited to disrupt Redlib instances. This vulnerability is fixed in 0.36.0.

CVSS: HIGH (8.7)

EPSS Score: 0.06%

Source: CVE
March 20th, 2025 (4 months ago)

CVE-2024-4941

Description: A local file inclusion vulnerability exists in the JSON component of gradio-app/gradio version 4.25. The vulnerability arises from improper input validation in the `postprocess()` function within `gradio/components/json_component.py`, where a user-controlled string is parsed as JSON. If the parsed JSON object contains a `path` key, the specified file is moved to a temporary directory, making it possible to retrieve it later via the `/file=..` endpoint. This issue is due to the `processing_utils.move_files_to_cache()` function traversing any object passed to it, looking for a dictionary with a `path` key, and then copying the specified file to a temporary directory. The vulnerability can be exploited by an attacker to read files on the remote system, posing a significant security risk.

CVSS: HIGH (7.5)

EPSS Score: 0.14%

SSVC Exploitation: poc

Source: CVE
March 20th, 2025 (4 months ago)

CVE-2024-10188

Description: A vulnerability in BerriAI/litellm, as of commit 26c03c9, allows unauthenticated users to cause a Denial of Service (DoS) by exploiting the use of ast.literal_eval to parse user input. This function is not safe and is prone to DoS attacks, which can crash the litellm Python server.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-10188
https://github.com/berriai/litellm/commit/21156ff5d0d84a7dd93f951ca033275c77e4f73c
https://huntr.com/bounties/96a32812-213c-4819-ba4e-36143d35e95b
https://github.com/advisories/GHSA-gw2q-qw9j-rgv7

CVSS: HIGH (7.5)

EPSS Score: 0.04%

Source: Github Advisory Database (PIP)
March 20th, 2025 (4 months ago)

CVE-2024-10110

Description: In version 3.23.0 of aimhubio/aim, the ScheduledStatusReporter object can be instantiated to run on the main thread of the tracking server, leading to the main thread being blocked indefinitely. This results in a denial of service as the tracking server becomes unable to respond to other requests.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-10110
https://huntr.com/bounties/5ea6cf56-7b4c-4dce-9b6c-3e910fbb1ae4
https://github.com/aimhubio/aim/blob/a566d4a2501c96a545a3c89d92af6ad7e7e0da99/aim/sdk/reporter/__init__.py#L789
https://github.com/advisories/GHSA-fx47-jpv9-7hxr

CVSS: HIGH (7.5)

EPSS Score: 0.06%

Source: Github Advisory Database (PIP)
March 20th, 2025 (4 months ago)

CVE-2025-22228

Description: BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.

References:
https://nvd.nist.gov/vuln/detail/CVE-2025-22228
https://spring.io/security/cve-2025-22228
https://github.com/spring-projects/spring-security/commit/46f0dc6dfc8402cd556c598fdf2d31f9d46cdbf3
https://github.com/advisories/GHSA-mg83-c7gq-rv5c

CVSS: HIGH (7.4)

EPSS Score: 0.04%

Source: Github Advisory Database (Maven)
March 20th, 2025 (4 months ago)