CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-30153 |
Description: kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system memory. The root cause comes from the ZipFileBodyDecoder, which is registered automatically by the module (contrary to what the documentation says). This vulnerability is fixed in 0.131.0.
CVSS: HIGH (7.5) EPSS Score: 0.07%
March 19th, 2025 (4 months ago)
|
|
CVE-2025-30154 |
🚨 Marked as known exploited on March 24th, 2025 (3 months ago).
Description: reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.
CVSS: HIGH (8.6) EPSS Score: 42.39%
March 19th, 2025 (4 months ago)
|
|
CVE-2024-33535 |
Description: An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability involves unauthenticated local file inclusion (LFI) in a web application, specifically impacting the handling of the packages parameter. Attackers can exploit this flaw to include arbitrary local files without authentication, potentially leading to unauthorized access to sensitive information. The vulnerability is limited to files within a specific directory.
CVSS: HIGH (7.5) EPSS Score: 0.16% SSVC Exploitation: none
March 19th, 2025 (4 months ago)
|
|
CVE-2024-35518 |
Description: Netgear EX6120 v1.0.0.68 is vulnerable to Command Injection in genie_fix2.cgi via the wan_dns1_pri parameter.
CVSS: HIGH (8.4) EPSS Score: 1.24% SSVC Exploitation: none
March 19th, 2025 (4 months ago)
|
|
CVE-2024-10444 |
Description: Improper certificate validation vulnerability in the LDAP utilities in Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.2.1-69057-7 and 7.2.2-72806-3 allows man-in-the-middle attackers to hijack the authentication of administrators via unspecified vectors.
CVSS: HIGH (7.5) EPSS Score: 0.02% SSVC Exploitation: none
March 19th, 2025 (4 months ago)
|
|
CVE-2024-13933 |
Description: The FoodBakery | Delivery Restaurant Directory WordPress Theme theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.7. This is due to missing or incorrect nonce validation on the foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings, ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, and theme_option_rest_all functions. This makes it possible for unauthenticated attackers to delete arbitrary files, update theme options, export widget options, import widget options, generate backups, restore backups, and reset theme options via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS: HIGH (8.8) EPSS Score: 0.03%
March 19th, 2025 (4 months ago)
|
|
CVE-2024-12920 |
Description: The FoodBakery | Delivery Restaurant Directory WordPress Theme theme for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings, ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, and theme_option_rest_all functions in all versions up to, and including, 4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files, update theme options, export widget options, import widget options, generate backups, restore backups, and reset theme options.
CVSS: HIGH (8.8) EPSS Score: 0.05%
March 19th, 2025 (4 months ago)
|
|
CVE-2024-12137 |
Description: Authentication Bypass by Capture-replay vulnerability in Elfatek Elektronics ANKA JPD-00028 allows Session Hijacking.This issue affects ANKA JPD-00028: through 19.03.2025.
NOTE: The vendor did not inform about the completion of the fixing process within the specified time. The CVE will be updated when new information becomes available.
CVSS: HIGH (7.6) EPSS Score: 0.03%
March 19th, 2025 (4 months ago)
|
|
CVE-2024-13412 |
Description: The CozyStay theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handler function in all versions up to, and including, 1.7.0. This makes it possible for unauthenticated attackers to execute arbitrary actions.
CVSS: HIGH (7.5) EPSS Score: 0.04%
March 19th, 2025 (4 months ago)
|
|
CVE-2024-50631 |
Description: Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in the system syncing daemon in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102 allows remote attackers to inject SQL commands, limited to write operations, via unspecified vectors.
CVSS: HIGH (7.5) EPSS Score: 0.05%
March 19th, 2025 (4 months ago)
|