Threat and Vulnerability Intelligence Database

CVE-2024-12009

Description: A post-authentication command injection vulnerability in the "ZyEE" function of the Zyxel EX5601-T1 firmware version V5.70(ACDZ.3.6)C0 and earlier could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device.

CVSS: HIGH (7.2)

EPSS Score: 0.24%

Source: CVE
March 11th, 2025 (4 months ago)

CVE-2024-11253

Description: A post-authentication command injection vulnerability in the "DNSServer" parameter of the diagnostic function in the Zyxel VMG8825-T50K firmware version V5.50(ABOM.8.5)C0 and earlier could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device.

CVSS: HIGH (7.2)

EPSS Score: 0.24%

Source: CVE
March 11th, 2025 (4 months ago)

CVE-2025-27434

Description: Due to insufficient input validation, SAP Commerce (Swagger UI) allows an unauthenticated attacker to inject malicious code from remote sources, which can be leveraged to execute a cross-site scripting (XSS) attack. This could lead to a high impact on the confidentiality, integrity, and availability of data in SAP Commerce.

CVSS: HIGH (8.8)

EPSS Score: 0.03%

Source: CVE
March 11th, 2025 (4 months ago)

CVE-2025-26661

Description: Due to a missing authorization check, SAP NetWeaver (ABAP Class Builder) allows an attacker to gain higher access levels than they should have, resulting in escalation of privileges. On successful exploitation, this could result in disclosure of highly sensitive information. It could also have a high impact on the integrity and availability of the application.

CVSS: HIGH (8.8)

EPSS Score: 0.04%

Source: CVE
March 11th, 2025 (4 months ago)

CVE-2025-27925

Description: Nintex Automation 5.6 and 5.7 before 5.8 has insecure deserialization of user input.

CVSS: HIGH (8.5)

EPSS Score: 0.06%

Source: CVE
March 10th, 2025 (4 months ago)

CVE-2025-27610

Description: Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.13, 3.0.14, and 3.1.12, `Rack::Static` can serve files under the specified `root:` even if `urls:` are provided, which may unexpectedly expose other files under the specified `root:`. The vulnerability occurs because `Rack::Static` does not properly sanitize user-supplied paths before serving files. Specifically, encoded path traversal sequences are not correctly validated, allowing attackers to access files outside the designated static file directory. By exploiting this vulnerability, an attacker can gain access to all files under the specified `root:` directory, provided they are able to determine the path of the file. Versions 2.2.13, 3.0.14, and 3.1.12 contain a patch for the issue. Other mitigations include removing usage of `Rack::Static`, or ensuring that `root:` points at a directory path which only contains files that should be publicly accessible. It is likely that a CDN or similar static file server would also mitigate the issue.

CVSS: HIGH (7.5)

EPSS Score: 0.07%

Source: CVE
March 10th, 2025 (4 months ago)

Description:

Impact: Users with an enabled repository with access to repo level CI secrets in Vela are vulnerable to the exploit. Any user with access to the CI instance and the linked source control manager can perform the exploit.

Method: By spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to a separate repository. These secrets could be exfiltrated by follow-up builds to the repository.

Patches:
- v0.26.3 (Image: target/vela-server:v0.26.3)
- v0.25.3 (Image: target/vela-server:v0.25.3)

Workarounds: There are no workarounds to the issue.

References: Please see the linked CWEs (Common Weakness Enumeration) for more information.
- https://github.com/go-vela/server/security/advisories/GHSA-9m63-33q3-xq5x
- https://nvd.nist.gov/vuln/detail/CVE-2025-27616
- https://github.com/go-vela/server/commit/257886e5a3eea518548387885894e239668584f5
- https://github.com/go-vela/server/commit/67c1892e2464dc54b8d2588815dfb7819222500b
- https://github.com/go-vela/server/releases/tag/v0.25.3
- https://github.com/go-vela/server/releases/tag/v0.26.3
- https://github.com/advisories/GHSA-9m63-33q3-xq5x

CVSS: HIGH (8.6)

EPSS Score: 0.03%

Source: Github Advisory Database (Go)
March 10th, 2025 (4 months ago)

Description: The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the debug-mode error page.

References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-13918
- https://github.com/laravel/framework/pull/53869
- https://github.com/laravel/framework/releases/tag/v11.36.0
- https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20241209-01_Laravel_Reflected_XSS_via_Request_Parameter_in_Debug-Mode_Error_Page
- http://www.openwall.com/lists/oss-security/2025/03/10/3
- https://github.com/laravel/framework/commit/45287fb2a91c69bb1c110539b9b7341faf5aee33
- https://github.com/advisories/GHSA-546h-56qp-8jmw

CVSS: HIGH (8.0)

EPSS Score: 0.01%

Source: Github Advisory Database (Composer)
March 10th, 2025 (4 months ago)

Description: The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of route parameters in the debug-mode error page.

References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-13919
- https://github.com/laravel/framework/pull/53869
- https://github.com/laravel/framework/releases/tag/v11.36.0
- https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20241209-02_Laravel_Reflected_XSS_via_Route_Parameter_in_Debug-Mode_Error_Page
- http://www.openwall.com/lists/oss-security/2025/03/10/4
- https://github.com/laravel/framework/commit/45287fb2a91c69bb1c110539b9b7341faf5aee33
- https://github.com/advisories/GHSA-83wp-f5c3-hqqr

CVSS: HIGH (8.0)

EPSS Score: 0.01%

Source: Github Advisory Database (Composer)
March 10th, 2025 (4 months ago)

CVE-2025-27616

Description: Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology and written in Go. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to a separate repository. These secrets could be exfiltrated by follow-up builds to the repository. Users with an enabled repository with access to repo level CI secrets in Vela are vulnerable to the exploit, and any user with access to the CI instance and the linked source control manager can perform the exploit. Versions 0.25.3 and 0.26.3 fix the issue. No known workarounds are available.

CVSS: HIGH (8.6)

EPSS Score: 0.03%

Source: CVE
March 10th, 2025 (4 months ago)