
Threat and Vulnerability Intelligence Database

CVE-2025-27135

Description: RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. Versions 0.15.1 and prior are vulnerable to SQL injection. The ExeSQL component extracts the SQL statement from the input and sends it directly to the database query. As of time of publication, no patched version is available.

CVSS: HIGH (8.9)

EPSS Score: 0.05%

SSVC Exploitation: poc

Source: CVE
February 25th, 2025 (5 months ago)

CVE-2024-12368

Description: Improper access control in the auth_oauth module of Odoo Community 15.0 and Odoo Enterprise 15.0 allows an internal user to export the OAuth tokens of other users.

CVSS: HIGH (8.1)

EPSS Score: 0.03%

Source: CVE
February 25th, 2025 (5 months ago)

CVE-2025-1204

Description: The "update" binary in the firmware of the affected product sends mount attempts to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function triggers if the 'C' button is pressed at a specific time during the boot process. If an attacker is able to control or impersonate this IP address, they could upload and overwrite files on the device.

CVSS: HIGH (7.7)

EPSS Score: 0.06%

SSVC Exploitation: poc

Source: CVE
February 25th, 2025 (5 months ago)

CVE-2025-27109

Description: Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when put directly inside JSX fragments. For instance, ?text= would trigger XSS here.

    const [text] = createResource(() => {
      return new URL(getRequestEvent().request.url).searchParams.get("text");
    });
    return (
      <>
        Text: {text()}
      </>
    );

References:
https://github.com/solidjs/solid/security/advisories/GHSA-3qxh-p7jc-5xh6
https://nvd.nist.gov/vuln/detail/CVE-2025-27109
https://github.com/solidjs/solid/commit/b93956f28ed75469af6976a98728e313d0edd236
https://github.com/advisories/GHSA-3qxh-p7jc-5xh6

CVSS: HIGH (7.3)

EPSS Score: 0.06%

Source: Github Advisory Database (NPM)
February 25th, 2025 (5 months ago)

CVE-2025-27108

Description: Note: This advisory was originally emailed to [email protected] by @nsysean. To sum it up, the use of JavaScript's .replace() opens the door to potential XSS vulnerabilities through the special replacement patterns beginning with $. In particular, when the attributes of a Meta tag from solid-meta are user-defined, attackers can use the special replacement patterns, either $' or $`, to achieve XSS. The solid-meta package has this issue because it uses useAffect and context providers, which inject the used assets into the HTML header. "dom-expressions" uses .replace() to insert the assets, which is vulnerable to the special replacement patterns listed above. This effectively means that if the attributes of an asset tag contained user-controlled data, it would be vulnerable to XSS. For instance, there might be meta tags for the Open Graph protocol in a user profile page, but if attackers set the user query to some payload abusing .replace(), then they could execute arbitrary JavaScript in the victim's web browser. Moreover, it could be stored and cause more problems.

References:
https://github.com/ryansolid/dom-expressions/security/advisories/GHSA-hw62-58pr-7wc5
https://nvd.nist.gov/vuln/detail/CVE-2025-27108
https://github.com/ryansolid/dom-expressions/commit/521f75dfa89ed24161646e7007d9d7d21da07767
https://github.com/advisories/GHSA-hw62-58pr-7wc5

CVSS: HIGH (7.3)

EPSS Score: 0.03%

Source: Github Advisory Database (NPM)
February 25th, 2025 (5 months ago)

CVE-2025-1068

Description: There is an untrusted search path vulnerability in Esri ArcGIS AllSource 1.2 and 1.3 that may allow a low privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim performs a specific action using ArcGIS AllSource, the file could execute and run malicious commands under the context of the victim.

CVSS: HIGH (7.3)

EPSS Score: 0.01%

SSVC Exploitation: none

Source: CVE
February 25th, 2025 (5 months ago)

CVE-2025-1067

Description: There is an untrusted search path vulnerability in Esri ArcGIS Pro 3.3 and 3.4 that may allow a low privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim performs a specific action using ArcGIS Pro, the file could execute and run malicious commands under the context of the victim.

CVSS: HIGH (7.3)

EPSS Score: 0.01%

SSVC Exploitation: none

Source: CVE
February 25th, 2025 (5 months ago)

CVE-2024-49035

Description: CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2023-34192 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability

Users and administrators are also encouraged to review the Palo Alto Threat Brief: Operation Lunar Peek related to CVE-2024-0012, the Palo Alto Security Bulletin for CVE-2024-0012, and the Palo Alto Security Bulletin for CVE-2024-9474 for additional information.

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vuln...

CVSS: HIGH (8.7)

Source: All CISA Advisories
February 25th, 2025 (5 months ago)

CVE-2024-49035

Description: Microsoft Partner Center contains an improper access control vulnerability that allows an attacker to escalate privileges.

CVSS: HIGH (8.7)

Source: CISA KEV
February 25th, 2025 (5 months ago)

CVE-2025-26993

Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vito Peleg Atarim allows Reflected XSS. This issue affects Atarim: from n/a through 4.1.0.

CVSS: HIGH (7.1)

EPSS Score: 0.04%

Source: CVE
February 25th, 2025 (5 months ago)