CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-26156 |
Description: A SQL Injection vulnerability was found in /shopping/track-orders.php in PHPGurukul Online Shopping Portal v2.1, which allows remote attackers to execute arbitrary code via orderid POST request parameter.
CVSS: HIGH (8.8) EPSS Score: 0.04%
February 15th, 2025 (5 months ago)
|
|
CVE-2025-25997 |
Description: Directory Traversal vulnerability in FeMiner wms v.1.0 allows a remote attacker to obtain sensitive information via the databak.php component.
CVSS: HIGH (7.3) EPSS Score: 0.04%
February 15th, 2025 (5 months ago)
|
|
CVE-2025-25745 |
Description: D-Link DIR-853 A1 FW1.20B07 was discovered to contain a stack-based buffer overflow vulnerability via the Password parameter in the SetQuickVPNSettings module.
CVSS: HIGH (8.8) EPSS Score: 0.04%
February 15th, 2025 (5 months ago)
|
|
CVE-2025-25297 |
Description: Label Studio is an open source data labeling tool. Prior to version 1.16.0, Label Studio's S3 storage integration feature contains a Server-Side Request Forgery (SSRF) vulnerability in its endpoint configuration. When creating an S3 storage connection, the application allows users to specify a custom S3 endpoint URL via the s3_endpoint parameter. This endpoint URL is passed directly to the boto3 AWS SDK without proper validation or restrictions on the protocol or destination. The vulnerability allows an attacker to make the application send HTTP requests to arbitrary internal services by specifying them as the S3 endpoint. When the storage sync operation is triggered, the application attempts to make S3 API calls to the specified endpoint, effectively making HTTP requests to the target service and returning the response in error messages. This SSRF vulnerability enables attackers to bypass network segmentation and access internal services that should not be accessible from the external network. The vulnerability is particularly severe because error messages from failed requests contain the full response body, allowing data exfiltration from internal services. Version 1.16.0 contains a patch for the issue.
CVSS: HIGH (8.6) EPSS Score: 0.04%
February 15th, 2025 (5 months ago)
|
|
CVE-2025-25295 |
Description: Label Studio is an open source data labeling tool. A path traversal vulnerability in Label Studio SDK versions prior to 1.0.10 allows unauthorized file access outside the intended directory structure. The flaw exists in the VOC, COCO and YOLO export functionalities. These functions invoke a `download` function on the `label-studio-sdk` python package, which fails to validate file paths when processing image references during task exports. By creating tasks with path traversal sequences in the image field, an attacker can force the application to read files from arbitrary server filesystem locations when exporting projects in any of the mentioned formats. This is authentication-required vulnerability allowing arbitrary file reads from the server filesystem. It may lead to potential exposure of sensitive information like configuration files, credentials, and confidential data. Label Studio versions before 1.16.0 specified SDK versions prior to 1.0.10 as dependencies, and the issue was confirmed in Label Studio version 1.13.2.dev0; therefore, Label Studio users should upgrade to 1.16.0 or newer to mitigate it.
CVSS: HIGH (8.7) EPSS Score: 0.04%
February 15th, 2025 (5 months ago)
|
|
CVE-2025-25206 |
Description: eLabFTW is an open source electronic lab notebook for research labs. Prior to version 5.1.15, an incorrect input validation could allow an authenticated user to read sensitive information, including login token or other content stored in the database. This could lead to privilege escalation if cookies are enabled (default setting). Users must upgrade to eLabFTW version 5.1.15 to receive a fix. No known workarounds are available.
CVSS: HIGH (8.3) EPSS Score: 0.04%
February 15th, 2025 (5 months ago)
|
|
CVE-2025-24700 |
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xylus Themes WP Event Aggregator allows Reflected XSS. This issue affects WP Event Aggregator: from n/a through 1.8.2.
CVSS: HIGH (7.1) EPSS Score: 0.04%
February 15th, 2025 (5 months ago)
|
|
CVE-2025-24699 |
Description: Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company WP Coder allows Cross-Site Scripting (XSS). This issue affects WP Coder: from n/a through 3.6.
CVSS: HIGH (7.1) EPSS Score: 0.04%
February 15th, 2025 (5 months ago)
|
|
CVE-2025-24692 |
Description: Missing Authorization vulnerability in Michael Revellin-Clerc Bulk Menu Edit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bulk Menu Edit: from n/a through 1.3.
CVSS: HIGH (7.1) EPSS Score: 0.04%
February 15th, 2025 (5 months ago)
|
|
CVE-2025-24688 |
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brandtoss WP Mailster allows Reflected XSS. This issue affects WP Mailster: from n/a through 1.8.20.0.
CVSS: HIGH (7.1) EPSS Score: 0.04%
February 15th, 2025 (5 months ago)
|