Threat and Vulnerability Intelligence Database

CVE-2025-48708

Description: gs_lib_ctx_stash_sanitized_arg in base/gslibctx.c in Artifex Ghostscript through 10.05.0 lacks argument sanitization for the # case.

CVSS: LOW (2.9)

EPSS Score: 0.02%

Source: CVE
May 23rd, 2025 (15 days ago)

CVE-2025-1110

Description: An issue has been discovered in GitLab CE/EE affecting all versions from 18.0 before 18.0.1. In certain circumstances, a user with limited permissions could access Job Data via a crafted GraphQL query.

CVSS: LOW (2.7)

EPSS Score: 0.01%

SSVC Exploitation: none

Source: CVE
May 22nd, 2025 (16 days ago)

CVE-2025-5011

Description: A vulnerability classified as problematic was found in moonlightL hexo-boot 4.3.0. This vulnerability affects unknown code of the file /admin/home/index.html of the component Dynamic List Page. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

CVSS: LOW (2.4)

EPSS Score: 0.03%

SSVC Exploitation: poc

Source: CVE
May 21st, 2025 (17 days ago)

CVE-2025-48070

Description: Plane is open-source project management software. Versions prior to 0.23 have insecure permissions in UserSerializer that allow users to change fields that are meant to be read-only, such as email. This can lead to account takeover when chained with another vulnerability such as cross-site scripting (XSS). Version 0.23 fixes the issue.

CVSS: LOW (3.5)

EPSS Score: 0.02%

Source: CVE
May 21st, 2025 (17 days ago)

CVE-2025-5031

Description: A vulnerability was found in Ackites KillWxapkg up to 2.4.1. It has been rated as problematic. This issue affects some unknown processing of the component wxapkg File Decompression Handler. The manipulation leads to resource consumption. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.

CVSS: LOW (3.1)

EPSS Score: 0.04%

Source: CVE
May 21st, 2025 (17 days ago)

CVE-2025-48064

Description: GitHub Desktop is an open-source, Electron-based GitHub app designed for git development. Prior to version 3.4.20-beta3, an attacker convincing a user to view a file in a commit of their making in the history view can cause information disclosure by means of Git attempting to access a network share. This affects GitHub Desktop users on Windows that view malicious commits in the history view. macOS users are not affected. When viewing a file diff in the history view GitHub Desktop will call `git log` or `git diff` with the object id (SHA) of the commit, the name of the file, and the old name of the file if the file has been renamed. As a security precaution Git will attempt to fully resolve the old and new path via `realpath`, traversing symlinks, to ensure that the resolved paths reside within the repository working directory. This can lead to Git attempting to access a path that resides on a network share (UNC path) and in doing so Windows will attempt to perform NTLM authentication which passes information such as the computer name, the currently signed in (Windows) user name, and an NTLM hash. GitHub Desktop 3.4.20 and later fix this vulnerability. The beta channel includes the fix in 3.4.20-beta3. As a workaround to use until upgrading is possible, only browse commits in the history view that come from trusted sources.

CVSS: LOW (3.3)

EPSS Score: 0.02%

Source: CVE
May 21st, 2025 (17 days ago)
Description: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-31239.

CVSS: LOW (3.3)

EPSS Score: 0.01%

Source: Zero Day Initiative Published Advisories
May 21st, 2025 (17 days ago)

CVE-2025-5030

Description: A vulnerability was found in Ackites KillWxapkg up to 2.4.1. It has been declared as critical. This vulnerability affects the function processFile of the file internal/unpack/unpack.go of the component wxapkg File Parser. The manipulation leads to os command injection. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.

CVSS: LOW (2.3)

EPSS Score: 0.77%

Source: CVE
May 21st, 2025 (17 days ago)

CVE-2025-48009

Description: Missing Authorization vulnerability in Drupal Single Content Sync allows Functionality Misuse. This issue affects Single Content Sync: from 0.0.0 before 1.4.12.

CVSS: LOW (3.1)

EPSS Score: 0.03%

SSVC Exploitation: none

Source: CVE
May 21st, 2025 (17 days ago)

CVE-2025-1421

Description: Data provided in a request performed to the server while activating a new device are put in a database. Other high privileged users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC. This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite).

CVSS: LOW (2.4)

EPSS Score: 0.04%

Source: CVE
May 21st, 2025 (17 days ago)