Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-43708
VisiCut 2.1 allows stack consumption via an XML document with nested set elements, as demonstrated by a java.util.HashMap StackOverflowError when...
Description: VisiCut 2.1 allows stack consumption via an XML document with nested set elements, as demonstrated by a java.util.HashMap StackOverflowError when reference='../../../set/set[2]' is used, aka an "insecure deserialization" issue.

CVSS: LOW (3.3)

Source: CVE
April 17th, 2025 (about 16 hours ago)

CVE-2025-32789
EspoCRM Allows Potential Disclosure of Sensitive Information in the User Sorting Function
Description: EspoCRM is an Open Source Customer Relationship Management software. Prior to version 9.0.7, users can be sorted by their password hash. This flaw allows an attacker to make assumptions about the hash values of other users stored in the password column of the user table, based on the results of the sorted list of users. Although unlikely, if an attacker knows the hash value of their password, they can change the password and repeat the sorting until the other user's password hash is fully revealed. This issue is patched in version 9.0.7.

CVSS: LOW (3.1)

Source: CVE
April 16th, 2025 (about 21 hours ago)

CVE-2025-32787
SoftEtherVPN Affected by NULL dereference in DeleteIPv6DefaultRouterInRA
Description: SoftEtherVPN is a an open-source cross-platform multi-protocol VPN Program. Versions 5.02.5184 to 5.02.5187 are vulnerable to NULL dereference in `DeleteIPv6DefaultRouterInRA` called by `StorePacket`. Before dereferencing, `DeleteIPv6DefaultRouterInRA` does not account for `ParsePacket` returning NULL, resulting in the program crashing. A patched version does not exist at this time.

CVSS: LOW (3.1)

Source: CVE
April 16th, 2025 (about 21 hours ago)

CVE-2024-58249
In wxWidgets before 3.2.7, a crash can be triggered in wxWidgets apps when connections are refused in wxWebRequestCURL.
Description: In wxWidgets before 3.2.7, a crash can be triggered in wxWidgets apps when connections are refused in wxWebRequestCURL.

CVSS: LOW (3.7)

Source: CVE
April 16th, 2025 (1 day ago)

CVE-2024-2133
Bdtask Isshue Multi Store eCommerce Shopping Cart Solution Manage Sale Page manage_invoice cross site scripting
Description: A vulnerability, which was classified as problematic, was found in Bdtask Isshue Multi Store eCommerce Shopping Cart Solution 4.0. This affects an unknown part of the file /dashboard/Cinvoice/manage_invoice of the component Manage Sale Page. The manipulation of the argument Title leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-255495. Es wurde eine problematische Schwachstelle in Bdtask Isshue Multi Store eCommerce Shopping Cart Solution 4.0 gefunden. Es betrifft eine unbekannte Funktion der Datei /dashboard/Cinvoice/manage_invoice der Komponente Manage Sale Page. Durch das Beeinflussen des Arguments Title mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.

CVSS: LOW (2.4)

EPSS Score: 0.05%

SSVC Exploitation: poc

Source: CVE
April 16th, 2025 (1 day ago)

CVE-2024-25114
Sensitive Information Disclosure (JailID) to users in Collabora Online
Description: Collabora Online is a collaborative online office suite based on LibreOffice technology. Each document in Collabora Online is opened by a separate "Kit" instance in a different "jail" with a unique directory "jailID" name. For security reasons, this directory name is randomly generated and should not be given out to the client. In affected versions of Collabora Online it is possible to use the CELL() function, with the "filename" argument, in the spreadsheet component to get a path which includes this JailID. The impact of this vulnerability in its own is low because it requires to be chained with another vulnerability. Users should upgrade to Collabora Online 23.05.9; Collabora Online 22.05.22; Collabora Online 21.11.10 or higher. There are no known workarounds for this vulnerability.

CVSS: LOW (2.6)

EPSS Score: 0.11%

SSVC Exploitation: none

Source: CVE
April 16th, 2025 (1 day ago)

CVE-2024-2364
Musicshelf Backup androidmanifest.xml backup
Description: A vulnerability classified as problematic has been found in Musicshelf 1.0/1.1 on Android. Affected is an unknown function of the file androidmanifest.xml of the component Backup Handler. The manipulation leads to exposure of backup file to an unauthorized control sphere. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256320. Es wurde eine problematische Schwachstelle in Musicshelf 1.0/1.1 für Android entdeckt. Es betrifft eine unbekannte Funktion der Datei androidmanifest.xml der Komponente Backup Handler. Durch das Beeinflussen mit unbekannten Daten kann eine exposure of backup file to an unauthorized control sphere-Schwachstelle ausgenutzt werden. Ein Angriff setzt physischen Zugriff auf dem Zielobjekt voraus. Der Exploit steht zur öffentlichen Verfügung.

CVSS: LOW (1.8)

EPSS Score: 0.03%

SSVC Exploitation: poc

Source: CVE
April 16th, 2025 (1 day ago)
[github.com/mattermost/mattermost/server/v8] Mattermost Incorrect Authorization vulnerability
Description: Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to prevent Wrangler posts from triggering AI responses. This vulnerability allows users without access to the AI bot to activate it by attaching the activate_ai override property to a post via the Wrangler plugin, provided both the AI and Wrangler plugins are enabled. References https://nvd.nist.gov/vuln/detail/CVE-2025-24839 https://mattermost.com/security-updates https://github.com/advisories/GHSA-j639-m367-75cf

CVSS: LOW (3.1)

EPSS Score: 0.03%

Source: Github Advisory Database (Go)
April 16th, 2025 (1 day ago)
[github.com/mattermost/mattermost/server/v8] Mattermost Missing Authentication for Critical Function
Description: Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or deactivate MFA for other users, even if those users have not set up MFA. References https://nvd.nist.gov/vuln/detail/CVE-2025-27538 https://mattermost.com/security-updates https://github.com/advisories/GHSA-j5jw-m2ph-3jjf

CVSS: LOW (2.2)

EPSS Score: 0.02%

Source: Github Advisory Database (Go)
April 16th, 2025 (1 day ago)

CVE-2024-58248
nopCommerce before 4.80.0 does not offer locking for order placement. Thus there is a race condition with duplicate redeeming of gift cards.
Description: nopCommerce before 4.80.0 does not offer locking for order placement. Thus there is a race condition with duplicate redeeming of gift cards.

CVSS: LOW (3.5)

SSVC Exploitation: none

Source: CVE
April 16th, 2025 (1 day ago)