CVE-2025-46656 |
Description: python-markdownify (aka markdownify) before 0.14.1 allows large headline prefixes such as in addition to through . This causes memory consumption.
CVSS: LOW (2.9) EPSS Score: 0.02%
April 26th, 2025 (about 1 month ago)
|
CVE-2025-46653 |
Description: Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.
CVSS: LOW (3.1) EPSS Score: 0.03%
April 26th, 2025 (about 1 month ago)
|
CVE-2025-2850 |
Description: A vulnerability was found in GL.iNet GL-A1300 Slate Plus, GL-AR300M16 Shadow, GL-AR300M Shadow, GL-AR750 Creta, GL-AR750S-EXT Slate, GL-AX1800 Flint, GL-AXT1800 Slate AX, GL-B1300 Convexa-B, GL-B3000 Marble, GL-BE3600 Slate 7, GL-E750, GL-E750V2 Mudi, GL-MT300N-V2 Mango, GL-MT1300 Beryl, GL-MT2500 Brume 2, GL-MT3000 Beryl AX, GL-MT6000 Flint 2, GL-SFT1200 Opal, GL-X300B Collie, GL-X750 Spitz, GL-X3000 Spitz AX, GL-XE300 Puli and GL-XE3000 Puli AX 4.x. It has been rated as problematic. This issue affects some unknown processing of the component Download Interface. The manipulation leads to improper authorization. It is recommended to upgrade the affected component.
CVSS: LOW (3.5) EPSS Score: 0.03%
April 26th, 2025 (about 1 month ago)
|
CVE-2025-46618 |
Description: In JetBrains TeamCity before 2025.03.1, stored XSS was possible on the Data Directory tab.
CVSS: LOW (3.5) EPSS Score: 0.02%
April 25th, 2025 (about 1 month ago)
|
CVE-2024-57375 |
Description: Andamiro Pump It Up 20th Anniversary (aka Double X or XX/2019) 1.00.0-2.08.3 allows a physically proximate attacker to cause a denial of service (application crash) via certain deselect actions.
CVSS: LOW (2.4) EPSS Score: 0.02% SSVC Exploitation: none
April 25th, 2025 (about 1 month ago)
|
CVE-2025-46546 |
Description: In Sherpa Orchestrator 141851, multiple time-based blind SQL injections can be performed by an authenticated user. This affects api/gui/asset/list, /api/gui/files/export/csv/, /api/gui/files/list, /api/gui/process/export/csv, /api/gui/process/export/xlsx, /api/gui/process/listAll, /api/gui/processVersion/export/csv/, /api/gui/processVersion/export/xlsx/, /api/gui/processVersion/list/, /api/gui/robot/list/, /api/gui/task/export/csv/, /api/gui/task/export/xlsx/, and /api/gui/task/list/.
CVSS: LOW (3.5) EPSS Score: 0.03%
April 25th, 2025 (about 1 month ago)
|
CVE-2024-30127 |
Description: Missing "no cache" headers in HCL Leap permits sensitive data to be cached.
CVSS: LOW (3.2) EPSS Score: 0.01%
April 24th, 2025 (about 1 month ago)
|
CVE-2024-30114 |
Description: Insufficient sanitization in HCL Leap allows client-side script injection in the authoring environment.
CVSS: LOW (3.7) EPSS Score: 0.03%
April 24th, 2025 (about 1 month ago)
|
CVE-2025-41423 |
Description: Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing actions created by the Playbooks bot, even without channel access or appropriate permissions.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-41423
https://mattermost.com/security-updates
https://github.com/mattermost/mattermost-plugin-playbooks/commit/f9f7064e4d9f3918d66bac1f5f9eb28f0723464b
https://github.com/mattermost/mattermost/commit/2b5275d87136f07e016c8eca09a2f004b31afc8a
https://github.com/advisories/GHSA-fr22-5377-f3p7
CVSS: LOW (3.1) EPSS Score: 0.02%
April 24th, 2025 (about 1 month ago)
|