Threat and Vulnerability Intelligence Database

Description: All versions of the package mcp-markdownify-server are vulnerable to Files or Directories Accessible to External Parties via the get-markdown-file tool. An attacker can craft a prompt that, once accessed by the MCP host, will allow it to read arbitrary files from the host running the server.

References:
https://nvd.nist.gov/vuln/detail/CVE-2025-5273
https://github.com/zcaceres/markdownify-mcp/commit/3a6b202d088ef7acb8be84bc09515f41a2b1a9df
https://security.snyk.io/vuln/SNYK-JS-MCPMARKDOWNIFYSERVER-10249193
https://github.com/zcaceres/markdownify-mcp/blob/3667bd4765c0e49684ce22df268d02dd478a7f3b/src/Markdownify.ts#L94
https://github.com/advisories/GHSA-22v8-p7h2-rj7p

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: Github Advisory Database (NPM)
May 29th, 2025 (20 days ago)

CVE-2025-48475

Description: FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the System does not provide a check on which "clients" of the System an authorized user can view and edit, and which ones they cannot. As a result, an authorized user who does not have access to any of the existing mailboxes, as well as to any of the existing conversations, has the ability to view and edit the System's clients. The limitation of client visibility can be implemented by the limit_user_customer_visibility setting, however, in the specified scenarios, there is no check for the presence of this setting. This issue has been patched in version 1.8.180.

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

Source: CVE
May 29th, 2025 (20 days ago)

CVE-2025-46722

Description: vLLM is an inference and serving engine for large language models (LLMs). In versions starting from 0.7.0 to before 0.9.0, in the file vllm/multimodal/hasher.py, the MultiModalHasher class has a security and data integrity issue in its image hashing method. Currently, it serializes PIL.Image.Image objects using only obj.tobytes(), which returns only the raw pixel data, without including metadata such as the image’s shape (width, height, mode). As a result, two images of different sizes (e.g., 30x100 and 100x30) with the same pixel byte sequence could generate the same hash value. This may lead to hash collisions, incorrect cache hits, and even data leakage or security risks. This issue has been patched in version 0.9.0.

CVSS: MEDIUM (4.2)

EPSS Score: 0.06%

Source: CVE
May 29th, 2025 (20 days ago)

CVE-2025-5321

Description: A vulnerability classified as critical was found in aimhubio aim up to 3.29.1. This vulnerability affects the function RestrictedPythonQuery of the file /aim/storage/query.py of the component run_view Object Handler. Manipulation of the argument Query leads to a sandbox issue. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS: MEDIUM (6.3)

EPSS Score: 0.04%

SSVC Exploitation: poc

Source: CVE
May 29th, 2025 (20 days ago)

CVE-2025-48474

Description: FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the application incorrectly checks user access rights for conversations. Users with show_only_assigned_conversations enabled can assign themselves to an arbitrary conversation from the mailbox to which they have access, thereby bypassing the restriction on viewing conversations. This issue has been patched in version 1.8.180.

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

Source: CVE
May 29th, 2025 (20 days ago)

CVE-2025-48473

Description: FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, when creating a conversation from a message in another conversation, there is no check to ensure that the user has the ability to view this message. Thus, the user can view arbitrary messages from other mailboxes or from other conversations to which they do not have access (access restriction to conversations is implemented by the show_only_assigned_conversations setting, which is also not checked). This issue has been patched in version 1.8.179.

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

SSVC Exploitation: poc

Source: CVE
May 29th, 2025 (20 days ago)

CVE-2025-48472

Description: FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, there is no check to ensure that the user is disabling notifications for the mailbox to which they already have access. Moreover, the code explicitly implements functionality that if the user does not have access to the mailbox, then after disabling (enabling) notifications for this mailbox, the user will gain access to it. This issue has been patched in version 1.8.179.

CVSS: MEDIUM (6.9)

EPSS Score: 0.03%

SSVC Exploitation: poc

Source: CVE
May 29th, 2025 (20 days ago)

CVE-2025-3913

Description: Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint.

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

SSVC Exploitation: none

Source: CVE
May 29th, 2025 (20 days ago)

CVE-2024-24571

Description: facileManager is a modular suite of web apps built with the sysadmin in mind. For the facileManager web application versions 4.5.0 and earlier, we have found that XSS was present in almost all of the input fields as there is insufficient input validation.

CVSS: MEDIUM (5.4)

EPSS Score: 0.27%

SSVC Exploitation: poc

Source: CVE
May 29th, 2025 (20 days ago)

CVE-2024-24134

Description: Sourcecodester Online Food Menu 1.0 is vulnerable to Cross Site Scripting (XSS) via the 'Menu Name' and 'Description' fields in the Update Menu section.

CVSS: MEDIUM (4.8)

EPSS Score: 0.73%

SSVC Exploitation: poc

Source: CVE
May 29th, 2025 (20 days ago)