CVE-2025-3223 |
Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in GE Vernova WorkstationST on Windows (EGD Configuration Server modules) allows Path Traversal. This issue affects WorkstationST: WorkstationST V07.10.10C and earlier.
CVSS: MEDIUM (5.9) EPSS Score: 0.03%
May 19th, 2025 (about 1 month ago)
|
CVE-2025-47946 |
Description: Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering `{{ attributes }}` or using any method that returns a `ComponentAttributes` instance (e.g. `only()`, `defaults()`, `without()`) outputs attribute values directly without escaping. If these values are unsafe (e.g. contain user input), this can lead to HTML attribute injection and XSS vulnerabilities. The issue is fixed in version `2.25.1` of `symfony/ux-twig-component`. Those who use `symfony/ux-live-component` must also update it to `2.25.1` to benefit from the fix, as it reuses the `ComponentAttributes` class internally. As a workaround, avoid rendering `{{ attributes }}` or derived objects directly if they may contain untrusted values. Instead, use `{{ attributes.render('name') }}` for safe output of individual attributes.
CVSS: MEDIUM (6.1) EPSS Score: 0.03%
May 19th, 2025 (about 1 month ago)
|
CVE-2025-46441 |
Description: Path Traversal: '.../...//' vulnerability in ctltwp Section Widget allows Path Traversal. This issue affects Section Widget: from n/a through 3.3.1.
CVSS: MEDIUM (5.3) EPSS Score: 0.05%
May 19th, 2025 (about 1 month ago)
|
CVE-2025-43838 |
Description: Missing Authorization vulnerability in ChoPlugins Custom PC Builder Lite for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Custom PC Builder Lite for WooCommerce: from n/a through 1.0.1.
CVSS: MEDIUM (6.5) EPSS Score: 0.05% SSVC Exploitation: none
May 19th, 2025 (about 1 month ago)
|
CVE-2024-6534 |
Description: Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the 'POST /presets' request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.
CVSS: MEDIUM (4.3) EPSS Score: 0.03% SSVC Exploitation: poc
May 19th, 2025 (about 1 month ago)
|
CVE-2024-11182 |
🚨 Marked as known exploited on May 19th, 2025 (about 1 month ago).
Description: An XSS issue was discovered in MDaemon Email Server before version 24.5.1c. An attacker can send an HTML e-mail message with JavaScript in an img tag. This could allow a remote attacker to load arbitrary JavaScript code in the context of a webmail user's browser window.
CVSS: MEDIUM (6.1) EPSS Score: 26.79% SSVC Exploitation: active
May 19th, 2025 (about 1 month ago)
|
CVE-2025-46543 |
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Charly Leetham Enhanced Paypal Shortcodes allows Stored XSS. This issue affects Enhanced Paypal Shortcodes: from n/a through 0.5a.
CVSS: MEDIUM (6.5) EPSS Score: 0.03%
May 19th, 2025 (about 1 month ago)
|
CVE-2025-46263 |
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lloyd Saunders Author Box After Posts allows Stored XSS. This issue affects Author Box After Posts: from n/a through 1.6.
CVSS: MEDIUM (6.5) EPSS Score: 0.03%
May 19th, 2025 (about 1 month ago)
|
CVE-2025-46262 |
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zack Katz Mad Mimi for WordPress allows Stored XSS. This issue affects Mad Mimi for WordPress: from n/a through 1.5.1.
CVSS: MEDIUM (6.5) EPSS Score: 0.03%
May 19th, 2025 (about 1 month ago)
|
CVE-2025-43841 |
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jamesdbruner WP Vegas allows Stored XSS. This issue affects WP Vegas: from n/a through 2.2.
CVSS: MEDIUM (6.5) EPSS Score: 0.03%
May 19th, 2025 (about 1 month ago)
|