CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database


CVE-2025-4427

🚨 Marked as known exploited on May 19th, 2025 (about 1 month ago).
Description: CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2025-4427 Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability
CVE-2025-4428 Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
CVE-2024-11182 MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability
CVE-2025-27920 Srimax Output Messenger Directory Traversal Vulnerability
CVE-2024-27443 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
CVE-2023-38950 ZKTeco BioTime Path Traversal Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management p...

CVSS: MEDIUM (5.3)

EPSS Score: 82.26%

Source: All CISA Advisories
May 19th, 2025 (about 1 month ago)

CVE-2025-4427

Description: Ivanti Endpoint Manager Mobile (EPMM) contains an authentication bypass vulnerability in the API component that allows an attacker to access protected resources without proper credentials via crafted API requests. This vulnerability results from an insecure implementation of the Spring Framework open-source library.

CVSS: MEDIUM (5.3)

EPSS Score: 82.26%

Source: CISA KEV
May 19th, 2025 (about 1 month ago)

CVE-2024-11182

Description: MDaemon Email Server contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to load arbitrary JavaScript code via an HTML e-mail message.

CVSS: MEDIUM (6.1)

EPSS Score: 26.79%

Source: CISA KEV
May 19th, 2025 (about 1 month ago)

CVE-2025-4939

Description: A vulnerability classified as problematic was found in PHPGurukul Credit Card Application Management System 1.0. This vulnerability affects unknown code of the file /admin/new-ccapplication.php. The manipulation leads to cross-site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. A vulnerability was discovered in PHPGurukul Credit Card Application Management System 1.0. It was classified as problematic. Affected is an unknown processing step of the file /admin/new-ccapplication.php. By manipulating it with unknown data, a cross-site scripting vulnerability can be exploited. The attack can be carried out over the network. The exploit is publicly available.

CVSS: MEDIUM (5.3)

EPSS Score: 0.03%

SSVC Exploitation: poc

Source: CVE
May 19th, 2025 (about 1 month ago)

CVE-2025-4876

Description: ConnectWise-Password-Encryption-Utility.exe in ConnectWise Risk Assessment allows an attacker to extract a hardcoded AES decryption key via reverse engineering. This key is embedded in plaintext within the binary and used in cryptographic operations without dynamic key management. Once obtained, the key can be used to decrypt CSV input files used for authenticated network scanning.

CVSS: MEDIUM (6.0)

EPSS Score: 0.01%

SSVC Exploitation: none

Source: CVE
May 19th, 2025 (about 1 month ago)

CVE-2025-47583

Description: Unauthenticated Cross-Site Request Forgery (CSRF) in Salon booking system versions <= 10.16.

CVSS: MEDIUM (5.4)

EPSS Score: 0.02%

SSVC Exploitation: none

Source: CVE
May 19th, 2025 (about 1 month ago)

CVE-2025-39394

Description: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Solid Plugins AnalyticsWP allows Retrieve Embedded Sensitive Data. This issue affects AnalyticsWP: from n/a through 2.1.2.

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

Source: CVE
May 19th, 2025 (about 1 month ago)

CVE-2025-39388

Description: Missing Authorization vulnerability in Solid Plugins AnalyticsWP allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects AnalyticsWP: from n/a through 2.0.0.

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

Source: CVE
May 19th, 2025 (about 1 month ago)

CVE-2025-39376

Description: Missing Authorization vulnerability in QuanticaLabs Car Park Booking System for WordPress. This issue affects Car Park Booking System for WordPress: from n/a through 2.6.

CVSS: MEDIUM (4.3)

EPSS Score: 0.03%

Source: CVE
May 19th, 2025 (about 1 month ago)

CVE-2025-39375

Description: Cross-Site Request Forgery (CSRF) vulnerability in Ashok G Easy Child Theme Creator allows Cross-Site Request Forgery. This issue affects Easy Child Theme Creator: from n/a through 1.3.1.

CVSS: MEDIUM (4.3)

EPSS Score: 0.02%

Source: CVE
May 19th, 2025 (about 1 month ago)