
Threat and Vulnerability Intelligence Database


Description:

Impact: Flask-AppBuilder prior to 4.6.2 would allow a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests.

Patches: Flask-AppBuilder 4.6.2 introduced the FAB_SAFE_REDIRECT_HOSTS configuration variable, which allows administrators to explicitly define which domains are considered safe for redirection. Example: FAB_SAFE_REDIRECT_HOSTS = ["yourdomain.com", "sub.yourdomain.com", "*.yourcompany.com"]

Workarounds: Use a reverse proxy to enforce trusted Host headers.

References:
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-99pm-ch96-ccp2
https://nvd.nist.gov/vuln/detail/CVE-2025-32962
https://github.com/dpgaspar/Flask-AppBuilder/commit/32eedbbb5cb483a3e782c5f2732de4a6a650d9b6
https://github.com/advisories/GHSA-99pm-ch96-ccp2

CVSS: MEDIUM (4.3)

EPSS Score: 0.03%

Source: Github Advisory Database (PIP)
May 16th, 2025 (about 1 month ago)

CVE-2025-4787

Description: A vulnerability classified as critical has been found in SourceCodester/oretnom23 Stock Management System 1.0. Affected is an unknown function of the file /admin/?page=sales/view_sale. The manipulation of the argument ID leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

CVSS: MEDIUM (6.3)

EPSS Score: 0.03%

SSVC Exploitation: poc

Source: CVE
May 16th, 2025 (about 1 month ago)

CVE-2025-48138

Description: Missing Authorization vulnerability in berthaai BERTHA AI allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BERTHA AI: from n/a through 1.12.11.

CVSS: MEDIUM (4.3)

EPSS Score: 0.04%

Source: CVE
May 16th, 2025 (about 1 month ago)

CVE-2025-48135

Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aptivadadev Aptivada for WP allows DOM-Based XSS. This issue affects Aptivada for WP: from n/a through 2.0.0.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE
May 16th, 2025 (about 1 month ago)

CVE-2025-48132

Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pencilwp X Addons for Elementor allows Stored XSS. This issue affects X Addons for Elementor: from n/a through 1.0.14.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE
May 16th, 2025 (about 1 month ago)

CVE-2025-48131

Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saiful Islam UltraAddons Elementor Lite allows Stored XSS. This issue affects UltraAddons Elementor Lite: from n/a through 2.0.0.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE
May 16th, 2025 (about 1 month ago)

CVE-2025-48128

Description: Missing Authorization vulnerability in Sharespine Sharespine Woocommerce Connector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sharespine Woocommerce Connector: from n/a through 4.7.55.

CVSS: MEDIUM (4.3)

EPSS Score: 0.03%

Source: CVE
May 16th, 2025 (about 1 month ago)

CVE-2025-48127

Description: Missing Authorization vulnerability in App Cheap Push notification for Mobile and Web app allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Push notification for Mobile and Web app: from n/a through 2.0.3.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE
May 16th, 2025 (about 1 month ago)

CVE-2025-48121

Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steve Puddick WP Notes Widget allows DOM-Based XSS. This issue affects WP Notes Widget: from n/a through 1.0.6.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE
May 16th, 2025 (about 1 month ago)

CVE-2025-48120

Description: Improper Control of Generation of Code ('Code Injection') vulnerability in RomanCode MapSVG Lite allows Code Injection. This issue affects MapSVG Lite: from n/a through 8.6.4.

CVSS: MEDIUM (5.3)

EPSS Score: 0.05%

Source: CVE
May 16th, 2025 (about 1 month ago)