Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-3678
PCMan FTP Server HELP Command buffer overflow
Description: A vulnerability, which was classified as critical, has been found in PCMan FTP Server 2.0.7. This issue affects some unknown processing of the component HELP Command Handler. The manipulation leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Eine Schwachstelle wurde in PCMan FTP Server 2.0.7 entdeckt. Sie wurde als kritisch eingestuft. Dies betrifft einen unbekannten Teil der Komponente HELP Command Handler. Durch die Manipulation mit unbekannten Daten kann eine buffer overflow-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk passieren. Der Exploit steht zur öffentlichen Verfügung.

CVSS: MEDIUM (6.9)

EPSS Score: 0.04%

Source: CVE
April 16th, 2025 (4 days ago)

CVE-2025-3677
lm-sys fastchat apply_delta.py apply_delta_low_cpu_mem deserialization
Description: A vulnerability classified as critical was found in lm-sys fastchat up to 0.2.36. This vulnerability affects the function split_files/apply_delta_low_cpu_mem of the file fastchat/model/apply_delta.py. The manipulation leads to deserialization. An attack has to be approached locally. In lm-sys fastchat bis 0.2.36 wurde eine Schwachstelle entdeckt. Sie wurde als kritisch eingestuft. Das betrifft die Funktion split_files/apply_delta_low_cpu_mem der Datei fastchat/model/apply_delta.py. Mit der Manipulation mit unbekannten Daten kann eine deserialization-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs hat dabei lokal zu erfolgen.

CVSS: MEDIUM (4.8)

EPSS Score: 0.02%

Source: CVE
April 16th, 2025 (4 days ago)

CVE-2025-3104
WP Staging Pro <= 6.1.2 - Unauthenticated Information Exposure via getOutdatedPluginsRequest Function
Description: The WP STAGING Pro WordPress Backup Plugin for WordPress is vulnerable to Information Exposure in all versions up to and including 6.1.2 due to missing capability checks on the getOutdatedPluginsRequest() function. This makes it possible for unauthenticated attackers to reveal outdated installed active or inactive plugins.

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

Source: CVE
April 16th, 2025 (4 days ago)

CVE-2025-3676
xxyopen Novel-Plus books sql injection
Description: A vulnerability classified as critical has been found in xxyopen Novel-Plus 3.5.0. This affects an unknown part of the file /api/front/search/books. The manipulation of the argument sort leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Es wurde eine Schwachstelle in xxyopen Novel-Plus 3.5.0 entdeckt. Sie wurde als kritisch eingestuft. Es betrifft eine unbekannte Funktion der Datei /api/front/search/books. Dank Manipulation des Arguments sort mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.

CVSS: MEDIUM (5.3)

EPSS Score: 0.03%

Source: CVE
April 16th, 2025 (4 days ago)

CVE-2025-3077
Betheme <= 28.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description: The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button shortcode and Custom CSS field in all versions up to, and including, 28.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
April 16th, 2025 (4 days ago)

CVE-2025-27571
Channel metadata visible in archived channels despite configuration setting
Description: Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to check the "Allow Users to View Archived Channels" configuration when fetching channel metadata of a post from archived channels, which allows authenticated users to access such information when a channel is archived.

CVSS: MEDIUM (4.3)

EPSS Score: 0.03%

Source: CVE
April 16th, 2025 (4 days ago)

CVE-2025-0101
WAGO: Year 2038 problem
Description: A low privileged user can set the date of the devices to the 19th of January 2038 an therefore exceed the 32-Bit time limit. This causes some functions to work unexpected or stop working at all. Both during runtime and after a restart.

CVSS: MEDIUM (6.5)

EPSS Score: 0.04%

Source: CVE
April 16th, 2025 (4 days ago)

CVE-2025-3675
TOTOLINK A3700R cstecgi.cgi setL2tpServerCfg access control
Description: A vulnerability was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. It has been rated as critical. Affected by this issue is the function setL2tpServerCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Eine kritische Schwachstelle wurde in TOTOLINK A3700R 9.1.2u.5822_B20200513 ausgemacht. Hierbei geht es um die Funktion setL2tpServerCfg der Datei /cgi-bin/cstecgi.cgi. Dank der Manipulation mit unbekannten Daten kann eine improper access controls-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff über das Netzwerk. Der Exploit steht zur öffentlichen Verfügung.

CVSS: MEDIUM (6.9)

EPSS Score: 0.09%

Source: CVE
April 16th, 2025 (4 days ago)

CVE-2025-3674
TOTOLINK A3700R cstecgi.cgi setUrlFilterRules access control
Description: A vulnerability was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. It has been declared as critical. Affected by this vulnerability is the function setUrlFilterRules of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. In TOTOLINK A3700R 9.1.2u.5822_B20200513 wurde eine kritische Schwachstelle ausgemacht. Dabei geht es um die Funktion setUrlFilterRules der Datei /cgi-bin/cstecgi.cgi. Durch Beeinflussen mit unbekannten Daten kann eine improper access controls-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.

CVSS: MEDIUM (6.9)

EPSS Score: 0.1%

Source: CVE
April 16th, 2025 (4 days ago)

CVE-2025-3247
Contact Form 7 <= 6.0.5 - Order Replay Vulnerability
Description: The Contact Form 7 plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 6.0.5 via the 'wpcf7_stripe_skip_spam_check' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order.

CVSS: MEDIUM (5.3)

EPSS Score: 0.01%

Source: CVE
April 16th, 2025 (4 days ago)