CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

CVE-2024-57273

Description: Netgate pfSense CE (prior to the 2.8.0 beta release) and the corresponding Plus builds are vulnerable to cross-site scripting (XSS) in the Automatic Configuration Backup (ACB) service, allowing remote attackers to execute arbitrary JavaScript, delete backups, or leak sensitive information via an unsanitized "reason" field and a derivable device key generated from the public SSH key.

CVSS: MEDIUM (5.4)

EPSS Score: 0.04%

Source: CVE
May 14th, 2025 (about 1 month ago)

CVE-2024-54779

Description: Netgate pfSense CE (prior to the 2.8.0 beta release) and the corresponding Plus builds are vulnerable to cross-site scripting (XSS) in widgets/log.widget.php.

CVSS: MEDIUM (5.4)

EPSS Score: 0.03%

Source: CVE
May 14th, 2025 (about 1 month ago)

CVE-2025-3769

Description: The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.92 via the 'view_booking_summary_in_lightbox' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to retrieve appointment details such as customer names and email addresses.

CVSS: MEDIUM (5.3)

EPSS Score: 0.03%

Source: CVE
May 14th, 2025 (about 1 month ago)

CVE-2024-8988

Description: The PeepSo Core: File Uploads plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.6.0 via the file_download REST API endpoint due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to download files uploaded by other users and expose potentially sensitive information.

CVSS: MEDIUM (5.3)

EPSS Score: 0.03%

Source: CVE
May 14th, 2025 (about 1 month ago)
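The two WordPress entries above (LatePoint and PeepSo) are the same bug class: a handler that takes a caller-supplied record id, looks the row up, and returns it without asking whether the caller is allowed to see it. The following is an added example, not code from either plugin or from WordPress; the Upload table, ids and paths are constructed sample data. It places the vulnerable lookup beside a hardened one that requires an authenticated user and binds the lookup to the row's owner column.

```python
# Added example (not LatePoint, PeepSo or WordPress code): the IDOR pattern behind
# CVE-2025-3769 and CVE-2024-8988, vulnerable handler beside a hardened one.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Upload:
    file_id: int
    owner_id: int   # user who uploaded the file
    path: str


# Constructed sample data standing in for the plugin's uploads table.
# Sequential integer ids are exactly what makes enumeration cheap.
UPLOADS = {
    101: Upload(101, owner_id=7, path="/uploads/7/payroll.xlsx"),
    102: Upload(102, owner_id=9, path="/uploads/9/photo.jpg"),
}


class Forbidden(Exception):
    pass


def file_download_vulnerable(file_id: int) -> str:
    """Vulnerable: the only 'check' is that the row exists. Any caller, authenticated
    or not, who supplies a valid file_id receives that user's file."""
    upload = UPLOADS.get(file_id)
    if upload is None:
        raise KeyError("no such file")
    return upload.path


def enumerate_leak(candidate_ids) -> List[str]:
    """What an unauthenticated attacker does against the vulnerable endpoint:
    walk the id space and collect every file that exists."""
    leaked = []
    for file_id in candidate_ids:
        try:
            leaked.append(file_download_vulnerable(file_id))
        except KeyError:
            continue
    return leaked


def file_download_hardened(file_id: int, current_user_id: Optional[int]) -> str:
    """Hardened: require an authenticated caller and decide authorization from the
    row's owner column, not from the fact that the caller knew the id."""
    if current_user_id is None:
        raise Forbidden("authentication required")
    upload = UPLOADS.get(file_id)
    # Same response for 'missing' and 'not yours': the endpoint must not confirm
    # which ids exist, since an existence oracle is the first step of enumeration.
    if upload is None or upload.owner_id != current_user_id:
        raise Forbidden("not found")
    return upload.path


def can_download(file_id: int, current_user_id: Optional[int]) -> bool:
    """Convenience wrapper around the hardened handler for callers that only need yes/no."""
    try:
        file_download_hardened(file_id, current_user_id)
        return True
    except Forbidden:
        return False
```

In a real WordPress REST route the authentication half of this check belongs in the `permission_callback` passed to `register_rest_route()` (comparing against `get_current_user_id()`), and the ownership half in the query that fetches the row; a route registered with `'permission_callback' => '__return_true'` is the PHP spelling of the vulnerable function above.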

CVE-2024-13940

Description: The Ninja Forms Webhooks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.0.7 via the form webhook functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.

CVSS: MEDIUM (5.5)

EPSS Score: 0.03%

Source: CVE
May 14th, 2025 (about 1 month ago)
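A webhook sender is an SSRF primitive by design: it takes a URL from a form and fetches it from the server. The mitigation is not to trust the URL, even when an administrator entered it, but to resolve the host and refuse anything that lands on loopback, link-local (cloud metadata), RFC 1918 or otherwise non-public space. The following is an added example, not Ninja Forms code; `constructed_resolver` and its host table are made up so the example runs offline, and a real sender would pass `system_resolver` and then connect to the returned address rather than re-resolving the name (re-resolving reopens the DNS rebinding window).

```python
# Added example (not Ninja Forms code): validating a webhook target before the
# server fetches it. Resolution is injectable so the example runs offline.
import ipaddress
import socket
from typing import Callable, Iterable, List, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve with the OS resolver; return every A/AAAA answer, not just the first."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def constructed_resolver(host: str) -> List[str]:
    """Constructed stand-in for DNS so the example runs offline.
    'rebind.example.net' models a hostname with one public and one internal answer."""
    table = {
        "hooks.example.net": ["93.184.216.34"],
        "rebind.example.net": ["93.184.216.34", "10.0.0.5"],
        "localhost": ["127.0.0.1"],
    }
    if host not in table:
        raise socket.gaierror(f"unknown host {host!r}")
    return table[host]


class UnsafeWebhookTarget(ValueError):
    pass


def _is_public(ip: IPAddress) -> bool:
    # is_global already excludes loopback, RFC 1918, link-local (169.254/16, so the
    # cloud metadata endpoint), CGNAT, the TEST-NETs, 0.0.0.0/8 and the unspecified address.
    return ip.is_global and not ip.is_multicast


def validate_webhook_url(url: str, resolve: Resolver = system_resolver) -> str:
    """Return the IP address the sender must connect to, or raise UnsafeWebhookTarget.

    Checks: scheme allowlist, no credentials in the URL, and a host that is either a
    public IP literal or a name whose *every* answer is public. One internal answer is
    enough to reject, because the attacker chooses which answer the client will use."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeWebhookTarget(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise UnsafeWebhookTarget("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeWebhookTarget("missing host")
    try:
        answers = [ipaddress.ip_address(host)]          # IP literal, nothing to resolve
    except ValueError:
        try:
            answers = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError) as exc:
            raise UnsafeWebhookTarget(f"cannot resolve {host!r}") from exc
        if not answers:
            raise UnsafeWebhookTarget(f"no addresses for {host!r}")
    checked: List[IPAddress] = []
    for ip in answers:
        # ::ffff:127.0.0.1 is loopback wearing an IPv6 coat; judge the embedded IPv4.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if not _is_public(ip):
            raise UnsafeWebhookTarget(f"{host!r} resolves to non-public address {ip}")
        checked.append(ip)
    return str(checked[0])


def is_safe_webhook_url(url: str, resolve: Resolver = system_resolver) -> bool:
    try:
        validate_webhook_url(url, resolve)
        return True
    except UnsafeWebhookTarget:
        return False
```

The same check has to be repeated on every redirect hop, since a public host that 302s to `http://169.254.169.254/` defeats a one-time validation; in practice that means disabling automatic redirects in the HTTP client and re-validating each Location header yourself.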

CVE-2024-52290

Description: LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. Prior to version 2.1.0, a user with rights to modify the service (e.g. the kuiperUser role) can inject a cross-site scripting payload into the Connection Configuration key `Name` (`confKey`) parameter. Once that is set up, when any user with access to this service (e.g. an admin) tries to delete this key, the payload executes in the victim's browser. Version 2.1.0 fixes the issue.

CVSS: MEDIUM (6.3)

EPSS Score: 0.03%

Source: CVE
May 14th, 2025 (about 1 month ago)
CVE-2025-4427

Description: Ivanti has released security updates to address two security flaws in Endpoint Manager Mobile (EPMM) software that have been chained in attacks to gain remote code execution. The vulnerabilities in question are listed below: CVE-2025-4427 (CVSS score: 5.3), an authentication bypass in Ivanti Endpoint Manager Mobile allowing attackers to access protected resources without proper credentials

CVSS: MEDIUM (5.3)

EPSS Score: 82.26%

Source: TheHackerNews
May 14th, 2025 (about 1 month ago)

CVE-2024-0340

Description: A vulnerability was found in the vhost_new_msg() function in drivers/vhost/vhost.c in the Linux kernel, which does not properly initialize memory in messages passed between virtual guests and the host operating system. This issue can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file.

CVSS: MEDIUM (4.4)

EPSS Score: 0.01%

Source: CVE
May 14th, 2025 (about 1 month ago)

CVE-2025-47905

Description: Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow client-side desync via HTTP/1 requests, because the product incorrectly permits CRLF to be skipped to delimit chunk boundaries.

CVSS: MEDIUM (5.4)

EPSS Score: 0.04%

Source: CVE
May 13th, 2025 (about 1 month ago)
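The root cause of the Varnish entry above is a framing disagreement: RFC 9112 requires CRLF after every chunk's data, and a parser that lets that CRLF be skipped will read the bytes that follow as the next chunk-size line, ending the body somewhere a conforming parser would not. The following is an added example, not Varnish code: a small chunked-body decoder run in strict mode and in a lenient mode that models the described behaviour, over a constructed byte stream. The strict parser rejects the stream; the lenient one accepts it and leaves a second request sitting on the connection, which is the precondition every desync attack exploits.

```python
# Added example (not Varnish code): strict vs lenient chunk-boundary handling and
# why the lenient form leaves attacker-chosen bytes on the connection.
from typing import Tuple

CRLF = b"\r\n"

# Constructed streams. WELL_FORMED is what a conforming client sends.
# ATTACK omits the CRLF after the chunk data, so the "0\r\n\r\n" that follows is
# only a last-chunk if the parser lets the CRLF be skipped.
WELL_FORMED = b"5\r\nhello\r\n0\r\n\r\n"
ATTACK = b"5\r\nhello0\r\n\r\nGET /admin HTTP/1.1\r\nHost: victim\r\n\r\n"


class ChunkedParseError(ValueError):
    pass


def _read_line(buf: bytes, pos: int) -> Tuple[bytes, int]:
    end = buf.find(CRLF, pos)
    if end < 0:
        raise ChunkedParseError("incomplete line")
    return buf[pos:end], end + 2


def parse_chunked(buf: bytes, strict: bool) -> Tuple[bytes, bytes]:
    """Decode one chunked message body starting at buf[0].

    Returns (decoded_body, bytes_left_on_the_connection). With strict=True the
    CRLF after chunk data is mandatory; with strict=False it may be absent, and
    whatever follows the data is parsed as the next chunk-size line."""
    body = bytearray()
    pos = 0
    while True:
        line, pos = _read_line(buf, pos)
        size_field = line.split(b";", 1)[0].strip()   # drop chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ChunkedParseError(f"bad chunk size {line!r}")
        if size == 0:
            break
        data = buf[pos:pos + size]
        if len(data) < size:
            raise ChunkedParseError("incomplete chunk data")
        body += data
        pos += size
        if buf[pos:pos + 2] == CRLF:
            pos += 2
        elif strict:
            raise ChunkedParseError("chunk data not terminated by CRLF")
        # lenient: fall through; the next loop iteration reads a chunk-size line
        # starting at the byte right after the data
    # last-chunk seen: consume the trailer section, which ends with an empty line
    while True:
        line, pos = _read_line(buf, pos)
        if line == b"":
            break
    return bytes(body), buf[pos:]


def strict_rejects(buf: bytes) -> bool:
    """True if a conforming parser refuses the stream outright."""
    try:
        parse_chunked(buf, strict=True)
        return False
    except ChunkedParseError:
        return True


def lenient_leftover(buf: bytes) -> bytes:
    """Bytes the lenient parser believes belong to the *next* request."""
    return parse_chunked(buf, strict=False)[1]
```

Run on `ATTACK`, the strict parser stops at the missing CRLF with an error, while the lenient parser returns the body `hello` and hands `GET /admin HTTP/1.1 ...` to the connection as a second request. Whenever two hops on the same path (cache and origin, or cache and client) decode the same bytes with different rules, the hop that ends the body early treats the remainder as a new request the other side never framed as one; the fix in 7.6.3 and 7.7.1 is the strict branch.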

CVE-2025-24495

Description: Incorrect initialization of resource in the branch prediction unit for some Intel(R) Core™ Ultra Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS: MEDIUM (6.8)

EPSS Score: 0.02%

Source: CVE
May 13th, 2025 (about 1 month ago)