CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-47226
Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information.
Description: Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information.

CVSS: MEDIUM (5.0)

EPSS Score: 0.24%

Source: CVE
May 2nd, 2025 (about 2 months ago)

CVE-2025-4218
handrew browserpilot gpt_selenium_agent.py GPTSeleniumAgent code injection
Description: A vulnerability was found in handrew browserpilot up to 0.2.51. It has been declared as critical. Affected by this vulnerability is the function GPTSeleniumAgent of the file browserpilot/browserpilot/agents/gpt_selenium_agent.py. The manipulation of the argument instructions leads to code injection. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. In handrew browserpilot bis 0.2.51 wurde eine kritische Schwachstelle ausgemacht. Es geht um die Funktion GPTSeleniumAgent der Datei browserpilot/browserpilot/agents/gpt_selenium_agent.py. Durch das Beeinflussen des Arguments instructions mit unbekannten Daten kann eine code injection-Schwachstelle ausgenutzt werden. Der Angriff muss lokal angegangen werden. Der Exploit steht zur öffentlichen Verfügung.

CVSS: MEDIUM (5.3)

EPSS Score: 0.03%

Source: CVE
May 2nd, 2025 (about 2 months ago)

CVE-2025-4214
PHPGuruku Online DJ Booking Management System booking-bwdates-reports-details.php sql injection
Description: A vulnerability was found in PHPGuruku Online DJ Booking Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/booking-bwdates-reports-details.php. The manipulation of the argument fromdate leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. Eine kritische Schwachstelle wurde in PHPGuruku Online DJ Booking Management System 1.0 gefunden. Betroffen davon ist ein unbekannter Prozess der Datei /admin/booking-bwdates-reports-details.php. Durch das Manipulieren des Arguments fromdate mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.

CVSS: MEDIUM (6.9)

EPSS Score: 0.03%

Source: CVE
May 2nd, 2025 (about 2 months ago)
[flags] Information Disclosure via Flags override link
Description: Summary An information disclosure vulnerability affecting Flags SDK has been addressed. It impacted flags ≤3.2.0 and @vercel/flags ≤3.1.1 and in certain circumstances, allowed a bad actor with detailed knowledge of the vulnerability to list all flags returned by the flags discovery endpoint (.well-known/vercel/flags). Impact This vulnerability allowed for information disclosure, where a bad actor could gain access to a list of all feature flags exposed through the flags discovery endpoint, including the: Flag names Flag descriptions Available options and their labels (e.g. true, false) Default flag values Not impacted: Flags providers were not accessible No write access nor additional customer data was exposed, this is limited to just the values noted above. Vercel has automatically mitigated this incident on behalf of our customers for the default flags discovery endpoint at .well-known/vercel/flags. Flags Explorer will be disabled and show a warning notice until upgraded to [email protected]. Resolution The verifyAccess function was patched within [email protected]. Users of @vercel/flags should also migrate to [email protected]. For further guidance on upgrading your version, please see our upgrade guide. Mitigations Vercel implemented a network-level mitigation to prevent the default flags discovery endpoint at /.well-known/vercel/flags being reachable, which automatically protects Vercel deployments against exploitation of this issue. Users need to upgrade to [email protected] to re-ena...

CVSS: MEDIUM (6.5)

EPSS Score: 0.04%

Source: Github Advisory Database (NPM)
May 2nd, 2025 (about 2 months ago)
[@vercel/flags] Information Disclosure via Flags override link
Description: Summary An information disclosure vulnerability affecting Flags SDK has been addressed. It impacted flags ≤3.2.0 and @vercel/flags ≤3.1.1 and in certain circumstances, allowed a bad actor with detailed knowledge of the vulnerability to list all flags returned by the flags discovery endpoint (.well-known/vercel/flags). Impact This vulnerability allowed for information disclosure, where a bad actor could gain access to a list of all feature flags exposed through the flags discovery endpoint, including the: Flag names Flag descriptions Available options and their labels (e.g. true, false) Default flag values Not impacted: Flags providers were not accessible No write access nor additional customer data was exposed, this is limited to just the values noted above. Vercel has automatically mitigated this incident on behalf of our customers for the default flags discovery endpoint at .well-known/vercel/flags. Flags Explorer will be disabled and show a warning notice until upgraded to [email protected]. Resolution The verifyAccess function was patched within [email protected]. Users of @vercel/flags should also migrate to [email protected]. For further guidance on upgrading your version, please see our upgrade guide. Mitigations Vercel implemented a network-level mitigation to prevent the default flags discovery endpoint at /.well-known/vercel/flags being reachable, which automatically protects Vercel deployments against exploitation of this issue. Users need to upgrade to [email protected] to re-ena...

CVSS: MEDIUM (6.5)

EPSS Score: 0.04%

Source: Github Advisory Database (NPM)
May 2nd, 2025 (about 2 months ago)
[github.com/hashicorp/vault] Hashicorp Vault Community vulnerable to Generation of Error Message Containing Sensitive Information
Description: Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20. References https://nvd.nist.gov/vuln/detail/CVE-2025-4166 https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin https://github.com/advisories/GHSA-gcqf-f89c-68hv

CVSS: MEDIUM (4.5)

EPSS Score: 0.03%

Source: Github Advisory Database (Go)
May 2nd, 2025 (about 2 months ago)
[github.com/hashicorp/vault] Hashicorp Vault Community vulnerable to Incorrect Authorization
Description: Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18. References https://nvd.nist.gov/vuln/detail/CVE-2025-3879 https://discuss.hashicorp.com/t/hcsec-2025-07-vault-s-azure-authentication-method-bound-location-restriction-could-be-bypassed-on-login/74716 https://github.com/advisories/GHSA-f9ch-h8j7-8jwg

CVSS: MEDIUM (6.6)

EPSS Score: 0.05%

Source: Github Advisory Database (Go)
May 2nd, 2025 (about 2 months ago)

CVE-2025-46332
Information Disclosure via Flags override link
Description: Flags SDK is an open-source feature flags toolkit for Next.js and SvelteKit. Impacted versions include flags from 3.2.0 and prior and @vercel/flags from 3.1.1 and prior as certain circumstances allows a bad actor with detailed knowledge of the vulnerability to list all flags returned by the flags discovery endpoint (.well-known/vercel/flags). This vulnerability allows for information disclosure, where a bad actor could gain access to a list of all feature flags exposed through the flags discovery endpoint, including the flag names, flag descriptions, available options and their labels (e.g. true, false), and default flag values. This issue has been patched in [email protected], users of flags and @vercel/flags should also migrate to [email protected].

CVSS: MEDIUM (6.5)

EPSS Score: 0.04%

SSVC Exploitation: none

Source: CVE
May 2nd, 2025 (about 2 months ago)

CVE-2025-3879
Vault’s Azure Authentication Method bound_location Restriction Could be Bypassed on Login
Description: Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18.

CVSS: MEDIUM (6.6)

EPSS Score: 0.05%

SSVC Exploitation: none

Source: CVE
May 2nd, 2025 (about 2 months ago)

CVE-2024-47121
Weak Passwords Requirements in goTenna Pro
Description: The goTenna Pro App uses a weak password for sharing encryption keys via the key broadcast method. If the broadcasted encryption key is captured over RF, and password is cracked via brute force attack, it is possible to decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast with that particular key. This only applies when the key is broadcasted over RF. This is an optional feature, so it is recommended to use local QR encryption key sharing for additional security on this and previous versions.

CVSS: MEDIUM (6.0)

EPSS Score: 0.02%

SSVC Exploitation: none

Source: CVE
May 2nd, 2025 (about 2 months ago)