Threat and Vulnerability Intelligence Database

CVE-2025-46629

Description: Lack of access controls in the 'ate' management binary of the Tenda RX2 Pro 16.03.30.14 allows an unauthenticated remote attacker to perform unauthorized configuration changes on any router where 'ate' has been enabled by sending a crafted UDP packet.

CVSS: MEDIUM (6.5)

EPSS Score: 0.05%

Source: CVE
May 1st, 2025 (about 2 months ago)

CVE-2024-10445

Description: This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology BeeStation BST150-4T devices. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 5.3. The following CVEs are assigned: CVE-2024-10445.

CVSS: MEDIUM (4.3)

Source: Zero Day Initiative Published Advisories
May 1st, 2025 (about 2 months ago)

CVE-2025-36558

Description: KUNBUS PiCtory version 2.11.1 and earlier are vulnerable to a cross-site scripting attack via the sso_token used for authentication. If an attacker provides the user with a PiCtory URL containing an HTML script as the sso_token, that script is reflected back to the user and executed.

CVSS: MEDIUM (6.1)

EPSS Score: 0.06%

Source: CVE
May 1st, 2025 (about 2 months ago)

CVE-2025-3517

Description: Privilege context switching error in PAM JIT feature in Devolutions Server 2025.1.5.0 and earlier allows a PAM JIT account password to be improperly reset after usage via specific actions such as editing the username.

CVSS: MEDIUM (6.3)

EPSS Score: 0.04%

SSVC Exploitation: none

Source: CVE
May 1st, 2025 (about 2 months ago)

CVE-2025-46567

Description: LLaMA-Factory enables fine-tuning of large language models. Prior to version 1.0.0, a critical vulnerability exists in the `llamafy_baichuan2.py` script of the LLaMA-Factory project. The script performs insecure deserialization using `torch.load()` on user-supplied `.bin` files from an input directory. An attacker can exploit this behavior by crafting a malicious `.bin` file that executes arbitrary commands during deserialization. This issue has been patched in version 1.0.0.

CVSS: MEDIUM (6.1)

EPSS Score: 0.02%

Source: CVE
May 1st, 2025 (about 2 months ago)

CVE-2025-46566

Description: DataEase is an open-source BI tool and an alternative to Tableau. Prior to version 2.10.9, authenticated users can achieve remote code execution (RCE) through the backend JDBC connection. This issue has been patched in version 2.10.9.

CVSS: MEDIUM (6.8)

EPSS Score: 0.05%

Source: CVE
May 1st, 2025 (about 2 months ago)

CVE-2025-46565

Description: Vite is a frontend tooling framework for JavaScript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or the server.host config option) are affected. Only files that are under the project root and are denied by a file matching pattern can be bypassed. `server.fs.deny` can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns could be bypassed for files under `root` by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14.

CVSS: MEDIUM (6.0)

EPSS Score: 0.07%

Source: CVE
May 1st, 2025 (about 2 months ago)

CVE-2025-46345

Description: Auth0 Account Link Extension is an extension intended to help link accounts easily. Versions 2.3.4 to 2.6.6 do not verify the signature of the provided JWT. This allows a user to supply a forged token and potentially access user information without proper authorization. This issue has been patched in versions 2.6.7, 2.7.0, and 3.0.0. It is recommended to upgrade to version 3.0.0 or greater.

CVSS: MEDIUM (6.9)

EPSS Score: 0.05%

Source: CVE
May 1st, 2025 (about 2 months ago)

CVE-2025-44867

Description: Tenda W20E V15.11.0.6 was found to contain a command injection vulnerability in the formSetNetCheckTools function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

CVSS: MEDIUM (6.3)

EPSS Score: 10.57%

Source: CVE
May 1st, 2025 (about 2 months ago)

CVE-2025-44866

Description: Tenda W20E V15.11.0.6 was found to contain a command injection vulnerability in the formSetDebugCfg function via the level parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

CVSS: MEDIUM (6.3)

EPSS Score: 10.57%

Source: CVE
May 1st, 2025 (about 2 months ago)