Threat and Vulnerability Intelligence Database

CVE-2025-46338

Description: Audiobookshelf is a self-hosted audiobook and podcast server. Prior to version 2.21.0, an improper input handling vulnerability in the `/api/upload` endpoint allows an attacker to perform a reflected cross-site scripting (XSS) attack by submitting malicious payloads in the `libraryId` field. The unsanitized input is reflected in the server’s error message, enabling arbitrary JavaScript execution in a victim's browser. This issue has been patched in version 2.21.0.

CVSS: MEDIUM (6.9)

EPSS Score: 0.04%

Source: CVE
April 29th, 2025 (2 months ago)

CVE-2025-4038

Description: A vulnerability was found in code-projects Train Ticket Reservation System 1.0. It has been declared as critical. Affected by this vulnerability is the function Reservation of the component Ticket Reservation. The manipulation of the argument Name leads to a stack-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used.

CVSS: MEDIUM (4.8)

EPSS Score: 0.02%

Source: CVE
April 28th, 2025 (2 months ago)

CVE-2024-11922

Description: Missing input validation in certain features of the Web Client of Fortra's GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to insert arbitrary HTML or JavaScript into an email.

CVSS: MEDIUM (6.3)

EPSS Score: 0.03%

Source: CVE
April 28th, 2025 (2 months ago)

CVE-2025-4037

Description: A vulnerability was found in code-projects ATM Banking 1.0. It has been classified as critical. Affected is the function moneyDeposit/moneyWithdraw. The manipulation leads to business logic errors. Local access is required to carry out this attack. The exploit has been disclosed to the public and may be used.

CVSS: MEDIUM (4.8)

EPSS Score: 0.02%

Source: CVE
April 28th, 2025 (2 months ago)

CVE-2024-10635

Description: Enterprise Protection contains an improper input validation vulnerability in attachment defense that allows an unauthenticated remote attacker to bypass attachment scanning security policy by sending a malicious S/MIME attachment with an opaque signature. When opened by a recipient in a downstream email client, the malicious attachment could cause partial loss of integrity and confidentiality to their system.

CVSS: MEDIUM (6.1)

EPSS Score: 0.04%

Source: CVE
April 28th, 2025 (2 months ago)

CVE-2025-3984

Description: A vulnerability was found in Apereo CAS 5.2.6 and classified as critical. Affected by this issue is the function saveService of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\java\org\apereo\cas\mgmt\services\web\RegisteredServiceSimpleFormController.java of the component Groovy Code Handler. The manipulation leads to code injection. The attack may be launched remotely. The complexity of an attack is rather high and exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References:
https://nvd.nist.gov/vuln/detail/CVE-2025-3984
https://vuldb.com/?ctiid.306320
https://vuldb.com/?id.306320
https://vuldb.com/?submit.557100
https://wx.mail.qq.com/s?k=ilW4ixcMaVgGU49Dij
https://github.com/advisories/GHSA-37pq-893f-g7q5

CVSS: MEDIUM (5.0)

EPSS Score: 0.05%

Source: Github Advisory Database (Maven)
April 28th, 2025 (2 months ago)

CVE-2025-3986

Description: A vulnerability was found in Apereo CAS 5.2.6. It has been declared as problematic. This vulnerability affects unknown code of the file cas-5.2.6\core\cas-server-core-configuration-metadata-repository\src\main\java\org\apereo\cas\metadata\rest\CasConfigurationMetadataServerController.java. The manipulation of the argument Name leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References:
https://nvd.nist.gov/vuln/detail/CVE-2025-3986
https://vuldb.com/?ctiid.306322
https://vuldb.com/?id.306322
https://vuldb.com/?submit.557473
https://wx.mail.qq.com/s?k=rk-m8GwRMVMcOjBY1a
https://github.com/advisories/GHSA-mvwq-hcrj-f5x9

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

Source: Github Advisory Database (Maven)
April 28th, 2025 (2 months ago)

CVE-2025-4036

Description: A vulnerability was found in 201206030 Novel 3.5.0 and classified as critical. This issue affects the function updateBookChapter of the file src/main/java/io/github/xxyopen/novel/controller/author/AuthorController.java of the component Chapter Handler. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

Source: CVE
April 28th, 2025 (2 months ago)

CVE-2025-4034

Description: A vulnerability classified as critical was found in projectworlds Online Examination System 1.0. Affected by this vulnerability is an unknown functionality of the file /inser_doc_process.php. The manipulation of the argument Doc_ID leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

CVSS: MEDIUM (6.9)

EPSS Score: 0.03%

Source: CVE
April 28th, 2025 (2 months ago)

CVE-2025-34490

Description: GFI MailEssentials prior to version 21.8 is vulnerable to an XML External Entity (XXE) issue. An authenticated and remote attacker can send crafted HTTP requests to read arbitrary system files.

CVSS: MEDIUM (6.5)

EPSS Score: 0.05%

SSVC Exploitation: none

Source: CVE
April 28th, 2025 (2 months ago)