CVE-2025-32949 |
Description: This vulnerability allows any authenticated user to cause the server to consume very large amounts of disk space when extracting a Zip Bomb.
If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. The yauzl library does not contain any mechanism to detect or prevent extraction of a Zip Bomb (https://en.wikipedia.org/wiki/Zip_bomb). Therefore, when the User Import functionality is given a Zip Bomb, PeerTube will try to extract the archive, which causes disk space resource exhaustion.
CVSS: MEDIUM (6.5) EPSS Score: 0.04%
April 15th, 2025 (5 days ago)
|
|
Description: Versions of the package jquery-validation before 1.20.0 are vulnerable to Cross-site Scripting (XSS) in the showLabel() function, which may take input from a user-controlled placeholder value. This value will populate a message via $.validator.messages in a user localizable dictionary.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-3573
https://github.com/jquery-validation/jquery-validation/pull/2462
https://github.com/jquery-validation/jquery-validation/commit/7a490d8f39bd988027568ddcf51755e1f4688902
https://security.snyk.io/vuln/SNYK-JS-JQUERYVALIDATION-5952285
https://github.com/advisories/GHSA-rrj2-ph5q-jxw2
CVSS: MEDIUM (5.3) EPSS Score: 0.03%
April 15th, 2025 (5 days ago)
|
CVE-2025-32946 |
Description: This vulnerability allows any attacker to add playlists to a different user’s channel using the ActivityPub protocol. The vulnerable code sets the owner of the new playlist to be the user who performed the request, and then sets the associated channel to the channel ID supplied by the request, without checking if it belongs to the user.
CVSS: MEDIUM (5.3) EPSS Score: 0.03%
April 15th, 2025 (5 days ago)
|
CVE-2025-32945 |
Description: The vulnerability allows an existing user to add playlists to a different user’s channel using the PeerTube REST API. The vulnerable code sets the owner of the new playlist to be the user who performed the request, and then sets the associated channel to the channel ID supplied by the request, without checking if it belongs to the user.
CVSS: MEDIUM (4.3) EPSS Score: 0.03%
April 15th, 2025 (5 days ago)
|
CVE-2025-32944 |
Description: The vulnerability allows any authenticated user to cause the PeerTube server to stop functioning in a persistent manner. If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. If the yauzl library encounters a filename that is considered illegal, it raises an exception that is uncaught by PeerTube, leading to a crash which repeats infinitely on startup.
CVSS: MEDIUM (6.5) EPSS Score: 0.04%
April 15th, 2025 (5 days ago)
|
CVE-2025-30965 |
Description: Cross-Site Request Forgery (CSRF) vulnerability in NotFound WPJobBoard allows Cross Site Request Forgery. This issue affects WPJobBoard: from n/a through n/a.
CVSS: MEDIUM (4.3) EPSS Score: 0.01%
April 15th, 2025 (5 days ago)
|
CVE-2025-30964 |
Description: Server-Side Request Forgery (SSRF) vulnerability in EPC Photography. This issue affects Photography: from n/a through 7.5.2.
CVSS: MEDIUM (5.4) EPSS Score: 0.03%
April 15th, 2025 (5 days ago)
|
CVE-2025-26990 |
Description: Server-Side Request Forgery (SSRF) vulnerability in WP Royal Royal Elementor Addons allows Server Side Request Forgery. This issue affects Royal Elementor Addons: from n/a through 1.7.1006.
CVSS: MEDIUM (4.4) EPSS Score: 0.02%
April 15th, 2025 (5 days ago)
|
CVE-2025-26982 |
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric-Oliver Mächler DSGVO Youtube allows DOM-Based XSS. This issue affects DSGVO Youtube: from n/a through 1.5.1.
CVSS: MEDIUM (6.5) EPSS Score: 0.03%
April 15th, 2025 (5 days ago)
|
CVE-2025-26955 |
Description: Missing Authorization vulnerability in VW Themes Industrial Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Industrial Lite: from n/a through 1.0.8.
CVSS: MEDIUM (4.3) EPSS Score: 0.04%
April 15th, 2025 (5 days ago)
|