Threat and Vulnerability Intelligence Database

CVE-2024-22625

Description: Complete Supplier Management System v1.0 is vulnerable to SQL Injection via /Supply_Management_System/admin/edit_category.php?id=.

EPSS Score: 0.03%

SSVC Exploitation: none

Source: CVE
June 4th, 2025 (about 8 hours ago)

CVE-2024-22529

Description: TOTOLINK X2000R_V2 V2.0.0-B20230727.10434 has a command injection vulnerability in the sub_449040 (handle function of formUploadFile) of /bin/boa.

EPSS Score: 2.64%

SSVC Exploitation: none

Source: CVE
June 4th, 2025 (about 8 hours ago)

CVE-2024-22048

Description: govuk_tech_docs versions from 2.0.2 to before 3.3.1 are vulnerable to a cross-site scripting vulnerability. Malicious JavaScript may be executed in the user's browser if a malicious search result is displayed on the search page.

EPSS Score: 1.18%

SSVC Exploitation: none

Source: CVE
June 4th, 2025 (about 8 hours ago)
Description: [AI generated] "V² Development" is a comprehensive real estate development company that specializes in various aspects of real estate sectors, including residential, commercial, and industrial development. The company prides itself on creating sustainable and innovative solutions to meet the evolving needs of their clients. V² Development focuses on successful property development projects through insightful investment strategies, implying extensive market research and reliable partnership formations.
Source: Ransomware.live
June 4th, 2025 (about 9 hours ago)
Description: As a leader in real estate development in Quebec, Groupe Devimco has been designing and creating unique and mixed-use living environments for 30 years. Revenue 2024 : $ 44 M
Source: Ransomware.live
June 4th, 2025 (about 9 hours ago)
Description: Overview
In Auth0 Next.js SDK versions 4.0.1 to 4.6.0, __session cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Control headers.

Am I Affected?
You are affected by this vulnerability if you meet the following preconditions:
- Applications using the NextJS-Auth0 SDK, versions between 4.0.1 to 4.6.0,
- Applications using CDN or edge caching that caches responses with the Set-Cookie header.
- If the Cache-Control header is not properly set for sensitive responses.

Fix
Upgrade auth0/nextjs-auth0 to v4.6.1.

References
https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-f3fg-mf2q-fj3f
https://github.com/auth0/nextjs-auth0/commit/12a62ca596db3b0827b39a4b865b882423e7cb1e
https://github.com/advisories/GHSA-f3fg-mf2q-fj3f
Source: Github Advisory Database (NPM)
June 4th, 2025 (about 9 hours ago)
Description: Summary
The Deno.env.toObject method ignores any variables listed in the --deny-env option of the deno run command. When looking at the documentation of the --deny-env option this might lead to a false impression that variables listed in the option are impossible to read.

PoC
    export AWS_SECRET_ACCESS_KEY=my-secret-aws-key

    # Works as expected. The program stops with a "NotCapable" error message
    echo 'console.log(Deno.env.get("AWS_SECRET_ACCESS_KEY"));' | deno run \
      --allow-env \
      --deny-env=AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY -

    # All environment variables are printed and the --deny-env list is completely disregarded
    echo 'console.log(Deno.env.toObject());' | deno run \
      --allow-env \
      --deny-env=AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY -

The first example using get exits with the following error:
    error: Uncaught (in promise) NotCapable: Requires env access to "AWS_SECRET_ACCESS_KEY", run again with the --allow-env flag
    console.log(Deno.env.get("AWS_SECRET_ACCESS_KEY"));
                         ^
        at Object.getEnv [as get] (ext:deno_os/30_os.js:124:10)
        at file:///$deno$stdin.mts:1:22

The second example using toObject prints all environment variables:
    [Object: null prototype] {
      ...
      AWS_SECRET_ACCESS_KEY: "my-secret-aws-key",
      ...
    }

Impact
Software relying on the combination of both flags to allow access to most environment variables except a few sensitive ones will be vulnerable to malicious code trying to steal secrets using the Deno.env.toObject() meth...
Source: Github Advisory Database (Rust)
June 4th, 2025 (about 9 hours ago)
Description: Summary
It is possible to bypass Deno's read/write permission checks by using the ATTACH DATABASE statement.

PoC
    // poc.js
    import { DatabaseSync } from "node:sqlite"
    const db = new DatabaseSync(":memory:");
    db.exec("ATTACH DATABASE 'test.db' as test;");
    db.exec("CREATE TABLE test.test (id INTEGER PRIMARY KEY, name TEXT);");

    $ deno poc.js

References
https://github.com/denoland/deno/security/advisories/GHSA-8vxj-4cph-c596
https://github.com/denoland/deno/commit/31a97803995bd94629528ba841b2418d3ca01860
https://github.com/advisories/GHSA-8vxj-4cph-c596
Source: Github Advisory Database (Rust)
June 4th, 2025 (about 9 hours ago)