CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-21835 |
Description: In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_midi: fix MIDI Streaming descriptor lengths
While the MIDI jacks are configured correctly, and the MIDIStreaming
endpoint descriptors are filled with the correct information,
bNumEmbMIDIJack and bLength are set incorrectly in these descriptors.
This does not matter when the numbers of in and out ports are equal, but
when they differ the host will receive broken descriptors with
uninitialized stack memory leaking into the descriptor for whichever
value is smaller.
The precise meaning of "in" and "out" in the port counts is not clearly
defined and can be confusing. But elsewhere the driver consistently
uses this to match the USB meaning of IN and OUT viewed from the host,
so that "in" ports send data to the host and "out" ports receive data
from it.
EPSS Score: 0.05%
March 7th, 2025 (4 months ago)
|
|
CVE-2024-9458 |
Description: The Reservit Hotel WordPress plugin before 3.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
EPSS Score: 0.03%
March 7th, 2025 (4 months ago)
|
|
CVE-2024-13857 |
Description: The WPGet API – Connect to any external REST API plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
CVSS: MEDIUM (5.5) EPSS Score: 0.04%
March 7th, 2025 (4 months ago)
|
|
CVE-2024-13805 |
Description: The Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 5.2.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
CVSS: MEDIUM (6.4) EPSS Score: 0.03%
March 7th, 2025 (4 months ago)
|
|
CVE-2024-13668 |
Description: The WordPress Activity O Meter WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admins.
EPSS Score: 0.04%
March 7th, 2025 (4 months ago)
|
|
CVE-2024-13635 |
Description: The VK Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.94.2.2 via the page content block. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including the content of private posts and pages.
CVSS: MEDIUM (4.3) EPSS Score: 0.03%
March 7th, 2025 (4 months ago)
|
|
CVE-2024-13552 |
SupportCandy – Helpdesk & Customer Support Ticket System <= 3.3.0 - Insecure Direct Object Reference
Description: The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.0 via file upload due to missing validation on a user controlled key. This makes it possible for authenticated attackers to download attachments for support tickets that don't belong to them. If an admin enables tickets for guests, this can be exploited by unauthenticated attackers.
CVSS: MEDIUM (4.3) EPSS Score: 0.02%
March 7th, 2025 (4 months ago)
|
|
Description: A coalition of international law enforcement agencies has seized the website associated with the cryptocurrency exchange Garantex ("garantex[.]org"), nearly three years after the service was sanctioned by the U.S. Treasury Department in April 2022.
"The domain for Garantex has been seized by the United States Secret Service pursuant to a seizure warrant obtained by the United States Attorney's
March 7th, 2025 (4 months ago)
|
|
|
Description: Cybersecurity researchers have discovered a malicious Python package on the Python Package Index (PyPI) repository that's equipped to steal a victim's Ethereum private keys by impersonating popular libraries.
The package in question is set-utils, which has received 1,077 downloads to date. It's no longer available for download from the official registry.
"Disguised as a simple utility for Python
March 7th, 2025 (4 months ago)
|
|
CVE-2025-26331 |
Description: Dell ThinOS 2411 and prior, contains an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary code execution.
CVSS: HIGH (7.8) EPSS Score: 0.06%
March 7th, 2025 (4 months ago)
|