March 5th, 2025 (4 months ago)
|
Description: The nation-state threat group has been breaching providers of remote management tools, identity management providers, and other IT companies to access networks of targeted entities, according to Microsoft.
March 5th, 2025 (4 months ago)
|
CVE-2025-27508 |
Description: Emissary is a P2P-based data-driven workflow engine. The ChecksumCalculator class within Emissary allows for hashing and checksum generation, but it includes or defaults to algorithms that are no longer recommended for secure cryptographic use cases (e.g., SHA-1, CRC32, and SSDEEP). These algorithms, while possibly valid for certain non-security-critical tasks, can expose users to security risks if used in scenarios where strong cryptographic guarantees are required. This issue is fixed in 8.24.0.
CVSS: HIGH (7.5) EPSS Score: 0.02%
March 5th, 2025 (4 months ago)
|
CVE-2025-27516 |
Description: Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment's attribute lookup. This vulnerability is fixed in 3.1.6.
CVSS: MEDIUM (5.4) EPSS Score: 0.07% SSVC Exploitation: none
March 5th, 2025 (4 months ago)
|
CVE-2025-25634 |
Description: A vulnerability has been found in Tenda AC15 15.03.05.19 in the function GetParentControlInfo of the file /goform/GetParentControlInfo. The manipulation of the argument src leads to a stack-based buffer overflow.
EPSS Score: 0.04%
March 5th, 2025 (4 months ago)
|
CVE-2025-25632 |
Description: Tenda AC15 v15.03.05.19 is vulnerable to Command Injection via the handler function in /goform/telnet.
EPSS Score: 0.42%
March 5th, 2025 (4 months ago)
|
CVE-2025-25362 |
Description: A Server-Side Template Injection (SSTI) vulnerability in Spacy-LLM v0.7.2 allows attackers to execute arbitrary code via injecting a crafted payload into the template field.
EPSS Score: 0.11%
March 5th, 2025 (4 months ago)
|
CVE-2024-57174 |
Description: A misconfiguration in Alphion ASEE-1443 Firmware v0.4.H.00.02.15 defines a previously unregistered domain name as the default DNS suffix. This allows attackers to register the unclaimed domain and point its wildcard DNS entry to an attacker-controlled IP address, making it possible to access sensitive information.
EPSS Score: 0.03%
March 5th, 2025 (4 months ago)
|
CVE-2024-51144 |
Description: A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'pvmsg.php?action=add_message', 'pvmsg.php?action=confirm_delete', and 'ajax.server.php?page=user&action=flip_follow' endpoints in Ampache <= 6.6.0.
EPSS Score: 0.19%
March 5th, 2025 (4 months ago)
|
Description: An oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code.
To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.
Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment's attribute lookup.
References
https://github.com/pallets/jinja/security/advisories/GHSA-cpwx-vrp4-4pq7
https://github.com/pallets/jinja/commit/90457bbf33b8662926ae65cdde4c4c32e756e403
https://github.com/advisories/GHSA-cpwx-vrp4-4pq7
March 5th, 2025 (4 months ago)
|