
Threat and Vulnerability Intelligence Database

Description: "This evening, President Trump fired me. No cause or reason was cited."
Source: 404 Media
February 8th, 2025 (5 months ago)

CVE-2025-25187

Description: Joplin is a free, open source note-taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by adding note titles to the document using React's `dangerouslySetInnerHTML` without first escaping HTML entities. Joplin lacks a Content-Security-Policy with a restrictive `script-src`. This allows arbitrary JavaScript execution via inline `onclick`/`onload` event handlers in unsanitized HTML. Additionally, Joplin's main window is created with `nodeIntegration` set to `true`, allowing arbitrary JavaScript execution to result in arbitrary code execution. Anyone who 1) receives notes from unknown sources and 2) uses Ctrl-P to search is impacted. This issue has been addressed in version 3.1.24 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS: HIGH (7.8)

EPSS Score: 0.05%

Source: CVE
February 8th, 2025 (5 months ago)

CVE-2025-25183

Description: vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Maliciously constructed statements can lead to hash collisions, resulting in cache reuse, which can interfere with subsequent responses and cause unintended behavior. Prefix caching makes use of Python's built-in hash() function. As of Python 3.12, the behavior of hash(None) has changed to be a predictable constant value. This makes it more feasible that someone could try to exploit hash collisions. The impact of a collision would be using cache that was generated using different content. Given knowledge of prompts in use and predictable hashing behavior, someone could intentionally populate the cache using a prompt known to collide with another prompt in use. This issue has been addressed in version 0.7.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS: LOW (2.6)

EPSS Score: 0.05%

Source: CVE
February 8th, 2025 (5 months ago)

CVE-2025-25168

Description: Cross-Site Request Forgery (CSRF) vulnerability in blackandwhitedigital BookPress – For Book Authors allows Cross-Site Scripting (XSS). This issue affects BookPress – For Book Authors: from n/a through 1.2.7.

CVSS: HIGH (7.1)

EPSS Score: 0.05%

Source: CVE
February 8th, 2025 (5 months ago)

CVE-2025-25167

Description: Missing Authorization vulnerability in blackandwhitedigital BookPress – For Book Authors allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BookPress – For Book Authors: from n/a through 1.2.7.

CVSS: HIGH (8.2)

EPSS Score: 0.09%

Source: CVE
February 8th, 2025 (5 months ago)

CVE-2025-25166

Description: Cross-Site Request Forgery (CSRF) vulnerability in gabrieldarezzo InLocation allows Stored XSS. This issue affects InLocation: from n/a through 1.8.

CVSS: HIGH (7.1)

EPSS Score: 0.05%

Source: CVE
February 8th, 2025 (5 months ago)

CVE-2025-25163

Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Zach Swetz Plugin A/B Image Optimizer allows Path Traversal. This issue affects Plugin A/B Image Optimizer: from n/a through 3.3.

CVSS: HIGH (7.5)

EPSS Score: 0.09%

Source: CVE
February 8th, 2025 (5 months ago)

CVE-2025-25160

Description: Cross-Site Request Forgery (CSRF) vulnerability in Mark Barnes Style Tweaker allows Stored XSS. This issue affects Style Tweaker: from n/a through 0.11.

CVSS: HIGH (7.1)

EPSS Score: 0.05%

Source: CVE
February 8th, 2025 (5 months ago)

CVE-2025-25159

Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in robert_kolatzek WP doodlez allows Stored XSS. This issue affects WP doodlez: from n/a through 1.0.10.

CVSS: HIGH (7.1)

EPSS Score: 0.04%

Source: CVE
February 8th, 2025 (5 months ago)

CVE-2025-25156

Description: Cross-Site Request Forgery (CSRF) vulnerability in Stanko Metodiev Quote Comments allows Stored XSS. This issue affects Quote Comments: from n/a through 2.2.1.

CVSS: HIGH (7.1)

EPSS Score: 0.04%

Source: CVE
February 8th, 2025 (5 months ago)