CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
|
Description: In June 2022, the Japanese record chain store Disk Union suffered a data breach. The incident exposed 690k unique email addresses along with names, post codes, phone numbers and plain text passwords.
June 7th, 2025 (21 days ago)
|
CVE-2025-5814 |
Description: The Profiler – What Slowing Down Your WP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpsd_plugin_control() function in all versions up to, and including, 1.0.0. This makes it possible for unauthenticated attackers to reactivate previously deactivated plugins after accessing the "Profiler" page.
CVSS: MEDIUM (5.3) EPSS Score: 0.07%
June 7th, 2025 (21 days ago)
|
|
CVE-2025-47601 |
WordPress MaxiBlocks plugin <= 2.1.0 - Arbitrary Option Update to Privilege Escalation vulnerability
Description: Missing Authorization vulnerability in Christiaan Pieterse MaxiBlocks allows Privilege Escalation.This issue affects MaxiBlocks: from n/a through 2.1.0.
CVSS: HIGH (8.8) EPSS Score: 0.04%
June 7th, 2025 (21 days ago)
|
|
Description: Overview
A flaw in Jackson-core's JsonLocation._appendSourceDesc method allows up to 500 bytes of unintended memory content to be included in exception messages. When parsing JSON from a byte array with an offset and length, the exception message incorrectly reads from the beginning of the array instead of the logical payload start. This results in possible information disclosure in systems using pooled or reused buffers, like Netty or Vert.x.
Details
The vulnerability affects the creation of exception messages like:
JsonParseException: Unexpected character ... at [Source: (byte[])...]
When JsonFactory.createParser(byte[] data, int offset, int len) is used, and an error occurs while parsing, the exception message should include a snippet from the specified logical payload. However, the method _appendSourceDesc ignores the offset, and always starts reading from index 0.
If the buffer contains residual sensitive data from a previous request, such as credentials or document contents, that data may be exposed if the exception is propagated to the client.
The issue particularly impacts server applications using:
Pooled byte buffers (e.g., Netty)
Frameworks that surface parse errors in HTTP responses
Default Jackson settings (i.e., INCLUDE_SOURCE_IN_LOCATION is enabled)
A documented real-world example is CVE-2021-22145 in Elasticsearch, which stemmed from the same root cause.
Attack Scenario
An attacker sends malformed JSON to a service using Jackson and pooled byte buffers (...
CVSS: MEDIUM (6.5)
June 7th, 2025 (21 days ago)
|
|
|
Description: Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-m65q-v92h-cm7q. This link is maintained to preserve external references.
Original Description
A flaw was found in the user's crate for Rust. This vulnerability allows privilege escalation via incorrect group listing when a user or process has fewer than exactly 1024 groups, leading to the erroneous inclusion of the root group in the access list.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-5791
https://github.com/ogham/rust-users/issues/44
https://access.redhat.com/security/cve/CVE-2025-5791
https://bugzilla.redhat.com/show_bug.cgi?id=2370001
https://crates.io/crates/users
https://rustsec.org/advisories/RUSTSEC-2025-0040.html
https://github.com/advisories/GHSA-jq8x-v7jw-v675
EPSS Score: 0.01%
June 7th, 2025 (21 days ago)
|
|
Description: [AI generated] Ticketmaster Entertainment, Inc. is an American ticket sales and distribution company headquartered in Beverly Hills, California. It operates in more than 20 countries, delivering over 100 million tickets annually. They provide services for worldwide events including concerts, sports events, theatre performances, and family shows. Apart from ticket distribution, Ticketmaster offers marketing and support for event organizers.
June 7th, 2025 (21 days ago)
|
|
|
Description: InTech Industries, Inc. specializes in full-service manufacturing, offering services such as 3D printing, design, tooling, injection molding, and precision CNC machining. They serve a wide range of industries, including life sciences, medical devices, dental, and personal safety. Their clients include businesses in a variety of sectors, such as pharmaceuticals, home care devices, and the optical industry.
June 7th, 2025 (21 days ago)
|
|
|
Description: Data of 1,000 registered distributors and sellers – employee and customer information – admin login passwords – email addresses, phone numbers, full names – and more...
June 6th, 2025 (21 days ago)
|
|
CVE-2025-49128 |
Description: Jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. Starting in version 2.0.0 and prior to version 2.13.0, a flaw in jackson-core's `JsonLocation._appendSourceDesc` method allows up to 500 bytes of unintended memory content to be included in exception messages. When parsing JSON from a byte array with an offset and length, the exception message incorrectly reads from the beginning of the array instead of the logical payload start. This results in possible information disclosure in systems using pooled or reused buffers, like Netty or Vert.x. This issue was silently fixed in jackson-core version 2.13.0, released on September 30, 2021, via PR #652. All users should upgrade to version 2.13.0 or later. If upgrading is not immediately possible, applications can mitigate the issue by disabling exception message exposure to clients to avoid returning parsing exception messages in HTTP responses and/or disabling source inclusion in exceptions to prevent Jackson from embedding any source content in exception messages, avoiding leakage.
CVSS: MEDIUM (4.0) EPSS Score: 0.01%
June 6th, 2025 (22 days ago)
|
|
|
Description: Summary
A Denial of Service (DoS) vulnerability was discovered in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash — especially in containerized or memory-constrained environments.
Impact
Component: server_quic.go
Attack Vector: Remote, network-based
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Impact: High availability loss (OOM kill or unresponsiveness)
This issue affects deployments with quic:// enabled in the Corefile. A single attacker can cause the CoreDNS instance to become unresponsive using minimal bandwidth and CPU.
Patches
The patch introduces two key mitigation mechanisms:
max_streams: Caps the number of concurrent QUIC streams per connection. Default: 256.
worker_pool_size: Introduces a server-wide, bounded worker pool to process incoming streams. Default: 1024.
This eliminates the 1:1 stream-to-goroutine model and ensures that CoreDNS remains resilient under high concurrency. The new configuration options are exposed through the quic Corefile block:
quic {
max_streams 256
worker_pool_size 1024
}
These defaults are generous and aligned with typical DNS-over-QUIC client behavior.
Workarounds
If you...
CVSS: HIGH (7.5) EPSS Score: 0.08%
June 6th, 2025 (22 days ago)
|