- Latest
- Trending
98 CVEs created, 611 CVEs updated since yesterday
1214 CVEs created, 2990 CVEs updated in the last 7 days
4757 CVEs created, 91622 CVEs updated in the last 30 days
| Since yesterday | Last 7 days | Last 30 days |
|---|---|---|
| 0 | 4 | 16 |
| >5% | >10% | >50% |
|---|---|---|
| 0 | 0 | 0 |
CVE ID : CVE-2025-3793 Published : April 24, 2025, 9:15 a.m. | 16 minutes ago Description : The Buddypress Force Password Change plugin for WordPress is vulnerable to authenticated account takeover due to the plugin not properly validating a user's identity prior to updating their password through the 'bp_force_password_ajax' function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with subscriber-level access and above and under certain prerequisites, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their accounts. Severity: 4.2 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-3832 Published : April 24, 2025, 9:15 a.m. | 16 minutes ago Description : The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘successredirect’ parameter in all versions up to, and including, 6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Severity: 6.4 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-3280 Published : April 24, 2025, 9:15 a.m. | 16 minutes ago Description : The ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes plugin for WordPress is vulnerable to SQL Injection via the 'attribute_value_filter' parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Severity: 6.5 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-3300 Published : April 24, 2025, 9:15 a.m. | 16 minutes ago Description : The WPMasterToolKit (WPMTK) – All in one plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.5.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to read and modify the contents of arbitrary files on the server, which can contain sensitive information. Severity: 7.2 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-3603 Published : April 24, 2025, 9:15 a.m. | 16 minutes ago Description : The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. Severity: 9.8 | CRITICAL Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-3604 Published : April 24, 2025, 9:15 a.m. | 16 minutes ago Description : The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. Severity: 9.8 | CRITICAL Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-3607 Published : April 24, 2025, 9:15 a.m. | 16 minutes ago Description : The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.7. This is due to the plugin not properly validating a user's identity prior to updating a password. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. Severity: 8.8 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-3776 Published : April 24, 2025, 9:15 a.m. | 16 minutes ago Description : The Verification SMS with TargetSMS plugin for WordPress is vulnerable to limited Remote Code Execution in all versions up to, and including, 1.5 via the 'targetvr_ajax_handler' function. This is due to a lack of validation on the type of function that can be called. This makes it possible for unauthenticated attackers to execute any callable function on the site, such as phpinfo(). Severity: 8.3 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-2579 Published : April 24, 2025, 9:15 a.m. | 16 minutes ago Description : The Lottie Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the uploaded file. Severity: 6.4 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-3058 Published : April 24, 2025, 9:15 a.m. | 16 minutes ago Description : The Xelion Webchat plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the xwc_save_settings() function in all versions up to, and including, 9.1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. Severity: 8.8 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...
1000+ Unique IPs Attacking Ivanti Connect Secure Systems to Exploit Vulnerabilities A significant increase in suspicious scanning activity targeting Ivanti Connect Secure (ICS) and Ivanti Pulse Secure (IPS) VPN systems, signaling a potential coordinated reconnaissance effort by threa ... Read more Published Date: Apr 24, 2025 (3 hours, 15 minutes ago) Vulnerabilities has been mentioned in this article. CVE-2025-22457
April 2025 Patch Tuesday: One Zero-Day and 11 Critical Vulnerabilities Among 121 CVEs Microsoft has addressed 121 vulnerabilities in its April 2025 security update release. This month's patches include fixes for one actively exploited zero-day vulnerability and 11 Critical vulnerabilit ... Read more Published Date: Apr 24, 2025 (3 hours, 37 minutes ago) Vulnerabilities has been mentioned in this article. CVE-2025-29824 CVE-2025-29791 CVE-2025-27752 CVE-2025-27749 CVE-2025-27748 CVE-2025-27745 CVE-2025-27738 CVE-2025-27491 CVE-2025-27482 CVE-2025-27480 CVE-2025-26686 CVE-2025-26670 CVE-2025-26663 CVE-2025-26647 CVE-2025-21197
A new era of cyber threats is approaching for the energy sector Cyber threats targeting the energy sector come in many forms, including state-sponsored actors seeking to disrupt national infrastructure, cybercriminals motivated by profit, and insiders intentionall ... Read more Published Date: Apr 24, 2025 (4 hours, 31 minutes ago) Vulnerabilities has been mentioned in this article. CVE-2021-44228
CVE-2025-1021 impacts Synology DiskStation Manager CVE-2025-1021 is a critical vulnerability affecting Synology DiskStation Manager (DSM), specifically its Network File System (NFS) service. This flaw allows unauthenticated remote attackers to read ar ... Read more Published Date: Apr 24, 2025 (6 hours, 16 minutes ago) Vulnerabilities has been mentioned in this article. CVE-2025-1021 CVE-2025-1732 CVE-2025-1731 CVE-2025-32433 CVE-2025-24054
HNS-2025-10 - HN Security Advisory - Local privilege escalation in Zyxel uOS Full Disclosure mailing list archives HNS-2025-10 - HN Security Advisory - Local privilege escalation in Zyxel uOS From: Marco Ivaldi Date: Wed, 23 Apr 2025 08:44:55 +0200 ... Read more Published Date: Apr 24, 2025 (6 hours, 17 minutes ago) Vulnerabilities has been mentioned in this article. CVE-2025-1731
APPLE-SA-04-16-2025-4 visionOS 2.4.1 Full Disclosure mailing list archives From: Apple Product Security via Fulldisclosure Date: Wed, 16 Apr 2025 13:54:14 -0700 -----BEGIN PGP SIGNED MESSAGE----- Hash: SH ... Read more Published Date: Apr 24, 2025 (6 hours, 17 minutes ago) Vulnerabilities has been mentioned in this article. CVE-2025-31201 CVE-2025-31200
APPLE-SA-04-16-2025-3 tvOS 18.4.1 Full Disclosure mailing list archives From: Apple Product Security via Fulldisclosure Date: Wed, 16 Apr 2025 13:53:47 -0700 -----BEGIN PGP SIGNED MESSAGE----- Hash: SH ... Read more Published Date: Apr 24, 2025 (6 hours, 17 minutes ago) Vulnerabilities has been mentioned in this article. CVE-2025-31201 CVE-2025-31200
APPLE-SA-04-16-2025-2 macOS Sequoia 15.4.1 Full Disclosure mailing list archives From: Apple Product Security via Fulldisclosure Date: Wed, 16 Apr 2025 13:53:17 -0700 -----BEGIN PGP SIGNED MESSAGE----- Hash: SH ... Read more Published Date: Apr 24, 2025 (6 hours, 17 minutes ago) Vulnerabilities has been mentioned in this article. CVE-2025-31201 CVE-2025-31200
APPLE-SA-04-16-2025-1 iOS 18.4.1 and iPadOS 18.4.1 Full Disclosure mailing list archives From: Apple Product Security via Fulldisclosure Date: Wed, 16 Apr 2025 13:52:47 -0700 -----BEGIN PGP SIGNED MESSAGE----- Hash: SH ... Read more Published Date: Apr 24, 2025 (6 hours, 17 minutes ago) Vulnerabilities has been mentioned in this article. CVE-2025-31201 CVE-2025-31200
Critical Commvault RCE Vulnerability Lets Remote Attackers Execute Arbitrary Code A significant security vulnerability (CVE-2025-34028) has been discovered in Commvault Command Center Innovation Release, enabling unauthenticated attackers to execute arbitrary code remotely. The vul ... Read more Published Date: Apr 24, 2025 (7 hours, 13 minutes ago) Vulnerabilities has been mentioned in this article. CVE-2025-34028
Redis Vulnerability Exposes Servers to Denial-of-Service Attacks A high-severity vulnerability has been discovered in Redis, the popular open-source in-memory data structure store, which could allow unauthenticated users to exhaust server memory and cause a Denial- ... Read more Published Date: Apr 24, 2025 (7 hours, 33 minutes ago) Vulnerabilities has been mentioned in this article. CVE-2025-21605 CVE-2024-31449 CVE-2023-41056 CVE-2022-35951
April 2025 Patch Tuesday: One Zero-Day and 11 Critical Vulnerabilities Among 121 CVEs Microsoft has addressed 121 vulnerabilities in its April 2025 security update release. This month's patches include fixes for one actively exploited zero-day vulnerability and 11 Critical vulnerabilit ... Read more Published Date: Apr 24, 2025 (7 hours, 37 minutes ago) Vulnerabilities has been mentioned in this article. CVE-2025-29824 CVE-2025-29791 CVE-2025-27752 CVE-2025-27749 CVE-2025-27748 CVE-2025-27745 CVE-2025-27738 CVE-2025-27491 CVE-2025-27482 CVE-2025-27480 CVE-2025-26686 CVE-2025-26670 CVE-2025-26663 CVE-2025-26647 CVE-2025-21197
GitLab Releases Security Update to Patch XSS and Account Takeover Flaws GitLab has issued a security advisory urging users to upgrade their self-managed GitLab installations immediately. The advisory highlights the release of versions 17.11.1, 17.10.5, and 17.9.7 for both ... Read more Published Date: Apr 24, 2025 (7 hours, 46 minutes ago) Vulnerabilities has been mentioned in this article.
High-Severity SonicWall SSLVPN Vulnerability Allows Firewall Crashing SonicWall has disclosed a vulnerability affecting its SonicOS SSLVPN Virtual Office interface, which, if exploited, could allow remote attackers to crash firewall appliances. Tracked as CVE-2025-32818 ... Read more Published Date: Apr 24, 2025 (7 hours, 57 minutes ago) Vulnerabilities has been mentioned in this article. CVE-2025-32818 CVE-2025-32965 CVE-2024-53704 CVE-2024-40766 CVE-2023-0656
CVE-2025-32965: Backdoor in xrpl.js SDK Puts Crypto Wallets at Risk Aikido Intel has issued an urgent alert after detecting a backdoor in multiple versions of xrpl.js, the official SDK for the XRP Ledger, marking one of the most severe supply chain attacks to hit the ... Read more Published Date: Apr 24, 2025 (8 hours, 38 minutes ago) Vulnerabilities has been mentioned in this article. CVE-2025-32965 CVE-2025-34028
CVE-2025-34028: Critical RCE Flaw in Commvault Command Center Scores CVSS 10 Commvault has disclosed a critical vulnerability affecting its Command Center, identified as CVE-2025-34028, with the maximum CVSS score of 10.0. The flaw allows unauthenticated remote attackers to ex ... Read more Published Date: Apr 24, 2025 (8 hours, 51 minutes ago) Vulnerabilities has been mentioned in this article. CVE-2025-32965 CVE-2025-34028
CVE-2024-6235: NetScaler Console Flaw Enables Admin Access, PoC Publishes A critical vulnerability—CVE-2024-6235—in Citrix NetScaler Console has been dissected by security researcher chutton-r7, revealing a severe unauthenticated session hijack that enables attackers to cre ... Read more Published Date: Apr 24, 2025 (9 hours, 1 minute ago) Vulnerabilities has been mentioned in this article. CVE-2024-12284 CVE-2024-6236 CVE-2024-6235
NVIDIA NeMo Framework: High-Risk Vulnerabilities Allow Remote Code Execution NVIDIA has issued a security bulletin disclosing three high-severity vulnerabilities in its NeMo Framework, a scalable, cloud-native generative AI platform designed for developers working with Large L ... Read more Published Date: Apr 24, 2025 (9 hours, 10 minutes ago) Vulnerabilities has been mentioned in this article. CVE-2025-23251 CVE-2025-23250 CVE-2025-23249
Grafana Patches CVE-2025-3260 and More in Critical Security Update Grafana Labs has issued security updates for multiple product versions, addressing one high and two medium-severity vulnerabilities affecting Grafana OSS and Enterprise editions. The most serious—CVE- ... Read more Published Date: Apr 24, 2025 (9 hours, 24 minutes ago) Vulnerabilities has been mentioned in this article.
FormBook Malware Spreads via Sophisticated Phishing Attack Workflow diagram of this FormBook campaign | Image: FortiGuard Labs A new phishing campaign distributing the FormBook infostealer malware has been uncovered by Fortinet’s FortiGuard Labs, targeting Wi ... Read more Published Date: Apr 24, 2025 (9 hours, 26 minutes ago) Vulnerabilities has been mentioned in this article.
April 2025 Patch Tuesday: One Zero-Day and 11 Critical Vulnerabilities Among 121 CVEs Microsoft has addressed 121 vulnerabilities in its April 2025 security update release. This month's patches include fixes for one actively exploited zero-day vulnerability and 11 Critical vulnerabilit ... Read more Published Date: Apr 23, 2025 (9 hours, 37 minutes ago) Vulnerabilities has been mentioned in this article. CVE-2025-29824 CVE-2025-29791 CVE-2025-27752 CVE-2025-27749 CVE-2025-27748 CVE-2025-27745 CVE-2025-27738 CVE-2025-27491 CVE-2025-27482 CVE-2025-27480 CVE-2025-26686 CVE-2025-26670 CVE-2025-26663 CVE-2025-26647 CVE-2025-21197
Ripple NPM supply chain attack hunts for private keys Many versions of the Ripple ledger (XRPL) official NPM package are compromised with malware injected to steal cryptocurrency. The NPM package, xrpl, is a JavaScript/TypeScript library that devs use to ... Read more Published Date: Apr 23, 2025 (15 hours, 4 minutes ago) Vulnerabilities has been mentioned in this article. CVE-2025-32965
April 2025 Patch Tuesday: One Zero-Day and 11 Critical Vulnerabilities Among 121 CVEs Microsoft has addressed 121 vulnerabilities in its April 2025 security update release. This month's patches include fixes for one actively exploited zero-day vulnerability and 11 Critical vulnerabilit ... Read more Published Date: Apr 23, 2025 (15 hours, 37 minutes ago) Vulnerabilities has been mentioned in this article. CVE-2025-29824 CVE-2025-29791 CVE-2025-27752 CVE-2025-27749 CVE-2025-27748 CVE-2025-27745 CVE-2025-27738 CVE-2025-27491 CVE-2025-27482 CVE-2025-27480 CVE-2025-26686 CVE-2025-26670 CVE-2025-26663 CVE-2025-26647 CVE-2025-21197
Kubernetes IngressNightmare Vulnerabilities: What You Need to Know We would like to recognize Amit Serper, Travis Lowe, Tony Gore, Adrian Godoy, Mihai Vasilescu, Suraj Sahu, Pablo Ramos, Raj Jammalamadaka, Lacie Griffin, and Josh Grunzweig for their contributions in ... Read more Published Date: Apr 23, 2025 (15 hours, 37 minutes ago) Vulnerabilities has been mentioned in this article. CVE-2025-24514 CVE-2025-1974 CVE-2025-1098 CVE-2025-1097
April 2025 Patch Tuesday: One Zero-Day and 11 Critical Vulnerabilities Among 121 CVEs Microsoft has addressed 121 vulnerabilities in its April 2025 security update release. This month's patches include fixes for one actively exploited zero-day vulnerability and 11 Critical vulnerabilit ... Read more Published Date: Apr 23, 2025 (17 hours, 37 minutes ago) Vulnerabilities has been mentioned in this article. CVE-2025-29824 CVE-2025-29791 CVE-2025-27752 CVE-2025-27749 CVE-2025-27748 CVE-2025-27745 CVE-2025-27738 CVE-2025-27491 CVE-2025-27482 CVE-2025-27480 CVE-2025-26686 CVE-2025-26670 CVE-2025-26663 CVE-2025-26647 CVE-2025-21197
CVE ID : CVE-2025-3761 Published : April 24, 2025, 7:15 a.m. | 1 hour, 34 minutes ago Description : The My Tickets – Accessible Event Ticketing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.0.16. This is due to the mt_save_profile() function not appropriately restricting access to unauthorized users to update roles. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to that of an administrator. Severity: 8.8 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-2767 Published : April 23, 2025, 5:16 p.m. | 15 hours, 33 minutes ago Description : Arista NG Firewall User-Agent Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Arista NG Firewall. Minimal user interaction is required to exploit this vulnerability. The specific flaw exists within the processing of the User-Agent HTTP header. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-24407. Severity: 8.8 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-2764 Published : April 23, 2025, 5:16 p.m. | 15 hours, 33 minutes ago Description : CarlinKit CPC200-CCPA update.cgi Improper Verification of Cryptographic Signature Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of CarlinKit CPC200-CCPA devices. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of update packages provided to update.cgi. The issue results from the lack of proper verification of a cryptographic signature. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-24355. Severity: 8.0 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-1050 Published : April 23, 2025, 5:16 p.m. | 15 hours, 33 minutes ago Description : Sonos Era 300 Out-of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected Sonos Era 300 speakers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of HLS playlist data. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the anacapa user. Was ZDI-CAN-25606. Severity: 8.8 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-1048 Published : April 23, 2025, 5:16 p.m. | 15 hours, 33 minutes ago Description : Sonos Era 300 Speaker libsmb2 Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Sonos Era 300 speakers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of SMB data. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the anacapa user. Was ZDI-CAN-25535. Severity: 8.8 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-1049 Published : April 23, 2025, 5:16 p.m. | 15 hours, 33 minutes ago Description : Sonos Era 300 Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected Sonos Era 300 speakers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of ID3 data. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the anacapa user. Was ZDI-CAN-25601. Severity: 8.8 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-45429 Published : April 23, 2025, 4:15 p.m. | 16 hours, 34 minutes ago Description : In the Tenda ac9 v1.0 router with firmware V15.03.05.14_multi, there is a stack overflow vulnerability in /goform/WifiWpsStart, which may lead to remote arbitrary code execution. Severity: 9.8 | CRITICAL Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-45427 Published : April 23, 2025, 3:16 p.m. | 17 hours, 34 minutes ago Description : In Tenda AC9 v1.0 with firmware V15.03.05.14_multi, the security parameter of /goform/WifiBasicSet has a stack overflow vulnerability, which can lead to remote arbitrary code execution. Severity: 9.8 | CRITICAL Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-45428 Published : April 23, 2025, 3:16 p.m. | 17 hours, 34 minutes ago Description : In Tenda ac9 v1.0 with firmware V15.03.05.14_multi, the rebootTime parameter of /goform/SetSysAutoRebbotCfg has a stack overflow vulnerability, which can lead to remote arbitrary code execution. Severity: 9.8 | CRITICAL Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-3529 Published : April 23, 2025, 8:15 a.m. | 1 day ago Description : The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.1.2 via the 'file_url' parameter. This makes it possible for unauthenticated attackers to view potentially sensitive information and download a digital product without paying for it. Severity: 8.2 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...
A path traversal vulnerability in Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files, which, when expanded by the target server, result in Remote Code Execution. This issue affects Command Center Innovation Release: 11.38. (CVSS:10.0) (EPSS:0.20%) (Last Update:2025-04-23 14:08:13)
Unrestricted Upload of File with Dangerous Type vulnerability in JoomSky JS Job Manager allows Upload a Web Shell to a Web Server. This issue affects JS Job Manager: from n/a through 2.0.2. (CVSS:10.0) (EPSS:0.06%) (Last Update:2025-04-17 20:21:05)
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules. (CVSS:10.0) (EPSS:3.62%) (Last Update:2025-04-21 17:15:24)
Unrestricted Upload of File with Dangerous Type vulnerability in EPC AI Hub allows Upload a Web Shell to a Web Server. This issue affects AI Hub: from n/a through 1.3.3. (CVSS:10.0) (EPSS:0.06%) (Last Update:2025-04-16 13:25:37)
Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments allows HTTP DoS.This issue affects Mediawiki - GrowthExperiments: from 1.39 through 1.43. (CVSS:10.0) (EPSS:0.10%) (Last Update:2025-04-15 18:39:44)
Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - AJAX Poll Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - AJAX Poll Extension: from 1.39 through 1.43. (CVSS:10.0) (EPSS:0.10%) (Last Update:2025-04-15 18:39:44)
Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Wikidata Extension allows Cross-Site Scripting (XSS) from widthheight message via ImageHandler::getDimensionsString()This issue affects Mediawiki - Wikidata Extension: from 1.39 through 1.43. (CVSS:10.0) (EPSS:0.10%) (Last Update:2025-04-15 18:39:44)
Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - HTML Tags allows Cross-Site Scripting (XSS).This issue affects Mediawiki - HTML Tags: from 1.39 through 1.43. (CVSS:10.0) (EPSS:0.10%) (Last Update:2025-04-15 18:39:44)
Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - Confirm Account Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Confirm Account Extension: from 1.39 through 1.43. (CVSS:10.0) (EPSS:0.06%) (Last Update:2025-04-15 18:39:44)
Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Growth Experiments Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Growth Experiments Extension: from 1.39 through 1.43. (CVSS:10.0) (EPSS:0.10%) (Last Update:2025-04-15 18:39:44)
In a physics first, a team including scientists from the National Institute of Standards and Technology (NIST) has created a way to make beams of neutrons travel in curves. These Airy beams (named for English scientist George Airy), which the team
Targeted changes to content and structure respond to stakeholder needs and make the document easier to use.
This outreach will help ensure that the team’s findings and recommendations lead to improvements to codes, standards and practices that can prevent similar tragedies from occurring in the future.
NIST researchers have found special atomic patterns called quasicrystals in 3D-printed aluminum alloys.
Researchers hope this material will help usher in a new era of diagnostics and treatments involving the gut microbiome.
NIST’s new standard reference material will help ensure that geoduck clams and other shellfish are safe to eat.
The new algorithm will serve as a backup for the general encryption needed to protect data from quantum computers developed in the future.
Using differential privacy can help organizations glean useful insights from databases while protecting individuals’ data.
The report notes that the team has completed all experimental work on the physical evidence from the building’s structural elements.
This atomic thermometer provides accurate measurements “out of the box” because it relies on the basic principles of quantum physics.
Copyright © 2025 Sumtrix.
