Security

CVE ID : CVE-2025-3868

Published : April 25, 2025, 7:15 a.m. | 14 minutes ago

Description : The Custom Admin-Bar Favorites plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘menuObject’ parameter in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Severity: 6.1 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-46616

Published : April 25, 2025, 7:15 a.m. | 14 minutes ago

Description : Quantum StorNext Web GUI API before 7.2.4 allows potential Arbitrary Remote Code Execution (RCE) via upload of a file. This affects StorNext RYO before 7.2.4, StorNext Xcellis Workflow Director before 7.2.4, and ActiveScale Cold Storage.

Severity: 9.9 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-46617

Published : April 25, 2025, 7:15 a.m. | 14 minutes ago

Description : Quantum StorNext Web GUI API before 7.2.4 grants access to internal StorNext configuration and unauthorized modification of some software configuration parameters via undocumented user credentials. This affects StorNext RYO before 7.2.4, StorNext Xcellis Workflow Director before 7.2.4, and ActiveScale Cold Storage.

Severity: 7.2 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Critical Commvault Command Center Flaw Enables Attackers to Execute Code Remotely

Data Breach / Vulnerability
A critical security flaw has been disclosed in the Commvault Command Center that could allow arbitrary code execution on affected installations.
The vulnerability, tracked …
Read more

Published Date:
Apr 24, 2025 (16 hours ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-34028

Max-Severity Commvault Bug Alarms Researchers

Source: T. Schneider via ShutterstockSecurity researchers have raised concerns about a maximum severity bug in certain versions of Commvault’s Command Center that enables an unauthenticated remote att …
Read more

Published Date:
Apr 24, 2025 (4 hours, 53 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-34028

ToyMaker’s Playbook: Cisco Talos Exposes IAB Tactics Leading to Cactus Ransomware

Image: Cisco Talos
Cisco Talos’ 2023 incident response report unveils the operations of “ToyMaker,” a financially motivated Initial Access Broker (IAB) whose behind-the-scenes activity opened the floo …
Read more

Published Date:
Apr 25, 2025 (1 hour, 55 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-22604

CVE-2022-46169

CVE-2024-2787: Apple Archive Flaw Enables Arbitrary File Write and Gatekeeper Bypass, PoC Releases

A newly disclosed vulnerability in Apple’s proprietary libAppleArchive library, tracked as CVE-2024-27876, enables attackers to achieve arbitrary file writes on macOS and iOS systems, with the added p …
Read more

Published Date:
Apr 25, 2025 (1 hour, 27 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-31334

CVE-2024-44258

CVE-2024-27876

CVE-2024-42472

CVE-2024-2787

CVE ID : CVE-2025-46544

Published : April 25, 2025, 3:15 a.m. | 36 minutes ago

Description : In Sherpa Orchestrator 141851, a low-privileged user can elevate their privileges by creating new users and roles.

Severity: 6.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-46545

Published : April 25, 2025, 3:15 a.m. | 36 minutes ago

Description : In Sherpa Orchestrator 141851, the functionality for adding or updating licenses allows for stored XSS attacks by an administrator through the name parameter. The XSS payload can execute when the license expires.

Severity: 4.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-46547

Published : April 25, 2025, 3:15 a.m. | 36 minutes ago

Description : In Sherpa Orchestrator 141851, the web application lacks protection against CSRF attacks, with resultant effects of an attacker conducting XSS attacks, adding a new user or role, or exploiting a SQL injection issue.

Severity: 5.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-46546

Published : April 25, 2025, 3:15 a.m. | 36 minutes ago

Description : In Sherpa Orchestrator 141851, multiple time-based blind SQL injections can be performed by an authenticated user. This affects api/gui/asset/list, /api/gui/files/export/csv/, /api/gui/files/list, /api/gui/process/export/csv, /api/gui/process/export/xlsx, /api/gui/process/listAll, /api/gui/processVersion/export/csv/, /api/gui/processVersion/export/xlsx/, /api/gui/processVersion/list/, /api/gui/robot/list/, /api/gui/task/export/csv/, /api/gui/task/export/xlsx/, and /api/gui/task/list/.

Severity: 3.5 | LOW

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-46595

Published : April 25, 2025, 3:15 a.m. | 36 minutes ago

Description : An XSS issue was discovered in the Flag module before 1.x-3.6.2 for Backdrop CMS. Flag is a module that allows flags to be added to nodes, comments, users, and any other type of entity. It doesn’t verify flag links before performing the flag action, or verify that the response returned was provided by the flag module. This can allow crafted HTML to result in Cross Site Scripting. This is mitigated by the fact that an attacker must have a role with permission to create links on the website, for example: create or edit comments or content with a filtered text format.

Severity: 6.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-1294

Published : April 24, 2025, 11:15 p.m. | 3 hours, 45 minutes ago

Description : The eForm – WordPress Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.18.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 7.2 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-46274

Published : April 24, 2025, 11:15 p.m. | 4 hours, 14 minutes ago

Description : UNI-NMS-Lite uses hard-coded credentials that could allow an
unauthenticated attacker to read, manipulate and create entries in the
managed database.

Severity: 9.8 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-3749

Published : April 24, 2025, 11:15 p.m. | 3 hours, 45 minutes ago

Description : The Breeze Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘cal_size’ parameter in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-46275

Published : April 24, 2025, 11:15 p.m. | 4 hours, 14 minutes ago

Description : WGS-80HPT-V2 and WGS-4215-8T2S are missing authentication that could
allow an attacker to create an administrator account without knowing any
existing credentials.

Severity: 9.8 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-46273

Published : April 24, 2025, 11:15 p.m. | 4 hours, 14 minutes ago

Description : UNI-NMS-Lite uses hard-coded credentials that could allow an
unauthenticated attacker to gain administrative privileges to all
UNI-NMS managed devices.

Severity: 9.8 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-46272

Published : April 24, 2025, 11:15 p.m. | 4 hours, 14 minutes ago

Description : WGS-80HPT-V2 and WGS-4215-8T2S are vulnerable to a command injection
attack that could allow an unauthenticated attacker to execute OS
commands on the host system.

Severity: 9.1 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-46271

Published : April 24, 2025, 11:15 p.m. | 3 hours, 45 minutes ago

Description : UNI-NMS-Lite is vulnerable to a command injection attack that could
allow an unauthenticated attacker to read or manipulate device data.

Severity: 9.1 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-2185

Published : April 25, 2025, 12:15 a.m. | 2 hours, 45 minutes ago

Description : ALBEDO Telecom Net.Time – PTP/NTP clock (Serial No. NBC0081P) software release 1.4.4 is vulnerable to an insufficient session expiration vulnerability, which
could permit an attacker to transmit passwords over unencrypted
connections, resulting in the product becoming vulnerable to
interception.

Severity: 8.0 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…