
77 new CVEs published on 2025-04-24 (CVSS: 7.1 - 9.8)
This content is an AI-generated summary. If you encounter any misinformation or problematic content, please report it to cyb.hub@proton.me.
CVE ID | CVSS | Description |
---|---|---|
CVE-2025-45427 | 9.8 | In Tenda AC9 v1.0 with firmware V15.03.05.14_multi, the security parameter of /goform/WifiBasicSet has a stack overflow vulnerability, which can lead to remote code execution. |
CVE-2025-45428 | 9.8 | In Tenda AC9 v1.0 with firmware V15.03.05.14_multi, the rebootTime parameter of /goform/SetSysAutoRebbotCfg has a stack overflow vulnerability, which can lead to remote code execution. |
CVE-2025-45429 | 9.8 | In the Tenda AC9 v1.0 router with firmware V15.03.05.14_multi, there is a stack overflow vulnerability in /goform/WifiWpsStart, which may lead to remote code execution. |
CVE-2025-3065 | 9.1 | The Database Toolset plugin is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and including, the latest version. |
CVE-2025-1048 | 8.8 | Sonos Era 300 Speaker libsmb2 Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code. |
CVE-2025-3603 | 9.8 | The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. |
CVE-2025-3604 | 9.8 | The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. |
CVE-2025-2767 | 8.8 | Arista NG Firewall User-Agent Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code. |
CVE-2025-3761 | 8.8 | The My Tickets – Accessible Event Ticketing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.0.16. |
CVE-2025-3058 | 8.8 | The Xelion Webchat plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check. |
CVE-2025-1521 | 7.1 | PostHog slack_incoming_webhook Server-Side Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information. |
CVE-2025-1522 | 7.1 | PostHog database_schema Server-Side Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information. |
CVE-2025-1049 | 8.8 | Sonos Era 300 Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code. |
CVE-2025-32818 | 7.5 | A Null Pointer Dereference vulnerability in the SonicOS SSLVPN Virtual office interface allows a remote, unauthenticated attacker to crash the firewall. |
CVE-2021-47662 | 7.5 | Due to missing authorization an unauthenticated remote attacker can cause a DoS attack by connecting via HTTPS and triggering the shutdown button. |
CVE-2025-46399 | 7.1 | Segmentation fault in fig2dev version 3.2.9a allows an attacker to impact availability via local input manipulation through the genge_itp_spline function. |
CVE-2025-46400 | 7.1 | Segmentation fault in fig2dev version 3.2.9a allows an attacker to impact availability via local input manipulation through the read_arcobject function. |
CVE-2025-2773 | 7.2 | BEC Technologies Multiple Routers sys ping Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code. |
CVE-2025-3872 | 7.2 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon centreon-web (User configuration form module) allows remote attackers to execute arbitrary SQL commands. |
CVE-2025-1520 | 7.1 | PostHog ClickHouse Table Functions SQL Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary SQL commands. |
CVE-2025-28169 | 8.1 | BYD QIN PLUS DM-i Dilink OS v3.0_13.1.7.2204050.1 to v3.0_13.1.7.2312290.1_0 was discovered to send broadcasts to the manufacturer's cloud server unencrypted. |
CVE-2025-1908 | 7.7 | An issue has been discovered in GitLab EE/CE that could allow an attacker to track users' browsing activities, potentially leading to full account takeover. |
CVE-2025-3903 | 7.3 | Vulnerability in Drupal UEditor - 百度编辑器. This issue affects UEditor - 百度编辑器: .. |
CVE-2025-3904 | 7.3 | Vulnerability in Drupal Sportsleague. This issue affects Sportsleague: *.*. |
CVE-2025-46397 | 7.1 | Stack overflow in fig2dev version 3.2.9a allows an attacker possible code execution via local input manipulation through the bezier_spline function. |