Vulnerability intelligence

Updated 21 minutes ago

Feeds

Trending now

CVEs trending on social media within the last 24 hours

Hypemeter

110100

Current score

Not much chatter

  1. 1

    CVE-2024-50629 Published Mar 19, 2025

    Hype score

    11

    medium 5.3

    Synology DiskStation Manager (DSM)Synology BeeStation OS (BSM)

    CVE-2024-50629 is an improper encoding or escaping of output vulnerability found in the webapi component of Synology products. The vulnerability affects Synology BeeStation Manager (BSM) before version 1.1-65374, Synology DiskStation Manager (DSM) before versions 6.2.4-25556-8, 7.1.1-42962-7, 7.2-64570-4, 7.2.1-69057-6, and 7.2.2-72806-1, and Synology Unified Controller (DSMUC) before 3.1.4-23079. This vulnerability allows remote attackers to read limited files through unspecified vectors. The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly, which results in the intended structure of the message not being preserved.

  2. 2

    CVE-2024-23225 Published Mar 5, 2024

    Hype score

    10

    high 7.8

    Exploit known

    Mobile device

    CVE-2024-23225 is a memory corruption vulnerability found within the kernel of multiple Apple operating systems, including iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. This flaw, stemming from insufficient validation, could allow an attacker with arbitrary kernel read and write capabilities to bypass existing kernel memory protections. Apple has acknowledged reports indicating that this issue may have been actively exploited in the wild, leading to its inclusion in CISA's Known Exploited Vulnerabilities Catalog. The vulnerability has been addressed through improved validation in updates such as iOS 16.7.6, iPadOS 16.7.6, iOS 17.4, and iPadOS 17.4, among others.

  3. 3

    CVE-2024-23296 Published Mar 5, 2024

    Hype score

    10

    high 7.8

    Exploit known

    Mobile device

    CVE-2024-23296 is a memory corruption vulnerability found within Apple's RTKit real-time operating system component. This flaw, categorized as an Out-of-Bounds Write (CWE-787), arises from inadequate validation during memory operations. An attacker who has already achieved arbitrary kernel read and write capabilities could exploit this vulnerability to bypass existing kernel memory protections. Apple has acknowledged that this issue has been actively exploited in the wild, and it has been addressed in updates such as iOS 17.4 and iPadOS 17.4.

See more

Known exploited

Sourced from CISA's Known Exploited Vulnerability (KEV) catalog.

  1. CVE-2023-43000 Published Nov 5, 2025

    high 8.8

    Exploit known

    A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Ventura 13.5, iOS 16.6 and iPadOS 16.6, Safari 16.6. Processing maliciously crafted web content may lead to memory corruption.

  2. CVE-2023-41974 Published Jan 10, 2024

    high 7.8

    Exploit known

    CVE-2023-41974 is a use-after-free vulnerability that impacts Apple's iOS and iPadOS. This flaw, addressed through improved memory management, could allow an application to execute arbitrary code with kernel privileges. Apple resolved this issue in iOS 17 and iPadOS 17. The vulnerability was discovered by Félix Poulin-Bélanger, who also generated proof-of-concept code demonstrating its exploitability, which involves winning a race condition to achieve kernel read and write operations. Due to evidence of active exploitation, CVE-2023-41974 has been added to CISA's Known Exploited Vulnerabilities Catalog.

  3. CVE-2021-30952 Published Aug 24, 2021

    high 7.8

    Exploit known

    An integer overflow was addressed with improved input validation. This issue is fixed in tvOS 15.2, macOS Monterey 12.1, Safari 15.2, iOS 15.2 and iPadOS 15.2, watchOS 8.3. Processing maliciously crafted web content may lead to arbitrary code execution.

See more

Insights

See more

Our Security Team's most recent CVE analysis

  1. CVE-2026-1340

    critical 9.8

    Link to CVE page

    Intruder Insights

    Updated Jan 30, 2026

    This and the similar vulnerability CVE-2026-1281 allow an unauthenticated attacker to execute code remotely on unpatched Ivanti EPMM instances.

    A patch is available from Ivanti here and should be installed immediately. There is a page for defenders who need to check if their instance has been compromised here, though this is a work in progress.

    Note that this is a temporary patch which will be removed with further version updates. If you update the version of your EPMM instance after patching, you must apply the patch again. A fully patched version of EPMM will be available in future which will permanently fix the vulnerability.

    This vulnerability was known to be used in the wild before being disclosed by the vendor. Proof of concept code is now available publicly, so increased attack activity is expected.

    A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.

  2. CVE-2026-1281

    critical 9.8

    Exploit known

    Link to CVE page

    Intruder Insights

    Updated Jan 30, 2026

    This and the similar vulnerability CVE-2026-1340 allow an unauthenticated attacker to execute code remotely on unpatched Ivanti EPMM instances.

    A patch is available from Ivanti here and should be installed immediately. There is a page for defenders who need to check if their instance has been compromised here, though this is a work in progress.

    Note that this is a temporary patch which will be removed with further version updates. If you update the version of your EPMM instance after patching, you must apply the patch again. A fully patched version of EPMM will be available in future which will permanently fix the vulnerability.

    This vulnerability was known to be used in the wild before being disclosed by the vendor. Proof of concept code is now available publicly, so increased attack activity is expected.

    A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.

  3. CVE-2025-14847

    high 8.7

    Exploit known

    Link to CVE page

    Intruder Insights

    Updated Dec 29, 2025

    This is a serious vulnerability which allows an unauthenticated remote attacker to retrieve information from MongoDB's memory. A proof-of-concept is available to the public.

    Similar to other heap disclosure vulnerabilities such as Heartbleed, the impact of exploitation will vary depending on the information an attacker is able to obtain from the heap. However, it is quite likely that the leaked memory will contain credentials or other sensitive information, especially as attackers learn more about the vulnerability and use it more effectively.

    Regardless of patch status, MongoDB should not be exposed to the internet and access should be restricted by a firewall or similar controls. You should also apply the patch as soon as possible, to avoid the vulnerability being exploited internally.

    Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.