Apr 24, 2023 Cyber Threat Intelligence

Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.

Daily summary

  • 10 new critical disclosures — review patch status on exposed services.

Top threats today

Three highest-priority changes — analyst brief, not a CVE dump.

Critical exposure

CVE-2023-1020 Wp Live Chat Shoutbox Project Wp Live Chat Shoutbox SQL Injection

  • CVSS 9.8
  • Internet-facing CMS deployments affected

New critical Wp Live Chat Shoutbox Project Wp Live Chat Shoutbox SQL Injection (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Critical exposure

CVE-2023-24823 Riot-os Riot memory safety

  • CVSS 9.8

New critical Riot-os Riot memory safety (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Critical exposure

CVE-2023-26865 Brandsdistribution Bdroppy SQL Injection

  • CVSS 9.8

New critical Brandsdistribution Bdroppy SQL Injection (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Active exploitation

CISA KEV — confirmed in-the-wild exploitation.

Nothing flagged in this category for this digest.

View KEV additions

Exploit & PoC activity

Nothing flagged in this category for this digest.

View new exploit links

Exploitation dynamics

Nothing flagged in this category for this digest.

See EPSS increases

New critical disclosures

CVE-2023-1020 CVSS 9.8

The Steveas WP Live Chat Shoutbox WordPress plugin through 1.4.2 does not sanitise and escape a parameter before using it in a SQL statem...

CVE-2023-24823 CVSS 9.8

RIOT-OS, an operating system that supports Internet of Things devices, contains a network stack with the ability to process 6LoWPAN frames.

CVE-2023-26865 CVSS 9.8

SQL injection vulnerability found in PrestaShop bdroppy v.2.2.12 and before allowing a remote attacker to gain privileges via the Bdroppy...

CVE-2023-27848 CVSS 9.8

broccoli-compass v0.2.4 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function.

CVE-2023-27849 CVSS 9.8

rails-routes-to-json v1.0.0 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function.

CVE-2023-28771 CVSS 9.8

Zyxel Multiple Firewalls OS Command Injection

CVE-2023-29566 CVSS 9.8

huedawn-tesseract 0.3.3 and dawnsparks-node-tesseract 0.4.0 to 0.4.1 was discovered to contain a remote code execution (RCE) vulnerabilit...

CVE-2023-30376 CVSS 9.8

In Tenda AC15 V15.03.05.19, the function "henan_pppoe_user" contains a stack-based buffer overflow vulnerability.

CVE-2023-30378 CVSS 9.8

In Tenda AC15 V15.03.05.19, the function "sub_8EE8" contains a stack-based buffer overflow vulnerability.

jellyfin-web is the web client for Jellyfin, a free-software media system.

View critical disclosures

cvelogic Threat Intelligence