CWE-918 Server-Side Request Forgery (SSRF)

CVE Database V5

Detailed information about CVE-2025-46385: CWE-918 Server-Side Request Forgery (SSRF) in Emby Windows affecting Emby Windows. Get real-time updates, technical d

CVE-2025-46385: CWE-918 Server-Side Request Forgery (SSRF) in Emby Windows - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-46385: CWE-918 Server-Side Request Forgery (SSRF) in Emby Windows

CWE-434 Unrestricted Upload of File with Dangerous Type

Detailed information about CVE-2025-46384: CWE-434 Unrestricted Upload of File with Dangerous Type in Emby Windows affecting Emby Windows. Get real-time updates

CVE-2025-46384: CWE-434 Unrestricted Upload of File with Dangerous Type in Emby Windows - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-46384: CWE-434 Unrestricted Upload of File with Dangerous Type in Emby Windows

A vulnerability, which was classified as critical, was found in harry0703 MoneyPrinterTurbo up to 1.2.6. Affected is the function upload_bgm_file of the file app/controllers/v1/video.py of the component File Extension Handler. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely.

CVE-2025-7895 is a medium-severity vulnerability affecting versions 1.2.0 through 1.2.6 of the MoneyPrinterTurbo software developed by harry0703. The vulnerability resides in the upload_bgm_file function within the app/controllers/v1/video.py file, specifically in the File Extension Handler component. The flaw allows an attacker to manipulate the 'File' argument to perform an unrestricted file upload. This means that the application does not properly validate or restrict the types or contents of files being uploaded, enabling an attacker to upload potentially malicious files such as web shells, scripts, or executables. The vulnerability can be exploited remotely without requiring user interaction or authentication, increasing the risk of unauthorized access or code execution on the affected system. Although the CVSS v4.0 score is 5.3, indicating medium severity, the unrestricted upload capability can be leveraged as a foothold for further attacks, including privilege escalation, data exfiltration, or service disruption. The absence of known exploits in the wild suggests that active exploitation has not yet been observed, but the vulnerability's nature warrants prompt attention. The vulnerability does not require special conditions such as user interaction or elevated privileges, making it accessible to remote attackers. The lack of patch links indicates that a fix may not yet be publicly available, emphasizing the need for interim mitigation measures.

Detailed information about CVE-2025-7895: Unrestricted Upload in harry0703 MoneyPrinterTurbo affecting harry0703 MoneyPrinterTurbo. Get real-time updates, techn

CVE-2025-7895: Unrestricted Upload in harry0703 MoneyPrinterTurbo - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7895: Unrestricted Upload in harry0703 MoneyPrinterTurbo

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

CVE-2025-46383 is a medium-severity vulnerability classified under CWE-79, which pertains to improper neutralization of input during web page generation, commonly known as Cross-site Scripting (XSS). This vulnerability affects Emby Media Server running on Windows, specifically version 4.8. The flaw allows an attacker to inject malicious scripts into web pages generated by the Emby server. When a user interacts with the compromised web interface, the injected script executes in the context of the victim's browser. The CVSS 3.1 base score is 6.1, indicating a medium severity level. The vector string (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) reveals that the attack can be performed remotely over the network without privileges, requires low attack complexity, no privileges, but does require user interaction (such as clicking a crafted link). The scope is changed (S:C), meaning the vulnerability affects components beyond the initially vulnerable component. The impact affects confidentiality and integrity to a limited extent, with no impact on availability. No known exploits are currently in the wild, and no patches have been linked yet. The vulnerability arises because the Emby Windows server fails to properly sanitize or encode user-supplied input before embedding it into dynamically generated web pages, allowing malicious JavaScript code to execute in the browsers of users accessing the server's web interface. This could lead to session hijacking, unauthorized actions on behalf of the user, or theft of sensitive information accessible via the browser session.

Detailed information about CVE-2025-46383: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Emby Windows af

CVE-2025-46383: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Emby Windows - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-46383: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Emby Windows

A vulnerability has been found in harry0703 MoneyPrinterTurbo up to 1.2.6 and classified as critical. Affected by this vulnerability is the function download_video/delete_video of the file app/controllers/v1/video.py. The manipulation leads to path traversal. The attack can be launched remotely.

Detailed information about CVE-2025-7896: Path Traversal in harry0703 MoneyPrinterTurbo affecting harry0703 MoneyPrinterTurbo. Get real-time updates, technical 

CVE-2025-7896: Path Traversal in harry0703 MoneyPrinterTurbo

CVE-2025-7896: Path Traversal in harry0703 MoneyPrinterTurbo

Description

Technical Details

Related Threats

CVE-2025-46385: CWE-918 Server-Side Request Forgery (SSRF) in Emby Windows

CVE-2025-46384: CWE-434 Unrestricted Upload of File with Dangerous Type in Emby Windows

CVE-2025-7895: Unrestricted Upload in harry0703 MoneyPrinterTurbo

CVE-2025-46383: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Emby Windows

CVE-2025-46382: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in CyberArk IDP

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility