PT-2025-19345 · Totolink · Totolink A720R
Name of the Vulnerable Software and Affected Versions: TOTOLINK A720R version 4.1.5cu.374 Description: A critical vulnerability has been found in the TOTOLINK A720R, affecting unknown code of the file /cgi-bin/cstecgi.cgi. The manipulation of the topicurl argument with the input RebootSystem lead...
PT-2025-19771 · Misskey · Misskey
Name of the Vulnerable Software and Affected Versions: Misskey versions 12.31.0 through 2025.4.0 Description: The issue is related to missing validation in Mk:api, which allows malicious AiScript code to access additional endpoints that it isn't designed to have access to. This is achieved by...
CVE-2025-46342
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.13.5 and 1.14.0, it may happen that policy rules using namespace selectors in their match statements are mistakenly not applied during admission review request processing due to a missing error...
PT-2025-18795 · Hashicorp +1 · Vault Community +3
Name of the Vulnerable Software and Affected Versions: Vault Community versions prior to 1.19.3; Vault Enterprise versions prior to 1.19.3, 1.18.9, 1.17.16, 1.16.20 Description: The Key/Value (kv) Version 2 plugin in Vault Community and Vault Enterprise may unintentionally expose sensitive informati...
PT-2025-18381
Name of the Vulnerable Software and Affected Versions: Brainstorm Force SureTriggers versions 1.0.0 through 1.0.82 Description: The issue is related to an incorrect privilege assignment vulnerability in Brainstorm Force SureTriggers, allowing privilege escalation. This vulnerability can be exploite...
CVE-2025-46342
Kyverno CVE-2025-46342 affects policy rules using namespace selectors in match statements. Prior to versions 1.13.5 and 1.14.0, a missing error propagation in GetNamespaceSelectorsFromNamespaceLister (pkg/utils/engine/labels.go) may cause those rules to be ignored during admission review, bypassi...
PT-2025-18296 · Kyverno · Kyverno
Name of the Vulnerable Software and Affected Versions: Kyverno versions prior to 1.13.5 and 1.14.0 Description: The issue concerns a policy engine where policy rules using namespace selectors in their match statements may not be applied correctly due to a missing error propagation in the...
CVE-2025-42604 Detailed Error Response Vulnerability in Meon KYC solutions
This vulnerability exists in Meon KYC solutions because debug mode is enabled in certain API endpoints. A remote attacker could exploit this vulnerability by accessing certain unauthorized API endpoints, resulting in detailed error messages in the response and leading to disclosure of system related...
GHSA-HCRC-79HJ-M3QH Wazuh server vulnerable to remote code execution
Summary: An unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Details: DistributedAPI...
CVE-2025-28367
mojoPortal =2.9.0.1 is vulnerable to Directory Traversal via BetterImageGallery API Controller - ImageHandler Action. An attacker can exploit this vulnerability to access the Web.Config file and obtain the MachineKey...
CVE-2025-29513
Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code in the admin API Access token generator...
CVE-2025-32796
Dify is an open-source LLM app development platform. Prior to version 0.6.12, a vulnerability was identified in Dify where normal users can enable or disable apps through the API, even though the web UI button for this action is disabled and normal users are not permitted to make such changes...
CVE-2025-29513
NodeBB has a stored XSS vulnerability in the admin API Access token generator affecting NodeBB v4.0.4 and earlier. The issue allows remote attackers to store arbitrary code. A fix is available in NodeBB 4.0.5 and later (update to 4.0.5+), per PT-2025-17334. Other sources corroborate NodeBB
PT-2025-17314 · Unknown · Namelessmc
Name of the Vulnerable Software and Affected Versions: NamelessMC versions prior to 2.1.4 Description: The issue is related to SQL injection by providing an unexpected square bracket GET parameter syntax. This syntax refers to the structure ?param0=a&param1=b&param2=c utilized by PHP, which is...
CVE-2025-43703
An issue was discovered in Ankitects Anki through 25.02. A crafted shared deck can result in attacker-controlled access to the internal API even though the attacker has no knowledge of an API key through approaches such as scripts or the SRC attribute of an IMG element. NOTE: this issue exists...
CVE-2025-43703
Anki (Ankitects) up to version 25.02 is affected by CVE-2025-43703, which allows attacker-controlled access to the internal API via a crafted shared deck, even without knowledge of an API key. The issue stems from an incomplete fix for CVE-2024-32484 and can be triggered through methods such as s...
PT-2025-16910
Name of the Vulnerable Software and Affected Versions: Ankitects Anki versions prior to 25.02 Description: The issue allows for attacker-controlled access to the internal API through a crafted shared deck, even without knowledge of an API key. This can be achieved through various methods, including...