Cisco Evolved Programmable Network Manager and Cisco Prime Infrastructure Information Disclosure Vulnerability

A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager EPNM and Cisco Prime Infrastructure could allow an authenticated, remote attacker to obtain sensitive information from an affected system. This vulnerability is due to improper validation of reques...

simple-admin-core SQL Injection vulnerability

An issue was discovered in simple-admin-core v1.2.0 thru v1.6.7. The /sys-api/role/update interface in the simple-admin-core system has a limited SQL injection vulnerability, which may lead to partial data leakage or disruption of normal system operations...

CVE-2025-53363

dpanel is an open source server management panel written in Go. In versions 1.2.0 through 1.7.2, dpanel allows authenticated users to read arbitrary files from the server via the /api/app/compose/get-from-uri API endpoint. The vulnerability exists in the GetFromUri function in...

CVE-2025-53363

dpanel is an open source server management panel written in Go. In versions 1.2.0 through 1.7.2, dpanel allows authenticated users to read arbitrary files from the server via the /api/app/compose/get-from-uri API endpoint. The vulnerability exists in the GetFromUri function in...

SUSE CVE-2025-44001

Mattermost Confluence Plugin version 1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the Get Channel Subscriptions details endpoint...

SUSE CVE-2025-53857

Mattermost Confluence Plugin version 1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the GET autocomplete/GetChannelSubscriptions endpoint...

Tenda AC6 安全漏洞

Tenda AC6 is a dual-band wireless router from Tenda that supports IPv4 and IPv6 protocols and utilizes the 802.11ac/n wireless standard to provide a wireless transmission rate of 1167Mbps. The Tenda AC6 suffers from an information disclosure vulnerability that originates from the...

Command Injection

Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Command Injection via the CustomMCP class. An attacker can gain unauthorized remote access and execute arbitrary operating system commands by sending crafted requests over the network. This i...

CVE-2025-54478

Mattermost Confluence Plugin version 1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to edit channel subscriptions via API call to the edit channel subscription endpoint...

CVE-2025-8749

Path Traversal vulnerability in API Endpoint in Mobile Industrial Robots MiR Software Versions prior to 3.0.0 on MiR Robots allows authenticated users to extract files from the robot file system via a crafted API request...

CVE-2025-8749

CVE-2025-8749 describes a path-traversal vulnerability in the API endpoint of Mobile Industrial Robots (MiR) software, affecting MiR software versions prior to 3.0.0. An authenticated user can trigger the flaw via a crafted API request to extract files from the robot file system. The CVSS vector ...

CVE-2025-44779

An issue in Ollama v0.1.33 allows attackers to delete arbitrary files via sending a crafted packet to the endpoint /api/pull...

SUSE CVE-2025-30086

CNCF Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 allows information disclosure by administrators who can exploit an ORM Leak present in the /api/v2.0/users endpoint to leak users' password hash and salt values. The q URL parameter allows a user to filter users by any column, and filter...

PT-2025-32222 · Bottinelli Informatical · Vedo Suite

Name of the Vulnerable Software and Affected Versions: Bottinelli Informatical Vedo Suite version 2024.17 Description: Bottinelli Informatical Vedo Suite 2024.17 is vulnerable to Server-side Request Forgery SSRF in the /api vedo/video/preview endpoint. This allows remote authenticated attackers t...

CVE-2025-51054

Vedo Suite 2024.17 is vulnerable to Incorrect Access Control, which allows remote attackers to obtain a valid high privilege JWT token without prior authentication via sending an empty HTTP POST request to the /autologin/ API endpoint...

PT-2025-32220 · Unknown · Vedo Suite

Name of the Vulnerable Software and Affected Versions: Vedo Suite version 2024.17 Description: An unrestricted file upload issue exists in Vedo Suite version 2024.17. Remote authenticated attackers can write to arbitrary filesystem paths by exploiting the insecure uploadPreviews custom function i...

CVE-2025-51308

CVE-2025-51308 affects Gatling Enterprise, versions below 1.25.0. A low-privileged user without the admin role can issue REST API calls to read-only endpoints and collect information due to missing authorization checks. The issue is described as unauthorized access to information via read-only en...

CVE-2025-51501

CVE-2025-51501 : Microweber CMS 2.0 is affected by a Reflected XSS in the id parameter of the live_edit.module_settings API endpoint. The vulnerability allows an authenticated attacker to inject and execute arbitrary JavaScript in a victim’s browser via the id parameter, with impact described as ...

PT-2025-31526 · Exagrid · Exagrid Ex10

Name of the Vulnerable Software and Affected Versions: ExaGrid EX10 versions 6.3 through 7.0.1.P08 Description: The software is susceptible to incorrect access control. Users with operator-level privileges can retrieve SMTP credentials, including plaintext passwords, by issuing an HTTP request to...

CVE-2025-54766

An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to export the appliance configuration, exposing sensitive information...