PT-2025-30682 · Tenda · Tenda Ac8V4

Name of the Vulnerable Software and Affected Versions: Tenda AC8V4 version V16.03.34.06 Description: The device contains a heap overflow at the /goform/GetParentControlInfo API endpoint. Manipulation of the mac parameter leads to a heap-based buffer overflow. Recommendations: Apply a newer versio...

PT-2025-30702 · Unknown · Deerwms Deer-Wms-2

Name of the Vulnerable Software and Affected Versions: deerwms deer-wms-2 versions 2.0 through 3.3 Description: A critical issue exists in deerwms deer-wms-2. The vulnerability is due to a SQL injection flaw within an unknown function of the /system/dept/edit API endpoint. The ancestors parameter...

PT-2025-30453 · Alertenterprise · Alertenterprise Guardian

Name of the Vulnerable Software and Affected Versions: AlertEnterprise Guardian version 4.1.14.2.2.1 Description: An issue allows for privilege escalation to administrator privileges via manipulation of the IsAdminApprover parameter within a Request Building Access request submitted through the...

PT-2025-30448 · Db-Gpt · Db-Gpt

Name of the Vulnerable Software and Affected Versions: DB-GPT version 0.7.0 Description: A file upload issue exists in the agent.hub.controller.refresh plugins component of DB-GPT. This allows remote attackers to execute arbitrary code by uploading a malicious plugin ZIP file to the...

PT-2025-30335 · Liner · Liner

Name of the Vulnerable Software and Affected Versions: Liner versions through 2025-06-03 Description: An Insecure Direct Object Reference IDOR vulnerability exists that allows attackers to gain sensitive information. The vulnerability is exploitable through crafted space id, thread id, and messag...

CVE-2025-7897

CVE-2025-7897 (MoneyPrinterTurbo API Endpoint) affects MoneyPrinterTurbo up to v1.2.6, specifically the API Endpoint’s verify_token function in app/controllers/base.py. The root cause is missing authentication, enabling remote exploitation as described across multiple sources (NVD, Red Hat, Snyk,...

CVE-2025-7897 harry0703 MoneyPrinterTurbo API Endpoint base.py verify_token missing authentication

A vulnerability was found in harry0703 MoneyPrinterTurbo up to 1.2.6 and classified as critical. Affected by this issue is the function verifytoken of the file app/controllers/base.py of the component API Endpoint. The manipulation leads to missing authentication. The attack may be launched...

CVE-2025-7897 harry0703 MoneyPrinterTurbo API Endpoint base.py verify_token missing authentication

A vulnerability was found in harry0703 MoneyPrinterTurbo up to 1.2.6 and classified as critical. Affected by this issue is the function verifytoken of the file app/controllers/base.py of the component API Endpoint. The manipulation leads to missing authentication. The attack may be launched...

CVE-2025-49828

Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 through 1.21.1 and Secrets Manager, Self-Hosted formerly known as Conjur Enterprise 13.1 through 13.4.1 are vulnerable to remote code execution An authenticated attacker who can inject secre...

PT-2025-29936 · Unknown · Nbcio-Boot

Name of the Vulnerable Software and Affected Versions: nbcio-boot version 1.0.3 Description: nbcio-boot version 1.0.3 contains a SQL injection issue via the userIds parameter at the /sys/user/deleteRecycleBin API endpoint. Recommendations: nbcio-boot version 1.0.3: Sanitize or validate the userId...

CVE-2025-49828

Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 through 1.21.1 and Secrets Manager, Self-Hosted formerly known as Conjur Enterprise 13.1 through 13.4.1 are vulnerable to remote code execution An authenticated attacker who can inject secre...

CVE-2025-49828 Conjur OSS and Secrets Manager, Self-Hosted (formerly Conjur Enterprise) Vulnerable to Remote Code Execution

Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 through 1.21.1 and Secrets Manager, Self-Hosted formerly known as Conjur Enterprise 13.1 through 13.4.1 are vulnerable to remote code execution An authenticated attacker who can inject secre...

CVE-2025-49828

CVE-2025-49828 affects CyberArk Conjur: Conjur OSS versions 1.19.5–1.21.1 and Secrets Manager, Self-Hosted 13.1–13.4.1 are vulnerable to remote code execution via an exposed API endpoint. An authenticated attacker who can inject secrets or templates into the Secrets Manager database could cause a...

PT-2025-29613 · Cyberark · Secrets Manager +1

Name of the Vulnerable Software and Affected Versions: Conjur OSS versions 1.19.5 through 1.21.1 Secrets Manager, Self-Hosted versions 13.1 through 13.4.1 Description: Conjur provides secrets management and application identity for infrastructure. An authenticated attacker who can inject secrets ...

PT-2025-29564 · Nexxt Solutions · Nexxt Solutions Ncm-X1800 Mesh Router

Name of the Vulnerable Software and Affected Versions: Nexxt Solutions NCM-X1800 Mesh Router versions UV1.2.7 and below Description: A Cross-Site Scripting XSS issue exists in the Nexxt Solutions NCM-X1800 Mesh Router firmware. This allows attackers to inject JavaScript code that is executed with...

CVE-2025-53640 Indico vulnerable to user enumeration via API endpoint

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Starting in version 2.2 and prior to version 3.3.7, an endpoint used to display details of users listed in certain fields such as ACLs could be misused to dump basic user details such ...

CVE-2025-53640 Indico vulnerable to user enumeration via API endpoint

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Starting in version 2.2 and prior to version 3.3.7, an endpoint used to display details of users listed in certain fields such as ACLs could be misused to dump basic user details such ...

CVE-2025-53639

MeterSphere is affected by a SQL injection vulnerability in the sortField parameter of certain API endpoints, present in versions prior to 3.6.5-lts. The vulnerability arises from insufficient validation/sanitization of the sortField input, allowing an attacker to inject and execute arbitrary SQL...

PT-2025-29867 · Wegia · Wegia

Name of the Vulnerable Software and Affected Versions: WeGIA versions prior to 3.4.5 Description: An authentication bypass issue exists in the /dao/verificar recursos cargo.php API endpoint of the WeGIA application. This allows unauthenticated users to access protected functionalities and retriev...

PT-2025-29231 · Unknown · Egroupware

Name of the Vulnerable Software and Affected Versions: eGroupWare version 17.1.20190111 Description: A user enumeration issue exists in eGroupWare. An unauthenticated remote attacker can enumerate users of web applications based on server response via the /calendar/freebusy.php API endpoint...