PT-2025-23409 · Jeewms · Jeewms
Name of the Vulnerable Software and Affected Versions: JeeWMS versions up to 20250504. Description: A critical issue affects the doAdd function of the /cgformTemplateController.do?doAdd API endpoint, leading to path traversal. This can be initiated remotely. Recommendations: For versions up to...
CVE-2025-48949 Navidrome allows SQL Injection via role parameter
Navidrome is an open source web-based music collection server and streamer. Versions 0.55.0 through 0.55.2 have a vulnerability due to improper input validation on the role parameter within the API endpoint /api/artist. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially...
PT-2025-23306 · Mattermost · Mattermost
Name of the Vulnerable Software and Affected Versions: Mattermost versions 10.7.x through 10.7.0; Mattermost versions 10.5.x through 10.5.3; Mattermost versions 9.11.x through 9.11.12. Description: The issue is related to the failure of Mattermost to properly enforce access controls for guest users...
Mattermost improperly allows team administrators to modify team invites
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the...
Navidrome allows SQL Injection via role parameter
🛡 Security Advisory: SQL Injection Vulnerability in Navidrome v0.55.2 Overview This vulnerability arises due to improper input validation on the role parameter within the API endpoint /api/artist. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially gaining unauthorized...
PT-2025-23169 · Mattermost · Mattermost
Name of the Vulnerable Software and Affected Versions: Mattermost versions 9.11.x through 9.11.12; Mattermost versions 10.5.x through 10.5.3; Mattermost versions 10.6.x through 10.6.2; Mattermost versions 10.7.x through 10.7.0. Description: The issue is related to the improper validation of permissio...
PT-2025-23230 · Navidrome +1 · Navidrome +1
Name of the Vulnerable Software and Affected Versions: Navidrome versions 0.55.0 through 0.55.2. Description: The issue arises due to improper input validation on the role parameter within the API endpoint /api/artist. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially...
Navidrome -- SQL Injection via role parameter
Deluan reports: This vulnerability arises due to improper input validation on the role parameter within the API endpoint /api/artist. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially gaining unauthorized access to the backend database and compromising sensitive user...
PT-2025-23226 · Vllm · Vllm
Name of the Vulnerable Software and Affected Versions: vLLM versions 0.8.0 through 0.9.0. Description: The issue arises when the /v1/completions API endpoint is hit with an invalid json schema as a Guided Param, causing the vLLM server to crash. This is similar to a previously known issue but...
PT-2025-23228 · Vllm · Vllm
Name of the Vulnerable Software and Affected Versions: vLLM versions 0.8.0 through 0.9.0. Description: The vLLM backend used with the "/v1/chat/completions" API endpoint fails to validate unexpected or malformed input in the pattern and type fields when the tools functionality is invoked. These...
PT-2025-23022 · Sscms · Sscms
Name of the Vulnerable Software and Affected Versions: SSCMS version 7.3.1. Description: The issue allows attackers to read arbitrary files by sending a crafted GET request to the "/cms/templates/templatesAssetsEditor" API endpoint, exploiting a flaw in the ReadTextAsynchronous function...
📄 Remote for Windows 2024.15 Unauthenticated Arbitrary Input
Remote for Windows version 2024.15 allows for unauthenticated arbitrary input into the active window. Exploit Title: Remote for Windows 2024.15 - Unauthenticated Arbitrary Input into Active Window; Date: 2025-05-23; Exploit Author: Chokri Hammedi; Vendor Homepage: https://rs.ltd; Software Link:...
CVE-2025-48741
A Broken Access Control vulnerability in StrangeBee TheHive 5.2.0 before 5.2.16, 5.3.0 before 5.3.11, and 5.4.0 before 5.4.10 allows remote, authenticated, and unprivileged users to retrieve alerts, cases, logs, observables, or tasks, regardless of the user's permissions, through a specific API...
CVE-2025-0783
A vulnerability, which was classified as problematic, was found in pankajindevops scale up to 20241113. This affects an unknown part of the component API Endpoint. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. This product does not use...
CVE-2024-7041
An Insecure Direct Object Reference (IDOR) vulnerability exists in open-webui/open-webui version v0.3.8. The vulnerability occurs in the API endpoint http://0.0.0.0:3000/api/v1/memories/id/update, where the decentralization design is flawed, allowing attackers to edit other users' memories without...
CVE-2024-20444
A vulnerability in Cisco Nexus Dashboard Fabric Controller (NDFC), formerly Cisco Data Center Network Manager (DCNM), could allow an authenticated, remote attacker with network-admin privileges to perform a command injection attack against an affected device. This vulnerability is due to insufficient...
CVE-2024-47530
Scout is a web-based visualizer for VCF files. An open redirect vulnerability allows phishing attacks on users by redirecting them to a malicious page. The /login API endpoint is vulnerable to an open redirect attack via the next parameter due to the absence of sanitization logic. Additionally, due to lac...
CVE-2024-47085
This vulnerability exists in Apex Softcell LD DP Back Office due to improper validation of certain parameters (cCdslClicentcode and cLdClientCode) in the API endpoint. An authenticated remote attacker could exploit this vulnerability by manipulating parameters in the API request body leading to...
CVE-2024-31450
Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete endpoint of said API allows administrators to delete custom emojis, which are saved on disk. The...