PT-2025-25203 · Mattermost · Mattermost
Name of the Vulnerable Software and Affected Versions: Mattermost versions 10.7.x through 10.7.1; Mattermost versions 10.6.x through 10.6.3; Mattermost versions 10.5.x through 10.5.4; Mattermost versions 9.11.x through 9.11.13 Description: The issue is related to the improper validation of LDAP grou...
PT-2025-20482
Name of the Vulnerable Software and Affected Versions: itsourcecode Gym Management System version 1.0 Description: A critical issue has been found in the itsourcecode Gym Management System. The problem affects the /ajax.php?action=save payment API endpoint, where the manipulation of the registratio...
BIT-MASTODON-2024-34535
In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header...
PT-2025-19923 · Mrcms · Mrcms
Name of the Vulnerable Software and Affected Versions: MRCMS version 3.1.2 Description: A vulnerability was found in MRCMS, classified as problematic, affecting an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has...
PT-2025-19961 · Tenda · Tenda Rx3
Name of the Vulnerable Software and Affected Versions: Tenda RX3 version V1.0br V16.03.13.11 Description: The issue concerns the manipulation of the mac parameter in the GetParentControlInfo function, accessible through the "/goform/GetParentControlInfo" API endpoint. This manipulation leads to a...
PT-2025-19840 · Unknown · Real Estate Management System
Name of the Vulnerable Software and Affected Versions: Real Estate Management System version 1.0 Description: The issue is related to a SQL injection vulnerability. It can be exploited via the message parameter at the "/contact.php" API endpoint. Recommendations: For Real Estate Management System...
PT-2025-19776 · Xinguan · Xinguan
Name of the Vulnerable Software and Affected Versions: Xinguan version 0.0.1-SNAPSHOT Description: The issue is related to incorrect access control in the "/system/user/findUserList" API endpoint, which allows attackers to access sensitive information by sending a crafted payload. Recommendations...
PT-2025-19782 · One · One
Name of the Vulnerable Software and Affected Versions: One version 1.0 Description: The issue is related to incorrect access control in the component "/api/user/manager" that allows attackers to access sensitive information via a crafted payload. Recommendations: For version 1.0, as a temporary...
PT-2025-19350 · Totolink · Totolink A720R
Name of the Vulnerable Software and Affected Versions: TOTOLINK A720R version 4.1.5cu.374 Description: A vulnerability was found in the Config Handler component of the TOTOLINK A720R, affecting an unknown function of the file /cgi-bin/cstecgi.cgi. The manipulation of the topicurl argument with th...
PT-2025-19780 · Xmall · Xmall
Name of the Vulnerable Software and Affected Versions: xmall version 1.1 Description: The issue is related to incorrect access control, allowing attackers to bypass authentication. This can be achieved via a crafted GET request to the "/index" API endpoint. Recommendations: For xmall version 1.1,...
CVE-2025-4175
A vulnerability, which was classified as critical, was found in AlanBinu007 Spring-Boot-Advanced-Projects up to 3.1.3. This affects the function uploadUserProfileImage of the file...
PT-2025-18699 · Tenda · Tenda Rx2 Pro
Name of the Vulnerable Software and Affected Versions: Tenda RX2 Pro version 16.03.30.14 Description: The issue is related to a lack of input validation/sanitization in the setLanCfg API endpoint in httpd, allowing a remote attacker authorized to the web management portal to gain root shell acces...
CVE-2025-27134
CVE-2025-27134 concerns Joplin server prior to version 3.3.3, where a vulnerability in the PATCH /api/users/:id endpoint allows a non-admin user to set the is_admin field to 1. This privilege escalation enables low-privilege users to perform administrative actions without proper authorization. Th...
CVE-2025-27134 Privilege escalation in Joplin server via user patch endpoint
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, a privilege escalation vulnerability exists in the Joplin server, allowing non-admin users to exploit the API endpoint PATCH /api/users/:id t...
PT-2025-18288 · Joplin · Joplin
Name of the Vulnerable Software and Affected Versions: Joplin versions prior to 3.3.3 Description: A privilege escalation vulnerability exists in the Joplin server, allowing non-admin users to exploit the API endpoint PATCH /api/users/:id to set the is_admin field to 1. This issue allows maliciou...
PT-2025-18176 · Bookgy · Bookgy
Name of the Vulnerable Software and Affected Versions: Bookgy affected versions not specified Description: The issue is a SQL injection vulnerability that could allow an attacker to retrieve, create, update, and delete databases by sending an HTTP request through the IDRESERVA parameter in the...
PT-2025-18173 · Bookgy · Bookgy
Name of the Vulnerable Software and Affected Versions: Bookgy affected versions not specified Description: A Reflected Cross-Site Scripting (XSS) issue allows an attacker to execute JavaScript code in the victim's browser. This is achieved by sending a malicious URL through the TEXTO parameter in t...
PT-2025-18175 · Bookgy · Bookgy
Name of the Vulnerable Software and Affected Versions: Bookgy affected versions not specified Description: The issue is related to a SQL injection vulnerability. This could allow an attacker to retrieve, create, update, and delete databases by sending an HTTP request through the IDTIPO, IDPISTA,...
PT-2025-18053 · Playedu · Playedu
Name of the Vulnerable Software and Affected Versions: playeduxyz PlayEdu versions 1.8 and earlier Description: A problem was found in the processing of the "/api/backend/v1/user/create" file of the User Avatar Handler component. The manipulation of the Avatar argument leads to server-side reques...