PT-2025-17994 · Unknown · Codeprojects News Publishing Site Dashboard
Name of the Vulnerable Software and Affected Versions: codeprojects News Publishing Site Dashboard version 1.0 Description: A critical issue has been identified, affecting the /api.php file. The manipulation of the cat id argument leads to SQL injection. This issue can be exploited remotely...
PT-2025-17986 · Unknown · Withstars Books-Management-System
Name of the Vulnerable Software and Affected Versions: withstars Books-Management-System version 1.0 Description: A vulnerability was found in the withstars Books-Management-System, affecting unknown code of the file "/api/comment/add" of the component Comment Handler. The manipulation of the...
PT-2025-17993 · Unknown · Itwanger Paicoding
Name of the Vulnerable Software and Affected Versions: itwanger paicoding version 1.0.3 Description: A critical vulnerability was found in itwanger paicoding, affecting an unknown part of the file "/article/api/post" of the component Article Handler. The manipulation of the articleId argument lea...
WakaTime: Broken Access Control Exposes Email Verification Status and Privacy Settings via API Endpoint
The /api/v1/users/username endpoint leaked sensitive email-related metadata, such as the user's email confirmation status and privacy settings, without proper authorization checks. This allowed attackers to determine whether an account's email address was confirmed and the user's email privacy...
CVE-2025-41423
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing actions created by the Playbooks bot, even without...
CVE-2025-32950
Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, attackers could manipulate the FileRef parameter to access files on the system where the Jmix application is deployed, provided the application server...
Mattermost Playbooks fails to properly validate permissions
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing actions created by the Playbooks bot, even without...
CVE-2025-41423 Unauthorized Playbooks Post Deletion in Mattermost Playbooks Plugin
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing actions created by the Playbooks bot, even without...
CVE-2025-41423
Mattermost CVE-2025-41423 affects Mattermost versions 10.4.x up to 10.4.2, 10.5.x up to 10.5.0, and 9.11.x up to 9.11.10. The issue is improper permission validation on the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, which could allow any user or attacker to delete posts...
CVE-2025-42603 Information Disclosure Vulnerability in Meon KYC solutions
This vulnerability exists in the Meon KYC solutions due to transmission of sensitive data in plain text within the response payloads of certain API endpoints. An authenticated remote attacker could exploit this vulnerability by intercepting an API response that contains unencrypted sensitive...
PT-2025-17638 · Tenda · Tenda Ac9
Name of the Vulnerable Software and Affected Versions: Tenda ac9 version V15.03.05.14 multi Description: The issue is a stack overflow vulnerability in the "/goform/WifiWpsStart" API endpoint, which may lead to remote arbitrary code execution. Recommendations: For Tenda ac9 version V15.03.05.14...
PT-2025-17637 · Tenda · Tenda Ac9
Name of the Vulnerable Software and Affected Versions: Tenda ac9 version 1.0 with firmware V15.03.05.14 multi Description: The issue is related to a stack overflow vulnerability in the rebootTime parameter of the "/goform/SetSysAutoRebbotCfg" API endpoint. This vulnerability can lead to remote...
PT-2025-17539 · Nextu · Nextu Fleta Ax1500 Wifi6 Router
Name of the Vulnerable Software and Affected Versions: NEXTU FLETA AX1500 WIFI6 Router version 1.0.3 Description: A stack overflow vulnerability was discovered, allowing attackers to cause a Denial of Service DoS via a crafted POST request. The issue is related to the url parameter at the...
CVE-2025-2298
CVE-2025-2298 is an improper authorization vulnerability in Dremio Software where authenticated users can delete arbitrary files across local and remote locations due to insufficient API endpoint access controls. Impact includes potential data loss and DoS, with possible escalation depending on d...
PT-2025-17453 · Flaskblog · Flaskblog
Name of the Vulnerable Software and Affected Versions: flaskBlog version 2.6.1 Description: A cross-site scripting XSS issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the postContent parameter at the "/createpost" API endpoint. Recommendations:...
PT-2025-17413 · Unknown · Wing Ftp Server
Name of the Vulnerable Software and Affected Versions: Wing FTP Server versions prior to 7.4.4 Description: Wing FTP Server does not properly validate and sanitize the url parameter of the /downloadpass.html API endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link,...
CVE-2025-27719
Unauthenticated attackers can query an API endpoint and get device details...
CVE-2025-27980
cashbook v4.0.3 has an arbitrary file read vulnerability in /api/entry/flow/invoice/show?invoice=...
PT-2025-17078 · D Link · Dir 832
Name of the Vulnerable Software and Affected Versions: dlink DIR 832x version 240802 Description: The issue allows a remote attacker to execute arbitrary code via the macaddr key value to the function 0x42232c. This enables the attacker to potentially gain control over the device. Recommendations...