1990 matches found

Positive Technologies · added 2025/04/17 12:00 a.m. · 4 views

PT-2025-16961 · Unknown · Codeastro Internet Banking System

Name of the Vulnerable Software and Affected Versions: Code Astro Internet Banking System version 2.0.0. Description: The issue concerns Cross-Site Scripting (XSS) via the name parameter in the "/admin/pages account.php" API endpoint. This allows for potential malicious script injection. No...

CVSS 6.1 · AI score 6 · EPSS 0.00472 · Exploits 1 · References 6
Redos · added 2025/04/17 12:00 a.m. · 10 views

ROS-20250417-02

A vulnerability in the /settings/store API endpoint of the pgAdmin database management tool stems from insufficient neutralization of user input during web page generation. Exploitation could allow a remote attacker to perform a cross-site scripting attack. Server mode...

CVSS 8.8 · AI score 7.7 · EPSS 0.87013 · Exploits 1
Positive Technologies · added 2025/04/17 12:00 a.m. · 4 views

PT-2025-17196 · Hazelcast · Hazelcast Management Center

Name of the Vulnerable Software and Affected Versions: Hazelcast Management Center versions prior to 6.0. Description: The issue allows remote code execution through a JndiLoginModule user.provider.url in a hazelcast-client XML document, which can be uploaded at the "/cluster-connections" API...

CVSS 9.8 · AI score 7.3 · EPSS 0.01883 · Exploits 0 · References 3
Snyk · added 2025/04/16 9:32 a.m. · 2 views

Missing Authentication for Critical Function

Overview: Affected versions of this package are vulnerable to Missing Authentication for Critical Function on the PUT /api/v4/users/user-id/mfa endpoint. This allows a user with the editotherusers permission to activate or deactivate multi-factor authentication for other users. Remediation: Upgrade...

CVSS 2.7 · AI score 4.1 · EPSS 0.00117 · Exploits 0 · References 2
Positive Technologies · added 2025/04/16 12:00 a.m. · 3 views

PT-2025-16893 · Sourcecodester · Sourcecodester Company Website Cms

Name of the Vulnerable Software and Affected Versions: SourceCodester Company Website CMS version 1.0. Description: The issue is related to Cross-Site Scripting (XSS) via the /dashboard/Services API endpoint. This allows for potential malicious script injection. No information is provided about the...

CVSS 6.1 · AI score 5.9 · EPSS 0.00472 · Exploits 1 · References 6
Positive Technologies · added 2025/04/16 12:00 a.m. · 3 views

PT-2025-16891 · Sourcecodester · Sourcecodester Company Website Cms

Name of the Vulnerable Software and Affected Versions: SourceCodester Company Website CMS version 1.0. Description: The issue concerns a file upload vulnerability via the "Create Services" file. This vulnerability can be exploited through the "/dashboard/Services" API endpoint. The Create Services...

CVSS 9.8 · AI score 6.2 · EPSS 0.00205 · Exploits 1 · References 6
Positive Technologies · added 2025/04/16 12:00 a.m. · 2 views

PT-2025-16569 · Unknown · Xxyopen Novel-Plus

Name of the Vulnerable Software and Affected Versions: xxyopen Novel-Plus version 3.5.0. Description: A critical vulnerability has been found in xxyopen Novel-Plus. This affects an unknown part of the file "/api/front/search/books". Manipulation of the sort argument leads to SQL injection. It ...

CVSS 9.8 · AI score 6.7 · EPSS 0.00179 · Exploits 1 · References 10
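A sort parameter is a classic ORDER BY injection point: it cannot be bound as a prepared-statement parameter, so code tends to concatenate it. The following is an added example, not code from Novel-Plus or from the advisory; the in-memory SQLite schema (a public books table and a private users table), the function names and the attacker's sort value are all constructed for the demonstration. It shows how a boolean-based payload in the sort key leaks data through the returned order, and the allow-list pattern that closes the hole.

```python
"""Sort-parameter SQL injection: vulnerable concatenation vs allow-listed ORDER BY."""
import sqlite3
from typing import List, Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample data (hypothetical schema, not Novel-Plus's)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO books VALUES (1, 'Zebra'), (2, 'Apple'), (3, 'Mango');
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'sha256:deadbeef');
        """
    )
    return conn


def search_books_vulnerable(conn: sqlite3.Connection, sort: str) -> List[str]:
    """The bug class: the user-supplied sort key is pasted into ORDER BY."""
    rows = conn.execute(f"SELECT title FROM books ORDER BY {sort}").fetchall()
    return [r[0] for r in rows]


# Allow-list: request-level sort keys map to fixed column names.
SORT_COLUMNS = {"id": "id", "title": "title"}


def search_books_hardened(conn: sqlite3.Connection, sort: str,
                          direction: str = "asc") -> List[str]:
    """Only allow-listed keys reach the SQL text; anything else is rejected."""
    column = SORT_COLUMNS.get(sort)
    if column is None or direction not in ("asc", "desc"):
        raise ValueError("invalid sort parameter")
    sql = f"SELECT title FROM books ORDER BY {column} {direction.upper()}"
    return [r[0] for r in conn.execute(sql).fetchall()]


def oracle_payload(guess: str) -> str:
    """Boolean-based payload: sort by title if the guessed prefix of the admin
    hash is correct, by id otherwise. The order of the results leaks the answer."""
    return (f"(CASE WHEN (SELECT substr(password_hash, 1, {len(guess)}) "
            f"FROM users WHERE name = 'admin') = '{guess}' THEN title ELSE id END)")


def leak_prefix_via_sort(conn: sqlite3.Connection, candidates: List[str]) -> Optional[str]:
    """Tries each candidate prefix and returns the one that changed the order."""
    baseline = search_books_vulnerable(conn, "id")
    for guess in candidates:
        if search_books_vulnerable(conn, oracle_payload(guess)) != baseline:
            return guess
    return None


def hardened_rejects(conn: sqlite3.Connection, sort: str) -> bool:
    """True if the allow-listed variant refuses the given sort value."""
    try:
        search_books_hardened(conn, sort)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("baseline order:", search_books_vulnerable(db, "id"))
    print("leaked prefix: ", leak_prefix_via_sort(db, ["md5", "sha"]))
    print("hardened rejects payload:", hardened_rejects(db, oracle_payload("sha")))
```

The point of the allow-list is that the request value never becomes SQL text: it is only a lookup key. Escaping or quoting does not help here because ORDER BY takes an identifier or expression, not a string literal.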
OSV · added 2025/04/15 10:15 p.m. · 1 view

CVE-2025-27719

Unauthenticated attackers can query an API endpoint and get device details...

CVSS 6.9 · AI score 5.8 · Exploits 0 · References 1
NVD · added 2025/04/15 10:15 p.m. · 9 views

CVE-2025-27719

Unauthenticated attackers can query an API endpoint and get device details...

CVSS 6.9 · EPSS 0.01083 · Exploits 0 · References 1
Vulnrichment · added 2025/04/15 9:09 p.m. · 6 views

CVE-2025-27719 Growatt Cloud portal Authorization Bypass Through User-Controlled Key

Unauthenticated attackers can query an API endpoint and get device details...

CVSS 6.9 · AI score 5.6 · EPSS 0.01083 · Exploits 0 · References 1
Cvelist · added 2025/04/15 4:32 p.m. · 14 views

CVE-2025-32779 labsai/eddi Vulnerable to Path Traversal (Zip Slip) in ZIP Import Function

E.D.D.I (Enhanced Dialog Driven Interface) is a middleware to connect and manage LLM API bots. In versions before 5.5.0, an attacker with access to the /backup/import API endpoint can write arbitrary files to locations outside the intended extraction directory due to a Zip Slip vulnerability...

CVSS 6.5 · EPSS 0.05681 · Exploits 0 · References 3
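Zip Slip works because archive entry names are attacker-controlled paths, and a naive extractor joins them onto the destination directory without checking where the result lands. The example below is added here and is not E.D.D.I's code; the archive (one benign entry, one `../` traversal entry) is constructed in memory, and the import function and file names are hypothetical. The check resolves each target path and requires it to stay under the destination, which catches `..` segments, absolute names and symlinked parents alike, rather than pattern-matching on `..` in the string.

```python
"""Zip Slip: refuse archive entries whose final path escapes the extraction dir."""
import io
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List


def build_malicious_zip() -> bytes:
    """Constructed sample archive: a benign bot config plus a traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bot/config.json", '{"name": "demo"}')
        zf.writestr("../../../etc/cron.d/evil", "* * * * * root id > /tmp/pwned\n")
    return buf.getvalue()


def is_within(base: Path, candidate: Path) -> bool:
    """True if candidate resolves (symlinks and '..' collapsed) to a path under base."""
    try:
        candidate.resolve().relative_to(base.resolve())
    except ValueError:
        return False
    return True


def safe_extract(zip_bytes: bytes, dest: Path) -> List[str]:
    """Extracts only entries that stay under dest; returns the rejected names.

    An absolute entry name makes `dest / name` equal to that absolute path, and a
    '..' name walks out of dest; both fail the resolve-and-compare check.
    """
    dest = dest.resolve()
    rejected: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = dest / info.filename
            if not is_within(dest, target):
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
    return rejected


def demo() -> Dict[str, List[str]]:
    """Runs the extraction into a fresh temp dir and reports what happened."""
    dest = Path(tempfile.mkdtemp(prefix="zipslip-"))
    rejected = safe_extract(build_malicious_zip(), dest)
    written = sorted(str(p.relative_to(dest)) for p in dest.rglob("*") if p.is_file())
    return {"rejected": rejected, "written": written}


if __name__ == "__main__":
    print(demo())
```

Python's `zipfile` writes symlink entries as ordinary files, so this extractor cannot be tricked by a link planted earlier in the same archive; an extractor that recreates symlinks must re-run the containment check against the link's target as well.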
OSV · added 2025/04/15 3:16 p.m. · 5 views

CVE-2025-27980

cashbook v4.0.3 has an arbitrary file read vulnerability in /api/entry/flow/invoice/show?invoice=...

CVSS 6.5 · AI score 6.9 · Exploits 0 · References 1
CVE · added 2025/04/15 8:44 a.m. · 60 views

CVE-2025-3579

Aidex CVE-2025-3579 affects versions prior to 1.7. The issue is a prompt-injection vulnerability in the /api//message endpoint, where the content parameter can be manipulated by an authenticated user with access to an open registry, enabling execution of OS commands (Unix), interaction with intern...

CVSS 9.3 · AI score 7.2 · EPSS 0.00243 · Exploits 0 · References 1
Cvelist · added 2025/04/15 8:44 a.m. · 20 views

CVE-2025-3579 Code Injection Vulnerability in AiDex

In versions prior to Aidex 1.7, an authenticated malicious user, taking advantage of an open registry, could execute unauthorised commands within the system. This includes executing operating system (Unix) commands, interacting with internal services such as PHP or MySQL, and even invoking native...

CVSS 9.3 · EPSS 0.00243 · Exploits 0 · References 1
Cvelist · added 2025/04/15 12:00 a.m. · 11 views

CVE-2025-27980

cashbook v4.0.3 has an arbitrary file read vulnerability in /api/entry/flow/invoice/show?invoice=...

EPSS 0.00346 · Exploits 1 · References 1
Vulnrichment · added 2025/04/15 12:00 a.m. · 6 views

CVE-2025-27980

cashbook v4.0.3 has an arbitrary file read vulnerability in /api/entry/flow/invoice/show?invoice=...

AI score 7 · EPSS 0.00346 · Exploits 1 · References 1
OSV · added 2025/04/14 11:12 a.m. · 206 views

BIT-GRAFANA-2024-8118 Grafana alerting: wrong permission on datasource rule write endpoint

In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules...

CVSS 5.1 · AI score 6.6 · EPSS 0.00098 · Exploits 0 · References 2
Positive Technologies · added 2025/04/14 12:00 a.m. · 3 views

PT-2025-16197 · H3C · H3C Magic BE18000 +4

Name of the Vulnerable Software and Affected Versions: H3C Magic NX15 versions up to V100R014; H3C Magic NX30 Pro versions up to V100R014; H3C Magic NX400 versions up to V100R014; H3C Magic R3010 versions up to V100R014; H3C Magic BE18000 versions up to V100R014. Description: A critical issue has been...

CVSS 8.6 · AI score 8 · EPSS 0.00513 · Exploits 0 · References 16
Positive Technologies · added 2025/04/14 12:00 a.m. · 2 views

PT-2025-16203 · Unknown · Lingxing Erp

Name of the Vulnerable Software and Affected Versions: Lingxing ERP version 2. Description: A critical issue was found in the function DoUpload of the file /Api/FileUpload.ashx?method=DoUpload. Manipulation of the argument File leads to unrestricted upload. This issue can be exploited remotely...

CVSS 7.5 · AI score 6.2 · Exploits 0 · References 16
Positive Technologies · added 2025/04/11 12:00 a.m. · 3 views

PT-2025-18789 · Wavlink · Wavlink Wl-Wn530Hg4

Name of the Vulnerable Software and Affected Versions: Wavlink WL-WN530H4 version 20220801. Description: The issue is related to a command injection vulnerability in the ping test function of adm.cgi via the pingIp parameter. This allows attackers to execute arbitrary commands via a crafted...

CVSS 10 · AI score 7.7 · EPSS 0.06043 · Exploits 1 · References 7
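Router "ping test" handlers are a recurring command-injection source: the IP from the form is spliced into a shell command line. The example below is added here and is not the Wavlink firmware's code (that is a C CGI); it uses Python so it runs offline, substitutes `echo` for the real `ping` binary so no packets are sent, and the function names and the crafted `pingIp` value are assumptions. It contrasts shell concatenation with the fix: validate the value as an IP literal and pass it as one argv element with no shell involved.

```python
"""Command injection through a ping-test parameter: vulnerable vs hardened."""
import ipaddress
import subprocess
from typing import List

# Constructed attacker input: a valid address followed by a second command.
PAYLOAD = "127.0.0.1; echo INJECTED"


def ping_vulnerable(ping_ip: str) -> str:
    """The bug class: the parameter is concatenated into a shell command line.
    'echo' stands in for 'ping -c 1' so the example stays offline."""
    cmd = "echo ping -c 1 " + ping_ip
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_ip(value: str) -> str:
    """Accepts only a syntactically valid IPv4/IPv6 literal and returns its
    canonical form; anything else (metacharacters, hostnames, flags) raises."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError as exc:
        raise ValueError(f"pingIp is not an IP address: {value!r}") from exc


def ping_hardened(ping_ip: str) -> str:
    """Validates the input, then passes it as a single argv element without a
    shell. Because the value is a bare IP it cannot begin with '-', so it cannot
    be interpreted as an option by the ping binary either."""
    ip = validate_ip(ping_ip)
    argv: List[str] = ["echo", "ping", "-c", "1", ip]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def injection_succeeded(output: str) -> bool:
    """True if the attacker's second command ran (its marker is in the output)."""
    return "INJECTED" in output


def hardened_rejects(ping_ip: str) -> bool:
    """True if the hardened handler refuses the value before running anything."""
    try:
        ping_hardened(ping_ip)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable output:\n" + ping_vulnerable(PAYLOAD))
    print("hardened rejects payload:", hardened_rejects(PAYLOAD))
    print("hardened output:", ping_hardened("127.0.0.1").strip())
```

Quoting the value (for example with `shlex.quote`) would stop this particular payload but still hands the input to a shell; an argv list with a validated value removes the shell from the path entirely, which is the check to look for when reviewing a CGI handler like this one.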