CVE-2025-54478
Mattermost Confluence Plugin version 1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to edit channel subscriptions via API call to the edit channel subscription endpoint...
CVE-2025-8749
Path Traversal vulnerability in API Endpoint in Mobile Industrial Robots MiR Software Versions prior to 3.0.0 on MiR Robots allows authenticated users to extract files from the robot file system via a crafted API request...
CVE-2025-8749
CVE-2025-8749 describes a path-traversal vulnerability in the API endpoint of Mobile Industrial Robots (MiR) software, affecting MiR software versions prior to 3.0.0. An authenticated user can trigger the flaw via a crafted API request to extract files from the robot file system. The CVSS vector ...
CVE-2025-44779
An issue in Ollama v0.1.33 allows attackers to delete arbitrary files via sending a crafted packet to the endpoint /api/pull...
SUSE CVE-2025-30086
CNCF Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 allows information disclosure by administrators who can exploit an ORM Leak present in the /api/v2.0/users endpoint to leak users' password hash and salt values. The q URL parameter allows a user to filter users by any column, and filter...
CVE-2025-51308
CVE-2025-51308 affects Gatling Enterprise, versions below 1.25.0. A low-privileged user without the admin role can issue REST API calls to read-only endpoints and collect information due to missing authorization checks. The issue is described as unauthorized access to information via read-only en...
PT-2025-32222 · Bottinelli Informatical · Vedo Suite
Name of the Vulnerable Software and Affected Versions: Bottinelli Informatical Vedo Suite version 2024.17 Description: Bottinelli Informatical Vedo Suite 2024.17 is vulnerable to Server-side Request Forgery SSRF in the /api vedo/video/preview endpoint. This allows remote authenticated attackers t...
PT-2025-32220 · Unknown · Vedo Suite
Name of the Vulnerable Software and Affected Versions: Vedo Suite version 2024.17 Description: An unrestricted file upload issue exists in Vedo Suite version 2024.17. Remote authenticated attackers can write to arbitrary filesystem paths by exploiting the insecure uploadPreviews custom function i...
CVE-2025-51054
Vedo Suite 2024.17 is vulnerable to Incorrect Access Control, which allows remote attackers to obtain a valid high privilege JWT token without prior authentication via sending an empty HTTP POST request to the /autologin/ API endpoint...
CVE-2025-51501
CVE-2025-51501: Microweber CMS 2.0 is affected by a Reflected XSS in the id parameter of the live_edit.module_settings API endpoint. The vulnerability allows an authenticated attacker to inject and execute arbitrary JavaScript in a victim’s browser via the id parameter, with impact described as ...
PT-2025-31526 · Exagrid · Exagrid Ex10
Name of the Vulnerable Software and Affected Versions: ExaGrid EX10 versions 6.3 through 7.0.1.P08 Description: The software is susceptible to incorrect access control. Users with operator-level privileges can retrieve SMTP credentials, including plaintext passwords, by issuing an HTTP request to...
CVE-2025-54765
An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to import the appliance configuration, allowing an attacker to control the configuration of the appliance, to include...
CVE-2025-54766
An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to export the appliance configuration, exposing sensitive information...
CVE-2025-54768
An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to download logs from the appliance configuration, exposing sensitive information...
PT-2025-31218 · Unknown · Puneethreddyhc Online-Shopping-System-Advanced
Name of the Vulnerable Software and Affected Versions: PuneethReddyHC Online Shopping System Advanced version 1.0 Description: A SQL Injection issue exists due to improper sanitization of user-supplied input in the keyword POST parameter of the /action.php API endpoint. Recommendations: Apply inp...
CVE-2025-54768 KL-001-2025-015: Xorux LPAR2RRD Read Only User Log Download Exposing Sensitive Information
An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to download logs from the appliance configuration, exposing sensitive information...
CVE-2025-54768
CVE-2025-54768 affects Xorux LPAR2RRD (versions 8.04 and prior). An API endpoint intended for web application administrators is accessible to lower-level read-only users, enabling download of appliance configuration logs and exposure of sensitive information (e.g., password hashes). The vulnerabi...