Lucene search

2003 matches found

CVE
added 2025/07/28 11:31 p.m., 21 views

CVE-2025-54768

CVE-2025-54768 affects Xorux LPAR2RRD (versions 8.04 and prior). An API endpoint intended for web application administrators is accessible to lower-level read-only users, enabling download of appliance configuration logs and exposure of sensitive information (e.g., password hashes). The vulnerabi...

CVSS 5.3 · AI score 6.4 · EPSS 0.0372
Exploits: 2 · References: 3 · Affected Software: 1
Cvelist
added 2025/07/28 11:25 p.m., 20 views

CVE-2025-54765 KL-001-2025-013: Xorux XorMon-NG Web Application Privilege Escalation to Administrator

An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to import the appliance configuration, allowing an attacker to control the configuration of the appliance, to include...

EPSS 0.06454
Exploits: 2 · References: 2
CVE
added 2025/07/28 11:25 p.m., 29 views

CVE-2025-54765

CVE-2025-54765 concerns XorMon-NG from Xorux. Affected: version 1.8 and earlier. An API endpoint that should be restricted to web app administrators is accessible to lower-level read-only users, enabling import of appliance configuration and potentially granting administrative privileges. The vul...

CVSS 5.3 · AI score 6.4 · EPSS 0.06454
Exploits: 2 · References: 3 · Affected Software: 1
Cvelist
added 2025/07/28 11:16 p.m., 18 views

CVE-2025-54766 KL-001-2025-012: Xorux XorMon-NG Read Only User Export Device Configuration Exposing Sensitive Information

An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to export the appliance configuration, exposing sensitive information...

EPSS 0.06454
Exploits: 2 · References: 2
Vulnrichment
added 2025/07/28 11:16 p.m., 5 views

CVE-2025-54766 KL-001-2025-012: Xorux XorMon-NG Read Only User Export Device Configuration Exposing Sensitive Information

An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to export the appliance configuration, exposing sensitive information...

AI score 6.3 · EPSS 0.06454
Exploits: 2 · References: 2
CVE
added 2025/07/28 11:16 p.m., 34 views

CVE-2025-54766

Xorux XorMon-NG has a privilege-API endpoint that should be admin-only but is accessible to lower-level read-only users, enabling export of the appliance configuration. Technical description from KoreLogic (KL-001-2025-012) and corroborated by multiple sources shows affected Version: 1.8 and prio...

CVSS 5.3 · AI score 6.3 · EPSS 0.06454
Exploits: 2 · References: 3 · Affected Software: 1
Positive Technologies
added 2025/07/28 12:00 a.m., 7 views

PT-2025-31155 · Xorux · Xormon-Ng

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined; affected versions not specified. Description: An API endpoint intended for web application administrators is accessible to lower-level read-only users. This allows unauthorized export of the appliance...

CVSS 5.3 · AI score 6 · EPSS 0.06454
Exploits: 2 · References: 8
Positive Technologies
added 2025/07/28 12:00 a.m., 6 views

PT-2025-31158 · Xorux · Lpar2Rrd

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined; affected versions not specified. Description: An API endpoint intended for web application administrators is accessible to lower-level read-only users. This allows unauthorized download of appliance...

CVSS 5.3 · AI score 6 · EPSS 0.0372
Exploits: 2 · References: 8
Positive Technologies
added 2025/07/28 12:00 a.m., 6 views

PT-2025-31156 · Appliance · Appliance

Name of the Vulnerable Software and Affected Versions: affected versions not specified. Description: An API endpoint intended for web application administrators is accessible to lower-level read-only users. This allows unauthorized access to appliance configuration import functionality, potentiall...

CVSS 5.3 · AI score 7.1 · EPSS 0.06454
Exploits: 2 · References: 8
Snyk
added 2025/07/25 2:45 p.m., 1 view

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the q URL parameter in the /api/v2.0/users endpoint. An attacker can retrieve sensitive password hash and salt values by abusing the filtering capability to extract this information character by character. Note:...

CVSS 6.9 · AI score 6.8 · EPSS 0.00566
Exploits: 0 · References: 2
CVE
added 2025/07/25 12:00 a.m., 45 views

CVE-2025-30086

CVE-2025-30086 affects CNCF Harbor: Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 are vulnerable to an ORM leak via the /api/v2.0/users endpoint. The q URL parameter lets an administrator filter by any column and abuse password=~ to leak a user’s password hash and salt character by charact...

CVSS 4.9 · AI score 6.2 · EPSS 0.00566
Exploits: 0 · References: 4
Positive Technologies
added 2025/07/24 12:00 a.m., 3 views

PT-2025-30656 · WordPress · Ai Engine

Name of the Vulnerable Software and Affected Versions: AI Engine plugin for WordPress versions through 2.9.4. Description: The AI Engine plugin for WordPress is susceptible to sensitive information exposure. The simpleTranscribeAudio API endpoint does not properly restrict URL schemes before...

CVSS 6.5 · AI score 6 · EPSS 0.00505
Exploits: 0 · References: 2
Positive Technologies
added 2025/07/24 12:00 a.m., 2 views

PT-2025-30670 · Tenda · Tenda Ac8V4

Name of the Vulnerable Software and Affected Versions: Tenda AC8V4 version V16.03.34.06. Description: The Tenda AC8V4 device contains a stack overflow issue at the /goform/SetSysTimeCfg API endpoint. Manipulation of the timeZone and timeType parameters leads to a stack-based buffer overflow...

CVSS 5.3 · AI score 7 · EPSS 0.06769
Exploits: 1 · References: 5
Positive Technologies
added 2025/07/24 12:00 a.m., 4 views

PT-2025-30682 · Tenda · Tenda Ac8V4

Name of the Vulnerable Software and Affected Versions: Tenda AC8V4 version V16.03.34.06. Description: The device contains a heap overflow at the /goform/GetParentControlInfo API endpoint. Manipulation of the mac parameter leads to a heap-based buffer overflow. Recommendations: Apply a newer versio...

CVSS 6.5 · AI score 6.8 · EPSS 0.05537
Exploits: 1 · References: 6
Positive Technologies
added 2025/07/24 12:00 a.m., 9 views

PT-2025-30702 · Unknown · Deerwms Deer-Wms-2

Name of the Vulnerable Software and Affected Versions: deerwms deer-wms-2 versions 2.0 through 3.3. Description: A critical issue exists in deerwms deer-wms-2. The vulnerability is due to a SQL injection flaw within an unknown function of the /system/dept/edit API endpoint. The ancestors parameter...

CVSS 6.5 · AI score 6.5 · EPSS 0.00416
Exploits: 1 · References: 4
Positive Technologies
added 2025/07/22 12:00 a.m., 2 views

PT-2025-30448 · Db-Gpt · Db-Gpt

Name of the Vulnerable Software and Affected Versions: DB-GPT version 0.7.0. Description: A file upload issue exists in the agent.hub.controller.refresh plugins component of DB-GPT. This allows remote attackers to execute arbitrary code by uploading a malicious plugin ZIP file to the...

CVSS 6.5 · AI score 7.6 · EPSS 0.00349
Exploits: 1 · References: 8
Positive Technologies
added 2025/07/22 12:00 a.m., 2 views

PT-2025-30453 · Alertenterprise · Alertenterprise Guardian

Name of the Vulnerable Software and Affected Versions: AlertEnterprise Guardian version 4.1.14.2.2.1. Description: An issue allows for privilege escalation to administrator privileges via manipulation of the IsAdminApprover parameter within a Request Building Access request submitted through the...

CVSS 6.5 · AI score 6.8 · EPSS 0.003
Exploits: 0 · References: 7
Positive Technologies
added 2025/07/21 12:00 a.m., 5 views

PT-2025-30335 · Liner · Liner

Name of the Vulnerable Software and Affected Versions: Liner versions through 2025-06-03. Description: An Insecure Direct Object Reference (IDOR) vulnerability exists that allows attackers to gain sensitive information. The vulnerability is exploitable through crafted space id, thread id, and messag...

CVSS 7.5 · AI score 6.5 · EPSS 0.00436
Exploits: 0 · References: 3
Vulnrichment
added 2025/07/20 3:02 p.m., 4 views

CVE-2025-7897 harry0703 MoneyPrinterTurbo API Endpoint base.py verify_token missing authentication

A vulnerability was found in harry0703 MoneyPrinterTurbo up to 1.2.6 and classified as critical. Affected by this issue is the function verify_token of the file app/controllers/base.py of the component API Endpoint. The manipulation leads to missing authentication. The attack may be launched...

CVSS 7.5 · AI score 7.1 · EPSS 0.00626
Exploits: 0 · References: 3
CVE
added 2025/07/20 3:02 p.m., 27 views

CVE-2025-7897

CVE-2025-7897 (MoneyPrinterTurbo API Endpoint) affects MoneyPrinterTurbo up to v1.2.6, specifically the API Endpoint’s verify_token function in app/controllers/base.py. The root cause is missing authentication, enabling remote exploitation as described across multiple sources (NVD, Red Hat, Snyk,...

CVSS 9.8 · AI score 7.1 · EPSS 0.00626
Exploits: 0 · References: 3 · Affected Software: 1