CVE-2025-7897

CVE-2025-7897 (MoneyPrinterTurbo API Endpoint) affects MoneyPrinterTurbo up to v1.2.6, specifically the API Endpoint’s verify_token function in app/controllers/base.py. The root cause is missing authentication, enabling remote exploitation as described across multiple sources (NVD, Red Hat, Snyk,...

CVE-2025-49828

Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 through 1.21.1 and Secrets Manager, Self-Hosted formerly known as Conjur Enterprise 13.1 through 13.4.1 are vulnerable to remote code execution An authenticated attacker who can inject secre...

PT-2025-29936 · Unknown · Nbcio-Boot

Name of the Vulnerable Software and Affected Versions: nbcio-boot version 1.0.3 Description: nbcio-boot version 1.0.3 contains a SQL injection issue via the userIds parameter at the /sys/user/deleteRecycleBin API endpoint. Recommendations: nbcio-boot version 1.0.3: Sanitize or validate the userId...

CVE-2025-49828

Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 through 1.21.1 and Secrets Manager, Self-Hosted formerly known as Conjur Enterprise 13.1 through 13.4.1 are vulnerable to remote code execution An authenticated attacker who can inject secre...

CVE-2025-49828 Conjur OSS and Secrets Manager, Self-Hosted (formerly Conjur Enterprise) Vulnerable to Remote Code Execution

Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 through 1.21.1 and Secrets Manager, Self-Hosted formerly known as Conjur Enterprise 13.1 through 13.4.1 are vulnerable to remote code execution An authenticated attacker who can inject secre...

CVE-2025-49828

CVE-2025-49828 affects CyberArk Conjur: Conjur OSS versions 1.19.5–1.21.1 and Secrets Manager, Self-Hosted 13.1–13.4.1 are vulnerable to remote code execution via an exposed API endpoint. An authenticated attacker who can inject secrets or templates into the Secrets Manager database could cause a...

PT-2025-29613 · Cyberark · Secrets Manager +1

Name of the Vulnerable Software and Affected Versions: Conjur OSS versions 1.19.5 through 1.21.1 Secrets Manager, Self-Hosted versions 13.1 through 13.4.1 Description: Conjur provides secrets management and application identity for infrastructure. An authenticated attacker who can inject secrets ...

PT-2025-29564 · Nexxt Solutions · Nexxt Solutions Ncm-X1800 Mesh Router

Name of the Vulnerable Software and Affected Versions: Nexxt Solutions NCM-X1800 Mesh Router versions UV1.2.7 and below Description: A Cross-Site Scripting XSS issue exists in the Nexxt Solutions NCM-X1800 Mesh Router firmware. This allows attackers to inject JavaScript code that is executed with...

CVE-2025-53640 Indico vulnerable to user enumeration via API endpoint

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Starting in version 2.2 and prior to version 3.3.7, an endpoint used to display details of users listed in certain fields such as ACLs could be misused to dump basic user details such ...

CVE-2025-53640 Indico vulnerable to user enumeration via API endpoint

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Starting in version 2.2 and prior to version 3.3.7, an endpoint used to display details of users listed in certain fields such as ACLs could be misused to dump basic user details such ...

CVE-2025-53639

MeterSphere is affected by a SQL injection vulnerability in the sortField parameter of certain API endpoints, present in versions prior to 3.6.5-lts. The vulnerability arises from insufficient validation/sanitization of the sortField input, allowing an attacker to inject and execute arbitrary SQL...

PT-2025-29867 · Wegia · Wegia

Name of the Vulnerable Software and Affected Versions: WeGIA versions prior to 3.4.5 Description: An authentication bypass issue exists in the /dao/verificar recursos cargo.php API endpoint of the WeGIA application. This allows unauthenticated users to access protected functionalities and retriev...

PT-2025-29231 · Unknown · Egroupware

Name of the Vulnerable Software and Affected Versions: eGroupWare version 17.1.20190111 Description: A user enumeration issue exists in eGroupWare. An unauthenticated remote attacker can enumerate users of web applications based on server response via the /calendar/freebusy.php API endpoint...

CVE-2025-25268

An unauthenticated adjacent attacker can modify configuration by sending specific requests to an API-endpoint resulting in read and write access due to missing authentication...

GHSA-24CH-W38V-XMH8 Juju zip slip vulnerability via authenticated endpoint

Impact Any user with a Juju account on a controller can upload a charm to the /charms endpoint. No specific permissions are required - it's just sufficient for the user to exist in the controller user database. A charm which exploits the zip slip vulnerability may be used to allow such a user to...

CVE-2025-40717

SQL injection vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to retrieve, create, update and delete databases through the pagina.filter.categoria mensaje in /QuiterGatewayWeb/api/v1/sucesospagina...

CVE-2025-25268

An unauthenticated adjacent attacker can modify configuration by sending specific requests to an API-endpoint resulting in read and write access due to missing authentication...

CVE-2025-25268 Unauthenticated Configuration Access via Exposed API Endpoint

An unauthenticated adjacent attacker can modify configuration by sending specific requests to an API-endpoint resulting in read and write access due to missing authentication...

PT-2025-28306 · Unknown · Hitsz-Ids Airda

Name of the Vulnerable Software and Affected Versions: hitzs-ids airda version 0.0.3 Description: A critical vulnerability exists in the execute function of the /v1/chat/completions file. Manipulation of the question argument results in SQL injection. The attack can be initiated remotely. The...

SUSE CVE-2025-48949

Navidrome is an open source web-based music collection server and streamer. Versions 0.55.0 through 0.55.2 have a vulnerability due to improper input validation on the role parameter within the API endpoint /api/artist. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially...