2003 matches found
PT-2025-27799 · Plesk · Plesk Obsidian
Name of the Vulnerable Software and Affected Versions: Plesk Obsidian version 18.0.69 Description: The issue allows unauthenticated requests to the "/login_up.php" API endpoint to reveal sensitive AWS credentials, including accessKeyId, secretAccessKey, region, and endpoint. Recommendations: For...
CVE-2025-53108 HomeBox Missing User Authorization
HomeBox is a home inventory and organization system. Prior to 0.20.1, HomeBox contains a missing authorization check in the API endpoints responsible for updating and deleting inventory item attachments. This flaw allows authenticated users to perform unauthorized actions on inventory item...
PT-2025-27608 · Nokia · Nokia Single Ran Baseband
Name of the Vulnerable Software and Affected Versions: Nokia Single RAN baseband software versions prior to 24R1-SR 1.0 MP Description: The issue arises when a crafted SOAP "provision" operation message is sent with a malicious PlanId field within the Mobile Network Operator (MNO) internal Radio...
PT-2025-27550 · Onelogin · Onelogin Ad Connector
Name of the Vulnerable Software and Affected Versions: OneLogin AD Connector versions prior to 6.1.5 Description: An information disclosure issue exists via the "/api/adc/v4/configuration" endpoint. An attacker with access to a valid directory token can retrieve a plaintext response disclosing...
PT-2025-27536 · Avtech · Avtech Ip Cameras +2
Name of the Vulnerable Software and Affected Versions: AVTECH IP cameras, DVRs, and NVRs (affected versions not specified) Description: An unauthenticated information disclosure issue exists, allowing access to sensitive internal device information such as firmware version, MAC address, and codec...
GHSA-WGVP-JJ4W-88HF Mattermost Incorrect Authorization vulnerability
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to access sensitive informatio...
Mattermost Incorrect Authorization vulnerability
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to access sensitive informatio...
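The HomeBox and Mattermost entries above are the same bug class: the caller is authenticated, but the endpoint never ties the caller to the object it is acting on. The following is an added example, not code from either project; the in-memory Store, its record shapes and the user names are constructed stand-ins. It puts the missing check beside the check that closes the hole, for both the "playbook member but not channel member" case and the "any logged-in user can delete anyone's attachment" case.

```python
"""Object-level authorization: the missing check beside its fix.

Added example, not code from HomeBox or Mattermost. The in-memory Store
and its records are constructed stand-ins for the real data models.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized."""


@dataclass
class Store:
    channel_members: dict = field(default_factory=dict)   # channel_id -> {user_id}
    playbook_members: dict = field(default_factory=dict)  # playbook_id -> {user_id}
    runs: dict = field(default_factory=dict)              # run_id -> playbook/channel/metadata
    attachments: dict = field(default_factory=dict)       # attachment_id -> item/owner


def run_metadata_vulnerable(store, user_id, run_id):
    """Checks only playbook membership: a playbook member who was never
    added to the run's channel still receives channel-scoped metadata."""
    run = store.runs[run_id]
    if user_id not in store.playbook_members[run["playbook_id"]]:
        raise Forbidden("not a playbook member")
    return run["metadata"]


def run_metadata_fixed(store, user_id, run_id):
    """Requires both memberships: the metadata belongs to the channel, so
    channel membership is the check that actually protects it."""
    run = store.runs[run_id]
    if user_id not in store.playbook_members.get(run["playbook_id"], set()):
        raise Forbidden("not a playbook member")
    if user_id not in store.channel_members.get(run["channel_id"], set()):
        raise Forbidden("not a channel member")
    return run["metadata"]


def delete_attachment_vulnerable(store, user_id, attachment_id):
    """Authentication happened upstream; nothing relates the caller to the
    attachment, so any logged-in user can delete anyone's attachment."""
    store.attachments.pop(attachment_id)
    return True


def delete_attachment_fixed(store, user_id, attachment_id):
    """Look the object up scoped to the caller, and answer 'not found' for
    both missing and foreign objects so the endpoint cannot be used to
    enumerate other users' attachment IDs."""
    att = store.attachments.get(attachment_id)
    if att is None or att["owner"] != user_id:
        raise LookupError("attachment not found")
    del store.attachments[attachment_id]
    return True


def raises(exc, fn, *args):
    """True if fn(*args) raises exc; shows the fixed checks refusing."""
    try:
        fn(*args)
    except exc:
        return True
    return False


def demo_store():
    """Constructed fixture: mallory is in the playbook but not the channel,
    and owns no attachment."""
    s = Store()
    s.channel_members["chan-1"] = {"alice"}
    s.playbook_members["pb-1"] = {"alice", "mallory"}
    s.runs["run-1"] = {"playbook_id": "pb-1", "channel_id": "chan-1",
                       "metadata": {"summary": "incident details"}}
    s.attachments["att-1"] = {"item_id": "item-9", "owner": "alice"}
    return s


if __name__ == "__main__":
    s = demo_store()
    print("vulnerable:", run_metadata_vulnerable(s, "mallory", "run-1"))
    print("fixed refuses:", raises(Forbidden, run_metadata_fixed, s, "mallory", "run-1"))
    print("fixed refuses delete:",
          raises(LookupError, delete_attachment_fixed, s, "mallory", "att-1"))
```

The design point is that the ownership or membership lookup is part of fetching the object, not a separate step that a new endpoint can forget; returning "not found" rather than "forbidden" for foreign objects also keeps the endpoint from confirming which IDs exist.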
PT-2025-27423 · Unknown · Daily Expense Manager
Name of the Vulnerable Software and Affected Versions: Daily Expense Manager version 1.0 Description: The issue allows an attacker to retrieve, create, update, and delete databases through the pname, pprice, and id parameters in the "/update.php" API endpoint. Recommendations: For Daily Expense...
PT-2025-27355 · Unknown · Langchain-Chatchat
Name of the Vulnerable Software and Affected Versions: Langchain-Chatchat versions up to 0.3.1 Description: A problematic vulnerability was found in Langchain-Chatchat, affecting unknown code of the file "/v1/files?purpose=assistants". This issue leads to path traversal and can be initiated...
PT-2025-27251
Name of the Vulnerable Software and Affected Versions: eosphoros-ai db-gpt versions up to 0.7.2 Description: A critical issue has been found, affecting the import flow function of the file /api/v2/serve/awel/flow/import. The manipulation of the File argument leads to path traversal, allowing for...
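The Langchain-Chatchat and db-gpt entries both describe path traversal through a file name or path the client controls on a file upload/import endpoint. The following is an added example, not code from either project; the base directory, file names and the throwaway directory used by demo() are constructed. It shows the two checks a practitioner wants on such an endpoint: a bare-name sanitizer for the uploaded file name, and a containment check that resolves symlinks and `..` before deciding whether the final path is still under the upload directory.

```python
"""Confining user-controlled file names and paths to an upload directory.

Added example, not code from Langchain-Chatchat or db-gpt. The base
directory and file names are constructed; the helpers are generic.
"""
import os
import tempfile
from pathlib import Path


class PathTraversal(ValueError):
    """Raised when a user-supplied path would escape the base directory."""


def resolve_under(base, user_path):
    """Return the absolute path of base/user_path, or raise if it escapes base.

    Symlinks and '..' are resolved before the containment check. An absolute
    user_path replaces base in the join, which the check also catches.
    """
    if "\0" in user_path:
        raise PathTraversal("NUL byte in path")
    base_dir = Path(base).resolve()
    candidate = (base_dir / user_path).resolve()
    if candidate != base_dir and base_dir not in candidate.parents:
        raise PathTraversal(user_path)
    return candidate


def is_safe(base, user_path):
    """Boolean form of resolve_under for callers that only need a verdict."""
    try:
        resolve_under(base, user_path)
        return True
    except PathTraversal:
        return False


def safe_upload_name(client_filename):
    """Reduce a client-supplied file name to a bare name; reject '.', '..', empty."""
    name = client_filename.replace("\\", "/")   # Windows-style separators count too
    name = os.path.basename(name)
    if name in ("", ".", "..") or "\0" in name:
        raise PathTraversal(client_filename)
    return name


def store_upload(base, client_filename, data):
    """Write an upload under base using only the sanitized name; return the path."""
    target = resolve_under(base, safe_upload_name(client_filename))
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


def demo():
    """Constructed scenario in a throwaway directory: a traversal file name
    ends up inside the upload directory instead of several levels above it."""
    base = tempfile.mkdtemp(prefix="uploads-")
    written = store_upload(base, "../../etc/cron.d/evil", b"* * * * * root id\n")
    return written.parent == Path(base).resolve(), written.name


if __name__ == "__main__":
    print(is_safe("/srv/uploads", "a/b.txt"), is_safe("/srv/uploads", "../../etc/passwd"))
    print(demo())
```

`resolve_under` is the check to use when the client legitimately supplies a relative path (an import flow that names a file inside a package); `safe_upload_name` is the stricter option for plain uploads, where nothing but a bare file name should ever be honoured.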
Lychee Security Vulnerability
Lychee is a beautiful and easy to use photo management system open-sourced by The Lychee Organisation. It is used to manage and share photos. A security vulnerability exists in Lychee versions prior to 6.6.13, which stems from a server-side request forgery in the /api/v2/Photo::fromUrl endpoint...
PT-2025-27148 · Lychee · Lychee
Name of the Vulnerable Software and Affected Versions: Lychee versions prior to 6.6.13 Description: A critical Server-Side Request Forgery (SSRF) issue exists in the "/api/v2/Photo::fromUrl" endpoint, allowing an attacker to instruct the application's backend to make HTTP requests to any URL they...
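Both Lychee entries above describe an import-from-URL endpoint that fetches whatever URL the user supplies. The following is an added example, not Lychee's code; the resolver injection point and the fake DNS table in demo_resolver() are constructed so it runs offline. It shows the validation a server-side fetcher needs before it opens a connection: an allow-list of schemes, rejection of userinfo tricks, and a check of every address the host resolves to against the non-global ranges (loopback, RFC 1918, the 169.254.0.0/16 link-local range where cloud metadata services live, IPv4-mapped IPv6, and so on).

```python
"""Validating a user-supplied URL before the server fetches it.

Added example, not code from Lychee. The resolver injection point and the
fake DNS table in demo_resolver() are constructed for offline use.
"""
import ipaddress
import socket
from urllib.parse import urlsplit


class SSRFBlocked(ValueError):
    """Raised when a URL must not be fetched on behalf of a user."""


def resolve_all(host):
    """Every A/AAAA answer for host; a single bad answer blocks the fetch."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_internal(ip):
    # ::ffff:a.b.c.d wraps an IPv4 address; judge the inner address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16),
    # CGNAT, unspecified, multicast, documentation and reserved ranges.
    return not ip.is_global


def validate_fetch_target(url, resolve=resolve_all):
    """Return (hostname, sorted list of permitted IPs) or raise SSRFBlocked."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise SSRFBlocked("missing host")
    if parts.username or parts.password:
        raise SSRFBlocked("userinfo in URL")       # e.g. http://trusted@169.254.169.254/
    try:
        ips = {ipaddress.ip_address(host)}         # IP literal, including [v6]
    except ValueError:
        try:
            ips = {ipaddress.ip_address(a) for a in resolve(host)}
        except (socket.gaierror, ValueError) as e:
            raise SSRFBlocked(f"cannot resolve {host}: {e}")
    if not ips:
        raise SSRFBlocked(f"no addresses for {host}")
    bad = sorted(str(ip) for ip in ips if _is_internal(ip))
    if bad:
        raise SSRFBlocked(f"{host} resolves to internal address(es) {bad}")
    return host, sorted(str(ip) for ip in ips)


def is_fetchable(url, resolve=resolve_all):
    """Boolean form of validate_fetch_target."""
    try:
        validate_fetch_target(url, resolve)
        return True
    except SSRFBlocked:
        return False


def demo_resolver(host):
    """Constructed DNS table; a real deployment uses resolve_all."""
    table = {
        "photos.example": ["93.184.216.34"],
        "rebind.example": ["93.184.216.34", "10.0.0.5"],   # one public, one internal
    }
    if host not in table:
        raise socket.gaierror(f"no such host: {host}")
    return table[host]


if __name__ == "__main__":
    for u in ("https://photos.example/cat.jpg", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/", "file:///etc/passwd"):
        print(u, "->", is_fetchable(u, demo_resolver))
```

Two things this check cannot do on its own: it must be repeated for every redirect (fetch with automatic redirects disabled and re-validate each Location), and the connection should be made to the address that was validated rather than re-resolving the name, otherwise a DNS answer that changes between check and connect (rebinding) bypasses it.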
PT-2025-27015
Name of the Vulnerable Software and Affected Versions: UTT HiPER 840G versions up to 3.1.1-190328 Description: A critical issue affects the strcpy function of the /goform/setSysAdm file in the API component. The manipulation of the passwd1 argument leads to buffer overflow, allowing remote attack...
PT-2025-27021
Name of the Vulnerable Software and Affected Versions: UTT HiPER 840G versions up to 3.1.1-190328 Description: A critical issue affects the function sub_484E40 of the file /goform/formP2PLimitConfig of the component API. The manipulation of the argument except leads to buffer overflow. The attack...
PT-2025-26711 · Mb Connect Line +1 · Mbconnect24 +2
Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: An unauthenticated remote attacker can enumerate valid user names from an unprotected "API endpoint". No information is provided about the estimated number of potentially affected devices...
FreeBSD : Navidrome -- SQL Injection via role parameter (fc2d2fb8-4c83-11f0-8deb-f8f21e52f724)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the fc2d2fb8-4c83-11f0-8deb-f8f21e52f724 advisory. Deluan reports: This vulnerability arises due to improper input validation on the role parameter within...
PT-2025-26163 · Minitcg · Minitcg
Name of the Vulnerable Software and Affected Versions: miniTCG version 1.3.1 beta Description: A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the id parameter at the "/members/edit.php" API endpoint. Recommendations:...
CVE-2025-5964
A path traversal issue in the API endpoint in M-Files Server before version 25.6.14925.0 allows an authenticated user to read files in the server...
PT-2025-25541 · Unknown · Parking Management System
Name of the Vulnerable Software and Affected Versions: Das Parking Management System version 6.2.0 Description: A critical issue was found in the API component, specifically affecting an unknown part of the /IntraFieldVehicle/Search file. The manipulation of the Value argument leads to SQL...
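The Navidrome entry (improper input validation on a `role` parameter) and the parking-system entry (a `Value` argument in a Search endpoint) above are both SQL injection through a request parameter spliced into a query. The following is an added example, not code from either project; the schema, rows and parameter values are constructed and run against an in-memory SQLite database. It shows the string-built query beside its fixed form, including the LIKE case that a free-text search endpoint needs, where binding the parameter is necessary but not sufficient because `%` and `_` are still wildcards.

```python
"""String-built SQL beside its parameterized form, run against SQLite.

Added example, not code from Navidrome or the parking system. The schema,
rows and the 'role' / 'Value' parameters are constructed.
"""
import sqlite3

ALLOWED_ROLES = {"admin", "user"}


def setup():
    """Constructed fixture: users with password hashes that must not leak,
    and vehicle plates that contain LIKE metacharacters."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, role TEXT, password_hash TEXT);
        INSERT INTO users(name, role, password_hash) VALUES
            ('alice', 'admin', 'hash-alice'),
            ('bob',   'user',  'hash-bob'),
            ('carol', 'user',  'hash-carol');
        CREATE TABLE vehicles(id INTEGER PRIMARY KEY, plate TEXT, owner TEXT);
        INSERT INTO vehicles(plate, owner) VALUES
            ('AB-123', 'bob'), ('AB_999', 'carol'), ('ZZ-777', 'alice');
    """)
    return conn


def users_by_role_vulnerable(conn, role):
    """No validation: the role value is pasted into the query text."""
    sql = f"SELECT name FROM users WHERE role = '{role}' ORDER BY name"
    return [r[0] for r in conn.execute(sql)]


def users_by_role_fixed(conn, role):
    """Roles are a closed set, so allow-list the value, then bind it."""
    if role not in ALLOWED_ROLES:
        raise ValueError(f"unknown role {role!r}")
    rows = conn.execute("SELECT name FROM users WHERE role = ? ORDER BY name", (role,))
    return [r[0] for r in rows]


def search_plates_vulnerable(conn, value):
    """Free-text search with the value pasted into a LIKE pattern."""
    sql = f"SELECT plate FROM vehicles WHERE plate LIKE '%{value}%' ORDER BY plate"
    return [r[0] for r in conn.execute(sql)]


def like_escape(value):
    """Escape LIKE metacharacters so the search matches them literally."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_plates_fixed(conn, value):
    """Bind the pattern and declare the escape character."""
    pattern = f"%{like_escape(value)}%"
    rows = conn.execute(
        r"SELECT plate FROM vehicles WHERE plate LIKE ? ESCAPE '\' ORDER BY plate",
        (pattern,))
    return [r[0] for r in rows]


def rejects(fn, *args):
    """True if fn(*args) raises ValueError (the allow-list refusing input)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = setup()
    print(users_by_role_vulnerable(conn, "' OR '1'='1"))
    print(users_by_role_vulnerable(conn, "' UNION SELECT password_hash FROM users --"))
    print(search_plates_vulnerable(conn, "AB_"), search_plates_fixed(conn, "AB_"))
```

The UNION payload is the one that turns a role filter into a credential dump; the LIKE payload is the quieter bug, where `AB_` matches `AB-123` as well as `AB_999` until the wildcard is escaped.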
PT-2025-25508 · Utt · Utt 进取 750W
Name of the Vulnerable Software and Affected Versions: UTT 进取 750W versions up to 5.0 Description: A critical issue affects the strcpy function of the /goform/setSysAdm component API. The manipulation of the passwd1 argument leads to a buffer overflow. This issue can be exploited remotely...