2003 matches found

RedhatCVE
added 2025/05/22 10:06 a.m. · 7 views

CVE-2019-13275

An issue was discovered in the VeronaLabs wp-statistics plugin before 12.6.7 for WordPress. The v1/hit endpoint of the API, when the non-default "use cache plugin" setting is enabled, is vulnerable to unauthenticated blind SQL Injection...

CVSS 9.8 · AI score 7.5 · EPSS 0.02605
Exploits 2 · References 1
RedhatCVE
added 2025/05/22 9:16 a.m. · 3 views

CVE-2019-19631

An issue was discovered in Big Switch Big Monitoring Fabric 6.2 through 6.2.4, 6.3 through 6.3.9, 7.0 through 7.0.3, and 7.1 through 7.1.3; Big Cloud Fabric 4.5 through 4.5.5, 4.7 through 4.7.7, 5.0 through 5.0.1, and 5.1 through 5.1.4; and Multi-Cloud Director through 1.1.0. A read-only user can...

CVSS 8.8 · AI score 6.5 · EPSS 0.01733
Exploits 1 · References 1
RedhatCVE
added 2025/05/22 8:53 a.m. · 8 views

CVE-2019-8138

A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can execute arbitrary JavaScript code by providing an arbitrary API endpoint that will not be checked by the sale pickup event...

CVSS 5.4 · AI score 5.5 · EPSS 0.00556
Exploits 0 · References 1
RedhatCVE
added 2025/05/22 5:02 a.m. · 11 views

CVE-2018-1999019

Chamilo LMS version 11.x contains an Unserialization vulnerability in the "hash" GET parameter for the api endpoint located at /webservices/api/v2.php that can result in Unauthenticated remote code execution. This attack appears to be exploitable via a simple GET request to the api endpoint. This...

CVSS 9.8 · AI score 7.8 · EPSS 0.03413
Exploits 0 · References 1
Veracode
added 2025/05/20 9:07 a.m. · 8 views

Denial Of Service (DoS)

github.com/ollama/ollama is vulnerable to Denial of Service (DoS). The vulnerability is due to improper input validation and unchecked array index access in the /api/pull endpoint, which allows an attacker to send a crafted manifest that crashes the server...

CVSS 7.5 · AI score 6.5 · EPSS 0.00426
Exploits 1 · References 2 · Affected Software 1
Positive Technologies
added 2025/05/20 12:00 a.m. · 2 views

PT-2025-22131 · Vmware · Vmware Cloud Foundation

Name of the Vulnerable Software and Affected Versions: VMware Cloud Foundation, affected versions not specified. Description: The issue is an information disclosure vulnerability. A malicious actor with network access to port 443 on VMware Cloud Foundation may exploit this issue to gain access to...

CVSS 7.8 · AI score 6.1 · EPSS 0.00368
Exploits 0 · References 13
Positive Technologies
added 2025/05/18 12:00 a.m. · 3 views

PT-2025-21825 · Totolink · Totolink N300Rt

Name of the Vulnerable Software and Affected Versions: TOTOLINK N300RH version 6.1c.1390 B20191101. Description: A critical vulnerability has been found in the TOTOLINK N300RH router. This issue affects the setUnloadUserData function of the /cgi-bin/cstecgi.cgi file. The manipulation of the plugin...

CVSS 6.5 · AI score 6.7 · EPSS 0.01315
Exploits 0 · References 12
RedhatCVE
added 2025/05/16 8:56 a.m. · 25 views

CVE-2024-8988

The PeepSo Core: File Uploads plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.6.0 via the filedownload REST API endpoint due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to...

CVSS 5.3 · AI score 6.7 · EPSS 0.00248
Exploits 0 · References 1
Cvelist
added 2025/05/14 10:36 a.m. · 19 views

CVE-2025-4430 Unauthorized file manipulation in EZD RP

Unauthorized access to "/api/Token/gettoken" endpoint in EZD RP allows file manipulation. This issue affects EZD RP in versions before 20.19 published on 22nd August 2024...

CVSS 8.6 · EPSS 0.00298
Exploits 0 · References 2
Positive Technologies
added 2025/05/14 12:00 a.m. · 4 views

PT-2025-21142 · WordPress · Peepso Core

Name of the Vulnerable Software and Affected Versions: PeepSo Core: File Uploads plugin for WordPress versions up to, and including, 6.4.6.0. Description: The issue allows unauthenticated attackers to download files uploaded by other users, potentially exposing sensitive information, due to missin...

CVSS 5.3 · AI score 6.2 · EPSS 0.00248
Exploits 0 · References 7
CNVD
added 2025/05/14 12:00 a.m. · 3 views

Tenda RX2 Pro setLanCfg API Endpoint Input Validation Error Vulnerability

Tenda RX2 Pro is a high-performance WiFi 6 signal amplifier from Tenda China. The Tenda RX2 Pro suffers from an input validation error vulnerability that stems from a lack of input validation in the setLanCfg API endpoint, which can be exploited by an attacker to gain root shell access...

CVSS 8.8 · AI score 7.2 · EPSS 0.0083
Exploits 0 · References 1
CVE
added 2025/05/13 12:00 a.m. · 39 views

CVE-2025-28057

Summary of CVE-2025-28057: The owl-admin project is affected for versions 3.2.2 through 4.10.2 by a SQL Injection in the /admin-api/system/admin_menus/save_order endpoint. This is documented with a high-severity CVSS 3.1 score (7.2) impacting confidentiality, integrity, and availability. The roo...

CVSS 7.2 · AI score 8.3 · EPSS 0.00361
Exploits 1 · References 2 · Affected Software 1
Positive Technologies
added 2025/05/12 12:00 a.m. · 3 views

PT-2025-20695 · Unknown · Abantecart

Name of the Vulnerable Software and Affected Versions: AbanteCart version 1.4.0. Description: A Reflected Cross-Site Scripting (XSS) issue allows an attacker to execute JavaScript code in a victim's browser by sending a malicious URL. This can be exploited to steal sensitive user data, such as sessi...

CVSS 5.1 · AI score 5.7 · EPSS 0.00195
Exploits 0 · References 7
Positive Technologies
added 2025/05/12 12:00 a.m. · 3 views

PT-2025-25203 · Mattermost · Mattermost

Name of the Vulnerable Software and Affected Versions: Mattermost versions 10.7.x through 10.7.1; Mattermost versions 10.6.x through 10.6.3; Mattermost versions 10.5.x through 10.5.4; Mattermost versions 9.11.x through 9.11.13. Description: The issue is related to the improper validation of LDAP grou...

CVSS 4.1 · AI score 6.6 · EPSS 0.00236
Exploits 0 · References 18
Positive Technologies
added 2025/05/09 12:00 a.m. · 2 views

PT-2025-20482

Name of the Vulnerable Software and Affected Versions: itsourcecode Gym Management System version 1.0. Description: A critical issue has been found in the itsourcecode Gym Management System. The problem affects the /ajax.php?action=save payment API endpoint, where the manipulation of the registratio...

CVSS 9.8 · AI score 7.5 · EPSS 0.00751
Exploits 1 · References 10
OSV
added 2025/05/07 5:43 a.m. · 4 views

BIT-MASTODON-2024-34535

In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header...

CVSS 5.9 · AI score 6.8 · EPSS 0.00371
Exploits 0 · References 3
Positive Technologies
added 2025/05/06 12:00 a.m. · 4 views

PT-2025-19923 · Mrcms · Mrcms

Name of the Vulnerable Software and Affected Versions: MRCMS version 3.1.2. Description: A vulnerability was found in MRCMS, classified as problematic, affecting an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has...

CVSS 5.3 · AI score 4.4 · EPSS 0.00233
Exploits 1 · References 12
Positive Technologies
added 2025/05/06 12:00 a.m. · 2 views

PT-2025-19840 · Unknown · Real Estate Management System

Name of the Vulnerable Software and Affected Versions: Real Estate Management System version 1.0. Description: The issue is related to a SQL injection vulnerability. It can be exploited via the message parameter at the "/contact.php" API endpoint. Recommendations: For Real Estate Management System...

CVSS 5.1 · AI score 7.2 · EPSS 0.00172
Exploits 0 · References 6
Positive Technologies
added 2025/05/06 12:00 a.m. · 3 views

PT-2025-19961 · Tenda · Tenda Rx3

Name of the Vulnerable Software and Affected Versions: Tenda RX3 version V1.0br V16.03.13.11. Description: The issue concerns the manipulation of the mac parameter in the GetParentControlInfo function, accessible through the "/goform/GetParentControlInfo" API endpoint. This manipulation leads to a...

CVSS 6.5 · AI score 6.1 · EPSS 0.00217
Exploits 0 · References 6
Positive Technologies
added 2025/05/05 12:00 a.m. · 3 views

PT-2025-19776 · Xinguan · Xinguan

Name of the Vulnerable Software and Affected Versions: Xinguan version 0.0.1-SNAPSHOT. Description: The issue is related to incorrect access control in the "/system/user/findUserList" API endpoint, which allows attackers to access sensitive information by sending a crafted payload. Recommendations...

CVSS 7.5 · AI score 6 · EPSS 0.00309
Exploits 1 · References 4