CVE-2025-41423 Unauthorized Playbooks Post Deletion in Mattermost Playbooks Plugin
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing actions created by the Playbooks bot, even without...
CVE-2025-41423
Mattermost CVE-2025-41423 affects Mattermost versions 10.4.x up to 10.4.2, 10.5.x up to 10.5.0, and 9.11.x up to 9.11.10. The issue is improper permission validation on the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, which could allow any user or attacker to delete posts...
CVE-2025-42603 Information Disclosure Vulnerability in Meon KYC solutions
This vulnerability exists in the Meon KYC solutions due to transmission of sensitive data in plain text within the response payloads of certain API endpoints. An authenticated remote attacker could exploit this vulnerability by intercepting an API response that contains unencrypted sensitive...
PT-2025-17637 · Tenda · Tenda Ac9
Name of the Vulnerable Software and Affected Versions: Tenda ac9 version 1.0 with firmware V15.03.05.14 multi Description: The issue is related to a stack overflow vulnerability in the rebootTime parameter of the "/goform/SetSysAutoRebbotCfg" API endpoint. This vulnerability can lead to remote...
PT-2025-17638 · Tenda · Tenda Ac9
Name of the Vulnerable Software and Affected Versions: Tenda ac9 version V15.03.05.14 multi Description: The issue is a stack overflow vulnerability in the "/goform/WifiWpsStart" API endpoint, which may lead to remote arbitrary code execution. Recommendations: For Tenda ac9 version V15.03.05.14...
PT-2025-17539 · Nextu · Nextu Fleta Ax1500 Wifi6 Router
Name of the Vulnerable Software and Affected Versions: NEXTU FLETA AX1500 WIFI6 Router version 1.0.3 Description: A stack overflow vulnerability was discovered, allowing attackers to cause a Denial of Service (DoS) via a crafted POST request. The issue is related to the url parameter at the...
CVE-2025-2298
CVE-2025-2298 is an improper authorization vulnerability in Dremio Software where authenticated users can delete arbitrary files across local and remote locations due to insufficient API endpoint access controls. Impact includes potential data loss and DoS, with possible escalation depending on d...
PT-2025-17453 · Flaskblog · Flaskblog
Name of the Vulnerable Software and Affected Versions: flaskBlog version 2.6.1 Description: A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the postContent parameter at the "/createpost" API endpoint. Recommendations:...
PT-2025-17413 · Unknown · Wing Ftp Server
Name of the Vulnerable Software and Affected Versions: Wing FTP Server versions prior to 7.4.4 Description: Wing FTP Server does not properly validate and sanitize the url parameter of the /downloadpass.html API endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link,...
CVE-2025-27719
Unauthenticated attackers can query an API endpoint and get device details...
CVE-2025-27980
cashbook v4.0.3 has an arbitrary file read vulnerability in /api/entry/flow/invoice/show?invoice=...
PT-2025-17078 · D Link · Dir 832
Name of the Vulnerable Software and Affected Versions: dlink DIR 832x version 240802 Description: The issue allows a remote attacker to execute arbitrary code via the macaddr key value to the function 0x42232c. This enables the attacker to potentially gain control over the device. Recommendations...
PT-2025-17196 · Hazelcast · Hazelcast Management Center
Name of the Vulnerable Software and Affected Versions: Hazelcast Management Center versions prior to 6.0 Description: The issue allows remote code execution through a JndiLoginModule user.provider.url in a hazelcast-client XML document, which can be uploaded at the "/cluster-connections" API...
PT-2025-16961 · Unknown · Codeastro Internet Banking System
Name of the Vulnerable Software and Affected Versions: Code Astro Internet Banking System version 2.0.0 Description: The issue concerns Cross-Site Scripting (XSS) via the name parameter in the "/admin/pages account.php" API endpoint. This allows for potential malicious script injection. No...
ROS-20250417-02
Vulnerability of the /settings/store API endpoint of the pgAdmin database management tool is related to failure to take measures to protect the structure of a web page. Exploitation of the vulnerability could allow an attacker, acting remotely, to perform a cross-site scripting attack. Server mode...
Missing Authentication for Critical Function
Overview: Affected versions of this package are vulnerable to Missing Authentication for Critical Function over the PUT /api/v4/users/user-id/mfa endpoint. This allows a user with the edit_other_users permission to activate or deactivate multi-factor authentication for other users. Remediation: Upgrade...
PT-2025-16569 · Unknown · Xxyopen Novel-Plus
Name of the Vulnerable Software and Affected Versions: xxyopen Novel-Plus version 3.5.0 Description: A critical vulnerability has been found in xxyopen Novel-Plus. This affects an unknown part of the file "/api/front/search/books". The manipulation of the sort argument leads to SQL injection. It ...
PT-2025-16893 · Sourcecodester · Sourcecodester Company Website Cms
Name of the Vulnerable Software and Affected Versions: SourceCodester Company Website CMS version 1.0 Description: The issue is related to Cross-Site Scripting (XSS) via the /dashboard/Services API endpoint. This allows for potential malicious script injection. No information is provided about the...
PT-2025-16891 · Sourcecodester · Sourcecodester Company Website Cms
Name of the Vulnerable Software and Affected Versions: SourceCodester Company Website CMS version 1.0 Description: The issue concerns a file upload vulnerability via the "Create Services" file. This vulnerability can be exploited through the "/dashboard/Services" API endpoint. The Create Services...