2003 matches found
CVE-2025-27719 Growatt Cloud portal Authorization Bypass Through User-Controlled Key
Unauthenticated attackers can query an API endpoint and get device details...
CVE-2025-32779 labsai/eddi Vulnerable to Path Traversal (Zip Slip) in ZIP Import Function
E.D.D.I Enhanced Dialog Driven Interface is a middleware to connect and manage LLM API bots. In versions before 5.5.0, an attacker with access to the /backup/import API endpoint can write arbitrary files to locations outside the intended extraction directory due to a Zip Slip vulnerability...
CVE-2025-27980
cashbook v4.0.3 has an arbitrary file read vulnerability in /api/entry/flow/invoice/show?invoice=...
CVE-2025-3579
Aidex CVE-2025-3579 affects versions prior to 1.7. The issue is a prompt-injection vulnerability in the /api//message endpoint where the content parameter can be manipulated by an authenticated user with access to an open registry, enabling execution of OS commands (Unix), interaction with intern...
CVE-2025-3579 Code Injection Vulnerability in AiDex
In versions prior to Aidex 1.7, an authenticated malicious user, taking advantage of an open registry, could execute unauthorised commands within the system. This includes executing operating system Unix commands, interacting with internal services such as PHP or MySQL, and even invoking native...
BIT-GRAFANA-2024-8118 Grafana alerting wrong permission on datasource rule write endpoint
In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules...
PT-2025-16197 · H3C · H3C Magic Be18000 +4
Name of the Vulnerable Software and Affected Versions: H3C Magic NX15 versions up to V100R014 H3C Magic NX30 Pro versions up to V100R014 H3C Magic NX400 versions up to V100R014 H3C Magic R3010 versions up to V100R014 H3C Magic BE18000 versions up to V100R014 Description: A critical issue has been...
PT-2025-16203 · Unknown · Lingxing Erp
Name of the Vulnerable Software and Affected Versions: Lingxing ERP version 2 Description: A critical issue was found in the function DoUpload of the file /Api/FileUpload.ashx?method=DoUpload. The manipulation of the argument File leads to unrestricted upload. This issue can be exploited remotely...
PT-2025-18789 · Wavlink · Wavlink Wl-Wn530Hg4
Name of the Vulnerable Software and Affected Versions: Wavlink WL-WN530H4 version 20220801 Description: The issue is related to a command injection vulnerability in the ping test function of the adm.cgi via the pingIp parameter. This allows attackers to execute arbitrary commands via a crafted...
CVE-2025-30150
Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Through the store-api it is possible as an attacker to check if a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get the response, which indicates...
CVE-2024-54092
A vulnerability has been identified in Industrial Edge Device Kit - arm64 V1.17 All versions, Industrial Edge Device Kit - arm64 V1.18 All versions, Industrial Edge Device Kit - arm64 V1.19 All versions, Industrial Edge Device Kit - arm64 V1.20 All versions V1.20.2-1, Industrial Edge Device Kit -...
PT-2025-15286 · Zhangyanbo2007 · Youkefu
Name of the Vulnerable Software and Affected Versions: zhangyanbo2007 youkefu version 4.2.0 Description: A critical issue was found in the File Upload component, specifically affecting the WebIMController.java file. The manipulation of the ID argument leads to path traversal. This issue can be...
DataEase 2.4.0 - Database Configuration Information Exposure
Exploit Title: DataEase 2.4.0 - Database Configuration Information Exposure. Shodan Dork: http.html:"dataease". FOFA Dork: body="dataease" && title=="DataEase". Exploit Author: ByteHunter. Email: [email protected]. Vulnerable Versions: 2.4.0-2.5.0. Tested on: 2.4.0. CVE: CVE-2024-30269. import...
CVE-2024-10697
A vulnerability has been found in Tenda AC6 15.03.05.19 and classified as critical. Affected by this vulnerability is the function formWriteFacMac of the file /goform/WriteFacMac of the component API Endpoint. The manipulation of the argument mac leads to command injection. The attack can be...
CVE-2024-47212
An issue was discovered in Iglu Server 0.13.0 and below. It involves sending very large payloads to a particular API endpoint of Iglu Server and can render it completely unresponsive. If the operation of Iglu Server is not restored, event processing in the pipeline would eventually halt...