2004 matches found
PT-2025-3444 · Ruoyi · Ruoyi
Name of the Vulnerable Software and Affected Versions: RuoYi version 4.8.0 Description: A SQL injection issue was found in RuoYi via the orderby parameter at the "/monitor/online/list" API endpoint. Recommendations: For RuoYi version 4.8.0, as a temporary workaround, consider restricting access t...
CVE-2025-0783
A vulnerability, which was classified as problematic, was found in pankajindevops scale up to 20241113. This affects an unknown part of the component API Endpoint. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. This product does not use...
CVE-2025-0783
CVE-2025-0783 affects pankajindevops Scale API Endpoint. Multiple connected sources describe a vulnerability in the API Endpoint component causing improper access controls, with remote initiation possible and no versioning/affected releases information available. The exact vulnerable versions are...
PT-2025-1313 · Cacti +1 · Cacti +1
Name of the Vulnerable Software and Affected Versions: Cacti versions prior to 1.2.29 Description: Cacti is an open source performance and fault management framework. It has a SQL injection vulnerability in the get discovery results function of automation_devices.php using the network parameter...
Path Traversal
Ray is vulnerable to Path Traversal. The vulnerability is due to improper validation or sanitization of user input in the log API endpoint, allowing attackers to specify arbitrary file paths and access unauthorized files on the server...
PT-2025-4740
Name of the Vulnerable Software and Affected Versions: RE11S version 1.11 Description: RE11S version 1.11 contains a command injection issue through the command parameter at the "/goform/mp" API endpoint. This allows for potential unauthorized command execution. Recommendations: RE11S version 1.11...
PT-2025-4741 · Re11S · Re11S
Name of the Vulnerable Software and Affected Versions: RE11S version 1.11 Description: A command injection issue was discovered via the L2TPUserName parameter at the "/goform/setWAN" API endpoint. This allows for potential command injection attacks. Recommendations: For RE11S version 1.11, as a...
CVE-2024-46310
Incorrect Access Control in Cfx.re FXServer v9601 and earlier allows unauthenticated users to modify and read arbitrary user data via exposed API endpoint...
PT-2025-3088 · Monicahq · Monicahq
Name of the Vulnerable Software and Affected Versions: MonicaHQ version 4.1.2 Description: The issue is related to an authenticated Client-Side Injection vulnerability in MonicaHQ. This vulnerability can be exploited via the Reason parameter at the "/people/h:id/debts/create" API endpoint...
PT-2025-4748 · Tenda · Tenda Ac9
Name of the Vulnerable Software and Affected Versions: Tenda ac9 version 1.0 v15.03.05.19 Description: The issue concerns a stack overflow vulnerability in the /goform/SetOnlineDevName API endpoint, which may lead to remote arbitrary code execution. Recommendations: For Tenda ac9 version 1.0...
CVE-2024-11423
CVE-2024-11423 is exposed in the WordPress plugin “Ultimate Gift Cards for WooCommerce Pro” (Gift Cards for WooCommerce Pro). The root cause is a missing capability check on several REST API endpoints (notably /wp-json/gifting/recharge-giftcard), enabling unauthenticated attackers to modify data ...
VulnCheck KEV: CVE-2024-50603
Aviatrix Controllers contain an OS command injection vulnerability that could allow an unauthenticated attacker to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloudtype for listflightpathdestinationinstances, or srccloudtype for flightpathconnectiontest...
CVE-2024-56828
File Upload vulnerability in ChestnutCMS through 1.5.0. Based on the code analysis, it was determined that the /api/member/avatar API endpoint receives a base64 string as input. This string is then passed to the memberService.uploadAvatarByBase64 method for processing. Within the service, the...
CVE-2024-56828
CVE-2024-56828 affects ChestnutCMS up to 1.5.0. The /api/member/avatar endpoint accepts a base64 data URL, decodes the payload via the service’s uploadAvatarByBase64, and derives a file suffix from the encoded content (substring from the 11th character to the first semicolon). The decoded data is...
PT-2025-3338 · Unknown · Chestnutcms
Name of the Vulnerable Software and Affected Versions: ChestnutCMS versions prior to 1.5.0 Description: The issue concerns a file upload vulnerability where the /api/member/avatar API endpoint receives a base64 string as input, which is then processed by the memberService.uploadAvatarByBase64...
CVE-2024-12195
CVE-2024-12195 affects the WordPress plugin “WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts.” The vulnerability is an SQL Injection in the REST endpoint /wp-json/pm/v2/projects/2/task-lists, exploitable through the project_id parameter in ve...