CVE-2025-69970

FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API...

CVE-2025-69970

FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API...

PT-2026-6311

Name of the Vulnerable Software and Affected Versions Craft Commerce versions 4.0.0-RC1 through 4.10.0 Craft Commerce versions 5.0.0 through 5.5.1 Description Craft Commerce, an ecommerce platform for Craft CMS, contains a stored cross-site scripting XSS issue. The vulnerability resides in the...

EUVD-2020-30882

M/Monit 3.7.4 contains an authentication vulnerability that allows authenticated attackers to retrieve user password hashes through an administrative API endpoint. Attackers can send requests to the /api/1/admin/users/list and /api/1/admin/users/get endpoints to extract MD5 password hashes for al...

CVE-2026-0832 New User Approve <= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary User Approval, Denial, and Information Disclosure

The New User Approve plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to approve or deny use...

PT-2026-5067

Name of the Vulnerable Software and Affected Versions New User Approve plugin for WordPress versions up to and including 3.2.2 Description The New User Approve plugin for WordPress is susceptible to unauthorized data access and modification. This is due to a missing capability check on multiple...

BIT-GITLAB-2025-13928 Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to cause a denial of service condition by exploiting incorrect authorization validation in API endpoints...

CVE-2025-52023

A vulnerability in the PHP backend of gemscms.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This occurs when specially crafted HTTP GET/POST requests are sent to public A...

phpMyFAQ information leakage vulnerability

phpMyFAQ is a multilingual, fully database-driven FAQ system developed by Thorsten Rinne. Versions of phpMyFAQ 4.0.16 and earlier contained an information leakage vulnerability. This vulnerability was caused by insufficient access control, allowing sensitive user information to be exposed through...

CVE-2025-52023

CVE-2025-52023 affects the PHP backend of gemscms.aptsys.com.sg (thru 2025-05-28). The vulnerability allows unauthenticated remote attackers to trigger detailed error messages that reveal internal file paths, code snippets, and stack traces when hitting public API endpoints via crafted HTTP GET/P...

CVE-2025-52023

A vulnerability in the PHP backend of gemscms.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This occurs when specially crafted HTTP GET/POST requests are sent to public A...

CVE-2025-52022

A vulnerability in the PHP backend of gemsloyalty.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This occurs when specially crafted HTTP GET/POST requests are sent to publ...

CVE-2025-52024

A vulnerability exists in the Aptsys POS Platform Web Services module thru 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services,...

CVE-2025-13928

GitLab CVE-2025-13928 = incorrect authorization validation in API endpoints could allow an unauthenticated attacker to cause DoS across GitLab CE/EE versions 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2. Remediations: upgrade to GitLab 18.6.4, 18.7.2, or 18.8.2 (patched versions...

CVE-2025-13928 Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to cause a denial of service condition by exploiting incorrect authorization validation in API endpoints...

CVE-2025-13928 Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to cause a denial of service condition by exploiting incorrect authorization validation in API endpoints...

CVE-2026-0554

CVE-2026-0554 pertains to the NotificationX WordPress plugin (versions up to 3.1.11) and describes a missing capability check on the REST endpoints /wp-json/notificationx/v1/campaigns/{campaign_id}/regenerate and /wp-json/notificationx/v1/campaigns/{campaign_id}/reset. This allows authenticated u...

CVE-2026-23848

MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.7.71, a rate limiting bypass via X-Forwarded-For header spoofing allows unauthenticated attackers to bypass IP-based rate limiting on general API endpoints. Attackers can spoof client IPs by manipulating...

CVE-2026-23848 MyTube has Rate Limiting Bypass via X-Forwarded-For Header Spoofing

MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.7.71, a rate limiting bypass via X-Forwarded-For header spoofing allows unauthenticated attackers to bypass IP-based rate limiting on general API endpoints. Attackers can spoof client IPs by manipulating...

CVE-2026-23848 MyTube has Rate Limiting Bypass via X-Forwarded-For Header Spoofing

MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.7.71, a rate limiting bypass via X-Forwarded-For header spoofing allows unauthenticated attackers to bypass IP-based rate limiting on general API endpoints. Attackers can spoof client IPs by manipulating...