800 matches found
PT-2025-34898 · Cisco · Cisco Nexus Dashboard +1
Name of the Vulnerable Software and Affected Versions: Cisco Nexus Dashboard and Cisco Nexus Dashboard Fabric Controller (NDFC), affected versions not specified. Description: A vulnerability exists in the REST API endpoints of Cisco Nexus Dashboard and Cisco Nexus Dashboard Fabric Controller (NDFC). Th...
UBUNTU-CVE-2024-10219
An issue has been discovered in GitLab CE/EE affecting all versions from 15.6 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that under certain conditions could have allowed authenticated users to bypass access controls and download private artifacts by accessing specific API endpoints...
CVE-2025-54864
CVE-2025-54864 affects Hydra (Nix-based CI) where the endpoints /api/push-github and /api/push-gitea were called without HTTP Basic authentication, despite the forges implementing HMAC with a secret key. The root cause is missing authentication on those calls, enabling heavy evaluations that can ...
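The entry above names the root cause as missing authentication on the push endpoints even though the forges already sign each delivery with an HMAC secret. The block below is an added illustration, not Hydra's code and not its actual fix (the page does not say what that was): it verifies the forge's HMAC-SHA256 signature over the raw body before any work is triggered, and refuses the request when the header is absent rather than falling through to unauthenticated handling. The GitHub header name and `sha256=` prefix follow GitHub's documented scheme; the Gitea header name `X-Gitea-Signature` and the sample secret and body are assumptions constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample values for the example (not from any real deployment).
SECRET = b"example-webhook-secret"
BODY = b'{"ref":"refs/heads/main","after":"0123456789abcdef"}'

HEX_SHA256 = re.compile(r"[0-9a-f]{64}")


def sign_payload(secret: bytes, body: bytes) -> str:
    # HMAC-SHA256 over the raw request body, hex encoded: the form GitHub sends
    # in X-Hub-Signature-256 (prefixed "sha256=") and, as I recall, Gitea sends
    # bare in X-Gitea-Signature. Check your forge's docs for the exact header.
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value) -> bool:
    # Missing header: reject outright. Never treat "no signature" as "trusted".
    if not header_value:
        return False
    presented = header_value.strip().lower()
    if presented.startswith("sha256="):
        presented = presented[len("sha256="):]
    # Reject malformed values before the constant-time compare (which needs ASCII).
    if not HEX_SHA256.fullmatch(presented):
        return False
    return hmac.compare_digest(sign_payload(secret, body), presented)


def handle_push(secret: bytes, headers: dict, body: bytes):
    # Accept either forge's header; only a valid signature queues an evaluation.
    sig = headers.get("X-Hub-Signature-256") or headers.get("X-Gitea-Signature")
    if not verify_signature(secret, body, sig):
        return (401, "signature missing or invalid")
    return (200, "evaluation queued")


if __name__ == "__main__":
    good = {"X-Hub-Signature-256": "sha256=" + sign_payload(SECRET, BODY)}
    print(handle_push(SECRET, good, BODY))          # (200, 'evaluation queued')
    print(handle_push(SECRET, {}, BODY))            # (401, ...)
    print(handle_push(SECRET, good, BODY + b" "))   # (401, ...) body tampered
```

The signature must be computed over the exact bytes received, before any JSON parsing or re-serialisation; re-encoding the body changes whitespace and key order and breaks the comparison.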
PT-2025-32561
Name of the Vulnerable Software and Affected Versions: Omnissa Workspace ONE UEM, affected versions not specified. Description: Omnissa Workspace ONE UEM contains a Secondary Context Path Traversal vulnerability. A malicious actor may be able to gain access to sensitive information by sending crafted...
PT-2025-31946
Name of the Vulnerable Software and Affected Versions: Jointelli 5G CPE 21H01 firmware version 1.36. Description: Jointelli 5G CPE 21H01 firmware version 1.36 contains a blind OS command injection issue. Multiple API endpoints are vulnerable, including /ubus/?flag=set WPS pin, /ubus/?flag=netAppStar...
GO-2025-3827 eKuiper API endpoints handling SQL queries with user-controlled table names in github.com/lf-edge/ekuiper
eKuiper API endpoints handling SQL queries with user-controlled table names in github.com/lf-edge/ekuiper...
CVE-2025-54378
HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS...
CVE-2025-54378 HAX CMS Backend Lacks Comprehensive Authorization Checks
HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS...
CVE-2025-54378
CVE-2025-54378 affects HAX CMS backends (nodejs and PHP). The issue is that API endpoints do not verify authorization for resource interactions, only checking authentication, allowing an authenticated user to perform privileged operations. Affected versions: haxcms-nodejs ≤ 11.0.13 and haxcms-php...
CVE-2025-54379
CVE-2025-54379 affects LF Edge eKuiper prior to version 2.2.1, where the getLast API builds SQL using user-supplied table names, enabling unauthenticated remote attackers to execute arbitrary SQL on the SQLite database. The underlying root cause is unsanitized interpolation of the table name into...
CVE-2025-34140
An authorization bypass vulnerability exists in ETQ Reliance legacy CG and NXG SaaS platforms. By appending a specific URI suffix to certain API endpoints, an unauthenticated attacker can bypass access control checks and retrieve limited sensitive resources. The root cause was a misconfiguration ...
CVE-2025-51458
SQL Injection in editorsqlrun and queryex in eosphoros-ai DB-GPT 0.7.0 allows remote attackers to execute arbitrary SQL statements via crafted input passed to the /v1/editor/sql/run or /v1/editor/chart/run endpoints, interacting with apieditorv1.editorsqlrun, editorchartrun, and...
PT-2025-30454 · Db-Gpt · Db-Gpt
Name of the Vulnerable Software and Affected Versions: DB-GPT version 0.7.0 Description: A SQL injection issue exists in the editor sql run and query ex functions of DB-GPT. Remote attackers can execute arbitrary SQL statements by providing crafted input to the /v1/editor/sql/run or...
PT-2025-30411 · Etq · Etq Reliance
Name of the Vulnerable Software and Affected Versions: ETQ Reliance versions prior to SE.2025.1 ETQ Reliance versions prior to 2025.1.2 Description: An authorization bypass allows an unauthenticated attacker to retrieve limited sensitive resources by appending a specific URI suffix to certain API...
CVE-2025-53639 Metersphere has SQL Injection Vulnerability in Sorting Field
MeterSphere is an open source continuous testing platform. Prior to version 3.6.5-lts, the sortField parameter in certain API endpoints is not properly validated or sanitized. An attacker can supply crafted input to inject and execute arbitrary SQL statements through the sorting functionality. Th...
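The eKuiper entry (table name interpolated into the getLast query) and the MeterSphere entry (unsanitised sortField) are the same defect: an identifier, not a value, is taken from the request and spliced into SQL. Identifiers cannot be bound as parameters, so the usual "use placeholders" advice does not apply; the fix is to validate the name against an allowlist or the catalog and then quote it. The block below is an added example against SQLite (the database named in the eKuiper entry), not code from either project: it shows the vulnerable shape, a table-name injection that reads another table through UNION, a sort-field injection used as a boolean oracle to recover a secret one character at a time, and a hardened version that rejects all of them. The schema, table contents and the `EXPOSED_TABLES` allowlist are constructed for the example.

```python
import sqlite3
import string

# Constructed sample schema; nothing here is eKuiper's or MeterSphere's data model.
EXPOSED_TABLES = {"readings"}   # the tables this API is meant to serve


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE readings (id INTEGER PRIMARY KEY, device TEXT, value REAL);
        INSERT INTO readings (device, value) VALUES ('sensor-a', 1.5), ('sensor-b', 2.5);
        CREATE TABLE secrets (id INTEGER PRIMARY KEY, token TEXT);
        INSERT INTO secrets (token) VALUES ('hunter2');
    """)
    return conn


def get_last_vulnerable(conn, table, sort_field):
    # Identifiers interpolated straight into the statement: whoever controls
    # `table` or `sort_field` controls the query text.
    sql = f"SELECT * FROM {table} ORDER BY {sort_field} DESC LIMIT 1"
    return conn.execute(sql).fetchall()


# Table-name injection: the comment marker discards the original ORDER BY/LIMIT.
TABLE_INJECTION = "readings UNION SELECT id, token, 0 FROM secrets --"


def sort_oracle(guess):
    # Sort-field injection as a boolean oracle: if the guess is right the rows
    # sort by value (sensor-b first), otherwise by -value (sensor-a first).
    return (f"CASE WHEN (SELECT substr(token, 1, 1) FROM secrets) = '{guess}' "
            f"THEN value ELSE -value END")


def leak_first_char(conn):
    # Recover the first character of the secret with one request per candidate.
    for guess in string.ascii_lowercase:
        row = get_last_vulnerable(conn, "readings", sort_oracle(guess))[0]
        if row[1] == "sensor-b":
            return guess
    return None


def quote_ident(name):
    # SQLite identifier quoting: double quotes, embedded double quotes doubled.
    return '"' + name.replace('"', '""') + '"'


def get_last_hardened(conn, table, sort_field):
    # Validate the table against a fixed allowlist and the column against the
    # catalog, then quote both; a parameter placeholder cannot do this job.
    if table not in EXPOSED_TABLES:
        raise ValueError(f"table not exposed: {table!r}")
    columns = {row[1] for row in conn.execute(f"PRAGMA table_info({quote_ident(table)})")}
    if sort_field not in columns:
        raise ValueError(f"unknown sort field: {sort_field!r}")
    sql = (f"SELECT * FROM {quote_ident(table)} "
           f"ORDER BY {quote_ident(sort_field)} DESC LIMIT 1")
    return conn.execute(sql).fetchall()


def rejects(fn, *args):
    # True if the call is refused with ValueError (used to check the hardened path).
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(get_last_vulnerable(db, "readings", "value"))       # legitimate use
    print(get_last_vulnerable(db, TABLE_INJECTION, "value"))  # secrets rows appear
    print(leak_first_char(db))                                # 'h'
    print(rejects(get_last_hardened, db, TABLE_INJECTION, "value"))  # True
```

The allowlist check on the table is deliberately stricter than "exists in sqlite_master": the catalog also lists tables the API was never meant to expose, so the set of permitted names belongs to the application, not to the database.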