Lucene search

1618 matches found

OSV · added 2025/06/30 5:52 p.m. · 3 views

GHSA-373J-MHPF-84WG Janssen Config API returns results without scope verification

Impact: What kind of vulnerability is it? Who is impacted? The configAPI is an internal service and hence should never be exposed to the internet. With that said, this is a serious vulnerability with a large internal attack surface that exposes all sorts of information from the IDP...

CVSS 8.2 · AI score 6.8 · EPSS 0.00343
Exploits 0 · References 7
RedhatCVE · added 2025/06/27 4:21 p.m. · 5 views

CVE-2025-20281

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to...

CVSS 10 · AI score 8.2 · EPSS 0.96732
Exploits 10 · References 1
Cvelist · added 2025/06/27 1:00 p.m. · 10 views

CVE-2025-53018 Lychee has Server-Side Request Forgery (SSRF) in Photo::fromUrl API via unvalidated remote image URLs

Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery SSRF vulnerability exists in the /api/v2/Photo::fromUrl endpoint. This flaw lets an attacker instruct the application's backend to make HTTP requests to any URL they choose...

CVSS 3 · EPSS 0.00168
Exploits 0 · References 2
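
The class of bug in the Lychee entry above is a server fetching whatever URL a user hands it. The following is an added example, not Lychee's code, of the gate such a "fetch from URL" endpoint needs before any request is made: it allows only http/https on standard ports, rejects embedded credentials, resolves the host and refuses any address that is loopback, link-local, private, multicast or otherwise not globally routable, including IPv4-mapped IPv6 and decimal forms such as http://2130706433/, and hands back the vetted addresses so the caller can connect to those instead of re-resolving (a DNS answer that changes between check and fetch would otherwise bypass the check). The resolver is injectable so the function can be exercised offline; the allowed-port set is an assumption.

```python
"""Hardened URL gate for a "fetch image from URL" feature (added example)."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # assumption: only the default ports are needed


def _system_resolve(host):
    """Resolve host to the set of addresses a fetch would actually connect to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _blocked(ip):
    """True for any address an outbound fetch must never reach."""
    # is_global is False for loopback, link-local (169.254.169.254 included),
    # RFC 1918, CGNAT 100.64/10, unspecified, reserved and documentation
    # ranges; multicast is not covered by it and is checked separately.
    return ip.is_multicast or not ip.is_global


def check_fetch_url(url, resolve=_system_resolve):
    """Return (ok, reason, pinned_ips).

    pinned_ips is the set of addresses that passed; connect to one of
    those rather than resolving the name again.
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", set()
    if not parts.hostname:
        return False, "no host", set()
    if parts.username or parts.password:
        return False, "credentials in URL", set()
    try:
        port = parts.port
    except ValueError:
        return False, "bad port", set()
    if port is not None and port not in ALLOWED_PORTS:
        return False, "port not allowed", set()

    # IP literals are checked directly. Anything ip_address() rejects, such
    # as the decimal form 2130706433, goes to the resolver, which is exactly
    # where the C library would turn it into 127.0.0.1, so it is judged on
    # the address the fetch would really use.
    try:
        candidates = {ipaddress.ip_address(parts.hostname)}
    except ValueError:
        try:
            candidates = {ipaddress.ip_address(a) for a in resolve(parts.hostname)}
        except (socket.gaierror, ValueError):
            return False, "unresolvable host", set()
    if not candidates:
        return False, "unresolvable host", set()

    # Every answer must be public: a name with one public and one internal
    # record is still a route into the internal network.
    for ip in candidates:
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if _blocked(ip):
            return False, f"address {ip} is not routable from the internet", set()
    return True, "ok", {str(ip) for ip in candidates}
```

The check is deliberately deny-by-default on the resolved address rather than on the textual host, because the textual forms an attacker can use (mixed-case schemes, decimal or octal IPs, IPv6 brackets, redirects to an internal name) are open-ended while the address space that must not be reached is not. Redirects still need the same gate applied to each hop by the HTTP client.
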
Cvelist · added 2025/06/26 11:00 p.m. · 7 views

CVE-2025-6734 UTT HiPER 840G API formP2PLimitConfig sub_484E40 buffer overflow

A vulnerability was found in UTT HiPER 840G up to 3.1.1-190328. It has been rated as critical. This issue affects the function sub_484E40 of the file /goform/formP2PLimitConfig of the component API. The manipulation of the argument except leads to buffer overflow. The attack may be initiated...

CVSS 9 · EPSS 0.00795
Exploits 1 · References 5
Cvelist · added 2025/06/26 10:31 p.m. · 5 views

CVE-2025-6733 UTT HiPER 840G API formConfigDnsFilterGlobal sub_416928 buffer overflow

A vulnerability was found in UTT HiPER 840G up to 3.1.1-190328. It has been declared as critical. This vulnerability affects the function sub_416928 of the file /goform/formConfigDnsFilterGlobal of the component API. The manipulation of the argument GroupName leads to buffer overflow. The attack c...

CVSS 9 · EPSS 0.00795
Exploits 1 · References 5
Vulnrichment · added 2025/06/26 10:31 p.m. · 2 views

CVE-2025-6733 UTT HiPER 840G API formConfigDnsFilterGlobal sub_416928 buffer overflow

A vulnerability was found in UTT HiPER 840G up to 3.1.1-190328. It has been declared as critical. This vulnerability affects the function sub_416928 of the file /goform/formConfigDnsFilterGlobal of the component API. The manipulation of the argument GroupName leads to buffer overflow. The attack c...

CVSS 9 · AI score 7.1 · EPSS 0.00795
Exploits 1 · References 5
CVE · added 2025/06/26 10:31 p.m. · 19 views

CVE-2025-6733

CVE-2025-6733 affects UTT HiPER 840G up to 3.1.1-190328. The issue is a buffer overflow in the API's formConfigDnsFilterGlobal function (sub_416928) triggered by manipulating the GroupName argument in /goform/formConfigDnsFilterGlobal. Publicly disclosed exploit and remote attack potential are no...

CVSS 9 · AI score 8.7 · EPSS 0.00795
Exploits 1 · References 5 · Affected Software 1
Vulnrichment · added 2025/06/26 9:31 p.m. · 7 views

CVE-2025-6732 UTT HiPER 840G API setSysAdm strcpy buffer overflow

A vulnerability was found in UTT HiPER 840G up to 3.1.1-190328. It has been classified as critical. This affects the function strcpy of the file /goform/setSysAdm of the component API. The manipulation of the argument passwd1 leads to buffer overflow. It is possible to initiate the attack remotel...

CVSS 9 · AI score 7.1 · EPSS 0.00795
Exploits 1 · References 5
Positive Technologies · added 2025/06/26 12:00 a.m. · 3 views

PT-2025-27020

Name of the Vulnerable Software and Affected Versions: UTT HiPER 840G versions up to 3.1.1-190328 Description: A critical issue affects the function sub_416928 of the file /goform/formConfigDnsFilterGlobal in the component API. The manipulation of the argument GroupName leads to buffer overflow...

CVSS 9 · AI score 8.7 · EPSS 0.00795
Exploits 1 · References 12
Cvelist · added 2025/06/25 4:29 p.m. · 12 views

CVE-2025-20282 Cisco ISE API Unauthenticated Remote Code Execution Vulnerability

A vulnerability in an internal API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device and then execute those files on the underlying operating system as root. This vulnerability is due to a lack of file validation checks tha...

CVSS 10 · EPSS 0.09805
Exploits 3 · References 1
Vulnrichment · added 2025/06/25 4:29 p.m. · 4 views

CVE-2025-20282 Cisco ISE API Unauthenticated Remote Code Execution Vulnerability

A vulnerability in an internal API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device and then execute those files on the underlying operating system as root. This vulnerability is due to a lack of file validation checks tha...

CVSS 10 · AI score 8.2 · EPSS 0.09805
Exploits 3 · References 1
Vulnrichment · added 2025/06/25 4:11 p.m. · 3 views

CVE-2025-20281 Cisco ISE API Unauthenticated Remote Code Execution Vulnerability

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to...

CVSS 10 · AI score 8.1 · EPSS 0.96732
Exploits 10 · References 1
CVE · added 2025/06/25 4:11 p.m. · 173 views

CVE-2025-20281

CVE-2025-20281 affects Cisco Identity Services Engine (ISE) and ISE-PIC via an exposed API where insufficient input validation enables unauthenticated remote code execution as root. The flaw is described as an input-validation vulnerability in a specific API endpoint, allowing an attacker to craf...

CVSS 10 · AI score 8.1 · EPSS 0.96732
In wild · Exploits 10 · References 3 · Affected Software 2
Cvelist · added 2025/06/25 4:11 p.m. · 13 views

CVE-2025-20281 Cisco ISE API Unauthenticated Remote Code Execution Vulnerability

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to...

CVSS 10 · EPSS 0.96732
Exploits 10 · References 1
Tenable Nessus · added 2025/06/25 12:00 a.m. · 7 views

Cisco Identity Services Engine (cisco-sa-ise-unauth-rce-ZAd2GnJ6)

According to its self-reported version, Cisco ISE is affected by a vulnerability. - A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require...

CVSS 10 · AI score 7.4 · EPSS 0.96732
Exploits 10 · References 4
Positive Technologies · added 2025/06/25 12:00 a.m. · 3 views

PT-2025-26853

Name of the Vulnerable Software and Affected Versions: Cisco ISE and Cisco ISE-PIC versions 3.4 Description: A vulnerability exists in an internal API of Cisco ISE and Cisco ISE-PIC due to missing file validation checks. This allows an unauthenticated, remote attacker to upload arbitrary files to a...

CVSS 10 · AI score 7.9 · EPSS 0.09805
Exploits 3 · References 79
Microsoft CVE · added 2025/06/23 7:00 a.m. · 4 views

Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.7.32 and prior and 8.0.22 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

...

CVSS 6.5 · AI score 7.7 · EPSS 0.0075
Exploits 0
Vulnrichment · added 2025/06/22 2:31 a.m. · 3 views

CVE-2025-6453 diyhi bbs API ForumManageAction.java add path traversal

A vulnerability classified as critical has been found in diyhi bbs 6.8. Affected is the function Add of the file /src/main/java/cms/web/action/template/ForumManageAction.java of the component API. The manipulation of the argument dirName leads to path traversal. It is possible to launch the attac...

CVSS 6.5 · AI score 6.5 · EPSS 0.00365
Exploits 1 · References 5
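
The diyhi bbs entry above is the familiar shape of a directory-management API joining a caller-supplied name (dirName) onto a base directory. The following is an added example, not the project's code, of the containment check such a handler needs: it rejects empty and NUL-containing input and absolute paths, resolves the joined path including symlinks, and then compares it segment-wise against the resolved root, so that neither `..` sequences nor a sibling directory with the same prefix (`/srv/bbs/templates2`) pass. The root directory is an assumed value.

```python
"""Path containment check for a user-supplied directory name (added example)."""
import os

TEMPLATE_ROOT = "/srv/bbs/templates"  # assumption: the API's template directory


def resolve_under_root(root, user_path):
    """Return the absolute path of user_path inside root, or None if it
    escapes root or names root itself.

    The comparison is made on the realpath, so a symlink inside root that
    points outside is rejected too, not just textual '..' segments.
    """
    if not user_path or "\x00" in user_path:
        return None
    if os.path.isabs(user_path):
        # os.path.join(root, "/etc") returns "/etc": the root is discarded
        return None
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, user_path))
    # commonpath compares whole segments; a startswith() check would
    # accept "/srv/bbs/templates2" for a root of "/srv/bbs/templates".
    try:
        common = os.path.commonpath([root_real, target])
    except ValueError:  # different drives on Windows
        return None
    if common != root_real or target == root_real:
        return None
    return target


def create_template_dir(dir_name, root=TEMPLATE_ROOT):
    """What the handler should do with dirName: validate, then create."""
    target = resolve_under_root(root, dir_name)
    if target is None:
        raise ValueError("directory name escapes the template root")
    os.makedirs(target, exist_ok=False)
    return target
```

Doing the check after realpath matters for the create case specifically: `makedirs` on a path that passed only a textual check can still land outside the root if an intermediate component is a symlink an earlier request created.
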
Positive Technologies · added 2025/06/21 12:00 a.m. · 3 views

PT-2025-26528 · Yealink · Yealink Ymcs Rps Api

Name of the Vulnerable Software and Affected Versions: Yealink YMCS RPS API versions prior to 2025-05-26 Description: The issue is related to the lack of rate limiting in the Yealink YMCS RPS API, which could potentially enable information disclosure via excessive requests. Recommendations: For...

CVSS 4.3 · AI score 6 · EPSS 0.00261
Exploits 0 · References 9
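
The Yealink entry above describes information disclosure made possible by the absence of a request limit, i.e. a client can enumerate the API without being slowed down. As an added example that is not Yealink's code, the block below is a per-client token-bucket limiter of the kind that closes that gap: each key (client address, API key or account; the choice is the deployer's) gets a bucket that refills continuously, and a request is served only if a token is available. Capacity and refill rate are assumed values; the clock is injectable so the behaviour can be checked without sleeping.

```python
"""Per-client token-bucket rate limiter (added example)."""
import time


class ManualClock:
    """Deterministic clock for tests; production code uses time.monotonic."""
    def __init__(self, start=0.0):
        self.now = float(start)

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class TokenBucketLimiter:
    def __init__(self, capacity, refill_per_second, clock=time.monotonic):
        self.capacity = float(capacity)        # burst size
        self.rate = float(refill_per_second)   # sustained rate
        self.clock = clock
        self._buckets = {}  # key -> [tokens, timestamp of last refill]

    def _refill(self, key, now):
        tokens, last = self._buckets.get(key, (self.capacity, now))
        # Tokens accrue continuously but never beyond capacity, so a client
        # that stays idle cannot bank an arbitrarily large burst.
        return min(self.capacity, tokens + (now - last) * self.rate)

    def allow(self, key, cost=1.0):
        """Charge `cost` tokens and return True if `key` may proceed now."""
        now = self.clock()
        tokens = self._refill(key, now)
        if tokens >= cost:
            self._buckets[key] = [tokens - cost, now]
            return True
        self._buckets[key] = [tokens, now]  # denied requests do not earn tokens
        return False

    def retry_after(self, key, cost=1.0):
        """Seconds until `key` will have `cost` tokens (0 if it already does);
        suitable for a Retry-After header on the 429 response."""
        tokens = self._refill(key, self.clock())
        return max(0.0, (cost - tokens) / self.rate)
```

The limiter is in-process; behind several API instances the bucket state belongs in a shared store, and the key should be whatever the enumeration in question is keyed on (for a device-registration API that is typically the caller's identity plus the source address, so a single client cannot spread one enumeration across many identities).
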
Snyk · added 2025/06/19 12:30 p.m. · 4 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the restful api-v1 endpoint. An attacker can gain unauthorized access to sensitive operations by submitting jobs through the /hazelcast/rest/maps/submit-job endpoint and setting extra...

CVSS 6.9 · AI score 7.1 · EPSS 0.01039
Exploits 0 · References 2