1618 matches found

Vulnrichment
added 2025/06/16 10:31 a.m., 5 views

CVE-2025-6118 Das Parking Management System 停车场管理系统 API search sql injection

A vulnerability was found in Das Parking Management System 停车场管理系统 6.2.0. It has been rated as critical. This issue affects some unknown processing of the file /vehicle/search of the component API. The manipulation of the argument vehicleTypeCode leads to sql injection. The attack may be initiate...

CVSS 7.5, AI score 7.6, EPSS 0.0037
Exploits 0, References 4
CVE
added 2025/06/16 10:31 a.m., 30 views

CVE-2025-6118

CVE-2025-6118 affects Das Parking Management System 6.2.0, specifically the /vehicle/search API where manipulating the vehicleTypeCode parameter leads to a SQL injection. Reported as remotely exploitable with public disclosure. Several connected sources confirm the vulnerability in the API path a...

CVSS 9.8, AI score 7.5, EPSS 0.0037
Exploits 0, References 4, Affected Software 1
OSV
added 2025/06/16 10:15 a.m., 2 views

CVE-2025-6116

A vulnerability was found in Das Parking Management System 停车场管理系统 6.2.0. It has been classified as critical. This affects an unknown part of the file /IntraFieldVehicle/Search of the component API. The manipulation of the argument Value leads to sql injection. It is possible to initiate the atta...

CVSS 9.8, AI score 5.7, EPSS 0.0037
Exploits 0, References 4
Cvelist
added 2025/06/16 9:31 a.m., 16 views

CVE-2025-6116 Das Parking Management System 停车场管理系统 API Search sql injection

A vulnerability was found in Das Parking Management System 停车场管理系统 6.2.0. It has been classified as critical. This affects an unknown part of the file /IntraFieldVehicle/Search of the component API. The manipulation of the argument Value leads to sql injection. It is possible to initiate the atta...

CVSS 7.5, EPSS 0.0037
Exploits 0, References 4
Vulnrichment
added 2025/06/16 12:31 a.m., 3 views

CVE-2025-6098 UTT 进取 750W API setSysAdm strcpy buffer overflow

A vulnerability was found in UTT 进取 750W up to 5.0. It has been classified as critical. This affects the function strcpy of the file /goform/setSysAdm of the component API. The manipulation of the argument passwd1 leads to buffer overflow. It is possible to initiate the attack remotely. The explo...

CVSS 10, AI score 9.7, EPSS 0.01223
Exploits 0, References 5
CVE
added 2025/06/16 12:31 a.m., 51 views

CVE-2025-6098

CVE-2025-6098 : A buffer overflow exists in the UTT Progress 750W API endpoint /goform/setSysAdm, triggered by the passwd1 argument in the strcpy usage. Affects versions up to 5.0; vulnerability can be exploited remotely, with exploitation described as a proof-of-concept in sources. Impact includ...

CVSS 10, AI score 9.7, EPSS 0.01223
Exploits 0, References 5, Affected Software 1
RedhatCVE
added 2025/06/15 2:16 a.m., 10 views

CVE-2025-5288

The REST API | Custom API Generator For Cross Platform And Import Export In WP plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the process_handler function in versions 1.0.0 to 2.0.3. This makes it possible for unauthenticated attackers to POST an...

CVSS 9.8, AI score 9.3, EPSS 0.00532
Exploits 1, References 1
RedhatCVE
added 2025/06/14 2:24 p.m., 3 views

CVE-2025-49181

Due to missing authorization of an API endpoint, unauthorized users can send HTTP GET requests to gather sensitive information. An attacker could also send HTTP POST requests to modify the log files’ root path as well as the TCP ports the service is running on, leading to a Denial of Service atta...

CVSS 8.6, AI score 8.4, EPSS 0.0034
Exploits 0, References 1
Cvelist
added 2025/06/13 8:51 p.m., 15 views

CVE-2025-24922 Dell ControlVault3/ControlVault3 Plus securebio_identify stack-based buffer overflow vulnerability

A stack-based buffer overflow vulnerability exists in the securebio_identify functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault3 Plus prior to 6.2.26.36. A specially crafted malicious cvobject can lead to arbitrary code execution. An attacker can issue an API call to...

CVSS 8.8, EPSS 0.02175
Exploits 0, References 1
NVD
added 2025/06/13 3:15 a.m., 23 views

CVE-2025-5288

The REST API | Custom API Generator For Cross Platform And Import Export In WP plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the process_handler function in versions 1.0.0 to 2.0.3. This makes it possible for unauthenticated attackers to POST an...

CVSS 9.8, EPSS 0.00532
Exploits 1, References 3
Vulnrichment
added 2025/06/13 1:47 a.m., 11 views

CVE-2025-5288 REST API | Custom API Generator For Cross Platform And Import Export In WP 1.0.0 - 2.0.3 - Missing Authorization to Unauthenticated Privilege Escalation via process_handler Function

The REST API | Custom API Generator For Cross Platform And Import Export In WP plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the process_handler function in versions 1.0.0 to 2.0.3. This makes it possible for unauthenticated attackers to POST an...

CVSS 9.8, AI score 7.2, EPSS 0.00532
Exploits 1, References 3
Vulnrichment
added 2025/06/13 12:00 a.m., 2 views

CVE-2025-28382

An issue in the openc3-api/tables endpoint of OpenC3 COSMOS before 6.1.0 allows attackers to execute a directory traversal...

AI score 6.4, EPSS 0.00856
Exploits 1, References 5
OSV
added 2025/06/12 9:52 p.m., 5 views

GHSA-PRWH-7838-XF82 XWiki allows SQL injection in query endpoint of REST API with Oracle

Impact: It's possible to execute any SQL query in Oracle by using a function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select, and Hibernate allows using any native function in an HQL query. Patches: This has been patched ...

CVSS 9.3, AI score 7.4, EPSS 0.00431
Exploits 0, References 5
Vulnrichment
added 2025/06/12 2:56 p.m., 20 views

CVE-2024-56158 XWiki allows SQL injection in query endpoint of REST API with Oracle

XWiki is a generic wiki platform. It's possible to execute any SQL query in Oracle by using a function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select, and Hibernate allows using any native function in an HQL query. Thi...

CVSS 9.3, AI score 7.4, EPSS 0.00431
Exploits 0, References 3
Cvelist
added 2025/06/12 1:14 p.m., 12 views

CVE-2025-49181 Configurations endpoint does not require authorization

Due to missing authorization of an API endpoint, unauthorized users can send HTTP GET requests to gather sensitive information. An attacker could also send HTTP POST requests to modify the log files’ root path as well as the TCP ports the service is running on, leading to a Denial of Service atta...

CVSS 8.6, EPSS 0.0034
Exploits 0, References 6
Positive Technologies
added 2025/06/12 12:00 a.m., 2 views

PT-2025-25305

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: Due to missing authorization of an API endpoint, unauthorized users can send HTTP GET requests to gather sensitive information. An attacker could also send HTTP POST requests to modify the log...

CVSS 8.6, AI score 5.5, EPSS 0.0034
Exploits 0, References 12
Positive Technologies
added 2025/06/12 12:00 a.m., 4 views

PT-2025-25308

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: The issue is related to unencrypted communication with the REST API, which uses HTTP. This allows an attacker to intercept traffic between the actor and the webserver, potentially leading to...

CVSS 7.5, AI score 5.9, EPSS 0.00261
Exploits 0, References 11
Cvelist
added 2025/06/11 10:22 a.m., 20 views

CVE-2025-4573 LDAP Injection in Mattermost Enterprise Edition When Using Active Directory

Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter injection via the PUT...

CVSS 4.1, EPSS 0.00236
Exploits 0, References 1
Zero Day Initiative
added 2025/06/11 12:00 a.m., 5 views

(Pwn2Own) Autel MaxiCharger AC Wallbox Commercial Serial Number Exposed Dangerous Method Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Autel MaxiCharger AC Wallbox Commercial EV chargers. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the Autel Technician API...

CVSS 4.9, AI score 6.5, EPSS 0.00453
Exploits 0
Cvelist
added 2025/06/10 2:52 p.m., 16 views

CVE-2025-27505 GeoServer Missing Authorization on REST API Index

GeoServer is an open source server that allows users to share and edit geospatial data. It is possible to bypass the default REST API security and access the index page. The REST API security handles rest and its subpaths but not rest with an extension e.g., rest.html. The REST API index can...

CVSS 5.3, EPSS 0.01022
Exploits 0, References 4