CVE-2025-48733 DuraComm DP-10iN-100-MU Missing Authentication for Critical Function
DuraComm SPM-500 DP-10iN-100-MU lacks access controls for a function that should require user authentication. This could allow an attacker to repeatedly reboot the device...
CVE-2025-7723 Authenticated command injection on VIGI NVR1104H-4P V1 and VIGI NVR2016H-16MP V2
A command injection vulnerability exists that can be exploited after authentication in VIGI NVR1104H-4P V1 and VIGI NVR2016H-16MP V2. This issue affects VIGI NVR1104H-4P V1: before 1.1.5 Build 250518; VIGI NVR2016H-16MP V2: before 1.3.1 Build 250407...
CVE-2025-7723
CVE-2025-7723 affects TP-Link VIGI NVR1104H-4P V1 and VIGI NVR2016H-16MP V2. The OS command injection vulnerability can be exploited after authentication, with affected builds: V1 before 1.1.5 (Build 250518) and V2 before 1.3.1 (Build 250407). Related vendor advisories (JPN/JP and PTSecurity) cor...
GHSA-9G4J-V8W5-7X42 Authentik has insufficient check for account active status when authenticating with OAuth/SAML Sources
Summary: Deactivated users that had either enrolled via OAuth/SAML or had their account connected to an OAuth/SAML account can still partially access authentik even if their account is deactivated. They end up in a half-authenticated state where they cannot access the API but crucially they can...
CVE-2015-10140 Ajax Load More < 2.8.1.2 - Subscriber+ File Upload & Deletion
The Ajax Load More plugin before 2.8.1.2 does not have authorisation in some of its AJAX actions, allowing any authenticated users, such as subscriber, to upload and delete arbitrary files...
CVE-2024-13973
CVE-2024-13973: A post-auth SQL injection vulnerability in the WebAdmin component of Sophos Firewall, affecting versions older than 21.0 MR1 (21.0.1). Exploitation could allow an administrator to achieve arbitrary code execution. The root cause is a SQL injection in WebAdmin; no exploit details ...
CVE-2024-13973
A post-auth SQL injection vulnerability in WebAdmin of Sophos Firewall versions older than 21.0 MR1 (21.0.1) can potentially lead to administrators achieving arbitrary code execution...
CVE-2025-46119
An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.27 and 200.18.7.1.323, and in Ruckus ZoneDirector prior to 10.5.1.0.282, where an authenticated request to the management endpoint /admin/cmdstat.jsp discloses the administrator password in a trivially reversible obfuscat...
PT-2025-30268 · Unknown · Parkingdoor
Name of the Vulnerable Software and Affected Versions: ParkingDoor affected versions not specified Description: An incorrect authentication issue exists in ParkingDoor, allowing operation of the device without access logging in the application, even if access permissions have been revoked...
CVE-2025-7897 harry0703 MoneyPrinterTurbo API Endpoint base.py verify_token missing authentication
A vulnerability was found in harry0703 MoneyPrinterTurbo up to 1.2.6 and classified as critical. Affected by this issue is the function verify_token of the file app/controllers/base.py of the component API Endpoint. The manipulation leads to missing authentication. The attack may be launched...
CVE-2025-7875
A vulnerability classified as critical has been found in Metasoft 美特软件 MetaCRM up to 6.4.2. This affects an unknown part of the file /debug.jsp. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may ...
CVE-2025-5816
The Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo – Biteship plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.0 via the getorderdetail due to missing validation on a user controlled key. This makes it possible for...
CVE-2025-7862 TOTOLINK T6 Telnet Service cstecgi.cgi setTelnetCfg missing authentication
A vulnerability has been found in TOTOLINK T6 4.1.5cu.748B20211015 and classified as critical. Affected by this vulnerability is the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component Telnet Service. The manipulation of the argument telnetenabled with the input 1 leads to...
Mattermost Missing Authentication for Critical Function
Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of...
CVE-2025-7438 MasterStudy LMS – Online Courses, eLearning PRO Plus <= 4.7.9 - Authenticated (Subscriber+) Arbitrary File Upload
The MasterStudy LMS Pro plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'installandactivateplugin' function in all versions up to, and including, 4.7.9. This makes it possible for authenticated attackers, with Subscriber-level access an...
PT-2025-29990 · WordPress · Aapanel Wp Toolkit
Name of the Vulnerable Software and Affected Versions: aapanel WP Toolkit versions 1.0 through 1.1 Description: The aapanel WP Toolkit plugin for WordPress is susceptible to privilege escalation due to missing authorization checks within the auto login function. Authenticated attackers with...
CVE-2025-53826
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.39.0, File Browser's authentication system issues long-lived JWT tokens that remain valid even after the user logs out. As of time of...
CVE-2025-54068
Summary (validated by connected docs): CVE-2025-54068 affects Laravel Livewire v3 up to 3.6.3, where the component hydration/update mechanism can allow unauthenticated remote command execution under specific mounting/config conditions. Public advisories and templates confirm an in-the-wild risk a...
CVE-2025-53887
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, the exact Directus version number is incorrectly being used as the OpenAPI Spec version; this means that it is being exposed by the /server/specs/oas endpoint without...
PT-2025-29712 · Unknown · Tech.Palm.Id
Name of the Vulnerable Software and Affected Versions: tech.palm.id affected versions not specified Description: An authentication issue exists in the mobile application that may result in information disclosure. Recommendations: At the moment, there is no information about a newer version that...