1848 matches found

RedhatCVE · added 2025/07/06 2:18 a.m. · 9 views

CVE-2025-5953

The WP Human Resource Management plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization in the ajax_insert_employee and update_empoyee functions in versions 2.0.0 through 2.2.17. The AJAX handler reads the client-supplied $_POST['role'] and, after basic cleaning via...

CVSS 8.8 · AI score 6.2 · EPSS 0.00344 · Exploits 0 · References 1
RedhatCVE · added 2025/07/05 12:04 p.m. · 6 views

CVE-2025-27451

For failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one...

CVSS 5.3 · AI score 6.5 · EPSS 0.00382 · Exploits 0 · References 1
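The oracle described in CVE-2025-27451, shown as an added example that is not code from the advisory or the affected application: a login check whose two failure messages reveal which usernames exist, beside one that returns a single message and runs the password hash comparison on every path. The user store, the sample password and the dummy hash are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not code from the advisory or the affected application: a
// login check that leaks whether a username exists, beside one that returns
// the same message and does the same amount of work in both failure cases.

// Constructed user store: username => password_hash() output.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// A throwaway hash for unknown usernames, so password_verify() always runs.
// Generated once at startup; it never matches a real password.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

/** Vulnerable: two different messages tell the caller which usernames exist. */
function login_leaky(array $users, string $username, string $password): string
{
    if (!isset($users[$username])) {
        return 'Unknown username';        // oracle: account does not exist
    }
    if (!password_verify($password, $users[$username])) {
        return 'Incorrect password';      // oracle: account exists
    }
    return 'OK';
}

/** Hardened: one generic message, and a hash comparison on every path. */
function login_uniform(array $users, string $dummyHash, string $username, string $password): string
{
    $exists = isset($users[$username]);
    $hash   = $exists ? $users[$username] : $dummyHash;
    // Verify first, then AND with $exists, so the expensive step is never skipped.
    $ok     = password_verify($password, $hash) && $exists;
    return $ok ? 'OK' : 'Invalid username or password';
}

// Enumeration attempt: the same wrong password against an existing and a
// non-existing account. Only the leaky version distinguishes the two.
foreach (['alice', 'bob'] as $name) {
    printf("%-5s leaky:   %s\n", $name, login_leaky($users, $name, 'wrong'));
    printf("%-5s uniform: %s\n", $name, login_uniform($users, $dummyHash, $name, 'wrong'));
}
printf("alice uniform with correct password: %s\n",
    login_uniform($users, $dummyHash, 'alice', 'correct horse battery staple'));
```

Run with `php enum.php`. The `password_verify()` call against the dummy hash keeps the response time of the unknown-username path comparable to the known-username path; returning early on an unknown name would re-open the oracle through timing even after the messages are unified. Registration and password-reset endpoints need the same treatment.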
NVD · added 2025/07/04 11:15 p.m. · 2 views

CVE-2025-48952

NetAlertX is a network, presence scanner, and alert framework. Prior to version 25.6.7, a vulnerability in the authentication logic allows users to bypass password verification using SHA-256 magic hashes, due to loose comparison in PHP. In vulnerable versions of the application, a password...

CVSS 9.4 · EPSS 0.00543 · Exploits 1 · References 1
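The loose-comparison bug class behind CVE-2025-48952, as an added example that is not NetAlertX code: a password check that compares hex digests with `==`, beside the strict form. A "magic hash" is a digest of the form `0e` followed only by decimal digits; PHP treats such a string as a numeric string (0 × 10^n), so two different magic hashes compare equal under `==`. The two preimages used below are taken from published magic-hash lists and are an assumption; the block recomputes their digests and reports whether they really are magic rather than trusting the list.

```php
<?php
declare(strict_types=1);

// Added example, not NetAlertX code: how PHP's loose comparison (==) lets a
// "magic hash" pass a password check, and the strict check that does not.

/** Vulnerable pattern: loose comparison of two hex digests. */
function loose_password_check(string $storedSha256, string $supplied): bool
{
    return hash('sha256', $supplied) == $storedSha256;   // == is the bug
}

/** Hardened pattern: constant-time, type-strict comparison. */
function strict_password_check(string $storedSha256, string $supplied): bool
{
    return hash_equals($storedSha256, hash('sha256', $supplied));
}

/** True when a hex digest has the 0e<digits> shape PHP reads as a float. */
function is_magic_hash(string $hex): bool
{
    return preg_match('/^0e[0-9]+$/', $hex) === 1;
}

// Step 1: the comparison alone, no hashing involved. Both operands are numeric
// strings, so == compares them as 0.0 == 0.0.
var_dump('0e1234' == '0e9876');    // bool(true)  - loose
var_dump('0e1234' === '0e9876');   // bool(false) - strict

// Step 2: two preimages from public magic-hash lists (assumption; verified
// below). If a user's password happens to be the first, an attacker who sends
// the second passes the loose check without knowing the password.
$victimPassword = '34250003024812';
$attackerInput  = 'TyNOQHUS';

$stored         = hash('sha256', $victimPassword);
$attackerDigest = hash('sha256', $attackerInput);
printf("victim digest   %s  magic=%s\n", $stored, is_magic_hash($stored) ? 'yes' : 'no');
printf("attacker digest %s  magic=%s\n", $attackerDigest, is_magic_hash($attackerDigest) ? 'yes' : 'no');

printf("loose check:  %s\n", loose_password_check($stored, $attackerInput) ? 'LOGIN ACCEPTED' : 'rejected');
printf("strict check: %s\n", strict_password_check($stored, $attackerInput) ? 'LOGIN ACCEPTED' : 'rejected');
```

If both digests print `magic=yes`, the loose check accepts the attacker's input while the strict check rejects it. A check built on a raw SHA-256 digest is weak even with `hash_equals()`: store passwords with `password_hash()` and verify with `password_verify()`, which returns a bool and never compares digest strings with `==`.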
NVD · added 2025/07/04 6:15 p.m. · 6 views

CVE-2025-53485

SetTranslationHandler.php does not validate that the user is an election admin, allowing any user, even an unauthenticated one, to change election-related translation text. While partially broken in newer MediaWiki versions, the check is still missing. This issue affects Mediawiki - SecurePoll extension:...

CVSS 7.5 · EPSS 0.00229 · Exploits 0 · References 2
Cvelist · added 2025/07/04 11:18 a.m. · 8 views

CVE-2025-47479 WordPress WP Compress plugin <= 6.30.30 - Broken Authentication Vulnerability

Weak Authentication vulnerability in AresIT WP Compress (wp-compress-image-optimizer) allows Authentication Abuse. This issue affects WP Compress: from n/a through 6.30.30...

CVSS 5.3 · EPSS 0.00176 · Exploits 0 · References 1
RedHat Linux · added 2025/07/03 12:45 p.m. · 5 views

Important: Red Hat Security Advisory: Red Hat build of Cryostat security update

An update is now available for the Red Hat build of Cryostat 4 on RHEL 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability fro...

CVSS 9.1 · AI score 7 · EPSS 0.00294 · Exploits 0 · References 3
Positive Technologies · added 2025/07/03 12:00 a.m. · 2 views

PT-2025-27787 · VNC

Name of the Vulnerable Software and Affected Versions: VNC (affected versions not specified)
Description: The issue concerns the VNC authentication mechanism, which uses a challenge-response system. This system relies on both the server and client using the same password for encryption. An attacker...

CVSS 6.5 · AI score 6.4 · EPSS 0.00086 · Exploits 0 · References 9
RedhatCVE · added 2025/07/02 8:26 p.m. · 8 views

CVE-2025-52997

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.34.1, a missing password policy and brute-force protection makes the authentication process insecure. Attackers could mount a...

CVSS 7.5 · AI score 7.5 · EPSS 0.00162 · Exploits 1 · References 1
Positive Technologies · added 2025/07/02 12:00 a.m. · 10 views

PT-2025-27663 · NS3000 +1

Name of the Vulnerable Software and Affected Versions: NS3000 versions 7.x through 8.1.1.125110; NS2000 version 7.02.08
Description: The issue is related to missing authentication checks in the "query.fcgi" endpoint, which allows attackers to execute a session hijacking attack.
Recommendations: Fo...

CVSS 9.8 · AI score 6.8 · EPSS 0.00322 · Exploits 1 · References 4
NVD · added 2025/07/01 6:15 p.m. · 4 views

CVE-2025-34081

The Contec Co., Ltd. CONPROSYS HMI System (CHS) exposes a PHP phpinfo debug page to unauthenticated users that may contain sensitive data useful for an attacker. This issue affects CONPROSYS HMI System (CHS): before 3.7.7...

CVSS 7.5 · EPSS 0.00388 · Exploits 0 · References 2
Cvelist · added 2025/07/01 8:10 a.m. · 12 views

CVE-2025-41656 Pilz: Missing Authentication in Node-RED integration

An unauthenticated remote attacker can run arbitrary commands on the affected devices with high privileges because the authentication for the Node-RED server is not configured by default...

CVSS 10 · EPSS 0.00538 · Exploits 0 · References 1
CVE · added 2025/07/01 8:10 a.m. · 48 views

CVE-2025-41656

CVE-2025-41656 concerns the Pilz IndustrialPI Node-RED integration, where the authentication for the Node-RED server is not configured by default. This allows an unauthenticated remote attacker to execute arbitrary commands with high privileges on affected devices. The CVSS 3.1 base score is 10.0...

CVSS 10 · AI score 8.1 · EPSS 0.00538 · Exploits 0 · References 1
CVE · added 2025/06/30 8:05 p.m. · 108 views

CVE-2025-52997

CVE-2025-52997 affects File Browser prior to 2.34.1, where lack of password policy and brute-force protection enables credential guessing attacks that could disclose account passwords. The issue is addressed in version 2.34.1; upgrade to that version or apply the vendor's fix. Exploitation status...

CVSS 7.5 · AI score 6.7 · EPSS 0.00162 · Exploits 1 · References 3 · Affected Software 1
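Both CVE-2025-52997 entries above (RedhatCVE and CVE) describe the same two missing controls: a password policy and brute-force protection. As an added example that is not File Browser code, the class below implements both for a single process: a minimum-length and deny-list policy, and a per-account plus per-source lockout with exponential backoff that refuses attempts before any hash work is done. The thresholds, the in-memory store, the deny-list and the sample credentials are assumptions chosen for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not File Browser code: a password policy and an online
// brute-force lockout. Thresholds and the in-memory store are assumptions.

final class LoginGuard
{
    /** @var array<string, array{0:int,1:int}> key => [failureCount, lastFailureTs] */
    private array $failures = [];

    public function __construct(
        private int $maxAttempts = 5,        // free attempts before lockout
        private int $baseDelaySeconds = 30,  // first lockout length
    ) {}

    /** Policy: at least 12 bytes and not on a (constructed) deny-list. */
    public static function passwordAcceptable(string $pw): bool
    {
        static $denied = ['password', 'admin', 'admin123', '123456789012'];
        return strlen($pw) >= 12 && !in_array(strtolower($pw), $denied, true);
    }

    /** Seconds the caller must still wait for this key; 0 means allowed. */
    public function retryAfter(string $key, int $now): int
    {
        if (!isset($this->failures[$key])) {
            return 0;
        }
        [$count, $last] = $this->failures[$key];
        if ($count < $this->maxAttempts) {
            return 0;
        }
        // base * 2^(count - maxAttempts), capped at one hour
        $delay = min(3600, $this->baseDelaySeconds << min(10, $count - $this->maxAttempts));
        return max(0, $last + $delay - $now);
    }

    public function recordFailure(string $key, int $now): void
    {
        $count = ($this->failures[$key][0] ?? 0) + 1;
        $this->failures[$key] = [$count, $now];
    }

    public function recordSuccess(string $key): void
    {
        unset($this->failures[$key]);
    }
}

/** One login attempt, keyed on both the target account and the source IP. */
function attempt(LoginGuard $g, string $user, string $ip, string $pw, string $hash, int $now): string
{
    foreach (["user:$user", "ip:$ip"] as $key) {
        $wait = $g->retryAfter($key, $now);
        if ($wait > 0) {
            return "locked, retry in {$wait}s";   // refused before password_verify()
        }
    }
    if (password_verify($pw, $hash)) {
        $g->recordSuccess("user:$user");
        return 'ok';
    }
    $g->recordFailure("user:$user", $now);
    $g->recordFailure("ip:$ip", $now);
    return 'invalid credentials';
}

// Policy check on a constructed weak and strong password.
var_dump(LoginGuard::passwordAcceptable('admin123'));              // bool(false)
var_dump(LoginGuard::passwordAcceptable('c0rrect-horse-battery'));  // bool(true)

// Online guessing from one source against one account: attempts 6 and 7 are
// refused by the lockout, not by the hash comparison.
$guard = new LoginGuard();
$hash  = password_hash('c0rrect-horse-battery', PASSWORD_DEFAULT);
$t0    = 1_000_000;   // constructed clock, seconds
for ($i = 1; $i <= 7; $i++) {
    printf("attempt %d: %s\n", $i, attempt($guard, 'admin', '203.0.113.7', "guess$i", $hash, $t0 + $i));
}
```

Keying on the source address stops one host from rotating through many accounts, and keying on the account stops a distributed guesser from spraying one target; a real deployment would back `$failures` with shared storage so the counters survive restarts and apply across instances. Rejecting locked attempts before `password_verify()` also keeps the lockout from being turned into a CPU-exhaustion vector.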
Vulnrichment · added 2025/06/30 9:39 a.m. · 2 views

CVE-2024-8419 Improper Access Control vulnerability in AC4xxS devices

The endpoint hosts a script that allows an unauthorized remote attacker to put the system in a fail-safe state over the network due to missing authentication...

CVSS 7.5 · AI score 5.6 · EPSS 0.00542 · Exploits 0 · References 1
Vulnrichment · added 2025/06/27 5:22 p.m. · 5 views

CVE-2025-5310 Dover Fueling Solutions ProGauge MagLink LX Consoles Missing Authentication for Critical Function

Dover Fueling Solutions ProGauge MagLink LX Consoles expose an undocumented and unauthenticated Target Communication Framework (TCF) interface on a specific port. Files can be created, deleted, or modified, potentially leading to remote code execution...

CVSS 9.8 · AI score 8.1 · EPSS 0.01526 · Exploits 0 · References 2
Vulnrichment · added 2025/06/27 11:31 a.m. · 2 views

CVE-2025-6763 Comet System H3531 Web-based Management setupA.cfg missing authentication

A vulnerability was found in Comet System T0510, T3510, T3511, T4511, T6640, T7511, T7611, P8510, P8552 and H3531 1.60. Affected by this issue is some unknown functionality of the file /setupA.cfg of the component Web-based Management Interface. Performing manipulation results in missing...

CVSS 9.2 · AI score 7.2 · EPSS 0.01935 · Exploits 1 · References 5
CNVD · added 2025/06/27 12:00 a.m. · 2 views

WordPress Auto Upload Images plugin code issue vulnerability

WordPress and the WordPress plugin are both products of the WordPress Foundation. The WordPress plugin is an application plugin. A code issue vulnerability exists in the WordPress Auto Upload Images plugin that stems from the server not implementing an adequate authentication mechanism to confirm the orig...

CVSS 4.9 · AI score 6.4 · EPSS 0.0012 · Exploits 0 · References 1
CVE · added 2025/06/26 2:04 p.m. · 26 views

CVE-2025-6707

CVE-2025-6707 affects MongoDB Server versions prior to: 5.0.31, 6.0.24, 7.0.21, and 8.0.5. The issue: under certain conditions, an authenticated user request may execute with stale privileges after an intentional change by an authorized administrator, implying possible privilege escalation while ...

CVSS 5.4 · AI score 7.2 · EPSS 0.00246 · Exploits 0 · References 1 · Affected Software 1
RedhatCVE · added 2025/06/26 3:12 a.m. · 5 views

CVE-2025-34039

A code injection vulnerability exists in Yonyou UFIDA NC v6.5 and prior due to the exposure of the BeanShell testing servlet bsh.servlet.BshServlet without proper access controls. The servlet allows unauthenticated remote attackers to execute arbitrary Java code via the bsh.script parameter. This...

CVSS 10 · AI score 8.6 · EPSS 0.00678 · Exploits 0 · References 1
RedhatCVE · added 2025/06/26 3:12 a.m. · 3 views

CVE-2025-6560

Multiple wireless router models from Sapido have an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to directly access a system configuration file and obtain plaintext administrator credentials. The affected models are out of support; replacing the devic...

CVSS 9.8 · AI score 7.4 · EPSS 0.00588 · Exploits 0 · References 1