310 matches found
EUVD-2023-41431
Malicious code in bioql PyPI...
EUVD-2024-47963
Malicious code in bioql PyPI...
mall 安全漏洞
mall is an e-commerce system for macro individual developers, including the front-end mall system and the back-end management system. A security vulnerability exists in mall version 1.0.3, which stems from an improperly restricted authentication attempt...
Important: Red Hat Security Advisory: Red Hat build of Quarkus 3.20.2 release and security update
An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability. For more informatio...
PT-2025-32218 · Unknown · Vedo Suite
Name of the Vulnerable Software and Affected Versions: Vedo Suite version 2024.17 Description: Vedo Suite 2024.17 is susceptible to an incorrect access control issue. This allows remote attackers to obtain a valid, high-privilege JWT JSON Web Token without authentication by sending an empty HTTP...
Mars: SQLi at █████ parameter
A SQL injection vulnerability was discovered in an items endpoint that accepted unauthenticated POST requests without CSRF validation. The vulnerability allowed execution of arbitrary SQL commands and extraction of database metadata. Additional security issues included stored XSS through the...
HAX CMS API Lacks Authorization Checks
Summary The HAX CMS API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing a given operation. Details The API endpoints within the HAX CMS...
CVE-2025-7882
A vulnerability was found in Mercusys MW301R 1.0.2 Build 190726 Rel.59423n. It has been rated as problematic. This issue affects some unknown processing of the component Login. The manipulation leads to improper restriction of excessive authentication attempts. The attack can only be initiated...
CVE-2025-4972
An issue has been discovered in GitLab EE affecting all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2 that could have allowed authenticated users with invitation privileges to bypass group-level user invitation restrictions by manipulating group invitation functionality...
PT-2025-28946 · Ruckus +2 · Smartzone +1
Name of the Vulnerable Software and Affected Versions: RUCKUS SmartZone SZ versions prior to 6.1.2p3 Refresh Build Description: RUCKUS SmartZone SZ contains a hardcoded SSH private key for a root-equivalent user account. Recommendations: Update RUCKUS SmartZone SZ to version 6.1.2p3 Refresh Build...
CVE-2025-7031
Missing Authentication for Critical Function vulnerability in Drupal Config Pages Viewer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Config Pages Viewer: from 0.0.0 before 1.0.4...
CVE-2025-5451
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to trigger a denial of service...
Important: Red Hat Security Advisory: pam security update
An update for pam is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for ea...
CVE-2025-2938 Business Logic Errors in GitLab
An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to gain elevated project privileges by requesting access to projects where role modifications during the approval...
CVE-2025-52572 Hikka vulnerable to RCE through dangling web interface
Hikka, a Telegram userbot, has vulnerability affects all users on all versions of Hikka. Two scenarios are possible. 1. Web interface does not have an authenticated session: attacker can use his own Telegram account to gain RCE to the server by authorizing in the dangling web interface. 2. Web...
CVE-2025-27754
CVE-2025-27754 : A stored XSS flaw affects RSBlog! component for Joomla, versions 1.11.6–1.14.4. The root cause is insufficient input cleanup, allowing an authenticated user to inject JavaScript into the plugin’s resource; the payload is stored and later executed when other users view the affecte...
CVE-2024-6026
The Slider by 10Web WordPress plugin before 1.2.56 does not sanitise and escape some of its Slide options, which could allow authenticated users with access to the Sliders by default Administrator, however this can be changed via the Slider by 10Web WordPress plugin before 1.2.56's options and th...
CVE-2024-5639
The User Profile Picture plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.1 via the 'restapichangeprofileimage' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...
CVE-2024-10779
The Cowidgets – Elementor Addons plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.0 via the 'cetemplate' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with...
CVE-2024-50634
A vulnerability in a weak JWT token in Watcharr v1.43.0 and below allows attackers to perform privilege escalation using a crafted JWT token. This vulnerability is not limited to privilege escalation but also affects all functions that require authentication...