1387 matches found
PT-2025-53666
Name of the Vulnerable Software and Affected Versions: TaleLin Lin-CMS versions up to 0.6.0. Description: A security issue exists in TaleLin Lin-CMS. The issue involves the manipulation of the username/password arguments, potentially leading to exposure of passwords within the configuration file...
CVE-2025-15108
A vulnerability was detected in PandaXGO PandaX up to fb8ff40f7ce5dfebdf66306c6d85625061faf7e5. This affects an unknown function of the file config.yml of the component JWT Secret Handler. The manipulation of the argument key results in the use of a hard-coded cryptographic key. The attack may be...
CVE-2025-15108 PandaXGO PandaX JWT Secret config.yml hard-coded key
A vulnerability was detected in PandaXGO PandaX up to fb8ff40f7ce5dfebdf66306c6d85625061faf7e5. This affects an unknown function of the file config.yml of the component JWT Secret Handler. The manipulation of the argument key results in the use of a hard-coded cryptographic key. The attack may be...
CVE-2025-15108
PandaXGO PandaX up to fb8ff40f7ce5dfebdf66306c6d85625061faf7e5 is affected in the JWT Secret Handler component. The issue stems from manipulating the key argument in config.yml, resulting in use of a hard-coded cryptographic key. The vulnerability can be exploited remotely and is described with h...
PT-2025-53624
Name of the Vulnerable Software and Affected Versions: PandaXGO PandaX versions prior to fb8ff40f7ce5dfebdf66306c6d85625061faf7e5. Description: A security issue exists in PandaXGO PandaX related to the JWT Secret Handler component. The issue involves the manipulation of the key argument within the...
ChurchCRM Code Execution Vulnerability
ChurchCRM is an open source church management system. ChurchCRM suffers from a code execution vulnerability that stems from user input in the installation wizard being written directly to a configuration file without validation, which can be exploited by an attacker to cause remote code execution...
CVE-2018-25137
CVE-2018-25137 concerns FLIR Brickstream 3D+ (version 2.1.742.1842). The issue is an unauthenticated vulnerability in the ExportConfig REST API that enables downloading sensitive configuration files via the getConfigExportFile.cgi endpoint. This exposes system configurations and potentially allow...
CVE-2018-25131
CVE-2018-25131 concerns Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063. The vulnerability is a stored cross-site scripting (XSS) flaw in the configuration file upload functionality, allowing an uploaded HTML file to execute arbitrary JavaScript in a user’s browser session when viewed. Affecte...
Leica Geosystems GNSS Security Vulnerability
Leica Geosystems GNSS is a line of mapping equipment from Leica Germany. A security vulnerability exists in Leica Geosystems GNSS version 4.30.063, which stems from the presence of stored cross-site scripting in the configuration file upload function that could lead to the execution of arbitrary...
Backdoor.Win32.Netbus.170 MVID-2025-0703 Insecure Credential Storage
Backdoor.Win32.Netbus.170 malware listens on TCP ports 12632 and 12631. The backdoor server password "ecoli" is stored in cleartext in an .INI text file, stored under "C:\Windows" and having the same name as the malware. Third-party attackers who have knowledge of the password can log in and issue...
[SECURITY] Fedora 42 Update: mqttcli-0.2.8-1.fc42
mqttcli provides two programs pub and sub that allow command-line access to an MQTT broker. sub subscribes to a topic and prints messages received to standard output. pub publishes the provided message to the provided topic. Both programs accept flags that can be provided as a config file...
CVE-2025-65009 Insecure Password Storage in WODESYS WD-R608U router
In the WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28), the admin password is stored in the configuration file as plaintext and can be obtained by an unauthorized user by direct reference to the resource in question. The vendor was notified early about this vulnerability, but didn't respond with th...
PT-2025-52248
In the WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28), the admin password is stored in the configuration file as plaintext and can be obtained by an unauthorized user by direct reference to the resource in question. The vendor was notified early about this vulnerability, but didn't respond with th...
CVE-2025-62521 ChurchCRM has unauthenticated RCE in its Install Wizard
ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server...
CVE-2025-14730
A security flaw has been discovered in CTCMS Content Management System up to 2.1.2. The impacted element is an unknown function in the library /ctcms/libs/CtConfig.php of the component Backend System Configuration Module. The manipulation of the argument CjAdd/CjEdit results in code injection. Th...
CVE-2025-34180
NetSupport Manager 14.12.0001 relies on a shared Gateway Key for authentication between Manager/Control, Client, and Connectivity Server components. The key is stored using a reversible encoding scheme. An attacker who obtains access to a deployed client configuration file can decode the stored...
CVE-2025-66482
Misskey is an open source, federated social media platform. Attackers who use an untrusted reverse proxy, or no reverse proxy at all, can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option trustProxy has been added in the config file to...
CVE-2025-34180
NetSupport Manager 14.12.0001 relies on a shared Gateway Key for authentication between Manager/Control, Client, and Connectivity Server components. The key is stored using a reversible encoding scheme. An attacker who obtains access to a deployed client configuration file can decode the stored...
EUVD-2025-202721
OS Command Injection vulnerability in Ruijie M18 EW3.01B11P226M1810223116 allowing attackers to execute arbitrary commands via a crafted POST request to the moduleset in file /usr/local/lua/devconfig/configretain.lua...
CVE-2025-56085
OS Command Injection vulnerability in Ruijie RG-EW1200 EW3.01B11P227EW120011130208RG-EW1200 V1.00 allowing attackers to execute arbitrary commands via a crafted POST request to the moduleset in file /usr/local/lua/devconfig/configretain.lua...