861 matches found
CVE-2025-13754 Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.16 - Missing Authorization to Unauthenticated Sensitive Information Exposure
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.16. This is due to the plugin exposing its admin embed endpoint at /wp-json/ssa/v1/embed-inner-admin without...
CVE-2025-13754
The CVE-2025-13754 entry affects the WordPress plugin Simply Schedule Appointments (Appointment Booking Calendar) up to version 1.6.9.16. Root cause is unauthenticated access to the admin embed endpoint /wp-json/ssa/v1/embed-inner-admin, causing leakage of private configuration data (staff names,...
CVE-2025-63391
An authentication bypass vulnerability exists in Open-WebUI =0.6.32 in the /api/config endpoint. The endpoint lacks proper authentication and authorization controls, exposing sensitive system configuration data to unauthenticated remote attackers...
PT-2025-52418
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.16. This is due to the plugin exposing its admin embed endpoint at /wp-json/ssa/v1/embed-inner-admin without...
CVE-2025-63391
An authentication bypass vulnerability exists in Open-WebUI =0.6.32 in the /api/config endpoint. The endpoint lacks proper authentication and authorization controls, exposing sensitive system configuration data to unauthenticated remote attackers...
dify 安全漏洞
dify is an open source LLM application development platform from LangGenius Open Source. A security vulnerability exists in version 1.9.1 of dify, which stems from improper privileges and could lead to unauthorized access to system configuration data...
Open WebUI 安全漏洞
Open WebUI is an extensible, feature-rich, user-friendly self-hosted WebUI from Open WebUI Open Source. A security vulnerability exists in Open WebUI version 0.6.32 and earlier, which stems from an authentication bypass that could lead to unauthorized access to system configuration data...
CVE-2025-14540
The Userback plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the userbackgetjson function in all versions up to, and including, 1.0.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract...
CVE-2025-14540
CVE-2025-14540 affects the WordPress Userback plugin: versions up to and including 1.0.15 suffer a missing capability check in userback_get_json, enabling authenticated users with Subscriber+ access to exfiltrate the plugin’s configuration data, including the Userback API access token, and privat...
CVE-2025-13053
When a user configures the NAS to retrieve UPS status or control the UPS, a non-enforced TLS certificate verification can allow an attacker able to intercept network traffic between the client and server can perform a man-in-the-middle MITM attack, which may obtain the sensitive information of th...
CVE-2025-14265
In versions of ScreenConnect™ prior to 25.8, server-side validation and integrity checks within the extension subsystem could allow the installation and execution of untrusted or arbitrary extensions by authorized or administrative users. Abuse of this behavior could result in the execution of...
CVE-2025-13053
The CVE-2025-13053 issue affects ASUSTOR ADM NAS: vulnerable in versions 4.1.0–4.3.3.RKD2 and 5.0.0–5.1.0.RN42. Root cause is non-enforced TLS certificate verification when configuring NAS to retrieve UPS status or control the UPS, enabling a network MITM attack to intercept traffic and potential...
CVE-2025-14265 Improper server-side validation in ScreenConnect extension framework
In versions of ScreenConnect™ prior to 25.8, server-side validation and integrity checks within the extension subsystem could allow the installation and execution of untrusted or arbitrary extensions by authorized or administrative users. Abuse of this behavior could result in the execution of...
EUVD-2025-202687
In versions of ScreenConnect™ prior to 25.8, server-side validation and integrity checks within the extension subsystem could allow the installation and execution of untrusted or arbitrary extensions by authorized or administrative users. Abuse of this behavior could result in the execution of...
PT-2025-50611
Name of the Vulnerable Software and Affected Versions ScreenConnect versions prior to 25.8 Description The ScreenConnect server component, in versions prior to 25.8, has insufficient server-side validation and integrity checks within its extension subsystem. This allows the installation and...
CVE-2025-13607 D-Link CCTV camera model DCS-F5614-L1 Missing Authentication for Critical Function
A malicious actor can access camera configuration information, including account credentials, without authenticating when accessing a vulnerable URL...
CVE-2025-48610
In pkvmguestrelinquishtohost of memprotect.c, there is a possible configuration data leak due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...
ownCloud < 10.15.1 Information Disclosure Vulnerability
ownCloud is prone to an information disclosure vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:owncloud:owncloud";...
EUVD-2025-201753
In pkvmguestrelinquishtohost of memprotect.c, there is a possible configuration data leak due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2025-48610
In pkvmguestrelinquishtohost of memprotect.c, there is a possible configuration data leak due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...