CVE-2025-3653

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an improper access control vulnerability that allows unauthorized device manipulation by accepting arbitrary serial numbers without ownership verification. Attackers can control any device by sending serial numbers to device contro...

CVE-2025-3653 Petlibro Smart Pet Feeder through 1.7.31 Platform Improper Access Control via API endpoint

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an improper access control vulnerability that allows unauthorized device manipulation by accepting arbitrary serial numbers without ownership verification. Attackers can control any device by sending serial numbers to device contro...

PT-2026-1181

Name of the Vulnerable Software and Affected Versions Petlibro Smart Pet Feeder Platform versions up to 1.7.31 Description The Petlibro Smart Pet Feeder Platform is affected by an improper access control issue. The platform allows unauthorized device manipulation by accepting arbitrary serial...

CVE-2025-14097 Remote Code Execution Vulnerability in Radiometer Products

A vulnerability in the application software of multiple Radiometer products may allow remote code execution and unauthorized device management when specific internal conditions are met. Exploitation requires that a remote connection is established with additional information obtained through othe...

CVE-2025-14097

CVE-2025-14097 affects Radiometer analyzer software across multiple products. The issue allows remote code execution and unauthorized device management when specific internal conditions are met, requiring a remote connection with additional information obtained via other means. Root cause is a we...

Johnson Controls iSTAR Ultra

RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to modify firmware and gain full access to the device. 2. RECOMMENDED PRACTICES CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as: Minimize...

CVE-2025-65291

Aqara Hub devices including Hub M2 4.3.60027, Hub M3 4.3.60025, Camera Hub G3 4.1.90027 fail to validate server certificates in TLS connections for discovery services and CoAP gateway communications, enabling man-in-the-middle attacks on device control and monitoring...

CVE-2025-41732

An unauthenticated remote attacker can abuse unsafe sscanf calls within the checkcookie function to write arbitrary data into fixed-size stack buffers which leads to full device compromise...

CVE-2025-65291

Aqara Hub devices including Hub M2 4.3.60027, Hub M3 4.3.60025, Camera Hub G3 4.1.90027 fail to validate server certificates in TLS connections for discovery services and CoAP gateway communications, enabling man-in-the-middle attacks on device control and monitoring...

WAGO Indsutrial-Managed-Switches 安全漏洞

WAGO Indsutrial-Managed-Switches is a series of high-performance network devices from WAGO, Germany. A security vulnerability exists in WAGO Indsutrial-Managed-Switches, which stems from an unsafe sscanf call in the checkaccount function, which could lead to full control of the device...

PT-2025-49434

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A flaw exists in the Linux kernel’s videobuf2 subsystem. The vb2 ioctl remove bufs function can manipulate the internal buffer list of a queue, potentially overwriting pointers used when...

CVE-2025-56400

Cross-Site Request Forgery CSRF vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa accoun...

CVE-2025-56400

Cross-Site Request Forgery CSRF vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa accoun...

CVE-2025-56400

Cross-Site Request Forgery CSRF vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa accoun...

CVE-2025-56400

CVE-2025-56400 describes a CSRF-type flaw in the OAuth flow of the Tuya SDK 6.5.0 for Android/iOS, affecting Tuya Smart and Smartlife apps and third‑party apps that integrate the SDK. The root cause is failure to validate the OAuth state parameter during account linking, allowing an attacker to t...

CVE-2025-56400

Cross-Site Request Forgery CSRF vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa accoun...

Comet Browser Flaw Lets Hidden API Run Commands on Users’ Devices

SquareX warns Perplexity's Comet AI browser contains a hidden MCP API that bypasses security, allowing attackers to install malware and seize full device control...

CVE-2025-63219

The ITEL ISO FM SFN Adapter firmware ISO2 2.0.0.0, WebServer 2.0 is vulnerable to session hijacking due to improper session management on the /home.html endpoint. An attacker can access an active session without authentication, allowing them to control the device, modify configurations, and...

CVE-2025-63219

The ITEL ISO FM SFN Adapter firmware ISO2 2.0.0.0, WebServer 2.0 is vulnerable to session hijacking due to improper session management on the /home.html endpoint. An attacker can access an active session without authentication, allowing them to control the device, modify configurations, and...

CVE-2025-63219

The ITEL ISO FM SFN Adapter firmware ISO2 2.0.0.0, WebServer 2.0 is vulnerable to session hijacking due to improper session management on the /home.html endpoint. An attacker can access an active session without authentication, allowing them to control the device, modify configurations, and...