PT-2025-32181 · Unknown · Gatling Enterprise

Name of the Vulnerable Software and Affected Versions: Gatling Enterprise versions prior to 1.25.0 Description: Gatling Enterprise is susceptible to an issue where a user with limited privileges, lacking the “admin” role, can execute REST API calls on read-only endpoints. This allows unauthorized...

CVE-2025-51308

In Gatling Enterprise versions below 1.25.0, a low-privileged user that does not hold the role "admin" could perform a REST API call on read-only endpoints, allowing him to collect some information, due to missing authorization checks...

CVE-2025-52892 EspoCRM is vulnerable to access denial through double slash in URI corrupting router cache

EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. In versions 9.1.6 and below, if a user loads Espo in the browser with double slashes e.g https://domain//Admin and the webserver does not strip the double slash, it can cause ...

CVE-2025-54554

tiaudit in Tera Insights tiCrypt before 2025-07-17 allows unauthenticated REST API requests that reveal sensitive information about the underlying SQL queries and database structure...

CVE-2025-7847

The AI Engine plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the restsimpleFileUpload function in versions 2.9.3 and 2.9.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on...

MAL-2025-6669 Malicious code in wild-pet-rest-api (npm)

--- -= Per source details. Do not edit below this line.=-...

MAL-2025-6601 Malicious code in thoughtspot-rest-api-sdk (PyPI)

--- -= Per source details. Do not edit below this line.=-...

Malicious code in thoughtspot-rest-api-sdk (PyPI)

--- -= Per source details. Do not edit below this line.=-...

CVE-2025-7847

The AI Engine plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the restsimpleFileUpload function in versions 2.9.3 and 2.9.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on...

PT-2025-31474 · WordPress · Ai Engine Wordpress Plugin

Name of the Vulnerable Software and Affected Versions: AI Engine plugin for WordPress versions 2.9.3 and 2.9.4 Description: The AI Engine plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the rest simpleFileUpload function. This allows authenticat...

Exploit for CVE-2025-32429

CVE-2025-32429 XWiki SQL Injection PoC Author: Byte Reape...

Improper Authentication

github.com/mattermost/mattermost-server is vulnerable to improper authentication. The vulnerability is due to the failure to negotiate a new token when accepting an invite, which allows an attacker who intercepts both the invite and password to send synchronization payloads to the original server...

Mattermost Server 9.11.x < 9.11.17 / 10.5.x < 10.5.8 (MMSA-2025-00474)

The version of Mattermost Server installed on the remote host is affected by a vulnerability as referenced in the MMSA-2025-00474 advisory. - Mattermost versions 10.5.x = 10.5.7, 9.11.x = 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invi...

WordPress plugin bSecure 安全漏洞

WordPress bSecure plugin is a plugin used to enhance the security of the website, mainly for the payment page of GiveWP to provide security features. An elevation of privilege vulnerability exists in the WordPress bSecure plugin, which stems from a lack of authorization in the orderinfo REST...

CVE-2025-6227

Mattermost versions 10.5.x = 10.5.7, 9.11.x = 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API...

CVE-2025-4302

The Stop User Enumeration WordPress plugin before version 1.7.3 blocks REST API /wp-json/wp/v2/users/ requests for non-authorized users. However, this can be bypassed by URL-encoding the API path...

GHSA-4FWJ-8595-WP25 Mattermost has Insufficiently Protected Credentials

Mattermost versions 10.5.x = 10.5.7, 9.11.x = 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API...

Mattermost has Insufficiently Protected Credentials

Mattermost versions 10.5.x = 10.5.7, 9.11.x = 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API...

CVE-2025-6227

Mattermost versions 10.5.x = 10.5.7, 9.11.x = 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API...

CVE-2025-6227 Invite token is used as part of the secure communication

Mattermost versions 10.5.x = 10.5.7, 9.11.x = 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API...