PT-2025-38236
Name of the Vulnerable Software and Affected Versions: ZimaOS versions prior to 1.4.2 Description: ZimaOS, a fork of CasaOS, is susceptible to a file read issue. The /v2 1/files/file/download API endpoint allows unauthorized file access from any user with localhost access. File reads are executed...
PT-2025-38074
Name of the Vulnerable Software and Affected Versions: Ilevia EVE X1 Server versions prior to 4.7.18.0.eden Description: Ilevia EVE X1 Server contains an unauthenticated OS command injection vulnerability in the /ajax/php/login.php script. Remote attackers can execute arbitrary system commands by...
PT-2025-38080
Name of the Vulnerable Software and Affected Versions: Campcodes Grocery Sales and Inventory System version 1.0 Description: A SQL injection issue exists in Campcodes Grocery Sales and Inventory System 1.0. Manipulation of the ID argument in the /ajax.php?action=save category API endpoint can lea...
Indico may disclose unauthorized user details access via legacy API
Impact A legacy API to retrieve user details could be misused to retrieve profile details of other users without having admin permissions due to a broken access check. Patches You should update to Indico 3.3.8 as soon as possible. See the docs for instructions on how to update. Workarounds It ...
PT-2025-37105
Name of the Vulnerable Software and Affected Versions: Scada-LTS versions prior to 2.7.8.2 Description: A vulnerability exists in Scada-LTS that allows for cross-site scripting. The issue affects unknown code within the /data point edit.shtm file of the Data Point Edit Module. The manipulation of...
PT-2025-37103
Name of the Vulnerable Software and Affected Versions: 299ko versions up to 2.0.0 Description: A weakness exists in 299ko due to path traversal in the getSentDir/delete function of the plugin/filemanager/controllers/FileManagerAPIController.php file. This issue is remotely exploitable, and the...
PT-2025-35925
Name of the Vulnerable Software and Affected Versions: appRain CMF version 4.0.5 Description: A stored authenticated cross-site scripting (XSS) issue exists due to insufficient validation of user-supplied input. The vulnerability is present in the /apprain/developer/addons/update/cycle endpoint,...
PT-2025-35852
Name of the Vulnerable Software and Affected Versions: fuyang lipengjun platform version 1.0.0 Description: A vulnerability exists in the AdController function of the /ad/queryAll file, leading to improper authorization. The issue is remotely exploitable and the exploit is publicly available...
PT-2025-35458
Name of the Vulnerable Software and Affected Versions: itsourcecode Sports Management System version 1.0 Description: A flaw exists in itsourcecode Sports Management System version 1.0, specifically within an unknown function of the file /Admin/resultdetails.php. Manipulation of the ID argument c...
CVE-2025-57813
traQ is a messenger application built for Digital Creators Club traP. Prior to version 3.25.0, a vulnerability exists where sensitive information, such as OAuth tokens, is recorded in log files when an error occurs during the execution of an SQL query. An attacker could intentionally trigger an...
PT-2025-34839 · Unknown · Editso Fuso
Name of the Vulnerable Software and Affected Versions: editso fuso versions up to 1.0.4-beta.7 Description: A flaw exists due to inadequate encryption strength caused by the manipulation of the priv key argument within the PenetrateRsaAndAesHandshake function located in the...
PT-2025-34853 · Unknown · Patientservice.Pl
Name of the Vulnerable Software and Affected Versions: PatientService.pl affected versions not specified Description: The getPatientIdentifier function within the PatientService.pl service is susceptible to SQL injection due to improper handling of the pesel parameter. Recommendations: As a...
PT-2025-34855 · Unknown · Returnuserunitsxml.Pl
Name of the Vulnerable Software and Affected Versions: ReturnUserUnitsXML.pl affected versions not specified Description: The getUserInfo function within the ReturnUserUnitsXML.pl service is susceptible to SQL injection via the UserID parameter. Recommendations: As a temporary workaround, conside...
PT-2025-34844 · Cgm · Cgm Clininet
Name of the Vulnerable Software and Affected Versions: affected versions not specified Description: The system exposes several endpoints, typically including /int/ in their path, that should be restricted to internal services but are publicly accessible without authentication to any host able to...
PT-2025-34842 · Print.Pl · Print.Pl
Name of the Vulnerable Software and Affected Versions: Print.pl affected versions not specified Description: The uhcPrintServerPrint function allows execution of arbitrary code via the CopyCounter parameter. Recommendations: At the moment, there is no information about a newer version that contai...
PT-2025-34854 · Unknown · Preparecdexportjson.Pl
Name of the Vulnerable Software and Affected Versions: PrepareCDExportJSON.pl affected versions not specified Description: The getPerfServiceIds function within the PrepareCDExportJSON.pl service is susceptible to SQL injection. This allows for potential manipulation of database queries through...
PT-2025-34847 · Clininet · Clininet
Name of the Vulnerable Software and Affected Versions: CliniNET affected versions not specified Description: The vulnerability allows unauthenticated users to download a file containing session ID data by directly accessing the /cgi-bin/CliniNET.prd/utils/userlogxls.pl endpoint. Recommendations: ...
PT-2025-34829
Name of the Vulnerable Software and Affected Versions: Campcodes Online Loan Management System version 1.0 Description: A vulnerability exists in Campcodes Online Loan Management System that allows for SQL injection. The issue affects an unknown part of the /ajax.php?action=delete plan file...
CVE-2025-57813
CVE-2025-57813 affects the traQ messenger (github.com/traPtitech/traQ). Before version 3.25.0, error handling during SQL queries can write sensitive data (e.g., OAuth tokens) to log files. An attacker with log access could trigger SQL errors to illicitly read recorded secrets. The issue is fixed ...
PT-2025-34738
Name of the Vulnerable Software and Affected Versions: itsourcecode Apartment Management System version 1.0 Description: A SQL injection issue exists in the /maintenance/add maintenance cost.php file due to the manipulation of the ID argument. Remote exploitation is possible. The exploit has been...