
Positive Technologies
added 4 days ago, 6 views

PT-2026-49654

Name of the Vulnerable Software and Affected Versions: NPort W2150A-W4/W2250A-W4 Series versions prior to 1.5.1. Description: A stack-based buffer overflow occurs due to insufficient input validation of user-supplied input in the Server location parameter on the Basic settings page. An authenticated...

CVSS 8.6, AI score 6.6, EPSS 0.0039
Exploits 0, References 3
CNNVD
added 2026/05/28 12:00 a.m., 7 views

Nautobot security vulnerability

Nautobot is a web-based automation platform developed by the Nautobot team. Versions of Nautobot prior to 2.4.33 and 3.1.2 contained security vulnerabilities. These vulnerabilities stemmed from users who had permission to add/modify GitRepository records being able to directly set the currenthead...

CVSS 7.1, AI score 5.8, EPSS 0.00277
Exploits 0, References 5
CVE
added 2026/05/22 12:17 p.m., 20 views

CVE-2026-44618

Technical details for CVE-2026-44618 are not publicly available in the provided documents. The records mention an XXE vulnerability in Apache CXF WS-Transfer and upgrade versions, but no further specifics are provided. Monitor for updates.

CVSS 5.3, AI score 5.7, EPSS 0.00416
Exploits 0, References 2, Affected software 1
EUVD
added 2026/05/16 3:25 p.m., 5 views

EUVD-2020-31231

Syncplify.me Server! 5.0.37 contains an unquoted service path vulnerability in the SMWebRestServicev5 service that allows local attackers to escalate privileges by exploiting the unquoted binary path. Attackers can insert a malicious executable into the service path and execute it with LocalSyste...

CVSS 8.5, AI score 5.9, EPSS 0.00114
Exploits 0, References 4
ATTACKERKB
added 2026/05/14 3:27 a.m., 8 views

CVE-2026-5361

The Envira Gallery Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in versions up to and including 1.12.4. This is due to insufficient input sanitization in the updategallerydata function and improper output escaping in the galleryinit function. The...

CVSS 6.4, AI score 6, EPSS 0.00263
Exploits 0, References 7
OSV
added 2026/05/08 12:31 a.m., 2 views

GHSA-935G-9RQ5-Q95C short-video-maker has a path traversal vulnerability

A security flaw has been discovered in gyoridavid short-video-maker up to 1.3.4. This affects an unknown part of the file src/server/routers/rest.ts of the component REST API. The manipulation of the argument req.params.tmpFile results in path traversal. The attack can be launched remotely. The...

CVSS 6.9, AI score 5.4, EPSS 0.00575
Exploits 0, References 6
CVE
added 2026/04/24 5:50 a.m., 10 views

CVE-2026-1949

Delta Electronics AS320T is affected by CVE-2026-1949 due to an incorrect calculation of the buffer size on the stack in the GET/PUT request handler of the web service. The available reports identify the host device and the vulnerable component as the AS320T web service handling GET/PUT requests,...

CVSS 9.8, AI score 6, EPSS 0.00611
Exploits 0, References 1, Affected software 1
CVE
added 2026/03/20 2:02 p.m., 13 views

CVE-2026-4486

D-Link DIR-513 (firmware 1.10) Web Service: The formEasySetPassword function in /goform/formEasySetPassword is vulnerable. Manipulating the curTime argument leads to a stack-based buffer overflow, with remote access possible. The exploit is publicly available, and this affects products no longer ...

CVSS 9, AI score 7.7, EPSS 0.0061
Exploits 1, References 7, Affected software 1
OSV
added 2026/03/02 2:54 p.m., 4 views

CVE-2025-50192 Chamilo: Time-based SQL Injection in /main/webservices/registration.soap.php

Chamilo is a learning management system. Prior to version 1.11.30, there is a time-based SQL injection found in /main/webservices/registration.soap.php. This issue has been patched in version 1.11.30...

CVSS 8.8, AI score 5.8, EPSS 0.00587
Exploits 1, References 5
CVE
added 2026/02/26 9:56 p.m., 12 views

CVE-2026-27457

Weblate CVE-2026-27457 records a missing access control in the AddonViewSet: before 5.16.1, the REST API uses Addon.objects.all() without proper get_queryset scoping, allowing any authenticated user (or anonymous if REQUIRE_LOGIN is not set) to list or retrieve all addons across projects via GET ...

CVSS 4.3, AI score 5.4, EPSS 0.00303
Exploits 0, References 6, Affected software 1
ATTACKERKB
added 2026/02/12 2:25 p.m., 2 views

CVE-2026-1104

The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to unauthorized backup creation and download due to a missing capability check on REST API endpoints in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with...

CVSS 8.8, AI score 5.5, EPSS 0.00266
Exploits 0, References 4
Positive Technologies
added 2026/02/11 12:00 a.m., 2 views

PT-2026-7622

Name of the Vulnerable Software and Affected Versions: Shenzhen Zhibotong Electronics ZBT WE2001 version 23.09.27. Description: A missing session validation check within the web API component allows unauthenticated remote attackers to access administrative functions designed for authorized users...

AI score 5.5, EPSS 0.00324
Exploits 0, References 6
OSV
added 2026/01/28 6:16 p.m., 5 views

CVE-2025-57795

Explorance Blue versions prior to 8.14.13 contain an authenticated remote file download vulnerability in a web service component. In default configurations, this flaw can be leveraged to achieve remote code execution...

CVSS 9.9, AI score 6.1, EPSS 0.00538
Exploits 0, References 4
RedhatCVE
added 2026/01/09 8:34 a.m., 2 views

CVE-2024-41925

The web service for ONS-S8 - Spectra Aggregation Switch includes functions which do not properly validate user input, allowing an attacker to traverse directories, bypass authentication, and execute remote code...

CVSS 9.8, AI score 7.3, EPSS 0.00701
Exploits 0, References 1
Vulnrichment
added 2025/12/13 4:31 a.m., 2 views

CVE-2025-13093 Devs CRM – Manage tasks, attendance and teams all together <= 1.1.8 - Missing Authorization to Unauthenticated Lead Tag Update

The Devs CRM – Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/devs-crm/v1/bulk-update' REST-API endpoint in all versions up to, and including, 1.1.8. This makes it possible...

CVSS 5.3, AI score 5, EPSS 0.0023
Exploits 0, References 2
NVD
added 2025/11/24 9:16 p.m., 6 views

CVE-2023-7330

Ruijie NBR series routers contain an unauthenticated arbitrary file upload vulnerability via /ddi/server/fileupload.php. The endpoint accepts attacker-supplied values in the name and uploadDir parameters and saves the provided multipart file content without adequate validation or sanitization of...

CVSS 9.3, EPSS 0.00567
Exploits 0, References 5
CVE
added 2025/11/12 7:27 a.m., 19 views

CVE-2025-12633

CVE-2025-12633: The Booking Calendar | Appointment Booking | Bookit plugin for WordPress is vulnerable due to a missing capability check on the REST endpoint /wp-json/bookit/v1/commerce/stripe/return, affecting all versions up to and including 2.5.0. This allows unauthenticated attackers to conn...

CVSS 7.5, AI score 4.9, EPSS 0.00225
Exploits 0, References 2
CNVD
added 2025/11/10 12:00 a.m., 1 view

CanalDenuncia App Information Disclosure Vulnerability (CNVD-2025-30334)

CanalDenuncia App is a reporting channel application from CanalDenuncia Spain. The CanalDenuncia App suffers from an information disclosure vulnerability caused by incorrect authorization validation of parameters id and idsociedad in /api/buscarEmpresaById.php. An attacker can use this...

CVSS 8.7, AI score 6.3, EPSS 0.00241
Exploits 0, References 1
EUVD
added 2025/10/07 12:30 a.m., 7 views

EUVD-2021-13408

Malware in sbrugna...

CVSS 10, AI score 9.2, EPSS 0.02454
Exploits 0, References 2
EUVD
added 2025/10/07 12:30 a.m., 10 views

EUVD-2020-4908

Malware in sbrugna...

CVSS 9.8, AI score 9.2, EPSS 0.03388
Exploits 0, References 2