CVE-2025-9994
The Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not have an authentication feature, allowing unauthorized access to anyone with network access...
CVE-2025-40689
SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. This vulnerability allows an attacker to retrieve, create, update and delete database via 'remark', 'status' and 'requestid' parameters in the endpoint '/ofrs/admin/request-details.php'...
WebSocket endpoint `/api/v2/ws/logs` reachable without authentication even when --auth is enabled
Summary: Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can: - Stream real-time application logs (information disclosure). - Gain insight into internal file...
CVE-2025-54376
Hoverfly (versions
Exploit for CVE-2025-57520
PoC exploit for CVE-2025-57520, a stored cross-site scripting X...
CVE-2025-56407
A vulnerability has been found in HuangDou UTCMS V9 and classified as critical. This vulnerability affects the function RunSql of the file app/modules/ut-data/admin/mysql.php. The manipulation of the argument sql leads to sql injection. The attack can be initiated remotely. The exploit has been...
CVE-2025-9994 Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not require authentication
The Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not have an authentication feature, allowing unauthorized access to anyone with network access...
CVE-2025-9994
The Amp’ed RF BT-AP 111 Bluetooth access point exposes an HTTP admin interface that has no authentication. This allows any user with network access to gain full administrative control of the device. Current public details do not indicate a fixed version; some sources note no fix is available yet....
BIT-ENVOY-GATEWAY-2025-24030 Envoy Admin Interface Exposed through prometheus metrics endpoint
Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. A user with access to the Kubernetes cluster can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by any version of Envoy Gateway prior...
Amp'ed RF BT-AP 111 Bluetooth access point lacks an authentication mechanism
Overview: The Amp’ed RF BT-AP 111 Bluetooth Access Point exposes an HTTP-based administrative interface without authentication controls. This allows an unauthenticated remote attacker to gain full administrative access to the device. Description: The Amp’ed RF BT-AP 111 is a Bluetooth-to-Ethernet...
PT-2025-36732
Name of the Vulnerable Software and Affected Versions: Amp’ed RF BT-AP 111 Bluetooth access point affected versions not specified Description: The HTTP admin interface lacks an authentication feature, enabling unauthorized access to individuals with network access. Recommendations: At the moment,...
CVE-2025-57766 Fides's Admin UI User Password Change Does Not Invalidate Current Session
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors such as XSS ca...
PT-2025-36372
Name of the Vulnerable Software and Affected Versions: itsourcecode Online Discussion Forum version 1.0 Description: A SQL injection issue exists in itsourcecode Online Discussion Forum 1.0. The issue affects an unknown function within the /admin file. Manipulation of the Username parameter can...
CVE-2025-35452
PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras use default, shared credentials for the administrative web interface...
PT-2025-36321
Name of the Vulnerable Software and Affected Versions: PTZOptics and ValueHD-based pan-tilt-zoom cameras affected versions not specified Description: PTZOptics and ValueHD-based pan-tilt-zoom cameras utilize default, shared credentials for the administrative web interface. This allows unauthorize...
appRain CMF Cross-Site Scripting Vulnerability
appRain CMF is a content management framework. A cross-site scripting vulnerability exists in appRain CMF due to improper validation of user-supplied input on the /appain/admin/filemanager endpoint, which can be exploited by an attacker to steal a victim's cookie-based authentication credentials...
CVE-2025-9731
A vulnerability was determined in Tenda AC9 15.03.05.19. The impacted element is an unknown function of the file /etcro/shadow of the component Administrative Interface. This manipulation causes hard-coded credentials. It is possible to launch the attack on the local host. The attack's complexity...
CVE-2025-9806
The CVE-2025-9806 entry concerns Tenda F1202 devices (firmware versions 1.2.0.9–1.2.0.20) with an issue in the Administrative Interface’s /etc_ro/shadow function. Manipulating the input Fireitup locally can cause hard-coded credentials to be exposed. Exploitation requires local access and a high ...