
1734 matches found

Positive Technologies
added 2025/09/17 12:0 a.m., 3 views

PT-2025-38225

Name of the Vulnerable Software and Affected Versions: SourceCodester Online Exam Form Submission version 1.0 Description: A SQL injection issue exists due to the manipulation of the email parameter within an unknown function of the /admin/index.php file. This allows for remote exploitation. The...

CVSS 7.5, AI score 7.5, EPSS 0.0006
Exploits 1, References 9
Cvelist
added 2025/09/16 2:33 p.m., 9 views

CVE-2009-20006 osCommerce <= 2.2 Admin File Manager Arbitrary PHP Code Execution

osCommerce versions up to and including 2.2 RC2a contain a vulnerability in its administrative file manager utility admin/filemanager.php. The interface allows file uploads and edits without sufficient input validation or access control. An unauthenticated attacker can craft a POST request to...

CVSS 9.3, EPSS 0.76356
Exploits 0, References 5
CNVD
added 2025/09/16 12:0 a.m., 3 views

Unspecified Vulnerability in Dreamer CMS (CNVD-2025-21438)

Dreamer CMS is a dreamer content management system. A security vulnerability exists in Dreamer CMS 4.1.3.2 and earlier versions, which stems from improper handling of the file /admin/user/updatePwd, which could lead to weak password requirements. No details of the vulnerability are provided at th...

CVSS 3.1, AI score 4.5, EPSS 0.00044
Exploits 0, Affected Software 1
Vulnrichment
added 2025/09/15 6:2 a.m., 4 views

CVE-2025-10429 SourceCodester Pet Grooming Management Software ajax_product.php sql injection

A vulnerability was detected in SourceCodester Pet Grooming Management Software 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/ajaxproduct.php. The manipulation of the argument dropservices results in sql injection. The attack can be launched remotely. The...

CVSS 6.5, AI score 6.4, EPSS 0.00064
Exploits 1, References 5
RedhatCVE
added 2025/09/11 1:23 p.m., 11 views

CVE-2025-9994

The Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not have an authentication feature, allowing unauthorized access to anyone with network access...

CVSS 9.8, AI score 7.1, EPSS 0.00088
Exploits 0, References 1
NVD
added 2025/09/11 12:15 p.m., 2 views

CVE-2025-40689

SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. This vulnerability allows an attacker to retrieve, create, update and delete database via 'remark', 'status' and 'requestid' parameters in the endpoint '/ofrs/admin/request-details.php'...

CVSS 9.8, EPSS 0.00061
Exploits 0, References 1
Github Security Blog
added 2025/09/10 8:43 p.m., 12 views

WebSocket endpoint `/api/v2/ws/logs` reachable without authentication even when --auth is enabled

Summary Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can: - Stream real-time application logs information disclosure. - Gain insight into internal file...

CVSS 8.8, AI score 7.2, EPSS 0.00155
Exploits 1, References 5, Affected Software 1
CVE
added 2025/09/10 7:49 p.m., 28 views

CVE-2025-54376

Hoverfly (versions

CVSS 8.8, AI score 6.7, EPSS 0.00155
Exploits 1, References 2, Affected Software 1
GithubExploit
added 2025/09/10 12:54 a.m., 270 views

Exploit for CVE-2025-57520

PoC exploit for CVE-2025-57520, a stored cross-site scripting X...

AI score 5.4, EPSS 0.0002
Exploits 2
Vulnrichment
added 2025/09/10 12:0 a.m., 1 views

CVE-2025-56407

A vulnerability has been found in HuangDou UTCMS V9 and classified as critical. This vulnerability affects the function RunSql of the file app/modules/ut-data/admin/mysql.php. The manipulation of the argument sql leads to sql injection. The attack can be initiated remotely. The exploit has been...

AI score 6.8, EPSS 0.00061
Exploits 0, References 2
NVD
added 2025/09/09 2:15 p.m., 2 views

CVE-2025-9994

The Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not have an authentication feature, allowing unauthorized access to anyone with network access...

CVSS 9.8, EPSS 0.00088
Exploits 0, References 2
Vulnrichment
added 2025/09/09 1:1 p.m., 2 views

CVE-2025-9994 Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not require authentication

The Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not have an authentication feature, allowing unauthorized access to anyone with network access...

AI score 6.5, EPSS 0.00088
Exploits 0, References 1
Cvelist
added 2025/09/09 1:1 p.m., 7 views

CVE-2025-9994 Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not require authentication

The Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not have an authentication feature, allowing unauthorized access to anyone with network access...

EPSS 0.00088
Exploits 0, References 1
CVE
added 2025/09/09 1:1 p.m., 11 views

CVE-2025-9994

The Amp’ed RF BT-AP 111 Bluetooth access point exposes an HTTP admin interface that has no authentication. This allows any user with network access to gain full administrative control of the device. Current public details do not indicate a fixed version; some sources note no fix is available yet....

CVSS 9.8, AI score 6.5, EPSS 0.00088
Exploits 0, References 2
OSV
added 2025/09/09 5:37 a.m., 2 views

BIT-ENVOY-GATEWAY-2025-24030 Envoy Admin Interface Exposed through prometheus metrics endpoint

Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. A user with access to the Kubernetes cluster can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by any version of Envoy Gateway prior...

CVSS 7.1, AI score 7.2, EPSS 0.00181
Exploits 0, References 5
CERT
added 2025/09/09 12:0 a.m., 4 views

Amp'ed RF BT-AP 111 Bluetooth access point lacks an authentication mechanism

Overview The Amp’ed RF BT-AP 111 Bluetooth Access Point exposes an HTTP-based administrative interface without authentication controls. This allows an unauthenticated remote attacker to gain full administrative access to the device. Description The Amp’ed RF BT-AP 111 is a Bluetooth-to-Ethernet...

CVSS 9.8, AI score 7.2, EPSS 0.00088
Exploits 0, References 3
Positive Technologies
added 2025/09/09 12:0 a.m., 2 views

PT-2025-36732

Name of the Vulnerable Software and Affected Versions: Amp’ed RF BT-AP 111 Bluetooth access point affected versions not specified Description: The HTTP admin interface lacks an authentication feature, enabling unauthorized access to individuals with network access. Recommendations: At the moment,...

CVSS 9.8, AI score 6.7, EPSS 0.00088
Exploits 0, References 7
Vulnrichment
added 2025/09/08 9:12 p.m., 1 views

CVE-2025-57766 Fides's Admin UI User Password Change Does Not Invalidate Current Session

Fides is an open-source privacy engineering platform. Prior to version 2.69.1, admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors such as XSS ca...

CVSS 6.3, AI score 6.4, EPSS 0.00072
Exploits 1, References 3
Positive Technologies
added 2025/09/06 12:0 a.m., 3 views

PT-2025-36372

Name of the Vulnerable Software and Affected Versions: itsourcecode Online Discussion Forum version 1.0 Description: A SQL injection issue exists in itsourcecode Online Discussion Forum 1.0. The issue affects an unknown function within the /admin file. Manipulation of the Username parameter can...

CVSS 9.8, AI score 7.4, EPSS 0.00066
Exploits 1, References 11
NVD
added 2025/09/05 6:15 p.m., 2 views

CVE-2025-35452

PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras use default, shared credentials for the administrative web interface...

CVSS 9.8, EPSS 0.00219
Exploits 1, References 5