GHSA-HCRC-79HJ-M3QH Wazuh server vulnerable to remote code execution
Summary An unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. The vulnerability can be triggered by anybody with API access (a compromised dashboard or Wazuh server in the cluster) or, in certain configurations, even by a compromised agent. Details DistributedAPI...
CVE-2025-28367
mojoPortal <=2.9.0.1 is vulnerable to Directory Traversal via BetterImageGallery API Controller - ImageHandler Action. An attacker can exploit this vulnerability to access the Web.Config file and obtain the MachineKey...
CVE-2025-29513
Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code in the admin API Access token generator...
CVE-2025-32796
Dify is an open-source LLM app development platform. Prior to version 0.6.12, a vulnerability was identified in Dify where normal users can enable or disable apps through the API, even though the web UI button for this action is disabled and normal users are not permitted to make such changes...
CVE-2025-29513
NodeBB has a stored XSS vulnerability in the admin API Access token generator affecting NodeBB v4.0.4 and earlier. The issue allows remote attackers to store arbitrary code. A fix is available in NodeBB 4.0.5 and later (update to 4.0.5+), per PT-2025-17334. Other sources corroborate NodeBB
PT-2025-17314 · Unknown · Namelessmc
Name of the Vulnerable Software and Affected Versions: NamelessMC versions prior to 2.1.4 Description: The issue is related to SQL injection by providing an unexpected square bracket GET parameter syntax. This syntax refers to the structure ?param0=a&param1=b&param2=c utilized by PHP, which is...
CVE-2025-43703
An issue was discovered in Ankitects Anki through 25.02. A crafted shared deck can result in attacker-controlled access to the internal API even though the attacker has no knowledge of an API key through approaches such as scripts or the SRC attribute of an IMG element. NOTE: this issue exists...
PT-2025-16910 · Ankitects · Anki
Name of the Vulnerable Software and Affected Versions: Ankitects Anki versions prior to 25.02 Description: The issue allows for attacker-controlled access to the internal API through a crafted shared deck, even without knowledge of an API key. This can be achieved through various methods, includi...
CVE-2025-43703
Anki (Ankitects) up to version 25.02 is affected by CVE-2025-43703, which allows attacker-controlled access to the internal API via a crafted shared deck, even without knowledge of an API key. The issue stems from an incomplete fix for CVE-2024-32484 and can be triggered through methods such as s...
PT-2025-16195 · H3C · H3C Magic Nx15 +3
Name of the Vulnerable Software and Affected Versions: H3C Magic NX15 versions up to V100R014; H3C Magic NX30 Pro versions up to V100R014; H3C Magic NX400 versions up to V100R014; H3C Magic R3010 versions up to V100R014 Description: A critical vulnerability has been found in H3C Magic NX series...
Linux Distros Unpatched Vulnerability : CVE-2025-32414
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value...
CVE-2025-24866 Unauthorized Access to User Activity Logs API by delegated granular administration roles
Mattermost versions 9.11.x <= 9.11.8 fail to enforce proper access controls on the /api/v4/audits endpoint, allowing users with delegated granular administration roles who lack access to Compliance Monitoring to retrieve User Activity Logs...
CVE-2025-32357
In Zammad 6.4.x before 6.4.2, an authenticated agent with knowledge base permissions was able to use the Zammad API to fetch knowledge base content that they have no permission for...
CVE-2025-32360
In Zammad 6.4.x before 6.4.2, there is information exposure. Only agents should be able to see and work on shared article drafts. However, a logged in customer was able to see details about shared drafts for their customer tickets in the browser console, which may contain confidential information...
CVE-2025-32359
In Zammad 6.4.x before 6.4.2, there is client-side enforcement of server-side security. When changing their two factor authentication configuration, users need to re-authenticate with their current password first. However, this change was enforced in Zammad only on the front end level, and not wh...