
2005 matches found

Positive Technologies
added 2025/04/16 12:0 a.m. · 3 views

PT-2025-16893 · Sourcecodester · Sourcecodester Company Website Cms

Name of the Vulnerable Software and Affected Versions: SourceCodester Company Website CMS version 1.0 Description: The issue is related to Cross Site Scripting XSS via the /dashboard/Services API endpoint. This allows for potential malicious script injection. No information is provided about the...

6.1 CVSS · 5.9 AI score · 0.00251 EPSS
Exploits 1 · References 6

Positive Technologies
added 2025/04/16 12:0 a.m. · 4 views

PT-2025-16891 · Sourcecodester · Sourcecodester Company Website Cms

Name of the Vulnerable Software and Affected Versions: SourceCodester Company Website CMS version 1.0 Description: The issue concerns a file upload vulnerability via the "Create Services" file. This vulnerability can be exploited through the "/dashboard/Services" API endpoint. The Create Services...

9.8 CVSS · 6.2 AI score · 0.00515 EPSS
Exploits 1 · References 6

NVD
added 2025/04/15 10:15 p.m. · 10 views

CVE-2025-27719

Unauthenticated attackers can query an API endpoint and get device details...

6.9 CVSS · 0.00477 EPSS
Exploits 0 · References 1

OSV
added 2025/04/15 10:15 p.m. · 1 views

CVE-2025-27719

Unauthenticated attackers can query an API endpoint and get device details...

6.9 CVSS · 5.8 AI score
Exploits 0 · References 1

Vulnrichment
added 2025/04/15 9:9 p.m. · 6 views

CVE-2025-27719 Growatt Cloud portal Authorization Bypass Through User-Controlled Key

Unauthenticated attackers can query an API endpoint and get device details...

6.9 CVSS · 5.6 AI score · 0.00477 EPSS
Exploits 0 · References 1

Cvelist
added 2025/04/15 4:32 p.m. · 16 views

CVE-2025-32779 labsai/eddi Vulnerable to Path Traversal (Zip Slip) in ZIP Import Function

E.D.D.I Enhanced Dialog Driven Interface is a middleware to connect and manage LLM API bots. In versions before 5.5.0, an attacker with access to the /backup/import API endpoint can write arbitrary files to locations outside the intended extraction directory due to a Zip Slip vulnerability...

6.5 CVSS · 0.01002 EPSS
Exploits 0 · References 3

OSV
added 2025/04/15 3:16 p.m. · 6 views

CVE-2025-27980

cashbook v4.0.3 has an arbitrary file read vulnerability in /api/entry/flow/invoice/show?invoice=...

6.5 CVSS · 6.9 AI score
Exploits 0 · References 1

CVE
added 2025/04/15 8:44 a.m. · 63 views

CVE-2025-3579

Aidex CVE-2025-3579 affects versions prior to 1.7. The issue is a prompt-injection vulnerability in the /api//message endpoint where the content parameter can be manipulated by an authenticated user with access to an open registry, enabling execution of OS commands (Unix), interaction with intern...

9.3 CVSS · 7.2 AI score · 0.00511 EPSS
Exploits 0 · References 1

Cvelist
added 2025/04/15 8:44 a.m. · 26 views

CVE-2025-3579 Code Injection Vulnerability in AiDex

In versions prior to Aidex 1.7, an authenticated malicious user, taking advantage of an open registry, could execute unauthorised commands within the system. This includes executing operating system Unix commands, interacting with internal services such as PHP or MySQL, and even invoking native...

9.3 CVSS · 0.00511 EPSS
Exploits 0 · References 1

Vulnrichment
added 2025/04/15 12:0 a.m. · 6 views

CVE-2025-27980

cashbook v4.0.3 has an arbitrary file read vulnerability in /api/entry/flow/invoice/show?invoice=...

7 AI score · 0.00268 EPSS
Exploits 1 · References 1

Cvelist
added 2025/04/15 12:0 a.m. · 17 views

CVE-2025-27980

cashbook v4.0.3 has an arbitrary file read vulnerability in /api/entry/flow/invoice/show?invoice=...

0.00268 EPSS
Exploits 1 · References 1

OSV
added 2025/04/14 11:12 a.m. · 206 views

BIT-GRAFANA-2024-8118 Grafana alerting wrong permission on datasource rule write endpoint

In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules...

5.1 CVSS · 6.6 AI score · 0.00583 EPSS
Exploits 0 · References 2

Positive Technologies
added 2025/04/14 12:0 a.m. · 2 views

PT-2025-16203 · Unknown · Lingxing Erp

Name of the Vulnerable Software and Affected Versions: Lingxing ERP version 2 Description: A critical issue was found in the function DoUpload of the file /Api/FileUpload.ashx?method=DoUpload. The manipulation of the argument File leads to unrestricted upload. This issue can be exploited remotely...

7.5 CVSS · 6.2 AI score
Exploits 0 · References 16

Positive Technologies
added 2025/04/14 12:0 a.m. · 4 views

PT-2025-16197 · H3C · H3C Magic Be18000 +4

Name of the Vulnerable Software and Affected Versions: H3C Magic NX15 versions up to V100R014 H3C Magic NX30 Pro versions up to V100R014 H3C Magic NX400 versions up to V100R014 H3C Magic R3010 versions up to V100R014 H3C Magic BE18000 versions up to V100R014 Description: A critical issue has been...

8.6 CVSS · 8 AI score · 0.01299 EPSS
Exploits 0 · References 16

Positive Technologies
added 2025/04/11 12:0 a.m. · 5 views

PT-2025-18789 · Wavlink · Wavlink Wl-Wn530Hg4

Name of the Vulnerable Software and Affected Versions: Wavlink WL-WN530H4 version 20220801 Description: The issue is related to a command injection vulnerability in the ping test function of the adm.cgi via the pingIp parameter. This allows attackers to execute arbitrary commands via a crafted...

10 CVSS · 7.7 AI score · 0.02602 EPSS
Exploits 1 · References 7

RedhatCVE
added 2025/04/10 2:50 p.m. · 19 views

CVE-2025-30150

Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Through the store-api it is possible as an attacker to check if a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get the response, which indicates...

6.9 CVSS · 6.7 AI score · 0.00317 EPSS
Exploits 1 · References 1

NVD
added 2025/04/08 9:15 a.m. · 11 views

CVE-2024-54092

A vulnerability has been identified in Industrial Edge Device Kit - arm64 V1.17 All versions, Industrial Edge Device Kit - arm64 V1.18 All versions, Industrial Edge Device Kit - arm64 V1.19 All versions, Industrial Edge Device Kit - arm64 V1.20 All versions V1.20.2-1, Industrial Edge Device Kit -...

9.8 CVSS · 0.00675 EPSS
Exploits 0 · References 2

Vulnrichment
added 2025/04/08 8:22 a.m. · 5 views

CVE-2024-54092

A vulnerability has been identified in Industrial Edge Device Kit - arm64 V1.17 All versions, Industrial Edge Device Kit - arm64 V1.18 All versions, Industrial Edge Device Kit - arm64 V1.19 All versions, Industrial Edge Device Kit - arm64 V1.20 All versions V1.20.2-1, Industrial Edge Device Kit -...

9.8 CVSS · 6.6 AI score · 0.00675 EPSS
Exploits 0 · References 2

Positive Technologies
added 2025/04/07 12:0 a.m. · 6 views

PT-2025-15286 · Zhangyanbo2007 · Youkefu

Name of the Vulnerable Software and Affected Versions: zhangyanbo2007 youkefu version 4.2.0 Description: A critical issue was found in the File Upload component, specifically affecting the WebIMController.java file. The manipulation of the ID argument leads to path traversal. This issue can be...

6.5 CVSS · 6.2 AI score · 0.00827 EPSS
Exploits 1 · References 8

Exploit DB
added 2025/04/06 12:0 a.m. · 348 views

DataEase 2.4.0 - Database Configuration Information Exposure

Exploit Title: DataEase 2.4.0 - Database Configuration Information Exposure Shodan Dork: http.html:"dataease" FOFA Dork: body="dataease" && title=="DataEase" Exploit Author: ByteHunter Email: [email protected] vulnerable Versions: 2.4.0-2.5.0 Tested on: 2.4.0 CVE : CVE-2024-30269 import...

5.3 CVSS · 5.4 AI score · 0.16 EPSS
Exploits 2