PT-2025-30671 · Tenda · Tenda Ac8V4

Name of the Vulnerable Software and Affected Versions: Tenda AC8V4 version V16.03.34.06 Description: The Tenda AC8V4 device contains a stack overflow issue at the /goform/saveParentControlInfo API endpoint. Manipulation of the time parameter leads to a stack-based buffer overflow. Recommendations...

PT-2025-30605 · Cncf · Cncf Harbor

Name of the Vulnerable Software and Affected Versions: CNCF Harbor versions 2.12.0 through 2.12.3 CNCF Harbor versions 2.13.0 through 2.13.0 Description: An ORM leak exists in the /api/v2.0/users endpoint, allowing administrators to potentially disclose users' password hash and salt values. The q...

CVE-2025-31513

An issue was discovered in AlertEnterprise Guardian 4.1.14.2.2.1. One can elevate to administrator privileges via the IsAdminApprover parameter in a Request%20Building%20Access requestSubmit API call. The vendor has stated that the system is protected by updating to a version equal to or greater...

CVE-2025-34140 ETQ Reliance CG/NXG API Authorization Bypass via ;localized-text URI Suffix

An authorization bypass vulnerability exists in ETQ Reliance legacy CG and NXG SaaS platforms. By appending a specific URI suffix to certain API endpoints, an unauthenticated attacker can bypass access control checks and retrieve limited sensitive resources. The root cause was a misconfiguration ...

CVE-2025-31513

An issue was discovered in AlertEnterprise Guardian 4.1.14.2.2.1. One can elevate to administrator privileges via the IsAdminApprover parameter in a Request%20Building%20Access requestSubmit API call. The vendor has stated that the system is protected by updating to a version equal to or greater...

PYSEC-2025-71

Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the "/docs" endpoint is vulnerable to a Reflected XSS Cross-Site Scripting attack. This XSS would notably allow an attacker to execute JavaScript code ...

CVE-2025-46122

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the authenticated diagnostics API endpoint /admin/cmdstat.jsp passes attacker-controlled input to the shell without adequate validation, enabling a remote attacker to specify a target by MAC...

PT-2025-30239 · Digiwin · Digiwin Eai

Name of the Vulnerable Software and Affected Versions: Digiwin EAI affected versions not specified Description: The EAI developed by Digiwin contains a flaw that allows remote attackers with regular privileges to elevate their privileges to administrator level. This is achieved through a specific...

CVE-2025-20272

A vulnerability in a subset of REST APIs of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager EPNM could allow an authenticated, low-privileged, remote attacker to conduct a blind SQL injection attack. This vulnerability is due to insufficient validation of user-supplied...

CVE-2025-20284

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system as root. This vulnerability is due to insufficient validation of user-supplied input. An attacker with valid credentials coul...

CVE-2025-20337

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to...

CVE-2025-6227 Invite token is used as part of the secure communication

Mattermost versions 10.5.x = 10.5.7, 9.11.x = 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API...

CVE-2025-53639

MeterSphere is an open source continuous testing platform. Prior to version 3.6.5-lts, the sortField parameter in certain API endpoints is not properly validated or sanitized. An attacker can supply crafted input to inject and execute arbitrary SQL statements through the sorting functionality. Th...

CVE-2025-20337

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to...

CVE-2025-20283

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system as root. This vulnerability is due to insufficient validation of user-supplied input. An attacker with valid credentials coul...

CVE-2025-20337

CVE-2025-20337 affects Cisco Identity Services Engine (ISE) and ISE-PIC via an API injection vulnerability. An unauthenticated, remote attacker can submit a crafted API request to exploit insufficient input validation and achieve arbitrary code execution as root on the underlying OS. Reported imp...

CVE-2025-20337 Cisco ISE API Unauthenticated Remote Code Execution Vulnerability

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to...

CVE-2025-20284

Cisco ISE and Cisco ISE-PIC have a CVE-2025-20284 vulnerability in a specific API that could allow an authenticated, remote attacker with high privileges to execute arbitrary code as root on the underlying OS. Root cause is insufficient validation of user-supplied input, exploitable by submitting...

CVE-2025-20284 Cisco Identity Services Engine Authenticated Remote Code Execution Vulnerability

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system as root. This vulnerability is due to insufficient validation of user-supplied input. An attacker with valid credentials coul...

CVE-2025-20283 Cisco Identity Services Engine Authenticated Remote Code Execution Vulnerability

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system as root. This vulnerability is due to insufficient validation of user-supplied input. An attacker with valid credentials coul...