20 matches found

EUVD
added 2026/03/10 4:44 p.m. | 0 views

EUVD-2026-10553

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to 1.7.3, an authenticated path traversal vulnerability in /api/avatars/filename allows any logged-in user to read arbitrary files from within the application container. The filename URL...

CVSS: 8.3 | AI score: 5.9 | EPSS: 0.00242
Exploits: 1 | References: 3
Cvelist
added 2025/11/18 12:05 p.m. | 5 views

CVE-2025-9312 Improper Certificate-Based Authentication Enforcement in Multiple WSO2 Products

A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due to improper validation of client certificate-based authentication in certain default configurations, the affected components ma...

CVSS: 9.8 | EPSS: 0.00046
Exploits: 0 | References: 1
Vulnrichment
added 2025/11/18 12:05 p.m. | 4 views

CVE-2025-9312 Improper Certificate-Based Authentication Enforcement in Multiple WSO2 Products

A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due to improper validation of client certificate-based authentication in certain default configurations, the affected components ma...

CVSS: 9.8 | AI score: 7 | EPSS: 0.00046
Exploits: 0 | References: 1
EUVD
added 2025/10/03 8:07 p.m. | 2 views

EUVD-2021-28346

Malicious code in bioql PyPI...

CVSS: 9.8 | AI score: 9.2 | EPSS: 0.00502
Exploits: 0 | References: 3
OSV
added 2025/08/08 6:04 a.m. | 2 views

BIT-VAULT-2025-6013 Vault LDAP MFA Enforcement Bypass When Using Username As Alias

Vault and Vault Enterprise's "Vault" ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and...

CVSS: 8.1 | AI score: 6 | EPSS: 0.00163
Exploits: 0 | References: 2
OSV
added 2025/06/10 8:36 p.m. | 0 views

GHSA-RH67-4C8J-HJJH Nautobot may allow uploaded media files to be accessible without authentication

Impact: Files uploaded by users to Nautobot's MEDIA_ROOT directory, including DeviceType image attachments as well as images attached to a Location, Device, or Rack, are served to users via a URL endpoint that was not enforcing user authentication. As a consequence, such files can be retrieved by...

CVSS: 6.3 | AI score: 5.8 | EPSS: 0.00225
Exploits: 0 | References: 7
NVD
added 2025/06/10 4:15 p.m. | 11 views

CVE-2025-49143

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to v2.4.10 and v1.6.32, files uploaded by users to Nautobot's MEDIA_ROOT directory, including DeviceType image attachments as well as images attached to a Location, Device, or Rack, are served to users via a URL endpoint...

CVSS: 6.3 | EPSS: 0.00225
Exploits: 0 | References: 5
CVE
added 2025/06/10 3:43 p.m. | 47 views

CVE-2025-49143

Summary: CVE-2025-49143 affects Nautobot before v2.4.10 and v1.6.32. The issue is improper access control on files stored in Nautobot's MEDIA_ROOT, including DeviceType images and other attachments, which could be retrieved by anonymous users via guessed URLs. Affected versions: Nautobot 2.x vers...

CVSS: 6.3 | AI score: 6.7 | EPSS: 0.00225
Exploits: 0 | References: 5 | Affected Software: 1
RedhatCVE
added 2025/05/15 1:11 a.m. | 15 views

CVE-2025-43004

Due to a security misconfiguration vulnerability, customers can develop Production Operator Dashboards (PODs) that enable outside users to access customer data when they access these dashboards. Since no mechanisms exist to enforce authentication, malicious unauthenticated users can view...

CVSS: 5.3 | AI score: 7 | EPSS: 0.00178
Exploits: 0 | References: 1
Veracode
added 2024/07/16 5:50 a.m. | 11 views

Information Disclosure

fastapi-opa is vulnerable to Information Disclosure. The vulnerability is due to lack of authentication enforcement for HTTP OPTIONS requests by OpaMiddleware, allowing an unauthenticated attacker to determine the existence of entities within the application based on the responses to these reques...

CVSS: 5.8 | AI score: 7 | EPSS: 0.00158
Exploits: 0 | References: 4 | Affected Software: 1
The Hacker News
added 2022/02/03 2:05 p.m. | 601 views

Critical Flaws Discovered in Cisco Small Business RV Series Routers

Cisco has patched multiple critical security vulnerabilities impacting its RV Series routers that could be weaponized to elevate privileges and execute arbitrary code on affected systems, while also warning of the existence of proof-of-concept (PoC) exploit code targeting some of these bugs. Three ...

CVSS: 10 | AI score: 0.8 | EPSS: 0.89397
Exploits: 10
Tenable Nessus
added 2021/03/18 12:00 a.m. | 32 views

Cisco SD-WAN Solution Privilege Escalation (cisco-sa-20190619-sdwan-privesca)

According to its self-reported version, Cisco SD-WAN Solution is affected by a vulnerability due to insufficient authorization enforcement. An authenticated, local attacker can exploit this by authenticating to the targeted device and executing commands, in order to elevate lower-level privilege...

CVSS: 7.8 | AI score: 7.3 | EPSS: 0.00063
Exploits: 0 | References: 3
CNVD
added 2021/01/14 12:00 a.m. | 1 view

Loxone Miniserver Authorization Issues Vulnerability

Loxone Miniserver is a server that provides energy management and monitoring functions for automation of equipment and homes in buildings and houses by Loxone Corporation. Loxone Miniserver version 11.1.9.3 previously had an authorization issue vulnerability that arose from the inability of devic...

CVSS: 9.8 | AI score: 7.1 | EPSS: 0.00985
Exploits: 1 | References: 1
Imperva Blog
added 2018/01/30 5:45 p.m. | 58 views

Survey: APIs a Growing Cybersecurity Risk

Like a lot of people, your mobile phone number is probably easily accessible to anyone with a bit of searching. Imagine if someone could take this number and your name and gain access to your mobile phone account including billing, email address and phone IMSI. Or maybe someone hacked into one of...

AI score: 6.9
Exploits: 0
Cvelist
added 2014/02/20 2:00 a.m. | 19 views

CVE-2014-0732

The Real Time Monitoring Tool (RTMT) web application in Cisco Unified Communications Manager (Unified CM) 10.01 and earlier does not properly enforce authentication requirements, which allows remote attackers to read application files via a direct request to a URL, aka Bug ID CSCum46495...

AI score: 6.7 | EPSS: 0.00214
Exploits: 1 | References: 2
Cisco
added 2014/02/19 8:28 p.m. | 38 views

Cisco Unified Communications Manager Java Class File Availability Vulnerability

A vulnerability in the administration interface of Cisco Unified Communications Manager (Cisco Unified CM) could allow an unauthenticated, remote attacker to access Java class files. The vulnerability is due to insufficient authentication enforcement. An attacker could exploit this vulnerability by...

CVSS: 5 | AI score: 6.4 | EPSS: 0.00194
Exploits: 1 | References: 1
Cisco
added 2014/02/19 8:25 p.m. | 32 views

Cisco Unified Communications Manager Real Time Monitoring Tool Information Disclosure Vulnerability

A vulnerability in the Real Time Monitoring Tool (RTMT) web application of Cisco Unified Communications Manager (Cisco Unified CM) could allow an unauthenticated, remote attacker to access several files related to the RTMT application. The vulnerability is due to insufficient authentication enforcement. ...

CVSS: 5 | AI score: 6.4 | EPSS: 0.00214
Exploits: 1 | References: 1
Saint
added 2013/05/03 12:00 a.m. | 43 views

Novell ZENworks Control Center file upload vulnerability

Added: 05/03/2013. CVE: CVE-2013-1080. BID: 58668. OSVDB: 91627. Background: Novell ZENworks Configuration Management is an IT desktop computer management suite that provides the ability to install, configure and administer desktop computers from a centralized location. The product is based on a...

CVSS: 10 | AI score: 7.4 | EPSS: 0.72916
Exploits: 10
OpenVAS
added 2011/06/01 12:00 a.m. | 10 views

Nmap NSE net: smb-brute

Attempts to guess username/password combinations over SMB, storing discovered combinations for use in other scripts. SYNTAX: userdb: The filename of an alternate username database. brutelimit: Limits the number of usernames checked in the script. In some domains, it's possible to end up with...

AI score: 7.4
Exploits: 0
ThreatPost
added 2010/01/18 8:48 p.m. | 10 views

The Danger of Open APIs

Ninety years ago KitchenAid released their first countertop mixer, which weighed in at about 69 pounds. More interestingly, the mixer also had a special socket that allowed users to attach assorted add-ons for new functionality such as slicers, shredders and meat grinders. Today this sort of...

AI score: 0.9
Exploits: 0 | References: 2