CVE-2025-32808
W. W. Norton InQuizitive through 2025-04-08 allows students to insert arbitrary records of their quiz performance into the backend, because only client-side access control exists...
PT-2025-16017 · W. W. Norton · W. W. Norton Inquizitive
Name of the Vulnerable Software and Affected Versions: W. W. Norton InQuizitive versions through 2025-04-08 Description: The issue allows students to insert arbitrary records of their quiz performance into the backend due to the existence of only client-side access control. This is related to a...
CVE-2024-8196
In mintplex-labs/anything-llm v1.5.11 desktop version for Windows, the application opens server port 3001 on 0.0.0.0 with no authentication by default. This vulnerability allows an attacker to gain full backend access, enabling them to perform actions such as deleting all data from the workspace...
CVE-2024-8196 Missing Authentication for Critical Function in mintplex-labs/anything-llm
In mintplex-labs/anything-llm v1.5.11 desktop version for Windows, the application opens server port 3001 on 0.0.0.0 with no authentication by default. This vulnerability allows an attacker to gain full backend access, enabling them to perform actions such as deleting all data from the workspace...
CVE-2024-8489 CSRF due to overly permissive CORS headers in modelscope/agentscope
A vulnerability in modelscope/agentscope, specifically in the AgentScope Studio backend server, allows for Cross-Site Request Forgery (CSRF) due to overly permissive CORS headers. This issue affects the latest commit on the main branch (21161fe). The vulnerability permits an attacker to access all...
PT-2025-12223 · Unknown · Anything-Llm
Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm version 1.5.11 Description: The application opens server port 3001 on 0.0.0.0 with no authentication by default, allowing an attacker to gain full backend access. This enables them to perform actions such as deletin...
AgentScope cross-site request forgery vulnerability
AgentScope is a ModelScope open-source application for building LLM-based multi-agent applications more simply. AgentScope suffers from a cross-site request forgery vulnerability that stems from the CORS header on the AgentScope Studio backend server being configured too loosely to allow...
CVE-2025-22212
CVE-2025-22212 affects the Joomla Convert Forms extension versions 1.0.0–4.4.9. An authenticated administrator can exploit a SQL injection in the submission management area of the backend to execute arbitrary SQL commands. The CVSSv3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N) yields a base sc...
Linux Distros Unpatched Vulnerability : CVE-2022-33740
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Linux disk/nic frontends data leaks This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CV...
PT-2025-7811 · Hikashop · Hikashop
Name of the Vulnerable Software and Affected Versions: Hikashop component for Joomla versions 3.3.0 through 5.1.4 Description: A SQL injection vulnerability in the Hikashop component for Joomla allows authenticated attackers (administrators) to execute arbitrary SQL commands in the category manageme...
Vulnerabilities fixed in Microsoft Azure
Microsoft has fixed vulnerabilities in Azure Network Watcher and the HPC Linux Node Agent. An attacker could gain elevated privileges by exploiting the vulnerability identified as CVE-2025-21188 in Network Watcher, or execute arbitrary code by exploiting the vulnerabili...
PT-2025-2793 · Autolib Software Systems · Autolib Software Systems Opac
Name of the Vulnerable Software and Affected Versions: AutoLib Software Systems OPAC version 20.10 Description: The issue concerns exposed API keys within the source code. Attackers may use these keys to access the backend API or other sensitive information. Recommendations: For AutoLib Software...
Incomplete List of Disallowed Inputs
Overview Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs through the manipulation of Twig templates. An attacker can modify or delete data by bypassing the sandbox restrictions designed to limit template capabilities. Note: This is only exploitable if the...
CVE-2024-54149 Winter CMS Modules allows a sandbox bypass in Twig templates leading to data modification and deletion
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Winter CMS prior to versions 1.2.7, 1.1.11, and 1.0.476 allows users with access to the CMS templates sections that modify Twig files to bypass the sandbox placed on Twig files and modify resources such...
CVE-2024-10295
A flaw was found in Gateway. Sending a non-base64 'basic' auth with special characters can cause APICast to incorrectly authenticate a request. A malformed basic authentication header containing special characters bypasses authentication and allows unauthorized access to the backend. This issue c...
CVE-2024-10295 Gateway: apicast basic auth bypass via malformed base64 headers: sending non-base64 'basic' auth with special characters causes apicast to incorrectly authenticate a request
A flaw was found in Gateway. Sending a non-base64 'basic' auth with special characters can cause APICast to incorrectly authenticate a request. A malformed basic authentication header containing special characters bypasses authentication and allows unauthorized access to the backend. This issue c...
Input Validation
typo3/cms-backend is vulnerable to improper Input Validation. The vulnerability is due to a lack of proper validation checks on user input, allowing for the manipulation of data saved in the bookmark toolbar and triggering errors that disrupt access to the backend user interface...