CVE-2025-68719
CVE-2025-68719 affects KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1. The issue is a configuration management flaw that allows an authenticated user with an active session to access the backup endpoint and download a full configuration archive, including sensitive files such as /etc/shadow. Th...
CVE-2025-14823
In deployments using the ScreenConnect™ Certificate Signing Extension, encrypted configuration values, including an Azure Key Vault-related key, could be returned to unauthenticated users through a client-facing endpoint under certain conditions. The values remained encrypted and securely stored a...
Server-Side Template Injection (SSTI)
getgrav/grav is vulnerable to Server-Side Template Injection (SSTI). The vulnerability is due to improper input handling in form submissions, which allows an attacker to send a crafted POST payload to expose sensitive configuration details, including plugin configurations...
CVE-2025-14540 Userback <= 1.0.15 - Missing Authorization to Authenticated (Subscriber+) Plugin's Configuration Exposure
The Userback plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the userbackgetjson function in all versions up to, and including, 1.0.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract...
WordPress Userback plugin <= 1.0.15 - Missing Authorization to Authenticated (Subscriber+) plugin's Configuration Exposure vulnerability
Missing Authorization to Authenticated (Subscriber+) plugin's Configuration Exposure vulnerability discovered by jsonc in WordPress Plugin Userback versions <= 1.0.15...
CVE-2025-11379
The CVE-2025-11379 entry refers to the WordPress WebP Express plugin being vulnerable to information exposure via config files in all versions up to 0.25.9. The root cause is described as the plugin not properly randomizing the config file name, allowing direct access on NGINX and enabling unauth...
CVE-2025-66298
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, having a simple form on a site can reveal the whole Grav configuration, including plugin configuration details, by using the correct POST payload to exploit a Server-Side Template Injection (SSTI) vulnerability. Sensitive information may be...
CVE-2020-36873
Astak CM-818T3 2.4GHz wireless security surveillance cameras contain an unauthenticated configuration disclosure vulnerability in the /web/cgi-bin/hi3510/backup.cgi endpoint. The endpoint permits remote download of a compressed configuration backup without requiring authentication or authorizatio...
PT-2025-48192
Name of the Vulnerable Software and Affected Versions: ESCAM QD-900 WIFI HD cameras (affected versions not specified). Description: The ESCAM QD-900 WIFI HD cameras have an issue where the /web/cgi-bin/hi3510/backup.cgi endpoint allows the download of a compressed configuration backup without...
iCam365 P201 and iCam365 QC021 access control error vulnerability
The iCam365 P201 and iCam365 QC021 are both network surveillance cameras from the Chinese company iCam365. An access control error vulnerability exists in the iCam365 P201 and iCam365 QC021 that stems from the product allowing unauthenticated access to the RTSP service, which could lead to...
CVE-2025-64309
Brightpick Mission Control discloses device telemetry, configuration, and credential information via WebSocket traffic to unauthenticated users when they connect to a specific URL. The unauthenticated URL can be discovered through basic network scanning techniques...
Radiometrics VizAir security vulnerability
Radiometrics VizAir is a weather monitoring and warning system from Radiometrics, Inc. A security vulnerability exists in Radiometrics VizAir that stems from a publicly accessible configuration file exposing the system's REST API key, which could lead to remote tampering with weather data and...
EUVD-2025-37521
MantisBT unauthorized disclosure of private project column configuration...
CVE-2025-10897 WooCommerce Designer Pro <= 1.9.28 - Unauthenticated Arbitrary File Read
The WooCommerce Designer Pro theme for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.9.28. This makes it possible for unauthenticated attackers to read arbitrary files on the server, which can expose DB credentials when the wp-config.php file is read...
CVE-2025-10694 User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds <= 1.8.0 - Missing Authorization to Information Disclosure
The User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the maybeloadonboardingwizard function in all versions up to, and including, 1.8.0. This makes it possibl...
PT-2025-42828
Name of the Vulnerable Software and Affected Versions: Zyxel ATP series versions V4.32 through V5.40; Zyxel USG FLEX series versions V4.50 through V5.40; Zyxel USG FLEX 50W series versions V4.16 through V5.40; Zyxel USG20W-VPN series versions V4.16 through V5.40. Description: A missing authorization fl...
EUVD-2009-4923
Malware in sbrugna...
EUVD-2012-4034
Malware in sbrugna...
EUVD-2021-26830
Malware in sbrugna...