EUVD-2025-199924

A security flaw has been discovered in taosir WTCMS up to 01a5f68a3dfc2fdddb44eed967bb2d4f60487665. This affects the function check/uncheck/delete of the file application/Comment/Controller/CommentadminController.class.php of the component CommentadminController. The manipulation of the argument...

EUVD-2025-199916

A vulnerability was identified in taosir WTCMS up to 01a5f68a3dfc2fdddb44eed967bb2d4f60487665. Affected by this issue is the function delete of the file application/Admin/Controller/SlideController.class.php of the component SlideController. The manipulation of the argument ids leads to sql...

CVE-2025-13783

A security flaw has been discovered in taosir WTCMS up to 01a5f68a3dfc2fdddb44eed967bb2d4f60487665. This affects the function check/uncheck/delete of the file application/Comment/Controller/CommentadminController.class.php of the component CommentadminController. The manipulation of the argument...

CVE-2025-13783 taosir WTCMS CommentadminController CommentadminController.class.php delete sql injection

A security flaw has been discovered in taosir WTCMS up to 01a5f68a3dfc2fdddb44eed967bb2d4f60487665. This affects the function check/uncheck/delete of the file application/Comment/Controller/CommentadminController.class.php of the component CommentadminController. The manipulation of the argument...

CVE-2025-13783

CVE-2025-13783 affects taosir WTCMS (CommentadminController) via SQL injection in the check/uncheck/delete path of application/Comment/Controller/CommentadminController.class.php. A remote attacker could exploit by manipulating the ids argument; exploits have been publicly released. Affected vers...

CVE-2025-13782 taosir WTCMS SlideController SlideController.class.php delete sql injection

A vulnerability was identified in taosir WTCMS up to 01a5f68a3dfc2fdddb44eed967bb2d4f60487665. Affected by this issue is the function delete of the file application/Admin/Controller/SlideController.class.php of the component SlideController. The manipulation of the argument ids leads to sql...

CVE-2025-13782

Affects taosir WTCMS (SlideController component). The delete function in application/Admin/Controller/SlideController.class.php accepts an ids parameter and can be abused to perform SQL injection. This is exploitable remotely; public exploit is referenced. Affected versions are prior to 01a5f68a3...

wtcms SQL注入漏洞

wtcms is a ThinkPHP-based content management system CMS by Taosir Individual Developer. An SQL injection vulnerability exists in wtcms, which stems from incorrect manipulation of the parameter ids in the file application/Admin/Controller/SlideController.class.php, which could lead to SQL injectio...

PT-2025-48382

Name of the Vulnerable Software and Affected Versions taosir WTCMS versions prior to 01a5f68a3dfc2fdddb44eed967bb2d4f60487665 Description A flaw exists in taosir WTCMS related to the delete function within the SlideController.class.php file of the SlideController component. Manipulation of the id...

PT-2025-48385

Name of the Vulnerable Software and Affected Versions taosir WTCMS versions up to 01a5f68a3dfc2fdddb44eed967bb2d4f60487665 Description A security flaw exists in taosir WTCMS. The issue affects the check/uncheck/delete function within the...

wtcms SQL注入漏洞

wtcms is a ThinkPHP-based content management system CMS by Taosir Individual Developer. An SQL injection vulnerability exists in wtcms, which stems from incorrect manipulation of the parameter ids in the file application/Comment/Controller/CommentadminController.class.php, which could lead to SQL...

CVE-2025-3261

ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cross-Site Scripting XSS vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if t...

CVE-2025-66384

app/Controller/EventsController.php in MISP before 2.5.24 has invalid logic in checking for uploaded file validity, related to tmpname...

CVE-2025-66384

app/Controller/EventsController.php in MISP before 2.5.24 has invalid logic in checking for uploaded file validity, related to tmpname...

CVE-2025-66385

UsersController::edit in Cerebrate before 1.30 allows an authenticated non-privileged user to escalate their privileges e.g., obtain a higher role such as admin via the user-edit endpoint by supplying or modifying roleid or organisationid fields in the edit request...

EUVD-2025-199869

app/Controller/EventsController.php in MISP before 2.5.24 has invalid logic in checking for uploaded file validity, related to tmpname...

PT-2025-48316

Name of the Vulnerable Software and Affected Versions MISP versions prior to 2.5.24 Description The software contains flawed logic when validating uploaded files, specifically concerning the tmp name parameter. This issue resides in the app/Controller/EventsController.php file. Recommendations...

CVE-2025-66384

app/Controller/EventsController.php in MISP before 2.5.24 has invalid logic in checking for uploaded file validity, related to tmpname...

EUVD-2025-199868

UsersController::edit in Cerebrate before 1.30 allows an authenticated non-privileged user to escalate their privileges e.g., obtain a higher role such as admin via the user-edit endpoint by supplying or modifying roleid or organisationid fields in the edit request...

ThingsBoard allows an authenticated user to upload malicious SVG images

ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cross-Site Scripting XSS vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if t...