PT-2026-20530
gSOAP 2.8 contains a directory traversal vulnerability that allows unauthenticated attackers to access system files by using path traversal sequences in HTTP requests. Attackers can retrieve sensitive files like /etc/passwd by sending crafted GET requests with multiple '../' directory traversal...
CVE-2025-60912
phpIPAM v1.7.3 contains a Cross-Site Request Forgery CSRF vulnerability in the database export functionality. The generate-mysql.php function, located in the /app/admin/import-export/ endpoint, allows remote attackers to trigger large database dump downloads via crafted HTTP GET requests if an...
CVE-2025-60535
A Cross-Site Request Forgery CSRF in the component /endpoints/currency/currency of Wallos v4.1.1 allows attackers to execute arbitrary operations via a crafted GET request...
CVE-2025-59976
An arbitrary file download vulnerability in the web interface of Juniper Networks Junos Space allows a network-based authenticated attacker using a crafted GET method to access any file on the file system. Using specially crafted GET methods, an attacker can gain access to files beyond the file...
CVE-2025-59976
CVE-2025-59976 affects Juniper Networks Junos Space. A flaw in the web interface allows a network-authenticated attacker to download arbitrary files via crafted GET requests, escaping the JBoss file-path restrictions. All versions before 24.1R3 are affected. Remediation: upgrade to Junos Space 24...
EUVD-2024-54806
Malicious code in bioql PyPI...
EUVD-2024-0617
Malicious code in bioql PyPI...
CVE-2025-51281
D-Link DI-8100 16.07.26A1 is vulnerable to Buffer Overflow via the en, val and id parameters in the qjasp function. This vulnerability allows authenticated attackers to cause a Denial of Service DoS by sending crafted GET requests with overly long values for these parameters...
CVE-2025-51533
An Insecure Direct Object Reference IDOR in Sage DPW v202412004 and below allows unauthorized attackers to access internal forms via sending a crafted GET request...
CVE-2024-55040
Cross Site Scripting vulnerability in Sensaphone WEB600 Monitoring System v.1.6.5.H and before allows a remote attacker to execute arbitrary code via crafted GET requests to /@.xml, placing payloads in the g7200, g7300, g4601, and g1F02 parameters...
The vulnerability of the transformMiddleware function in the @fs mechanism of the local development server for Vite allows an attacker to read arbitrary files.
The vulnerability of the transformMiddleware function in the @fs mechanism of the local development server for Vite applications is related to incorrect processing of special symbols in input data. Exploiting this vulnerability allows a malicious actor to read arbitrary files by sending a special...
CVE-2025-25927
A Cross-Site Request Forgery CSRF in Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary operations via a crafted GET request...
Linux Distros Unpatched Vulnerability : CVE-2024-1681
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a...
The vulnerability of the verify_url_valid() function in the Activitypub-Federation framework, a platform for creating and managing communities in the Lemmy ecosystem, allows attackers to circumvent security restrictions and gain unauthorized access to protected information.
The vulnerability of the verify_url_valid() function in the Activitypub-Federation framework, a platform for creating and managing communities in the Lemmy ecosystem, is related to insufficient validation of requests on the server side. Exploiting this vulnerability could allow an attacker to bypass...
The vulnerability of the log.php script in the CMSimple content management system allows an attacker to gain unauthorized access to protected information and execute arbitrary code.
The vulnerability of the CMSimple content management system is related to incorrect restrictions on the path to a restricted directory. Exploiting this vulnerability could allow an attacker to gain unauthorized access to protected information by sending a specially crafted GET request...
Authorization
An Authorization Bypass Through User-Controlled Key vulnerability CWE-639 affecting PortiPortal version 7.2.1 and below, version 7.0.6 and below, version 6.0.14 and below, version 5.3.8 and below may allow a remote authenticated user with at least read-only permissions to access other...
PT-2024-13651 · Unknown · Portiportal
Name of the Vulnerable Software and Affected Versions: PortiPortal versions 7.2.1 and below; PortiPortal versions 7.0.6 and below; PortiPortal versions 6.0.14 and below; PortiPortal versions 5.3.8 and below. Description: The issue allows a remote authenticated user with at least read-only permissions...
The vulnerability in the web interface of Supermicro X11 series BMC IPMI servers involves insufficient protection of the web page structure, allowing attackers to carry out cross-site scripting attacks.
The vulnerability in the web interface of Supermicro X11 series BMC IPMI servers exists due to the lack of measures taken to protect the structure of the web page. Exploiting this vulnerability allows a malicious actor to carry out XSS attacks using specially crafted GET requests...