17 matches found

Snyk
Added 2026/03/11 12:16 a.m. · 3 views

Authorization Bypass Through User-Controlled Key

Overview: studiocms is a community-driven Astro-native CMS, built from the ground up by the Astro community. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the DELETE /studiocmsapi/dashboard/api-tokens endpoint. An attacker can revoke AP...

CVSS 7.1 · AI score 5.9 · EPSS 0.00054
Exploits 2 · References 2
EUVD
Added 2025/10/07 12:30 a.m. · 2 views

EUVD-2018-10551

Malware in sbrugna...

CVSS 6.1 · AI score 6.6 · EPSS 0.00268
Exploits 1 · References 6
EUVD
Added 2025/10/03 8:07 p.m. · 1 view

EUVD-2025-16801

Malicious code in bioql PyPI...

CVSS 8.8 · AI score 6.6 · EPSS 0.00237
Exploits 1 · References 5
EUVD
Added 2025/10/03 8:07 p.m. · 3 views

EUVD-2022-6861

Malicious code in bioql PyPI...

CVSS 5.7 · AI score 5.8 · EPSS 0.00068
Exploits 0 · References 3
EUVD
Added 2025/10/03 8:07 p.m. · 3 views

EUVD-2025-22139

Malicious code in bioql PyPI...

CVSS 8.6 · AI score 6.3 · EPSS 0.05801
Exploits 1 · References 2
EUVD
Added 2025/10/03 8:07 p.m. · 3 views

EUVD-2025-20302

Malicious code in bioql PyPI...

CVSS 5.4 · AI score 6.4 · EPSS 0.00169
Exploits 0 · References 1
Positive Technologies
Added 2025/06/30 12:00 a.m. · 2 views

PT-2025-27424 · Unknown · Daily Expense Manager

Name of the Vulnerable Software and Affected Versions: Daily Expense Manager version 1.0
Description: The issue is related to a user enumeration vulnerability. To exploit this, a POST request must be sent using the name parameter in the "/check.php" endpoint.
Recommendations: For Daily Expense...

CVSS 8.7 · AI score 7.1 · EPSS 0.00307
Exploits 0 · References 8
Vulnrichment
Added 2025/06/04 2:00 a.m. · 8 views

CVE-2025-5552 ChestnutCMS API Endpoint exec deserialization

A vulnerability was found in ChestnutCMS up to 15.1. It has been declared as critical. This vulnerability affects unknown code of the file /dev-api/groovy/exec of the component API Endpoint. The manipulation leads to deserialization. The attack can be initiated remotely. The exploit has been...

CVSS 6.5 · AI score 6.5 · EPSS 0.00237
Exploits 1 · References 4
RedhatCVE
Added 2025/05/23 10:28 a.m. · 4 views

CVE-2024-43379

TruffleHog is a secrets scanning tool. Prior to v3.81.9, this vulnerability allows a malicious actor to craft data in a way that, when scanned by specific detectors, could trigger the detector to make an unauthorized request to an endpoint chosen by the attacker. For an exploit to be effective, t...

CVSS 3.4 · AI score 6.7 · EPSS 0.00304
Exploits 0
Vulnrichment
Added 2025/04/15 8:08 p.m. · 6 views

CVE-2025-32012 Jellyfin Vulnerable to Denial of Service (DoS) via IP Spoofing

Jellyfin is an open-source, self-hosted media server. In versions 10.9.0 to before 10.10.7, the /System/Restart endpoint provides administrators the ability to restart their Jellyfin server. This endpoint is intended to be admins-only, but it also authorizes requests from any device in the same...

CVSS 8.2 · AI score 7.6 · EPSS 0.00324
Exploits 0 · References 2
Exploit DB
Added 2025/04/06 12:00 a.m. · 324 views

DataEase 2.4.0 - Database Configuration Information Exposure

Exploit Title: DataEase 2.4.0 - Database Configuration Information Exposure
Shodan Dork: http.html:"dataease"
FOFA Dork: body="dataease" && title=="DataEase"
Exploit Author: ByteHunter
Email: [email protected]
Vulnerable Versions: 2.4.0-2.5.0
Tested on: 2.4.0
CVE: CVE-2024-30269
import...

CVSS 5.3 · AI score 5.4 · EPSS 0.91873
Exploits 2
Positive Technologies
Added 2024/11/12 12:00 a.m. · 2 views

PT-2024-39089 · Unknown · Modelscope/Agentscope

Name of the Vulnerable Software and Affected Versions: modelscope/agentscope version v0.0.4
Description: A Local File Inclusion (LFI) vulnerability exists in the "/load-workflow" endpoint, allowing an attacker to read arbitrary files from the server, including sensitive files such as API keys, by...

CVSS 7.5 · AI score 7.3 · EPSS 0.00277
Exploits 1 · References 7
Positive Technologies
Added 2024/07/19 12:00 a.m. · 4 views

PT-2024-5343 · D Link · D-Link Dir-823X Ax3000 Dual-Band Gigabit Wireless Router

Name of the Vulnerable Software and Affected Versions: D-Link DIR-823X AX3000 Dual-Band Gigabit Wireless Router version v21 D240126
Description: The issue is related to a remote code execution vulnerability in the ntp zone val parameter at the /goform/set ntp API endpoint. This vulnerability can ...

CVSS 9.8 · AI score 9.5 · EPSS 0.09852
Exploits 1 · References 8
Positive Technologies
Added 2023/04/26 12:00 a.m. · 3 views

PT-2023-22591 · Ourphp · Ourphp

Name of the Vulnerable Software and Affected Versions: OURPHP versions 7.2.0 and earlier
Description: The issue is related to Cross-Site Scripting (XSS) and can be exploited via the "/client/manage/ourphp out.php" API endpoint.
Recommendations: For OURPHP versions 7.2.0 and earlier, at the moment,...

CVSS 6.1 · AI score 5.7 · EPSS 0.7516
Exploits 9 · References 5
Positive Technologies
Added 2022/09/23 12:00 a.m. · 4 views

PT-2022-25588 · Tenda · Tenda Ac15 +1

Name of the Vulnerable Software and Affected Versions: Tenda AC15 and AC18 router version V15.03.05.19
Description: The issue is related to a stack overflow in the fromNatStaticSetting function when handling requests to the "/goform/NatStaticSetting" API endpoint.
Recommendations: For Tenda AC15...

CVSS 9.8 · AI score 9.4 · EPSS 0.00459
Exploits 1 · References 3
CVE
Added 2022/06/14 3:33 p.m. · 66 views

CVE-2022-32350

The CVE-2022-32350 entry concerns the Hospital's Patient Records Management System v1.0, which is vulnerable to SQL Injection via the endpoint /hprms/classes/Master.php?f=delete_room_type. The root cause, as described across sources, is lack of input validation for SQL statements on that page, en...

CVSS 7.2 · AI score 7.3 · EPSS 0.00274
Exploits 1 · References 1 · Affected Software 1
Hacker One
Added 2016/08/23 8:34 p.m. · 18 views

Instacart: Fetch private list metadata and any user's personal name

Overview: When a user creates a list, they can choose whether to make the list visible in search and whether to show their name with the list. The problem is that the attacker can still access the information that the user chose to hide. Furthermore, if the attacker gets hold of a user's ID, th...

AI score 0.5
Exploits 0