InnoShop Security Vulnerability
InnoShop is an open-source e-commerce system based on Laravel 11, developed by InnoShop. Version 0.6.0 of InnoShop has a security vulnerability. This vulnerability stems from improper authorization; attackers can log in to the frontend and directly access the backend application interfaces, leadi...
CVE-2025-67732 Dify Vulnerable to Plaintext API Key Exposure via Model Provider Configuration Endpoint
Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This can lead to unauthorized access to third-party services, potentially consuming limited quotas. Version...
CVE-2025-67732
Dify (open-source LLM app platform) prior to v1.11.0 exposes API keys in plaintext to the frontend, allowing non-administrator users to view and reuse them. This can enable unauthorized access to third-party services and potential quota abuse. A fix is available in v1.11.0 or later.
PT-2026-1341
Name of the Vulnerable Software and Affected Versions Dify versions prior to 1.11.0 Description Dify is an open-source LLM app development platform. Before version 1.11.0, the API key was exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This could lead ...
CVE-2025-64050
A Remote Code Execution (RCE) vulnerability in the template management component in REDAXO CMS 5.20.0 allows remote authenticated administrators to execute arbitrary operating system commands by injecting PHP code into an active template. The payload is executed when visitors access frontend pages...
EUVD-2025-199601
A Remote Code Execution (RCE) vulnerability in the template management component in REDAXO CMS 5.20.0 allows remote authenticated administrators to execute arbitrary operating system commands by injecting PHP code into an active template. The payload is executed when visitors access frontend pages...
PT-2025-48038
Name of the Vulnerable Software and Affected Versions: REDAXO CMS version 5.20.0. Description: A Remote Code Execution (RCE) issue exists in the template management component of REDAXO CMS. A remote, authenticated administrator can execute arbitrary operating system commands by injecting PHP code into...
CVE-2025-13164
EasyFlow GP from Digiwin has an Insufficiently Protected Credentials vulnerability that could let privileged remote attackers obtain plaintext credentials for Active Directory and system mail from the system frontend. The CVE entry notes impact to confidentiality (C) with high severity per CVSS d...
EUVD-2025-12227
Malicious code in bioql PyPI...
GHSA-QW93-H6PF-226X OctoPrint Authenticated Reverse Proxy Page Authentication Bypass
Impact OctoPrint versions up until and including 1.10.3 contain a vulnerability that allows an attacker to bypass the login redirect and directly access the rendered HTML of certain frontend pages. The impact on data exposure is minimal because, typically, data is loaded via API requests that...
PT-2024-27727 · Aenrich Technology · A+Hrd
Name of the Vulnerable Software and Affected Versions: aEnrich Technology a+HRD affected versions not specified Description: The issue concerns a lack of proper restrictions on a specific parameter in the front-end retrieval of system configuration values. This allows attackers to modify the...
SUSE CVE-2023-32725
The website configured in the URL widget will receive a session cookie when testing or executing scheduled reports. The received session cookie can then be used to access the frontend as the particular user...
CVE-2023-32725
The website configured in the URL widget will receive a session cookie when testing or executing scheduled reports. The received session cookie can then be used to access the frontend as the particular user...
DEBIAN-CVE-2023-32725
The website configured in the URL widget will receive a session cookie when testing or executing scheduled reports. The received session cookie can then be used to access the frontend as the particular user...
Session fixation
The website configured in the URL widget will receive a session cookie when testing or executing scheduled reports. The received session cookie can then be used to access the frontend as the particular user...
CVE-2023-32725
The CVE-2023-32725 issue affects the Zabbix frontend URL widget: testing or running scheduled reports can cause the site to receive a session cookie that can be used to access the frontend as the specific user. Root cause is improper handling of session cookies in the URL widget, enabling session...
CVE-2023-32725 Leak of zbx_session cookie when using a scheduled report that includes a dashboard with a URL widget.
The website configured in the URL widget will receive a session cookie when testing or executing scheduled reports. The received session cookie can then be used to access the frontend as the particular user...