11406 matches found
CVE-2025-46175
Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the authRole method of SysUserController.java...
CVE-2025-64767
hpke-js is a Hybrid Public Key Encryption (HPKE) module built on top of the Web Cryptography API. Prior to version 1.7.5, the public SenderContext Seal API has a race condition which allows the same AEAD nonce to be re-used for multiple Seal calls. This can lead to complete loss of confidentiality...
CVE-2025-46174
Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the resetPwd method of SysUserController.java...
CVE-2025-46174
CVE-2025-46174 affects Ruoyi v4.8.0. The issue is an Incorrect Access Control due to a missing checkUserDataScope permission check in the resetPwd method of SysUserController.java. This could allow unauthorized password resets without proper data-scope validation, enabling potential privilege esc...
Ruoyi security vulnerability
Ruoyi is a backend management system by Ruoyi Personal Developer. A security vulnerability exists in Ruoyi v4.8.0, which stems from a missing permission check in the resetPwd method of SysUserController.java...
Ruoyi security vulnerability
Ruoyi is a backend management system by Ruoyi Personal Developer. A security vulnerability exists in Ruoyi v4.8.0, which stems from a missing permission check in the authRole method of SysUserController.java...
PT-2025-48151
Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the authRole method of SysUserController.java...
CVE-2025-46175
Ruoyi v4.8.0 is reported vulnerable to Incorrect Access Control due to a missing checkUserDataScope permission check in the authRole method of SysUserController.java. The CVE entry (CVE-2025-46175) shows a high impact with CVSS v3.1 base score 7.5 (Network, Low complexity, No privileges required,...
PT-2025-48150
Name of the Vulnerable Software and Affected Versions: Ruoyi version 4.8.0. Description: The software contains an incorrect access control issue. Specifically, a permission check is missing in the resetPwd method of the SysUserController.java file. This allows for potential privilege escalation...
ROS-20251125-05
A vulnerability in HashiCorp's Vault and Vault Enterprise enterprise information archiving platforms is related to authentication bypass using an alternate path or channel in the AWS authentication method. Exploitation of the vulnerability could allow an attacker acting...
Arista NG Firewall replace_marker Exposed Dangerous Function Authentication Bypass Vulnerability
This vulnerability allows remote attackers to bypass authentication on affected installations of Arista NG Firewall. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handler.p...
Cross-site Scripting (XSS)
joomla/filter is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to improper handling and validation of user-supplied input in the checkAttribute method, which allows an attacker to inject malicious scripts that can be executed in a victim's browser...
Flowise Custom MCP Remote Code Execution
This Metasploit module exploits a remote code execution vulnerability in Flowise versions greater than or equal to 2.2.7-patch.1 and less than 3.0.1. The vulnerability exists in the customMCP endpoint /api/v1/node-load-method/customMCP located in...
PT-2025-47943
Name of the Vulnerable Software and Affected Versions: Magewell Pro Convert version 1.2.213. Description: A Cross-Site Request Forgery (CSRF) exists in the /mwapi?method=add-user component. This allows attackers to create accounts by sending a specially crafted GET request. The API endpoint...
Flowise JS Injection Remote Code Execution
This Metasploit module exploits a remote code execution vulnerability in Flowise versions greater than or equal to 2.2.7-patch.1 and less than 3.0.6. The vulnerability exists in the customMCP endpoint /api/v1/node-load-method/customMCP located in...
CVE-2025-63952
CVE-2025-63952 describes a CSRF vulnerability in Magewell Pro Convert v1.2.213, specifically in the /mwapi?method=add-user endpoint, which can allow an attacker to create accounts via a crafted GET request. Multiple connected sources (Red Hat, CNNVD, CVE lists, and PT Security) confirm the issue ...
CVE-2025-64048
Affected software/component: YCCMS 3.4, specifically the article management functionality in ArticleAction.class.php. Vulnerability: Stored cross-site scripting (XSS) in the article title input. The root cause is improper neutralization/validation of user-supplied data in the add() and getPost() ...
TASO: Jailbreak LLMs Via Alternative Template and Suffix Optimization
Many recent studies showed that LLMs are vulnerable to jailbreak attacks, where an attacker can perturb the input of an LLM to induce it to generate an output for a harmful question. In general, existing jailbreak techniques either optimize a semantic template intended to induce the LLM to produc...