
48858 matches found

EUVD
added 2025/11/20 3:43 p.m., 3 views

EUVD-2025-198311

SOPlanning is vulnerable to Broken Access Control in /status endpoint. Due to lack of permission checks in Project Status functionality an authenticated attacker is able to add, edit and delete any status. This issue was fixed in version 1.55...

CVSS 5.3, AI score 6.2, EPSS 0.00149
Exploits 0, References 3
ICS
added 2025/11/20 12:30 a.m., 1 view

ABB Edgenius Management Portal

SUMMARY ABB identified a critical vulnerability present in ABB Ability Edgenius starting from version 3.2.0.0. We have not received any reports of this vulnerability being exploited. An unauthenticated attacker could exploit this vulnerability to: → install and run arbitrary code, → uninstall...

CVSS 9.6, AI score 6.2, EPSS 0.00299
Exploits 0, References 11
RedhatCVE
added 2025/11/20 12:21 a.m., 6 views

CVE-2025-63221

The Axel Technology puma devices firmware versions 0.8.5 to 1.0.3 are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system...

CVSS 9.1, AI score 7.1, EPSS 0.00476
Exploits 1, References 1
RedhatCVE
added 2025/11/19 9:09 a.m., 11 views

CVE-2025-12372

The Permalinks Cascade plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action in the handleTPCAdminAjaxRequest function. This makes it possible for...

CVSS 4.3, AI score 5.8, EPSS 0.00197
Exploits 0, References 1
RedhatCVE
added 2025/11/19 7:26 a.m., 2 views

CVE-2025-12524

The Post Type Switcher plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.0.0 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to modify the post type...

CVSS 5.4, AI score 5.7, EPSS 0.0025
Exploits 0, References 1
Vulnrichment
added 2025/11/19 12:00 a.m., 3 views

CVE-2025-63218

The Axel Technology WOLF1MS and WOLF2MS devices firmware versions 0.8.5 to 1.0.3 are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and...

AI score 6.7, EPSS 0.00577
Exploits 1, References 2
EUVD
added 2025/11/18 9:32 p.m., 3 views

EUVD-2025-198066

A vulnerability in the web management interface of the AOS-CX OS user authentication service could allow an authenticated remote attacker to hijack an active user session. Successful exploitation may enable the attacker to maintain unauthorized access to the session, potentially leading to the vi...

CVSS 5.8, AI score 6.4, EPSS 0.00228
Exploits 0, References 2
EUVD
added 2025/11/18 6:32 p.m., 4 views

EUVD-2025-198048

Insufficient permission validation in Checkmk 2.4.0 before version 2.4.0p16 allows low-privileged users to modify notification parameters via the REST API, which could lead to unauthorized actions or information disclosure...

CVSS 5.3, AI score 5.9, EPSS 0.00143
Exploits 0, References 2
NVD
added 2025/11/18 9:15 a.m., 5 views

CVE-2025-12827

The Top Friends plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3. This is due to missing nonce validation on the topfriendsoptionssubpanel function. This makes it possible for unauthenticated attackers to modify plugin settings via a forge...

CVSS 4.3, EPSS 0.00106
Exploits 0, References 2
Positive Technologies
added 2025/11/18 12:00 a.m., 2 views

PT-2025-47394

Name of the Vulnerable Software and Affected Versions: Eurolab ELTS100 UBX version ELTS100v1.UBX. Description: The Eurolab ELTS100 UBX device is subject to Broken Access Control because of a lack of authentication on critical administrative endpoints. Attackers can directly access and modify sensiti...

CVSS 9.8, AI score 7.1, EPSS 0.0055
Exploits 1, References 7
Positive Technologies
added 2025/11/18 12:00 a.m., 8 views

PT-2025-47389

Name of the Vulnerable Software and Affected Versions: AOS-CX OS, affected versions not specified. Description: A flaw exists in the web management interface of the AOS-CX OS user authentication service. An authenticated remote attacker may be able to hijack an active user session. Successful...

CVSS 5.8, AI score 6.3, EPSS 0.00228
Exploits 0, References 4
NVD
added 2025/11/17 8:15 p.m., 5 views

CVE-2025-36357

IBM Planning Analytics Local 2.1.0 through 2.1.14 could allow a remote authenticated user to traverse directories on the system. An attacker could send a specially crafted URL request containing absolute path sequences to view, read, or write arbitrary files on the system...

CVSS 8, EPSS 0.00686
Exploits 0, References 1
CNNVD
added 2025/11/14 12:00 a.m., 2 views

Synology Contacts for DSM cross-site scripting vulnerability

Synology Contacts for DSM is a contact server provided by the Chinese company Synology. There is a security vulnerability in Synology Contacts for DSM, which allows attackers to bypass access restrictions and read or modify files...

CVSS 5.4, AI score 5.8, EPSS 0.00254
Exploits 0, References 2
OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 4 views

Malicious code in global-outercore-superagent-draco (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8b30a6b026a32f8319d033c5904a53d0b60042fa626c7fa415fe8858ba9a0bb8 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits 0
OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 4 views

Malicious code in taurus-css-minimizer-webpack-plugin-ophiuchus-webdriverio (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9f8ad6a47a997ae581afbb207779a8920a2efac4fcd400cab0db5924bf8227ea This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits 0
OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 3 views

Malicious code in refactor-file-sed-class-wind (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 20c5eb868bd7654b174c4709e96039eb8842f7d6311d2899f566d23882c27941 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits 0
OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 5 views

Malicious code in spinner-proxima-cybernetics-cosmochemistry (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7452dbccf4e36bdc41bf89259059d35e9ad079945737d08d43590057286583d9 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits 0
OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 5 views

Malicious code in taurus-mutation-izar-node-sass (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c256602c1f7c8b93be5ed695597c57a40839d4299f5b8b8cbe4a4f17d74ed56c This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits 0
OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 4 views

Malicious code in table-old-sun-await-decode (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3fff252c7519516e755af569d60b67bb3cbe754fc47400f464b2f0a3628ac9d4 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits 0
OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 7 views

Malicious code in socketio-polaris-restart-adonis (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e80f723fb0c38fbfaf0efdc1c70d08acd508343dbd594e403fca9751fb9b1719 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits 0