4974 matches found
CVE-2025-69034
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Mikado-Themes Lekker lekker allows PHP Local File Inclusion. This issue affects Lekker: from n/a through = 1.8...
CVE-2025-13029 Knowband Mobile App Builder for wooCommerce < 3.0.0 – Unauthenticated Arbitrary User Deletion
The Knowband Mobile App Builder WordPress plugin before 3.0.0 does not have authorisation when deleting users via its REST API, allowing unauthenticated attackers to delete arbitrary users...
EUVD-2024-55371
Akuvox Smart Intercom S539 contains an improper access control vulnerability that allows users with 'User' privileges to modify API access settings and configurations. Attackers can exploit this vulnerability to escalate privileges and gain unauthorized access to administrative functionalities...
CVE-2024-58337
Akuvox Smart Intercom S539 contains an improper access control vulnerability that allows users with 'User' privileges to modify API access settings and configurations. Attackers can exploit this vulnerability to escalate privileges and gain unauthorized access to administrative functionalities...
CVE-2024-58337 Akuvox Smart Intercom S539 Improper Access Control via ServicesHTTPAPI
Akuvox Smart Intercom S539 contains an improper access control vulnerability that allows users with 'User' privileges to modify API access settings and configurations. Attackers can exploit this vulnerability to escalate privileges and gain unauthorized access to administrative functionalities...
EUVD-2025-205817
Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when enable_names is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix...
GO-2025-4268 Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources in code.gitea.io/gitea
Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources in code.gitea.io/gitea...
PT-2025-54254
Name of the Vulnerable Software and Affected Versions: Tinycontrol LAN Controller version 1.58a. Description: An authentication bypass allows unauthenticated attackers to change admin passwords. This is achieved by sending a crafted API request to the /stm.cgi endpoint with a specially crafted...
PT-2025-54189
Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when enable_names is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix...
EUVD-2025-205432
IBM API Connect 10.0.8.0 through 10.0.8.5, and 10.0.11.0 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application...
Incorrect Authorization
Overview: Affected versions of this package are vulnerable to Incorrect Authorization due to mishandling access control to private resources. An attacker can gain unauthorized access to private resources by using an API token that is restricted to public resources. Remediation: Upgrade...
CVE-2025-66377
CVE-2025-66377 affects Pexip Infinity prior to 39.0. A missing authentication for a critical function in a product-internal API allows an attacker who already has code execution on one node to impact the operation of other nodes in the installation. This is not listed as exploitable in the provid...
CVE-2025-3232
CVE-2025-3232 affects Mitsubishi Electric Europe smartRTU, where a remote unauthenticated attacker can bypass authentication via a specific API route and execute arbitrary OS commands. The Red Hat/NVD/EUVD/NVD-derived records consistently describe an access-control failure enabling command execut...
CVE-2025-3232 Mitsubishi Electric Europe smartRTU Missing Authentication for Critical Function
A remote unauthenticated attacker may be able to bypass authentication by utilizing a specific API route to execute arbitrary OS commands...
PT-2025-53377
Name of the Vulnerable Software and Affected Versions: affected versions not specified. Description: A remote, unauthenticated attacker may be able to bypass authentication by utilizing a specific API route to execute arbitrary OS commands. The attack involves accessing an API endpoint that allows f...
Mitsubishi Electric smartRTU Access Control Error Vulnerability
The Mitsubishi Electric smartRTU is a smart remote terminal unit (RTU) from Mitsubishi Electric of Japan. The Mitsubishi Electric smartRTU suffers from an access control error vulnerability that stems from a specific API route that can bypass authentication and could lead to the execution of arbitrary...
golang: archive/tar: Unbounded allocation when parsing GNU sparse map
A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a big number of sparse regions can cause a Go...