CVE-2025-67718 Formio improperly authorized permission elevation through specially crafted request path

Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized...

CVE-2025-67718

Form.io exposes a path-handling vulnerability that can let unauthenticated/unauthorized requests access protected API endpoints by sending crafted request paths. Affected versions: 3.5.6 and earlier, and 4.0.0-rc.1 through 4.4.2. Impact is data exposure from endpoints that should be protected. Fi...

CVE-2025-67718 Formio improperly authorized permission elevation through specially crafted request path

Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized...

PT-2025-50565

Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized...

GHSA-M654-769V-QJV7 Formio improperly authorized permission elevation through specially crafted request path

Security Advisory: Unauthorized permission elevation through specially crafted request path Summary: A flaw in path handling could allow an attacker to access protected API endpoints by sending a crafted request path. This issue could result in unauthorized data disclosure under certain...

CVE-2013-10072 Nagios XI < 2012R1.6 Auto-Discovery Missing Authorization

Nagios XI versions prior to 2012R1.6 contain an authorization flaw in the Auto-Discovery functionality. Users with read-only roles could directly reach Auto-Discovery endpoints and pages that should require elevated permissions, exposing discovery results and allowing unintended access to discove...

CVE-2025-6892

CVE-2025-6892, -6893, and -6894 relate to Moxa network security devices. The connected Red Hat advisories describe a set of API/authorization flaws in Moxa appliances: (CVE-2025-6892) an Incorrect Authorization flaw in API authentication that allows unauthorized privileged operations after login;...

EUVD-2025-31126

Malicious code in bioql PyPI...

EUVD-2025-19645

Malicious code in bioql PyPI...

CVE-2025-59841

Flag Forge is a Capture The Flag CTF platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles session invalidation. Authenticated users can continue to access protected endpoints, such as /api/profile, even after logging out. CSRF tokens are also still...

CVE-2025-59841 FlagForgeCTF's Improper Session Handling Allows Access After Logout

Flag Forge is a Capture The Flag CTF platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles session invalidation. Authenticated users can continue to access protected endpoints, such as /api/profile, even after logging out. CSRF tokens are also still...

PT-2025-39418

Name of the Vulnerable Software and Affected Versions Flag Forge versions 2.2.0 through 2.3.0 Description Flag Forge improperly manages session invalidation. After a user logs out, they can still access protected endpoints, such as /api/profile, and CSRF tokens remain valid. This allows continued...

Linux Distros Unpatched Vulnerability : CVE-2022-42260

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - NVIDIA vGPU Display Driver for Linux guest contains a vulnerability in a D-Bus configuration file, where an unauthorized user in the guest VM can impact protect...

CVE-2025-34053

An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices’ streamd web server. The strstr function is used to identify ".cab" requests, allowing any URL containing ".cab" to bypass authentication and access protected endpoints...

CVE-2025-34053

An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices’ streamd web server. The strstr function is used to identify ".cab" requests, allowing any URL containing ".cab" to bypass authentication and access protected endpoints...

CVE-2025-35940

The CVE-2025-35940 entry concerns ArchiverSpaApi (ASP.NET) that uses a hard-coded JWT signing key. The information across sources indicates an unauthenticated attacker can generate a verifiable JWT token to access protected ArchiverSpaApi endpoints (e.g., /api/v1/login, /users/{id}). The Red Hat ...

CVE-2025-35940 Hard-coded ArchiverSpaApi JWT Signing Key

The ArchiverSpaApi ASP.NET application uses a hard-coded JWT signing key. An unauthenticated remote attacker can generate and use a verifiable JWT token to access protected ArchiverSpaApi URL endpoints...

CVE-2022-45922

An issue was discovered in OpenText Content Suite Platform 22.1 16.2.19.1803. The request handler for ll.KeepAliveSession sets a valid AdminPwd cookie even when the Web Admin password was not entered. This allows access to endpoints, which require a valid AdminPwd cookie, without knowing the...

OpenText Content Suite Platform 安全漏洞

OpenText Content Suite Platform is a top-of-the-line enterprise content management ECM system from OpenText. can manage the entire enterprise information lifecycle, from capture to archiving and disposal. A security vulnerability exists in OpenText Content Suite Platform version 22.1, which stems...

UBUNTU-CVE-2022-42260

NVIDIA vGPU Display Driver for Linux guest contains a vulnerability in a D-Bus configuration file, where an unauthorized user in the guest VM can impact protected D-Bus endpoints, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data...