855 matches found

Positive Technologies
added 2025/09/24 12:0 a.m. | 5 views

PT-2025-39305

Name of the Vulnerable Software and Affected Versions: Cisco IOS XE Software (affected versions not specified). Description: A flaw exists in the HTTP API subsystem of Cisco IOS XE Software that may allow a remote attacker to inject commands that will execute with root privileges on the underlying...

CVSS 10 | AI score 7 | EPSS 0.00075
Exploits: 0 | References: 11

OSV
added 2025/09/17 8:11 p.m. | 2 views

GHSA-79HX-3FP8-HJ66 DragonFly vulnerable to arbitrary file read and write on a peer machine

Impact A peer exposes the gRPC API and HTTP API for consumption by other peers. These APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers’ secret data and to gain...

CVSS 7.9 | AI score 8.3 | EPSS 0.01837
Exploits: 0 | References: 5

OSV
added 2025/09/17 7:50 p.m. | 3 views

CVE-2025-59352 Dragonfly allows arbitrary file read and write on a peer machine

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the gRPC API and HTTP APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal...

CVSS 7.9 | AI score 7.9 | EPSS 0.01837
Exploits: 0 | References: 4

Tenable Nessus
added 2025/09/10 12:0 a.m. | 3 views

Linux Distros Unpatched Vulnerability : CVE-2025-1385

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - When the library bridge feature is enabled, the clickhouse-library-bridge exposes an HTTP API on localhost. This allows clickhouse-server to dynamically load a...

CVSS 7.5 | AI score 6.3 | EPSS 0.00132
Exploits: 0 | References: 2

OSV
added 2025/08/20 5:15 p.m. | 2 views

CVE-2025-8415

A vulnerability was found in the Cryostat HTTP API. Cryostat's HTTP API binds to all network interfaces, allowing possible external visibility and access to the API port if Network Policies are disabled, allowing an unauthenticated, malicious attacker to jeopardize the environment...

CVSS 5.9 | AI score 6.8 | EPSS 0.00056
Exploits: 0 | References: 5

Cvelist
added 2025/08/19 5:46 p.m. | 10 views

CVE-2025-55295 qBit Manage Path Traversal Vulnerability

qBit Manage is a tool that helps manage tedious tasks in qBittorrent and automate them. A path traversal vulnerability exists in qbitmanage's web API that allows authenticated users to read arbitrary files from the server filesystem through the restore_config_from_backup endpoint. The vulnerability...

CVSS 6.5 | EPSS 0.00128
Exploits: 0 | References: 2

CVE
added 2025/08/19 5:46 p.m. | 13 views

CVE-2025-55295

CVE-2025-55295 is a path traversal flaw in qBit Manage’s web API. Authenticated users can bypass directory restrictions via the backup_id parameter in the restore_config_from_backup endpoint, allowing reading of arbitrary server files. The issue affects qBit Manage prior to version 4.5.4. The fix...

CVSS 6.5 | AI score 6.8 | EPSS 0.00128
Exploits: 0 | References: 2

CNNVD
added 2025/08/19 12:0 a.m. | 3 views

qBit Manage Path Traversal Vulnerability

qBit Manage is an open source seed management tool by StuffAnThings. A path traversal vulnerability exists in qBit Manage, which stems from the presence of path traversal in the web API, which could lead to reading arbitrary files...

CVSS 6.5 | AI score 6.8 | EPSS 0.00128
Exploits: 0 | References: 3

OSV
added 2025/08/14 6:52 p.m. | 2 views

MAL-2025-28178 Malicious code in okcollege-web-api (npm)

The package okcollege-web-api was found to contain malicious code...

AI score 7.2
Exploits: 0

OSSF Malicious Packages
added 2025/08/14 6:52 p.m. | 3 views

Malicious code in okcollege-web-api (npm)

The package okcollege-web-api was found to contain malicious code...

AI score 7
Exploits: 0

OSV
added 2025/08/14 6:52 p.m. | 2 views

MAL-2025-38965 Malicious code in web-api-mongodb-connection-factory (npm)

The package web-api-mongodb-connection-factory was found to contain malicious code...

AI score 7.2
Exploits: 0

OSSF Malicious Packages
added 2025/08/14 6:52 p.m. | 3 views

Malicious code in web-api-error (npm)

The package web-api-error was found to contain malicious code...

AI score 7
Exploits: 0

OSV
added 2025/08/14 6:52 p.m. | 2 views

MAL-2025-38964 Malicious code in web-api-error (npm)

The package web-api-error was found to contain malicious code...

AI score 7.2
Exploits: 0

CNNVD
added 2025/08/04 12:0 a.m. | 3 views

Tera Insights tiCrypt Security Vulnerability

Tera Insights tiCrypt is a private cloud secure computing platform from Tera Insights, Inc. in the United States. A security vulnerability exists in versions of Tera Insights tiCrypt prior to 2025-07-17 that stems from tiaudit allowing unauthenticated REST API requests to disclose sensitive...

CVSS 5.3 | AI score 6.5 | EPSS 0.00078
Exploits: 0 | References: 3

Packet Storm
added 2025/07/02 12:0 a.m. | 95 views

📄 Microsoft SharePoint 2019 NTLM Authentication Information Disclosure

Microsoft SharePoint Central Administration improperly exposes NTLM-authenticated endpoints to low-privileged or even brute-forced domain accounts. Once authenticated, an attacker can access the api/web endpoint, disclosing rich metadata about the SharePoint site, including user group...

CVSS 8.8 | AI score 6.3 | EPSS 0.10345
Exploits: 2

RedhatCVE
added 2025/06/14 8:17 p.m. | 3 views

CVE-2025-2745

A cross-site scripting vulnerability exists in AVEVA PI Web API version 2023 SP1 and prior that, if exploited, could allow an authenticated attacker with privileges to create/update annotations or upload media files to persist arbitrary JavaScript code that will be executed by users who were...

CVSS 6.5 | AI score 6.2 | EPSS 0.00145
Exploits: 0 | References: 1

NVD
added 2025/06/12 8:15 p.m. | 12 views

CVE-2025-2745

A cross-site scripting vulnerability exists in AVEVA PI Web API version 2023 SP1 and prior that, if exploited, could allow an authenticated attacker with privileges to create/update annotations or upload media files to persist arbitrary JavaScript code that will be executed by users who were...

CVSS 6.5 | EPSS 0.00145
Exploits: 0 | References: 2

CVE
added 2025/06/12 7:42 p.m. | 60 views

CVE-2025-2745

CVE-2025-2745 is a cross-site scripting vulnerability in AVEVA PI Web API (versions 2023 SP1 and prior). The root cause is improper handling that allows an authenticated attacker, with privileges to create/update annotations or upload media files, to persist arbitrary JavaScript code. The code co...

CVSS 6.5 | AI score 6.3 | EPSS 0.00145
Exploits: 0 | References: 2

Vulnrichment
added 2025/06/12 7:42 p.m. | 12 views

CVE-2025-2745 AVEVA PI Web API Cross-site Scripting

A cross-site scripting vulnerability exists in AVEVA PI Web API version 2023 SP1 and prior that, if exploited, could allow an authenticated attacker with privileges to create/update annotations or upload media files to persist arbitrary JavaScript code that will be executed by users who were...

CVSS 6.5 | AI score 6.5 | EPSS 0.00145
Exploits: 0 | References: 2

Cvelist
added 2025/06/12 7:42 p.m. | 16 views

CVE-2025-2745 AVEVA PI Web API Cross-site Scripting

A cross-site scripting vulnerability exists in AVEVA PI Web API version 2023 SP1 and prior that, if exploited, could allow an authenticated attacker with privileges to create/update annotations or upload media files to persist arbitrary JavaScript code that will be executed by users who were...

CVSS 6.5 | EPSS 0.00145
Exploits: 0 | References: 2