855 matches found

Positive Technologies
added 2025/06/12 12:0 a.m. · 3 views

PT-2025-25349 · Aveva · Aveva Pi Web Api

Name of the Vulnerable Software and Affected Versions: AVEVA PI Web API versions 2023 SP1 and prior
Description: A cross-site scripting issue exists that could allow an authenticated attacker with privileges to create or update annotations, or upload media files, to persist arbitrary JavaScript...

6.5 CVSS · 5.8 AI score · 0.00145 EPSS
Exploits: 0 · References: 6

RedhatCVE
added 2025/05/29 8:50 a.m. · 3 views

CVE-2025-2407

Missing Authentication & Authorization in Web-API in Mobatime AMX MTAPI v6 on IIS allows adversaries unrestricted access via the network. The vulnerability is fixed in Version 1.5...

9.3 CVSS · 6.9 AI score · 0.00223 EPSS
Exploits: 0 · References: 1

Veracode
added 2025/05/29 2:35 a.m. · 7 views

Prototype Pollution

Docarray is vulnerable to prototype pollution. The vulnerability is due to a lack of input sanitization in the __getitem__ function of torch_dataset.py in the Web API component, which allows an attacker to remotely manipulate object prototypes...

8.8 CVSS · 6.6 AI score · 0.00385 EPSS
Exploits: 1 · References: 6 · Affected Software: 1

RedhatCVE
added 2025/05/27 3:31 p.m. · 14 views

CVE-2025-5150

A vulnerability was found in docarray up to 0.40.1. It has been rated as critical. Affected by this issue is the function __getitem__ of the file /docarray/data/torch_dataset.py of the component Web API. The manipulation leads to improperly controlled modification of object prototype attributes...

8.8 CVSS · 7 AI score · 0.00385 EPSS
Exploits: 1 · References: 1

NVD
added 2025/05/27 8:15 a.m. · 11 views

CVE-2025-2407

Missing Authentication & Authorization in Web-API in Mobatime AMX MTAPI v6 on IIS allows adversaries unrestricted access via the network. The vulnerability is fixed in Version 1.5...

9.3 CVSS · 0.00223 EPSS
Exploits: 0 · References: 1

Cvelist
added 2025/05/27 7:52 a.m. · 21 views

CVE-2025-2407 Missing Authentication & Authorization in Web-API allows adversary unrestricted access

Missing Authentication & Authorization in Web-API in Mobatime AMX MTAPI v6 on IIS allows adversaries unrestricted access via the network. The vulnerability is fixed in Version 1.5...

9.3 CVSS · 0.00223 EPSS
Exploits: 0 · References: 1

Vulnrichment
added 2025/05/27 7:52 a.m. · 12 views

CVE-2025-2407 Missing Authentication & Authorization in Web-API allows adversary unrestricted access

Missing Authentication & Authorization in Web-API in Mobatime AMX MTAPI v6 on IIS allows adversaries unrestricted access via the network. The vulnerability is fixed in Version 1.5...

9.3 CVSS · 6.8 AI score · 0.00223 EPSS
Exploits: 0 · References: 1

Positive Technologies
added 2025/05/27 12:0 a.m. · 3 views

PT-2025-22972 · Mobatime · Mobatime Amx Mtapi

Name of the Vulnerable Software and Affected Versions: Mobatime AMX MTAPI v6 versions prior to 1.5
Description: The issue concerns Missing Authentication & Authorization in the Web-API of Mobatime AMX MTAPI v6 on IIS, allowing adversaries to gain unrestricted access via the network...

9.3 CVSS · 9.6 AI score · 0.00223 EPSS
Exploits: 0 · References: 8

GitHub Security Blog
added 2025/05/25 3:30 p.m. · 12 views

docarray prototype pollution

A vulnerability was found in docarray up to 0.40.1. It has been rated as critical. Affected by this issue is the function __getitem__ of the file /docarray/data/torch_dataset.py of the component Web API. The manipulation leads to improperly controlled modification of object prototype attributes...

8.8 CVSS · 6.6 AI score · 0.00385 EPSS
Exploits: 1 · References: 6 · Affected Software: 1

OSV
added 2025/05/25 3:30 p.m. · 4 views

GHSA-J9WP-865G-RF48 docarray prototype pollution

A vulnerability was found in docarray up to 0.40.1. It has been rated as critical. Affected by this issue is the function __getitem__ of the file /docarray/data/torch_dataset.py of the component Web API. The manipulation leads to improperly controlled modification of object prototype attributes...

6.3 CVSS · 6.9 AI score · 0.00385 EPSS
Exploits: 1 · References: 6

NVD
added 2025/05/25 3:15 p.m. · 11 views

CVE-2025-5150

A vulnerability was found in docarray up to 0.40.1. It has been rated as critical. Affected by this issue is the function __getitem__ of the file /docarray/data/torch_dataset.py of the component Web API. The manipulation leads to improperly controlled modification of object prototype attributes...

8.8 CVSS · 0.00385 EPSS
Exploits: 1 · References: 4

Cvelist
added 2025/05/25 3:0 p.m. · 19 views

CVE-2025-5150 docarray Web API torch_dataset.py __getitem__ prototype pollution

A vulnerability was found in docarray up to 0.40.1. It has been rated as critical. Affected by this issue is the function __getitem__ of the file /docarray/data/torch_dataset.py of the component Web API. The manipulation leads to improperly controlled modification of object prototype attributes...

6.5 CVSS · 0.00385 EPSS
Exploits: 1 · References: 4

CVE
added 2025/05/25 3:0 p.m. · 73 views

CVE-2025-5150

CVE-2025-5150 affects docarray ≤ 0.40.1, specifically the Web API file /docarray/data/torch_dataset.py, where the vulnerable function is __getitem__. The issue enables prototype pollution via object prototype attributes, potentially allowing remote exploitation. Multiple sources corroborate a remote...

8.8 CVSS · 6.4 AI score · 0.00385 EPSS
Exploits: 1 · References: 4 · Affected Software: 1

RedhatCVE
added 2025/05/23 10:33 a.m. · 7 views

CVE-2024-45104

A valid, authenticated LXCA user without sufficient privileges may be able to use the device identifier to modify an LXCA managed device through a specially crafted web API call...

6.5 CVSS · 6.7 AI score · 0.00128 EPSS
Exploits: 0

RedhatCVE
added 2025/05/23 3:56 a.m. · 4 views

CVE-2023-34418

A valid, authenticated LXCA user may be able to gain unauthorized access to events and other data stored in LXCA due to a SQL injection vulnerability in a specific web API...

8.1 CVSS · 7.6 AI score · 0.0029 EPSS
Exploits: 0

RedhatCVE
added 2025/05/23 3:55 a.m. · 4 views

CVE-2023-34422

A valid, authenticated LXCA user with elevated privileges may be able to delete folders in the LXCA filesystem through a specifically crafted web API call due to insufficient input validation...

6.5 CVSS · 6.6 AI score · 0.00125 EPSS
Exploits: 0

RedhatCVE
added 2025/05/23 3:54 a.m. · 5 views

CVE-2023-34421

A valid, authenticated LXCA user with elevated privileges may be able to replace filesystem data through a specifically crafted web API call due to insufficient input validation...

6.5 CVSS · 6.7 AI score · 0.00125 EPSS
Exploits: 0

RedhatCVE
added 2025/05/23 2:40 a.m. · 2 views

CVE-2023-30612

Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. This vulnerability allows users to close arbitrary open file descriptors in the Cloud Hypervisor process by sending a malicious HTTP request through the HTTP API socket. As a result, the Cloud Hypervisor process can be easily...

4.9 CVSS · 7 AI score · 0.0023 EPSS
Exploits: 0 · References: 1

RedhatCVE
added 2025/05/23 2:12 a.m. · 6 views

CVE-2023-34420

A valid, authenticated LXCA user with elevated privileges may be able to execute command injections through crafted calls to a specific web API...

7.2 CVSS · 7 AI score · 0.00415 EPSS
Exploits: 0 · References: 1

RedhatCVE
added 2025/05/23 2:3 a.m. · 5 views

CVE-2023-33237

TN-5900 Series firmware version v3.3 and prior is vulnerable to an improper-authentication vulnerability. This vulnerability arises from inadequate authentication measures implemented in the web API handler, allowing low-privileged APIs to execute restricted actions that only high-privileged APIs ar...

8.8 CVSS · 7.3 AI score · 0.0028 EPSS
Exploits: 0 · References: 1