EUVD-2025-201164

open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling attackers a normal user to stop arbitrary LLM response tasks...

Silicon Labs Simplicity Device Manager 安全漏洞

Silicon Labs Simplicity Device Manager is a component of an integrated development environment from Silicon Labs, Inc. A security vulnerability exists in Silicon Labs Simplicity Device Manager that stems from a publicly exposed web interface that could disclose NTLMv2 hashes...

CVE-2025-63681

Open-WebUI CVE-2025-63681 affects v0.6.33. The API endpoint /api/tasks/stop/ allows direct cancellation of tasks without verifying ownership, enabling a normal user to stop arbitrary LLM response tasks (Incorrect Access Control). Base score 4.3 (Medium); attack vector NETWORK, privileges required...

CVE-2025-13510

The Iskra iHUB and iHUB Lite smart metering gateway exposes its web management interface without requiring authentication, allowing unauthenticated users to access and modify critical device settings...

[SECURITY] Fedora 41 Update: nextcloud-32.0.2-1.fc41

NextCloud gives you universal access to your files through a web interface or WebDAV. It also provides a platform to easily view & sync your contacts, calendars and bookmarks across all your devices and enables basic editing rig ht on the web. NextCloud is extendable via a simple but powerful API...

CVE-2025-57202

CVE-2025-57202 describes a stored XSS in the PwdGrp.cgi endpoint of AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003. The vulnerability allows an attacker to inject arbitrary web scripts/HTML via a crafted payload in the username field. According to the provided metrics, the CVSS v...

CVE-2025-66460

Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, Lookyloo passed improperly escaped values to cells rendered in datatables using the orthogonal-data feature. It is definitely exploitable from the popu...

CVE-2025-66459 Lookyloo vulnerable to XSS due to unescaped error message passed to innerHTML

Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, a XSS vulnerability can be triggered when a user submits a list of URLs to capture, one of them contains a HTML element, and the capture fails. Then, t...

CVE-2024-32384

Kerlink gateways running KerOS prior to version 5.10 expose their web interface exclusively over HTTP, without HTTPS support. This lack of transport layer security allows a man-in-the-middle attacker to intercept and modify traffic between the client and the device...

PT-2025-48770

Name of the Vulnerable Software and Affected Versions Iskra iHUB and iHUB Lite affected versions not specified Description The Iskra iHUB and iHUB Lite smart metering gateway’s web management interface is accessible without authentication. This allows unauthenticated users to access and modify...

PT-2025-48752

Name of the Vulnerable Software and Affected Versions Lookyloo versions prior to 1.35.3 Description Lookyloo is a web interface used to capture website pages and display a tree of domains that interact with each other. A cross-site scripting XSS issue can occur when a user submits URLs for captur...

EUVD-2024-30202

Kerlink gateways running KerOS prior to version 5.10 expose their web interface exclusively over HTTP, without HTTPS support. This lack of transport layer security allows a man-in-the-middle attacker to intercept and modify traffic between the client and the device...

CVE-2024-32384

Kerlink gateways running KerOS prior to version 5.10 expose their web interface exclusively over HTTP, without HTTPS support. This lack of transport layer security allows a man-in-the-middle attacker to intercept and modify traffic between the client and the device...

CVE-2024-32384

Kerlink gateways running KerOS prior to version 5.10 expose their web interface exclusively over HTTP, without HTTPS support. This lack of transport layer security allows a man-in-the-middle attacker to intercept and modify traffic between the client and the device...

CVE-2025-13807 orionsec orion-ops API MachineKeyController.java MachineKeyController improper authorization

A vulnerability was detected in orionsec orion-ops up to 5925824997a3109651bbde07460958a7be249ed1. Affected is the function MachineKeyController of the file orion-ops-api/orion-ops-web/src/main/java/cn/orionsec/ops/controller/MachineKeyController.java of the component API. The manipulation result...

Kerlink KerOS 安全漏洞

Kerlink KerOS is an operating system from the French company Kerlink. A security vulnerability exists in Kerlink KerOS versions prior to 5.10, which stems from exposing the web interface over HTTP only and does not support HTTPS, which could lead to a man-in-the-middle attack...

CVE-2024-32384

Kerlink gateways running KerOS prior to version 5.10 expose their web interface exclusively over HTTP, without HTTPS support. This lack of transport layer security allows a man-in-the-middle attacker to intercept and modify traffic between the client and the device...

PT-2025-48568

Name of the Vulnerable Software and Affected Versions Grav versions prior to 1.11.0-beta.1 Description The Grav admin plugin, an HTML user interface for configuring Grav and managing pages, contains a Reflected Cross-Site Scripting XSS issue. An attacker can inject malicious scripts through the...

CVE-2025-61915

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to version 2.4.15, a user in the lpadmin group can use the cups web ui to change the config and insert a malicious line. Then the cupsd process which runs as root will parse the new config a...

ALPINE-CVE-2025-61915

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to version 2.4.15, a user in the lpadmin group can use the cups web ui to change the config and insert a malicious line. Then the cupsd process which runs as root will parse the new config a...