Total: 197 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2025-11280 | | | 2025-10-05 | 2.6 LOW | 3.7 LOW | A flaw has been found in Frappe LMS 2.35.0 in an unknown function of the file /files/ in the Assignment Picture Handler component. The manipulation leads to a direct request (forced browsing). The attack may be initiated remotely; its complexity is rated high and exploitability is considered difficult. An exploit has been published and may be used. Upgrading the affected component is advisable. The vendor was informed early about a total of four security issues and confirmed that they have been fixed, but the release notes on GitHub do not mention them. |
CVE-2025-1542 | | | 2025-10-03 | N/A | N/A | Improper permission control vulnerability in the OXARI ServiceDesk application could allow an attacker using guest access or an unprivileged account to gain additional administrative permissions in the application. This issue affects OXARI ServiceDesk versions before 2.0.324.0. |
CVE-2025-41404 | Irohasoft | Iroha Board | 2025-09-30 | N/A | 4.3 MEDIUM | Direct request ('Forced Browsing') issue exists in iroha Board versions v0.10.12 and earlier. If this vulnerability is exploited, non-public content may be viewed by an attacker who can log in to the affected product. |
CVE-2024-55075 | Grocy Project | Grocy | 2025-09-29 | N/A | 4.3 MEDIUM | Grocy through 4.3.0 allows remote attackers to obtain sensitive information via direct requests to pages that are not shown in the UI, such as calendar and recipes. |
CVE-2025-59797 | | | 2025-09-22 | N/A | 5.8 MEDIUM | Profession Fit 5.0.99 Build 44910 allows authorization bypass via a direct request for /api/challenges/{id}, and also via the URLs for eversports, the user-management page, and the plane page. |
CVE-2025-10287 | | | 2025-09-15 | 2.1 LOW | 3.1 LOW | A vulnerability has been found in roncoo roncoo-pay up to commit 9428382af21cd5568319eae7429b7e1d0332ff40 in an unknown function of the file /auth/orderQuery. Manipulation of the argument orderNo leads to a direct request (forced browsing). The attack may be performed remotely; its complexity is rated high and exploitability is described as difficult. An exploit has been disclosed to the public and may be used. The product uses a rolling release model for continuous delivery, so version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond. |
CVE-2024-9945 | | | 2025-08-29 | N/A | 5.3 MEDIUM | An information-disclosure vulnerability exists in Fortra's GoAnywhere MFT prior to version 7.7.0 that allows external access to resources in certain admin root folders. |
CVE-2025-31971 | | | 2025-08-29 | N/A | 5.1 MEDIUM | AIML Solutions for HCL SX has a URL validation flaw. The issue may allow attackers to launch a server-side request forgery (SSRF) attack, enabling unauthorized network calls from the system and potentially exposing internal services or sensitive information. |
CVE-2022-43110 | | | 2025-08-25 | N/A | 9.8 CRITICAL | Voltronic Power ViewPower through 1.04-21353 and PowerShield Netguard before 1.04-23292 allow a remote attacker to configure the system via an unspecified web interface. An unauthenticated remote attacker can make changes to the system including changing the web interface admin password, viewing or changing the system configuration, enumerating connected UPS devices and shutting down connected UPS devices. This extends to configuring operating system commands that run if the system detects a connected UPS shutting down. |
CVE-2025-55736 | Dogukanurker | Flaskblog | 2025-08-22 | N/A | 6.5 MEDIUM | flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change their own role to "admin", gaining its privileges (e.g. deleting users, posts and comments). The problem is in the routes/adminPanelUsers file. |
CVE-2022-40845 | Tenda | W15e, W15e Firmware | 2025-07-07 | N/A | 6.5 MEDIUM | The Tenda AC1200 Router model W15Ev2 V15.11.0.10(1576) is affected by a password exposure vulnerability. When combined with the improper authorization/improper session management vulnerability, an attacker with access to the router may be able to expose sensitive information which they are not explicitly authorized to have. |
CVE-2025-53073 | | | 2025-06-26 | N/A | 4.2 MEDIUM | In Sentry 25.1.0 through 25.5.1, an authenticated attacker can access a project's issue endpoint and perform unauthorized actions (such as adding a comment) without being a member of the project's team. A seven-digit issue ID must be known; it is not treated as a secret and might be mentioned publicly, or it could be predicted. |
CVE-2025-6352 | Code-projects | Automated Voting System | 2025-06-26 | 5.0 MEDIUM | 5.3 MEDIUM | A vulnerability classified as problematic has been found in code-projects Automated Voting System 1.0 in an unknown function of the file /vote.php in the Backend component. The manipulation leads to a direct request (forced browsing). The attack can be launched remotely. An exploit has been disclosed to the public and may be used. |
CVE-2025-52920 | | | 2025-06-23 | N/A | 6.4 MEDIUM | Innoshop through 0.4.1 allows Insecure Direct Object Reference (IDOR) at multiple places within the frontend shop. Anyone can create a customer account and easily exploit these. Successful exploitation results in disclosure of other customers' PII and deletion of their product reviews. Specifically, an attacker can view the details of any order by browsing to /en/account/orders/_ORDER_ID_, or use the address and billing information of other customers by manipulating the shipping_address_id and billing_address_id parameters when placing an order (this information is then reflected in the receipt). Additionally, an attacker can delete other users' reviews by sending a DELETE request to /en/account/reviews/_REVIEW_ID. |
CVE-2025-47226 | Snipeitapp | Snipe-it | 2025-06-03 | N/A | 5.0 MEDIUM | Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information. |
CVE-2025-48201 | | | 2025-05-21 | N/A | 8.6 HIGH | The ns_backup extension through 13.0.0 for TYPO3 has a Predictable Resource Location. |
CVE-2025-48202 | | | 2025-05-21 | N/A | 5.3 MEDIUM | The femanager extension through 8.2.1 for TYPO3 allows Insecure Direct Object Reference. |
CVE-2025-48207 | | | 2025-05-21 | N/A | 8.6 HIGH | The reint_downloadmanager extension through 5.0.0 for TYPO3 allows Insecure Direct Object Reference. |
CVE-2025-48205 | | | 2025-05-21 | N/A | 8.6 HIGH | The sr_feuser_register extension through 12.4.8 for TYPO3 allows Insecure Direct Object Reference. |
CVE-2022-36158 | Contec | Fxa2000, Fxa2000 Firmware, Fxa3000 and 5 more | 2025-05-21 | N/A | 8.0 HIGH | Contec FXA3200 version 1.13.00 and under suffers from insecure permissions in the Wireless LAN Manager interface, which allow malicious actors to execute Linux commands with root privilege via a hidden web page (/usr/www/ja/mnt_cmd.cgi). |
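The common root cause across the entries above is a handler that selects a row by the ID the client supplies and never checks who the authenticated user is. The following is an added example, not code from Innoshop or any other project in the list: it models, over constructed in-memory data, the three IDOR cases the Innoshop entry describes (view any order by ID, place an order with another customer's shipping_address_id/billing_address_id, delete another customer's review) beside hardened handlers that scope every lookup to the authenticated customer. The table names, customer numbers and the NotFound/denied helpers are assumptions made for the example.

```python
"""Added example (not Innoshop's or any listed project's code): vulnerable
object lookups keyed on the client-supplied ID, beside the hardened form
that scopes each lookup to the authenticated customer. Data is constructed."""
from dataclasses import dataclass
from typing import Any, Dict


class NotFound(Exception):
    """Raised for missing and for not-owned objects alike, so a response
    never confirms that another customer's ID exists."""


@dataclass
class Order:
    id: int
    customer_id: int
    shipping_address_id: int
    billing_address_id: int
    total: str


@dataclass
class Address:
    id: int
    customer_id: int
    line: str


@dataclass
class Review:
    id: int
    customer_id: int
    text: str


# Constructed data: customer 1 is the attacker, customer 2 the victim.
ADDRESSES: Dict[int, Address] = {10: Address(10, 1, "1 Attacker St"),
                                 20: Address(20, 2, "2 Victim Ave")}
ORDERS: Dict[int, Order] = {101: Order(101, 1, 10, 10, "49.00"),
                            102: Order(102, 2, 20, 20, "120.00")}
REVIEWS: Dict[int, Review] = {501: Review(501, 1, "fine"),
                              502: Review(502, 2, "great")}
_next_order_id = 103


def _new_order(customer_id: int, ship: Address, bill: Address, total: str) -> Order:
    global _next_order_id
    order = Order(_next_order_id, customer_id, ship.id, bill.id, total)
    ORDERS[order.id] = order
    _next_order_id += 1
    return order


# Vulnerable handlers: the ID taken from the URL or form is the only input
# used to select the row; current_user is accepted but never consulted.
def view_order_vulnerable(current_user: int, order_id: int) -> Order:
    if order_id not in ORDERS:
        raise NotFound()
    return ORDERS[order_id]


def place_order_vulnerable(current_user: int, shipping_address_id: int,
                           billing_address_id: int, total: str) -> Order:
    return _new_order(current_user, ADDRESSES[shipping_address_id],
                      ADDRESSES[billing_address_id], total)


def delete_review_vulnerable(current_user: int, review_id: int) -> None:
    del REVIEWS[review_id]


# Hardened handlers: one helper performs the ownership check for every
# lookup, and a foreign ID is indistinguishable from a nonexistent one.
def _owned(table: Dict[int, Any], current_user: int, obj_id: int) -> Any:
    obj = table.get(obj_id)
    if obj is None or obj.customer_id != current_user:
        raise NotFound()
    return obj


def view_order(current_user: int, order_id: int) -> Order:
    return _owned(ORDERS, current_user, order_id)


def place_order(current_user: int, shipping_address_id: int,
                billing_address_id: int, total: str) -> Order:
    ship = _owned(ADDRESSES, current_user, shipping_address_id)
    bill = _owned(ADDRESSES, current_user, billing_address_id)
    return _new_order(current_user, ship, bill, total)


def delete_review(current_user: int, review_id: int) -> None:
    _owned(REVIEWS, current_user, review_id)
    del REVIEWS[review_id]


def denied(handler, *args) -> bool:
    """True when the handler refuses the request with NotFound."""
    try:
        handler(*args)
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    # Customer 1 attempts each move against customer 2's data; the hardened
    # handler is tried first so the vulnerable one's side effects cannot mask it.
    for label, hard, weak in [
        ("view order 102", (view_order, 1, 102), (view_order_vulnerable, 1, 102)),
        ("order with address 20", (place_order, 1, 20, 20, "1.00"),
         (place_order_vulnerable, 1, 20, 20, "1.00")),
        ("delete review 502", (delete_review, 1, 502), (delete_review_vulnerable, 1, 502)),
    ]:
        print(f"{label}: hardened refused={denied(*hard)}, vulnerable refused={denied(*weak)}")
```

Two design choices are worth copying into a real application: current_user must come from the server-side session, never from a request parameter, and the hardened helper answers "not found" for both a missing and a foreign object so that a 403-versus-404 difference cannot be used to enumerate which IDs exist (the Sentry entry above shows why predictable IDs make that matter).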
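From the defender's side, the traffic an attacker generates while exploiting entries like the Innoshop, Profession Fit (/api/challenges/{id}) and Sentry (seven-digit issue IDs) cases is distinctive: one client walking many object IDs on a single route in a short time, either in sequence or collecting refusals. The following detector is an added example that is not code from any project listed above; the access-log format (Common Log Format without referer and user agent), the thresholds, and every sample log line are constructed for the example.

```python
"""Added example (not code from any project listed above): flag clients that
walk object IDs on one route, the pattern an IDOR / forced-browsing probe
leaves in access logs. Log format, thresholds and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Common Log Format without referer/user-agent; adjust for your server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
# A path segment that is purely numeric: the object identifier being walked.
ID_RE = re.compile(r'/(\d+)(?=/|$)')


def templatize(path: str) -> Tuple[str, List[int]]:
    """'/en/account/orders/102?x=1' -> ('/en/account/orders/{id}', [102])."""
    path = path.split('?', 1)[0]
    ids = [int(i) for i in ID_RE.findall(path)]
    return ID_RE.sub('/{id}', path), ids


def find_enumeration(lines, min_ids: int = 5,
                     window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """One alert per (client, user, route) that touched at least `min_ids`
    distinct IDs inside `window` and either walked them in sequence or was
    mostly refused (401/403/404). Successful hits are counted separately:
    they are the requests that actually disclosed or modified something."""
    hits: Dict[tuple, list] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip lines we cannot parse
        template, ids = templatize(m['path'])
        if not ids:
            continue                       # no object ID in this path
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        key = (m['ip'], m['user'], f"{m['method']} {template}")
        hits[key].append((ts, ids[-1], int(m['status'])))

    alerts = []
    for (ip, user, route), events in hits.items():
        events.sort()
        distinct = sorted({obj_id for _, obj_id, _ in events})
        if len(distinct) < min_ids:
            continue
        if events[-1][0] - events[0][0] > window:
            continue
        steps = [b - a for a, b in zip(distinct, distinct[1:])]
        sequential = sum(1 for s in steps if s == 1) / len(steps)
        denied = sum(1 for _, _, st in events if st in (401, 403, 404))
        succeeded = sum(1 for _, _, st in events if 200 <= st < 300)
        if sequential < 0.6 and denied / len(events) < 0.5:
            continue                       # many IDs, but looks like normal use
        alerts.append({
            'client': ip, 'user': user, 'route': route,
            'ids': len(distinct), 'sequential': round(sequential, 2),
            'denied': denied, 'succeeded': succeeded,
        })
    return sorted(alerts, key=lambda a: (a['client'], a['route']))


# Constructed sample: 'alice' walks order IDs 101-107 and a vulnerable shop
# answers 200 for orders she does not own; an unauthenticated client probes
# scattered challenge IDs and is refused; 'bob' views his own order once.
SAMPLE_LOG = """\
203.0.113.7 - alice [05/Oct/2025:10:00:01 +0000] "GET /en/account/orders/101 HTTP/1.1" 200 1432
203.0.113.7 - alice [05/Oct/2025:10:00:03 +0000] "GET /en/account/orders/102 HTTP/1.1" 200 1398
203.0.113.7 - alice [05/Oct/2025:10:00:05 +0000] "GET /en/account/orders/103 HTTP/1.1" 200 1401
203.0.113.7 - alice [05/Oct/2025:10:00:07 +0000] "GET /en/account/orders/104 HTTP/1.1" 200 1377
203.0.113.7 - alice [05/Oct/2025:10:00:09 +0000] "GET /en/account/orders/105 HTTP/1.1" 404 212
203.0.113.7 - alice [05/Oct/2025:10:00:11 +0000] "GET /en/account/orders/106 HTTP/1.1" 200 1390
203.0.113.7 - alice [05/Oct/2025:10:00:13 +0000] "GET /en/account/orders/107 HTTP/1.1" 200 1405
198.51.100.20 - bob [05/Oct/2025:10:02:40 +0000] "GET /en/account/orders/102 HTTP/1.1" 200 1398
192.0.2.9 - - [05/Oct/2025:10:05:00 +0000] "GET /api/challenges/9001 HTTP/1.1" 403 98
192.0.2.9 - - [05/Oct/2025:10:05:02 +0000] "GET /api/challenges/1337 HTTP/1.1" 403 98
192.0.2.9 - - [05/Oct/2025:10:05:04 +0000] "GET /api/challenges/42 HTTP/1.1" 403 98
192.0.2.9 - - [05/Oct/2025:10:05:06 +0000] "GET /api/challenges/777 HTTP/1.1" 403 98
192.0.2.9 - - [05/Oct/2025:10:05:08 +0000] "GET /api/challenges/55 HTTP/1.1" 403 98
"""

if __name__ == '__main__':
    for alert in find_enumeration(SAMPLE_LOG.splitlines()):
        print(alert)
```

The 'succeeded' count is the number to triage first: a run of 200s on IDs the user should not own means the application, not the attacker, is what needs fixing, while a run of 403/404s is a probe that the authorization layer stopped. The thresholds are starting points; tune min_ids and the window against your own traffic before alerting on them.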