Total
942 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-31654 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., "rooms"). | |||||
| CVE-2025-26857 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| Unauthenticated attackers can rename arbitrary devices of arbitrary users (i.e., EV chargers). | |||||
| CVE-2025-31147 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users. | |||||
| CVE-2025-27719 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| Unauthenticated attackers can query an API endpoint and get device details. | |||||
| CVE-2025-27929 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| Unauthenticated attackers can retrieve full list of users associated with arbitrary accounts. | |||||
| CVE-2025-31360 | 2025-04-16 | N/A | 6.5 MEDIUM | ||
| Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users. | |||||
| CVE-2025-26977 | 1 Ninjateam | 1 Filebird | 2025-04-15 | N/A | 3.8 LOW |
| Authorization Bypass Through User-Controlled Key vulnerability in Ninja Team Filebird allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Filebird: from n/a through 6.4.2.1. | |||||
| CVE-2025-3575 | 2025-04-15 | N/A | N/A | ||
| Insecure Direct Object Reference vulnerability in Deporsite from T-INNOVA allows an attacker to retrieve sensitive information from others users via "idUsuario" parameter in "/helper/Familia/establecerUsuarioSeleccion" endpoint. | |||||
| CVE-2025-3574 | 2025-04-15 | N/A | N/A | ||
| Insecure Direct Object Reference vulnerability in Deporsite from T-INNOVA allows an attacker to retrieve sensitive information from others users via "idUsuario" parameter in "/helper/Familia/obtenerFamiliaUsuario" endpoint. | |||||
| CVE-2024-33668 | 1 Zammad | 1 Zammad | 2025-04-15 | N/A | 9.1 CRITICAL |
| An issue was discovered in Zammad before 6.3.0. The Zammad Upload Cache uses insecure, partially guessable FormIDs to identify content. An attacker could try to brute force them to upload malicious content to article drafts they have no access to. | |||||
| CVE-2022-4097 | 1 Updraftplus | 1 All-in-one Security | 2025-04-14 | N/A | 5.3 MEDIUM |
| The All-In-One Security (AIOS) WordPress plugin before 5.0.8 is susceptible to IP Spoofing attacks, which can lead to bypassed security features (like IP blocks, rate limiting, brute force protection, and more). | |||||
| CVE-2024-12335 | 1 Theme-fusion | 1 Avada Builder | 2025-04-14 | N/A | 4.3 MEDIUM |
| The Avada (Fusion) Builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.11.12 via the handle_clone_post() function and the 'fusion_blog' shortcode and due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to. | |||||
| CVE-2023-36238 | 1 Webkul | 1 Bagisto | 2025-04-14 | N/A | 6.5 MEDIUM |
| Insecure Direct Object Reference (IDOR) in Bagisto v.1.5.1 allows an attacker to obtain sensitive information via the invoice ID parameter. | |||||
| CVE-2024-47316 | 1 Salonbookingsystem | 1 Salon Booking System | 2025-04-11 | N/A | 4.3 MEDIUM |
| Authorization Bypass Through User-Controlled Key vulnerability in Salon Booking System Salon booking system.This issue affects Salon booking system: from n/a through 10.9. | |||||
| CVE-2024-10670 | 1 Nicheaddons | 1 Primary Addon For Elementor | 2025-04-11 | N/A | 4.3 MEDIUM |
| The Primary Addon for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.6.2 via the [prim_elementor_template] shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created with Elementor that they should not have access to. | |||||
| CVE-2025-28874 | 1 Shanebp | 1 Bp Email Assign Templates | 2025-04-09 | N/A | 6.5 MEDIUM |
| Authorization Bypass Through User-Controlled Key vulnerability in shanebp BP Email Assign Templates allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BP Email Assign Templates: from n/a through 1.6. | |||||
| CVE-2025-2526 | 2025-04-08 | N/A | 8.8 HIGH | ||
| The Streamit theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like email in the 'st_Authentication_Controller::edit_profile' function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | |||||
| CVE-2024-50685 | 1 Sungrowpower | 1 Isolarcloud | 2025-04-07 | N/A | 9.1 CRITICAL |
| SunGrow iSolarCloud before the October 31, 2024 remediation, is vulnerable to insecure direct object references (IDOR) via the powerStationService API model. | |||||
| CVE-2024-50686 | 1 Sungrowpower | 1 Isolarcloud | 2025-04-07 | N/A | 9.1 CRITICAL |
| SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the commonService API model. | |||||
| CVE-2024-50687 | 1 Sungrowpower | 1 Isolarcloud | 2025-04-07 | N/A | 9.1 CRITICAL |
| SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the devService API model. | |||||