Tagged: Cybersecurity Alert

CVE-2026-21429

Emlog is an open source website building system. In version 2.5.23, the admin can set controls that make users unable to edit or delete their articles after publishing them. As of time of publication,...

CVE-2026-0567

A vulnerability was detected in code-projects Content Management System 1.0. The affected element is an unknown function of the file /pages.php. The manipulation of the argument ID results in SQL injection. The attack may...

CVE-2026-0568

A flaw has been found in code-projects Online Music Site 1.0. The impacted element is an unknown function of the file /Frontend/ViewSongs.php. This manipulation of the argument ID causes SQL injection. It is possible...

CVE-2026-0566

A security vulnerability has been detected in code-projects Content Management System 1.0. Impacted is an unknown function of the file /admin/edit_posts.php. The manipulation of the argument image leads to unrestricted upload. The attack is...

CVE-2025-67158

An authentication bypass in the /cgi-bin/jvsweb.cgi endpoint of Revotech I6032W-FHW v1.0.0014 – 20210517 allows attackers to access sensitive information and escalate privileges via a crafted HTTP request. More information: http://i6032w-fhw.com

CVE-2025-67159

Vatilon v1.12.37-20240124 was discovered to transmit user credentials in plaintext. More information: http://vatilon.com

CVE-2025-67160

An issue in Vatilon v1.12.37-20240124 allows attackers to access sensitive directories and files via a directory traversal. More information: http://vatilon.com

CVE-2025-34171

CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image endpoint can be abused with a user-controlled path...

CVE-2025-15439

A vulnerability was identified in Daptin 0.10.3. Affected by this vulnerability is the function goqu.L of the file server/resource/resource_aggregate.go of the component Aggregate API. The manipulation of the argument column/group/order leads to SQL injection....

CVE-2025-69284

Plane is an open-source project management tool. In plane.io, a guest user doesn’t have permission to access https[:]//app[.]plane[.]so/[:]slug/settings. Prior to Plane version 1.2.0, a problem occurs when the `/api/workspaces/:slug/members/` is accessible by...