Total
1235 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-27561 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| Unauthenticated attackers can rename "rooms" of arbitrary users. | |||||
| CVE-2025-27565 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| An unauthenticated attacker can delete any user's "rooms" by knowing the user's and room IDs. | |||||
| CVE-2025-27575 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| An unauthenticated attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID. | |||||
| CVE-2025-27719 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| Unauthenticated attackers can query an API endpoint and get device details. | |||||
| CVE-2025-27927 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| An unauthenticated attackers can obtain a list of smart devices by knowing a valid username through an unprotected API. | |||||
| CVE-2025-27929 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| Unauthenticated attackers can retrieve full list of users associated with arbitrary accounts. | |||||
| CVE-2025-30257 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| Unauthenticated attackers can retrieve serial number of smart meters associated to a specific user account. | |||||
| CVE-2025-31147 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users. | |||||
| CVE-2025-12366 | 2025-11-14 | N/A | 4.3 MEDIUM | ||
| The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.5 via the pagelayer_replace_page function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to replace media files belonging to other users, including administrators. | |||||
| CVE-2025-41069 | 2025-11-14 | N/A | N/A | ||
| Insecure Direct Object Reference (IDOR) vulnerability in DeporSite of T-INNOVA. This vulnerability allows an attacker to access or modify unauthorized resources by manipulating requests using the 'idUsuario' parameter in ‘/ajax/TInnova_v2/Formulario_Consentimiento/llamadaAjax/obtenerDatosConsentimientos’, which could lead to the exposure or alteration os confidential data. | |||||
| CVE-2025-8855 | 2025-11-14 | N/A | 8.1 HIGH | ||
| Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vulnerability in Optimus Software Brokerage Automation allows Exploiting Trust in Client, Authentication Bypass, Manipulate Registry Information.This issue affects Brokerage Automation: before 1.1.71. | |||||
| CVE-2024-12767 | 1 Buddyboss | 1 Buddyboss Platform | 2025-11-13 | N/A | 3.5 LOW |
| The buddyboss-platform WordPress plugin before 2.7.60 lacks proper access controls and allows a logged-in user to view comments on private posts | |||||
| CVE-2025-27938 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM |
| Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "rooms"). | |||||
| CVE-2025-27939 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 7.5 HIGH |
| An attacker can change registered email addresses of other users and take over arbitrary accounts. | |||||
| CVE-2025-30254 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM |
| An unauthenticated attacker can obtain a serial number of a smart meter(s) using its owner's username. | |||||
| CVE-2025-30514 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM |
| Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "scenes"). | |||||
| CVE-2025-62241 | 1 Liferay | 1 Digital Experience Platform | 2025-11-12 | N/A | 4.3 MEDIUM |
| Insecure Direct Object Reference (IDOR) vulnerability with shipment addresses in Liferay DXP 2023.Q4.1 through 2023.Q4.5 allows remote authenticated users to from one virtual instance to view the shipment addresses of different virtual instance via the _com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId parameter. | |||||
| CVE-2025-64431 | 2025-11-12 | N/A | N/A | ||
| Zitadel is an open source identity management platform. Versions 4.0.0-rc.1 through 4.6.2 are vulnerable to secure Direct Object Reference (IDOR) attacks through its V2Beta API, allowing authenticated users with specific administrator roles within one organization to access and modify data belonging to other organizations. Note that this vulnerability is limited to organization-level data (name, domains, metadata). No other related data (such as users, projects, applications, etc.) is affected. This issue is fixed in version 4.6.3. | |||||
| CVE-2025-12854 | 2025-11-12 | 2.6 LOW | 3.7 LOW | ||
| A vulnerability was identified in newbee-mall-plus up to 2.4.1. This vulnerability affects the function executeSeckill of the file /seckillExecution/. The manipulation of the argument userid leads to authorization bypass. It is possible to initiate the attack remotely. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit is publicly available and might be used. | |||||
| CVE-2025-11532 | 2025-11-12 | N/A | 5.3 MEDIUM | ||
| The Wisly plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.0 due to missing validation on the 'wishlist_id' user controlled key. This makes it possible for unauthenticated attackers to remove and add items to other user's wishlists. | |||||