Total
44 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-30512 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 6.5 MEDIUM |
| Unauthenticated attackers can send configuration settings to device and possible perform physical actions remotely (e.g., on/off). | |||||
| CVE-2025-64726 | 2025-11-14 | N/A | N/A | ||
| Socket Firewall is an HTTP/HTTPS proxy server that intercepts package manager requests and enforces security policies by blocking dangerous packages. Socket Firewall binary versions (separate from installers) prior to 0.15.5 are vulnerable to arbitrary code execution when run in untrusted project directories. The vulnerability allows an attacker to execute arbitrary code by placing a malicious `.sfw.config` file in a project directory. When a developer runs Socket Firewall commands (e.g., `sfw npm install`) in that directory, the tool loads the `.sfw.config` file and populates environment variables directly into the Node.js process. An attacker can exploit this by setting `NODE_OPTIONS` with a `--require` directive to execute malicious JavaScript code before Socket Firewall's security controls are initialized, effectively bypassing the tool's malicious package detection. The attack vector is indirect and requires a developer to install dependencies for an untrusted project and execute a command within the context of the untrusted project. The vulnerability has been patched in Socket Firewall version 0.15.5. Users should upgrade to version 0.15.5 or later. The fix isolates configuration file values from subprocess environments. Look at `sfw --version` for version information. If users rely on the recommended installation mechanism (e.g. global installation via `npm install -g sfw`) then no workaround is necessary. This wrapper package automatically ensures that users are running the latest version of Socket Firewall. Users who have manually installed the binary and cannot immediately upgrade should avoid running Socket Firewall in untrusted project directories. Before running Socket Firewall in any new project, inspect `.sfw.config` and `.env.local` files for suspicious `NODE_OPTIONS` or other environment variable definitions that reference local files. | |||||
| CVE-2025-8283 | 1 Redhat | 2 Enterprise Linux, Openshift Container Platform | 2025-11-07 | N/A | 3.7 LOW |
| A vulnerability was found in the netavark package, a network stack for containers used with Podman. Due to dns.podman search domain being removed, netavark may return external servers if a valid A/AAAA record is sent as a response. When creating a container with a given name, this name will be used as the hostname for the container itself, as the podman's search domain is not added anymore the container is using the host's resolv.conf, and the DNS resolver will try to look into the search domains contained on it. If one of the domains contain a name with the same hostname as the running container, the connection will forward to unexpected external servers. | |||||
| CVE-2024-39800 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-11-03 | N/A | 9.1 CRITICAL |
| Multiple external config control vulnerabilities exists in the openvpn.cgi openvpn_server_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A configuration injection vulnerability exists in the `open_port` POST parameter. | |||||
| CVE-2024-39799 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-11-03 | N/A | 9.1 CRITICAL |
| Multiple external config control vulnerabilities exists in the openvpn.cgi openvpn_server_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A configuration injection vulnerability exists in the `sel_open_interface` POST parameter. | |||||
| CVE-2024-39798 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-11-03 | N/A | 9.1 CRITICAL |
| Multiple external config control vulnerabilities exists in the openvpn.cgi openvpn_server_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A configuration injection vulnerability exists in the `sel_open_protocol` POST parameter. | |||||
| CVE-2024-39795 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-11-03 | N/A | 9.1 CRITICAL |
| Multiple external config control vulnerabilities exist in the nas.cgi set_nas() proftpd functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to permission bypass. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A configuration injection vulnerability exists in the `ftp_max_sessions` POST parameter. | |||||
| CVE-2024-39794 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-11-03 | N/A | 9.1 CRITICAL |
| Multiple external config control vulnerabilities exist in the nas.cgi set_nas() proftpd functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to permission bypass. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A configuration injection vulnerability exists in the `ftp_port` POST parameter. | |||||
| CVE-2024-39793 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-11-03 | N/A | 9.1 CRITICAL |
| Multiple external config control vulnerabilities exist in the nas.cgi set_nas() proftpd functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to permission bypass. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A configuration injection vulnerability exists in the `ftp_name` POST parameter. | |||||
| CVE-2024-39790 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-11-03 | N/A | 9.1 CRITICAL |
| Multiple external config control vulnerabilities exist in the nas.cgi set_ftp_cfg() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to permission bypass. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A configuration injection vulnerability exists within the `ftp_max_sessions` POST parameter. | |||||
| CVE-2024-39789 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-11-03 | N/A | 9.1 CRITICAL |
| Multiple external config control vulnerabilities exist in the nas.cgi set_ftp_cfg() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to permission bypass. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A configuration injection vulnerability exists within the `ftp_port` POST parameter. | |||||
| CVE-2024-39788 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-11-03 | N/A | 9.1 CRITICAL |
| Multiple external config control vulnerabilities exist in the nas.cgi set_ftp_cfg() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to permission bypass. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A configuration injection vulnerability exists within the `ftp_name` POST parameter. | |||||
| CVE-2024-10979 | 1 Postgresql | 1 Postgresql | 2025-11-03 | N/A | 8.8 HIGH |
| Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected. | |||||
| CVE-2025-62527 | 1 Taguette | 1 Taguette | 2025-10-30 | N/A | 7.1 HIGH |
| Taguette is an open source qualitative research tool. An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for an attacker to request password reset email containing a malicious link, allowing the attacker to set the email if clicked by the victim. This issue has been patched in version 1.5.0. | |||||
| CVE-2025-27253 | 2025-10-07 | N/A | 6.1 MEDIUM | ||
| A CWE-15 "External Control of System or Configuration Setting" in GE Vernova UR IED family devices from version 7.0 up to 8.60 allows an attacker to provide input that establishes a TCP connection through a port forwarding. The lack of the IP address and port validation may allow the attacker to bypass firewall rules or to send malicious traffic in the network. | |||||
| CVE-2025-43792 | 2025-09-16 | N/A | N/A | ||
| Remote staging in Liferay Portal 7.4.0 through 7.4.3.105, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not properly obtain the remote address of the live site from the database which, which allows remote authenticated users to exfiltrate data to an attacker controlled server (i.e., a fake “live site”) via the _com_liferay_exportimport_web_portlet_ExportImportPortlet_remoteAddress and _com_liferay_exportimport_web_portlet_ExportImportPortlet_remotePort parameters. To successfully exploit this vulnerability, an attacker must also successfully obtain the staging server’s shared secret and add the attacker controlled server to the staging server’s whitelist. | |||||
| CVE-2025-41452 | 2025-08-22 | N/A | N/A | ||
| Post-authenticated external control of system web interface configuration setting vulnerability in Danfoss AK-SM8xxA Series prior to 4.3.1, which could allow for a denial of service attack induced by improper handling of exceptional conditions | |||||
| CVE-2024-38666 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-08-21 | N/A | 9.1 CRITICAL |
| An external config control vulnerability exists in the openvpn.cgi openvpn_client_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2024-39280 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-08-21 | N/A | 9.1 CRITICAL |
| An external config control vulnerability exists in the nas.cgi set_smb_cfg() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2024-39602 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-08-21 | N/A | 9.1 CRITICAL |
| An external config control vulnerability exists in the nas.cgi set_nas() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||