Total
1091 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-58627 | 2025-11-17 | N/A | 9.8 CRITICAL | ||
| Authorization Bypass Through User-Controlled Key vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Miraculous Core Plugin: from n/a through < 2.0.9. | |||||
| CVE-2025-31357 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| An unauthenticated attacker can obtain a user's plant list by knowing the username. | |||||
| CVE-2025-31933 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| An unauthenticated attacker can check the existence of usernames in the system by querying an API. | |||||
| CVE-2025-31941 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| An unauthenticated attacker can obtain a list of smart devices by knowing a valid username. | |||||
| CVE-2025-31949 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| An authenticated attacker can obtain any plant name by knowing the plant ID. | |||||
| CVE-2025-24315 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users). | |||||
| CVE-2025-24850 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| An attacker can export other users' plant information. | |||||
| CVE-2025-25276 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| An unauthenticated attacker can hijack other users' devices and potentially control them. | |||||
| CVE-2025-26857 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| Unauthenticated attackers can rename arbitrary devices of arbitrary users (i.e., EV chargers). | |||||
| CVE-2025-27561 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| Unauthenticated attackers can rename "rooms" of arbitrary users. | |||||
| CVE-2025-27565 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| An unauthenticated attacker can delete any user's "rooms" by knowing the user's and room IDs. | |||||
| CVE-2025-27575 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| An unauthenticated attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID. | |||||
| CVE-2025-27719 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| Unauthenticated attackers can query an API endpoint and get device details. | |||||
| CVE-2025-27927 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| An unauthenticated attackers can obtain a list of smart devices by knowing a valid username through an unprotected API. | |||||
| CVE-2025-27929 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| Unauthenticated attackers can retrieve full list of users associated with arbitrary accounts. | |||||
| CVE-2025-30257 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| Unauthenticated attackers can retrieve serial number of smart meters associated to a specific user account. | |||||
| CVE-2025-31147 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users. | |||||
| CVE-2025-12366 | 2025-11-14 | N/A | 4.3 MEDIUM | ||
| The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.5 via the pagelayer_replace_page function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to replace media files belonging to other users, including administrators. | |||||
| CVE-2025-64706 | 2025-11-14 | N/A | 5.0 MEDIUM | ||
| Typebot is an open-source chatbot builder. In version 3.9.0 up to but excluding version 3.13.0, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API token management endpoint. An authenticated attacker can delete any user's API token and retrieve its value by simply knowing the target user's ID and token ID, without requiring authorization checks. Version 3.13.0 fixes the issue. | |||||
| CVE-2025-8855 | 2025-11-14 | N/A | 8.1 HIGH | ||
| Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vulnerability in Optimus Software Brokerage Automation allows Exploiting Trust in Client, Authentication Bypass, Manipulate Registry Information.This issue affects Brokerage Automation: before 1.1.71. | |||||