Total
1027 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-12524 | | | 2025-11-18 | N/A | 5.4 MEDIUM |
| The Post Type Switcher plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.0.0 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to modify the post type of arbitrary posts and pages they do not own, including those created by administrators, which can lead to site disruption, broken navigation, and SEO impact. | |||||
| CVE-2025-58627 | | | 2025-11-17 | N/A | 9.8 CRITICAL |
| Authorization Bypass Through User-Controlled Key vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Miraculous Core Plugin: from n/a through < 2.0.9. | |||||
| CVE-2025-31357 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| An unauthenticated attacker can obtain a user's plant list by knowing the username. | |||||
| CVE-2025-31933 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| An unauthenticated attacker can check the existence of usernames in the system by querying an API. | |||||
| CVE-2025-31941 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| An unauthenticated attacker can obtain a list of smart devices by knowing a valid username. | |||||
| CVE-2025-31949 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| An authenticated attacker can obtain any plant name by knowing the plant ID. | |||||
| CVE-2025-24315 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users). | |||||
| CVE-2025-24850 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| An attacker can export other users' plant information. | |||||
| CVE-2025-25276 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| An unauthenticated attacker can hijack other users' devices and potentially control them. | |||||
| CVE-2025-26857 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| Unauthenticated attackers can rename arbitrary devices of arbitrary users (i.e., EV chargers). | |||||
| CVE-2025-27561 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| Unauthenticated attackers can rename "rooms" of arbitrary users. | |||||
| CVE-2025-27565 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| An unauthenticated attacker can delete any user's "rooms" by knowing the user's and room IDs. | |||||
| CVE-2025-27575 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| An unauthenticated attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID. | |||||
| CVE-2025-27719 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| Unauthenticated attackers can query an API endpoint and get device details. | |||||
| CVE-2025-27927 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| An unauthenticated attacker can obtain a list of smart devices by knowing a valid username through an unprotected API. | |||||
| CVE-2025-27929 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| Unauthenticated attackers can retrieve full list of users associated with arbitrary accounts. | |||||
| CVE-2025-30257 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| Unauthenticated attackers can retrieve serial number of smart meters associated to a specific user account. | |||||
| CVE-2025-31147 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
| Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users. | |||||
| CVE-2025-12366 | | | 2025-11-14 | N/A | 4.3 MEDIUM |
| The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.5 via the pagelayer_replace_page function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to replace media files belonging to other users, including administrators. | |||||
| CVE-2025-64523 | | | 2025-11-14 | N/A | N/A |
| File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Versions prior to 2.45.1 have an Insecure Direct Object Reference (IDOR) vulnerability in the FileBrowser application's share deletion functionality. This vulnerability allows any authenticated user with share permissions to delete other users' shared links without authorization checks. The impact is significant as malicious actors can disrupt business operations by systematically removing shared files and links. This leads to denial of service for legitimate users, potential data loss in collaborative environments, and breach of data confidentiality agreements. In organizational settings, this could affect critical file sharing for projects, presentations, or document collaboration. Version 2.45.1 contains a fix for the issue. | |||||
