Total
954 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-30257 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| Unauthenticated attackers can retrieve serial number of smart meters associated to a specific user account. | |||||
| CVE-2025-27565 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| An unauthenticated attacker can delete any user's "rooms" by knowing the user's and room IDs. | |||||
| CVE-2025-27927 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| An unauthenticated attackers can obtain a list of smart devices by knowing a valid username through an unprotected API. | |||||
| CVE-2025-27575 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| An unauthenticated attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID. | |||||
| CVE-2025-31933 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| An unauthenticated attacker can check the existence of usernames in the system by querying an API. | |||||
| CVE-2025-27561 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| Unauthenticated attackers can rename "rooms" of arbitrary users. | |||||
| CVE-2025-31147 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users. | |||||
| CVE-2025-27719 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| Unauthenticated attackers can query an API endpoint and get device details. | |||||
| CVE-2025-31949 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| An authenticated attacker can obtain any plant name by knowing the plant ID. | |||||
| CVE-2025-27929 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| Unauthenticated attackers can retrieve full list of users associated with arbitrary accounts. | |||||
| CVE-2025-31941 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| An unauthenticated attacker can obtain a list of smart devices by knowing a valid username. | |||||
| CVE-2025-24315 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users). | |||||
| CVE-2025-24850 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| An attacker can export other users' plant information. | |||||
| CVE-2025-31360 | 2025-04-16 | N/A | 6.5 MEDIUM | ||
| Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users. | |||||
| CVE-2025-31654 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., "rooms"). | |||||
| CVE-2025-26977 | 1 Ninjateam | 1 Filebird | 2025-04-15 | N/A | 3.8 LOW |
| Authorization Bypass Through User-Controlled Key vulnerability in Ninja Team Filebird allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Filebird: from n/a through 6.4.2.1. | |||||
| CVE-2025-3575 | 2025-04-15 | N/A | N/A | ||
| Insecure Direct Object Reference vulnerability in Deporsite from T-INNOVA allows an attacker to retrieve sensitive information from others users via "idUsuario" parameter in "/helper/Familia/establecerUsuarioSeleccion" endpoint. | |||||
| CVE-2025-3574 | 2025-04-15 | N/A | N/A | ||
| Insecure Direct Object Reference vulnerability in Deporsite from T-INNOVA allows an attacker to retrieve sensitive information from others users via "idUsuario" parameter in "/helper/Familia/obtenerFamiliaUsuario" endpoint. | |||||
| CVE-2024-33668 | 1 Zammad | 1 Zammad | 2025-04-15 | N/A | 9.1 CRITICAL |
| An issue was discovered in Zammad before 6.3.0. The Zammad Upload Cache uses insecure, partially guessable FormIDs to identify content. An attacker could try to brute force them to upload malicious content to article drafts they have no access to. | |||||
| CVE-2022-4097 | 1 Updraftplus | 1 All-in-one Security | 2025-04-14 | N/A | 5.3 MEDIUM |
| The All-In-One Security (AIOS) WordPress plugin before 5.0.8 is susceptible to IP Spoofing attacks, which can lead to bypassed security features (like IP blocks, rate limiting, brute force protection, and more). | |||||