9.4

CVSS3.1

CVE-2025-54816 - EVMAPA Missing Authentication for Critical Function

This vulnerability occurs when a WebSocket endpoint does not enforce proper authentication mechanisms, allowing unauthorized users to establish connections. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that…

📅 Published: Jan. 22, 2026, 10:40 p.m. 🔄 Last Modified: Feb. 2, 2026, 7:56 p.m.

7.5

CVSS3.1

CVE-2025-53968 - EVMAPA Improper Restriction of Excessive Authentication Attempts

This vulnerability arises because there are no limitations on the number of authentication attempts a user can make. An attacker can exploit this weakness by continuously sending authentication requests, leading to a denial-of-service (DoS) condition. This can overwhelm the authentication syste…

📅 Published: Jan. 22, 2026, 10:37 p.m. 🔄 Last Modified: Feb. 2, 2026, 7:59 p.m.

7.3

CVSS3.1

CVE-2025-55705 - EVMAPA Insufficient Session Expiration

This vulnerability occurs when the system permits multiple simultaneous connections to the backend using the same charging station ID. This can result in unauthorized access, data inconsistency, or potential manipulation of charging sessions. The lack of proper session management and expiration…

📅 Published: Jan. 22, 2026, 10:32 p.m. 🔄 Last Modified: Feb. 12, 2026, 6:02 p.m.

6.1

CVSS3.1

CVE-2025-25051 - AutomationDirect CLICK Programmable Logic Controller Plaintext Storage of a Password

An attacker could decrypt sensitive data, impersonate legitimate users or devices, and potentially gain access to network resources for lateral attacks.

📅 Published: Jan. 22, 2026, 10:21 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

8.9

CVSS4.0

CVE-2026-24124 - Dragonfly Manager Job API Allows Unauthenticated Access

Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with acce…

📅 Published: Jan. 22, 2026, 10:20 p.m. 🔄 Last Modified: April 18, 2026, 3:30 p.m.

6.1

CVSS3.1

CVE-2025-67652 - AutomationDirect CLICK Programmable Logic Controller Weak Encoding for Password

An attacker with access to the project file could use the exposed credentials to impersonate users, escalate privileges, or gain unauthorized access to systems and services. The absence of robust encryption or secure handling mechanisms increases the likelihood of this type of exploitation, lea…

📅 Published: Jan. 22, 2026, 10:17 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

5.3

CVSS3.1

CVE-2026-24117 - Rekor affected by Server-Side Request Forgery (SSRF) via provided public key URL

Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate st…

📅 Published: Jan. 22, 2026, 10:05 p.m. 🔄 Last Modified: April 18, 2026, 3:45 a.m.

9.1

CVSS3.1

CVE-2026-20912 - Gitea: Cross-Repository Authorization Bypass via Release Attachment Linking Leads to Private Attach…

Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.

📅 Published: Jan. 22, 2026, 10:01 p.m. 🔄 Last Modified: April 18, 2026, 3:45 a.m.

9.1

CVSS3.1

CVE-2026-20897 - Gitea Git LFS Lock Deletion Broken Access Control (Cross-Repo IDOR)

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.

📅 Published: Jan. 22, 2026, 10:01 p.m. 🔄 Last Modified: April 18, 2026, 3:30 p.m.

6.5

CVSS3.1

CVE-2026-20904 - Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes

Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.

📅 Published: Jan. 22, 2026, 10:01 p.m. 🔄 Last Modified: April 18, 2026, 3:30 p.m.
Total results: 349182
Page 1991 of 34,919