Skip to main content
CVE-2025-15099 MEDIUM POC PATCH This Month

A vulnerability was identified in simstudioai sim up to 0.5.27. This vulnerability affects unknown code of the file apps/sim/lib/auth/internal.ts of the component CRON Secret Handler. The manipulation of the argument INTERNAL_API_SECRET leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is e359dc2946b12ed5e45a0ec9c95ecf91bd18502a. Applying a patch is the recommended action to fix this issue.

Authentication Bypass Sim
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-66737 MEDIUM POC This Month

Directory traversal in Yealink SIP-T21P(E2) IP phone firmware 52.84.0.15 exposes arbitrary files to low-privileged remote attackers via a crafted request to the diagnostic component's result read function. The flaw is confined to confidentiality impact - attackers can exfiltrate sensitive files (credentials, configuration, logs) stored on the device but cannot modify or crash it. A publicly available proof-of-concept exists, though EPSS at 0.62% indicates limited observed exploitation activity and the device is not listed in the CISA KEV catalog.

Path Traversal Sip T21 P E2 Firmware
NVD
CVSS 3.1
4.3
EPSS
0.6%
CVE-2025-15097 MEDIUM This Month

A vulnerability was found in Alteryx Server. Affected by this issue is some unknown functionality of the file /gallery/api/status/. Performing manipulation results in improper authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. Upgrading to version 2023.1.1.13.486, 2023.2.1.10.293, 2024.1.1.9.236, 2024.2.1.6.125 and 2025.1.1.1.31 can resolve this issue. Upgrading the affected component is recommended.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy