Server-side request forgery in welovemedia FFmate through version 2.0.15 allows authenticated remote attackers to manipulate the fireWebhook function and force the server to make arbitrary HTTP requests. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification.
SQL injection in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to execute arbitrary SQL queries via the getDictItems API endpoint due to insufficient validation in the isExistSqlInjectKeyword function. An attacker with valid credentials can exploit this vulnerability to read, modify, or delete database contents. No patch is currently available, and public exploit code has been disclosed.
Backstage is an open framework for building developer portals. versions up to 3.1.4 is affected by insertion of sensitive information into log file (CVSS 2.0).
Improper authorization in the FakeAppReceiver component of Freedom Factory dGEN1 (up to version 20260221) allows local attackers with user privileges to manipulate application permissions. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. The attack requires local access but can result in unauthorized data access, modification, or service disruption.
Improper authorization in the FakeAppProvider component of Freedom Factory dGEN1 (versions up to 20260221) allows local authenticated users to bypass access controls and modify system data. Public exploit code exists for this vulnerability, though no patch is currently available from the vendor.
Improper authorization in Freedom Factory dGEN1's com.dgen.alarm component (up to version 20260221) allows local authenticated users to bypass access controls and modify system settings. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or responded to disclosure attempts. The attack requires local access and valid credentials but poses a moderate risk to system integrity and confidentiality.
Improper authorization in the AlarmService component of Freedom Factory dGEN1 (up to version 20260221) allows local users with limited privileges to gain unauthorized access to alarm functionality. The vulnerability requires local access and has been publicly disclosed with exploit code available, though the vendor has not provided a patch or responded to initial contact.
Improper authorization in the FakeAppService function of Freedom Factory dGEN1 (up to version 20260221) allows local users with standard privileges to gain unauthorized access to protected resources. Public exploit code is available for this vulnerability, though no patch has been released by the vendor despite early notification.
A flaw has been found in Freedom Factory dGEN1 versions up to 20260221. contains a vulnerability that allows attackers to improper authorization (CVSS 3.3).
A weakness has been identified in Freedom Factory dGEN1 versions up to 20260221. contains a security vulnerability (CVSS 3.1).
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providing its ID, with no ownership verification.