Monthly
Arbitrary filesystem directory listing in Lyrion Music Server 9.2.0 exposes any host directory to remote unauthenticated attackers via the readdirectory query, which accepts an unsandboxed folder parameter with no path restriction. Both the CLI service on TCP port 9090 and the HTTP JSON-RPC endpoint at /jsonrpc.js are affected, presenting a dual-protocol attack surface that requires no credentials in the default configuration. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the trivial attack complexity - a single unauthenticated network request - significantly lowers the real-world barrier to abuse.
Information disclosure in Dell PowerFlex Manager (Appliance, Rack, and core Manager) versions 4.6.2 and earlier allows unauthenticated remote attackers to enumerate server contents through exposed directory listings. The flaw carries a CVSS 7.5 (high) rating driven entirely by confidentiality impact and requires no privileges or user interaction, though no public exploit identified at time of analysis and the issue is not on CISA KEV.
Vvveb before 1.0.8.3 allows unauthenticated remote attackers to enumerate sensitive files and directories through directory listing information disclosure. Multiple directories including admin, plugins, themes, and media folders lack proper index directives in .htaccess files, permitting attackers to view filenames, file sizes, modification timestamps, and unrendered admin templates that expose sensitive route maps. No active exploitation has been confirmed, but the vulnerability is trivial to exploit with network access and no authentication.
IBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 could disclose folder location information to an unauthenticated attacker that could aid in further attacks against the system. [CVSS 5.3 MEDIUM]
RED-V Super Digital Signage System 5.1.1 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive webserver log files. Attackers can visit multiple endpoints to retrieve system resources and debug log information without authentication. [CVSS 7.5 HIGH]
A vulnerability was determined in SourceCodester Farm Management System 1.0. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Mastra is a Typescript framework for building AI agents and assistants. Versions 0.13.8 through 0.13.20-alpha.0 are vulnerable to a Directory Traversal attack that results in the disclosure of directory listings. The code contains a security check to prevent path traversal for reading file contents, but this check is effectively bypassed by subsequent logic that attempts to find directory suggestions. An attacker can leverage this flaw to list the contents of arbitrary directories on the user's filesystem, including the user's home directory, exposing sensitive information about the file system's structure. This issue is fixed in version 0.13.20.
Information disclosure in the Grandstream GXP1628 IP phone (firmware 1.0.4.130 and earlier) exposes sensitive directories and files because directory listing is enabled on the device web interface, letting attackers browse and retrieve files that should be protected. The flaw (CWE-548) can leak configuration data, credentials, or other sensitive artifacts stored on the device. Publicly available exploit code exists, though EPSS remains low at 0.31% (22nd percentile) and it is not listed in CISA KEV.
CVE-2025-2827 is a security vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
A remote code execution vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
Arbitrary filesystem directory listing in Lyrion Music Server 9.2.0 exposes any host directory to remote unauthenticated attackers via the readdirectory query, which accepts an unsandboxed folder parameter with no path restriction. Both the CLI service on TCP port 9090 and the HTTP JSON-RPC endpoint at /jsonrpc.js are affected, presenting a dual-protocol attack surface that requires no credentials in the default configuration. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the trivial attack complexity - a single unauthenticated network request - significantly lowers the real-world barrier to abuse.
Information disclosure in Dell PowerFlex Manager (Appliance, Rack, and core Manager) versions 4.6.2 and earlier allows unauthenticated remote attackers to enumerate server contents through exposed directory listings. The flaw carries a CVSS 7.5 (high) rating driven entirely by confidentiality impact and requires no privileges or user interaction, though no public exploit identified at time of analysis and the issue is not on CISA KEV.
Vvveb before 1.0.8.3 allows unauthenticated remote attackers to enumerate sensitive files and directories through directory listing information disclosure. Multiple directories including admin, plugins, themes, and media folders lack proper index directives in .htaccess files, permitting attackers to view filenames, file sizes, modification timestamps, and unrendered admin templates that expose sensitive route maps. No active exploitation has been confirmed, but the vulnerability is trivial to exploit with network access and no authentication.
IBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 could disclose folder location information to an unauthenticated attacker that could aid in further attacks against the system. [CVSS 5.3 MEDIUM]
RED-V Super Digital Signage System 5.1.1 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive webserver log files. Attackers can visit multiple endpoints to retrieve system resources and debug log information without authentication. [CVSS 7.5 HIGH]
A vulnerability was determined in SourceCodester Farm Management System 1.0. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Mastra is a Typescript framework for building AI agents and assistants. Versions 0.13.8 through 0.13.20-alpha.0 are vulnerable to a Directory Traversal attack that results in the disclosure of directory listings. The code contains a security check to prevent path traversal for reading file contents, but this check is effectively bypassed by subsequent logic that attempts to find directory suggestions. An attacker can leverage this flaw to list the contents of arbitrary directories on the user's filesystem, including the user's home directory, exposing sensitive information about the file system's structure. This issue is fixed in version 0.13.20.
Information disclosure in the Grandstream GXP1628 IP phone (firmware 1.0.4.130 and earlier) exposes sensitive directories and files because directory listing is enabled on the device web interface, letting attackers browse and retrieve files that should be protected. The flaw (CWE-548) can leak configuration data, credentials, or other sensitive artifacts stored on the device. Publicly available exploit code exists, though EPSS remains low at 0.31% (22nd percentile) and it is not listed in CISA KEV.
CVE-2025-2827 is a security vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
A remote code execution vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.