Ana10gy

4 exploits Active since Dec 2025
CVE-2025-15098 WRITEUP MEDIUM WRITEUP
YunaiV yudao-cloud < 2025.11 - Server-Side Request Forgery via BpmHttpCallbackTrigger/BpmSyncHttpRequestTrigger
A vulnerability was determined in YunaiV yudao-cloud up to 2025.11. This affects the function BpmHttpCallbackTrigger/BpmSyncHttpRequestTrigger of the component Business Process Management. Executing manipulation of the argument url/header/body can lead to server-side request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 6.3
CVE-2025-15372 WRITEUP LOW WRITEUP
youlai/vue3-element-admin < 3.4.0 - Cross-Site Scripting in Notice Handler
A weakness has been identified in youlaitech vue3-element-admin up to 3.4.0. This issue affects some unknown processing of the file src/views/system/notice/index.vue of the component Notice Handler. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 2.4
CVE-2026-1063 WRITEUP MEDIUM WRITEUP
Bastillion <4.0.1 - Command Injection
A vulnerability has been found in bastillion-io Bastillion up to 4.0.1. This vulnerability affects unknown code of the file src/main/java/io/bastillion/manage/control/AuthKeysKtrl.java of the component Public Key Management System. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 4.7
CVE-2026-1064 WRITEUP MEDIUM WRITEUP
Bastillion <4.0.1 - Command Injection
A vulnerability was found in bastillion-io Bastillion up to 4.0.1. This issue affects some unknown processing of the file src/main/java/io/bastillion/manage/control/SystemKtrl.java of the component System Management Module. Performing a manipulation results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 4.7