Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities
CVE-2026-6179 (GCVE-0-2026-6179)
Vulnerability from cvelistv5 – Published: 2026-04-13 02:27 – Updated: 2026-04-13 18:06
VLAI
Title
Stored Cross Site Scripting in NightWolf Penetration Testing Platform
Summary
Stored Cross Site Scripting in NightWolf Penetration Testing Platform allows attack trigger and run malicious script in user's browser
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| FPT Software | NightWolf Penetration Testing Platform |
Affected:
2.1.5
Unaffected: 2.1.6 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6179",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T17:36:38.518612Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T18:06:17.801Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NightWolf Penetration Testing Platform",
"vendor": "FPT Software",
"versions": [
{
"status": "affected",
"version": "2.1.5"
},
{
"status": "unaffected",
"version": "2.1.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Phan Cong Anh Tuan (phanconganhtuan2003@gmail.com)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored Cross Site Scripting in NightWolf Penetration Testing Platform allows attack trigger and run malicious script in user\u0027s browser"
}
],
"value": "Stored Cross Site Scripting in NightWolf Penetration Testing Platform allows attack trigger and run malicious script in user\u0027s browser"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T02:27:53.206Z",
"orgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761",
"shortName": "FSOFT"
},
"references": [
{
"url": "https://bug.report.night-wolf.io/changelogs"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-04-11T10:00:00.000Z",
"value": "The reporter submits the vulnerability to security_report@fpt.com."
},
{
"lang": "en",
"time": "2026-04-12T11:00:00.000Z",
"value": "The security team verifies the issue and provides a fixing solution."
},
{
"lang": "en",
"time": "2026-04-13T01:00:00.000Z",
"value": "The security team releases the fix, retests the issue, and closes the vulnerability."
},
{
"lang": "en",
"time": "2026-04-13T02:00:00.000Z",
"value": "Assign a CVE to the reporter."
}
],
"title": "Stored Cross Site Scripting in NightWolf Penetration Testing Platform",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761",
"assignerShortName": "FSOFT",
"cveId": "CVE-2026-6179",
"datePublished": "2026-04-13T02:27:53.206Z",
"dateReserved": "2026-04-13T02:18:11.562Z",
"dateUpdated": "2026-04-13T18:06:17.801Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-3014 (GCVE-0-2025-3014)
Vulnerability from cvelistv5 – Published: 2025-03-31 03:48 – Updated: 2025-03-31 13:37
VLAI
Title
Insecure direct object references (IDOR) in NightWolf Penetration Platform
Summary
Insecure Direct Object References (IDOR) in access control in Tracking 2.1.4 on NightWolf Penetration Testing allows an attacker to access via manipulating request parameters or object references.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-285 - Improper Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| FPT Software | NightWolf Penetration Platform |
Affected:
2.1.4
(custom)
Unaffected: 2.1.5 (custom) |
Date Public
2025-03-31 03:40
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3014",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T13:37:39.163781Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T13:37:51.896Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"tracking"
],
"product": "NightWolf Penetration Platform",
"vendor": "FPT Software",
"versions": [
{
"status": "affected",
"version": "2.1.4",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2.1.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Hoang Anh Khoa (khoahoang329@gmail.com)"
},
{
"lang": "en",
"type": "finder",
"value": "Quyen Hong Son (sonqh.kma@gmail.com)"
}
],
"datePublic": "2025-03-31T03:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insecure Direct Object References (IDOR) in access control in Tracking 2.1.4 on NightWolf \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ePenetration Testing \u003c/span\u003eallows an attacker to access via manipulating request parameters or object references.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Insecure Direct Object References (IDOR) in access control in Tracking 2.1.4 on NightWolf Penetration Testing allows an attacker to access via manipulating request parameters or object references."
}
],
"impacts": [
{
"capecId": "CAPEC-27",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-27: Leveraging Trust in Client"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T03:52:24.208Z",
"orgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761",
"shortName": "FSOFT"
},
"references": [
{
"url": "https://bug.report.night-wolf.io/changelogs"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2025-03-28T10:00:00.000Z",
"value": "The reporter submits the vulnerability to security_report@fpt.com."
},
{
"lang": "en",
"time": "2025-03-29T02:00:00.000Z",
"value": "The security team verifies the issue and provides a fixing solution."
},
{
"lang": "en",
"time": "2025-03-30T10:00:00.000Z",
"value": "The security team releases the fix, retests the issue, and closes the vulnerability."
},
{
"lang": "en",
"time": "2025-03-31T02:00:00.000Z",
"value": "Assign a CVE to the reporter."
}
],
"title": "Insecure direct object references (IDOR) in NightWolf Penetration Platform",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761",
"assignerShortName": "FSOFT",
"cveId": "CVE-2025-3014",
"datePublished": "2025-03-31T03:48:12.504Z",
"dateReserved": "2025-03-31T03:27:15.991Z",
"dateUpdated": "2025-03-31T13:37:51.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3013 (GCVE-0-2025-3013)
Vulnerability from cvelistv5 – Published: 2025-03-31 03:40 – Updated: 2025-03-31 15:55
VLAI
Title
Insecure direct object references (IDOR) in NightWolf Penetration Platform
Summary
Insecure Direct Object References (IDOR) in access control in Customer Portal before 2.1.4 on NightWolf Penetration Testing allows an attacker to access via manipulating request parameters or object references.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-285 - Improper Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| FPT Software | NightWolf Penetration Platform |
Affected:
2.1.2 , ≤ 2.1.4
(custom)
Unaffected: 2.1.5 (custom) |
Date Public
2025-03-31 03:29
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3013",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T15:53:42.558887Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T15:55:30.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"portal"
],
"product": "NightWolf Penetration Platform",
"vendor": "FPT Software",
"versions": [
{
"lessThanOrEqual": "2.1.4",
"status": "affected",
"version": "2.1.2",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2.1.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Phan Quang Bao (quangbao368@gmail.com)"
}
],
"datePublic": "2025-03-31T03:29:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insecure Direct Object References (IDOR) in access control in Customer Portal before 2.1.4 on NightWolf\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ePenetration Testing\u0026nbsp;\u003c/span\u003eallows an attacker to access via manipulating request parameters or object references.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Insecure Direct Object References (IDOR) in access control in Customer Portal before 2.1.4 on NightWolf\u00a0Penetration Testing\u00a0allows an attacker to access via manipulating request parameters or object references."
}
],
"impacts": [
{
"capecId": "CAPEC-27",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-27: Leveraging Trust in Client"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T03:45:01.982Z",
"orgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761",
"shortName": "FSOFT"
},
"references": [
{
"url": "https://bug.report.night-wolf.io/changelogs"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2025-03-27T10:00:00.000Z",
"value": "The reporter submits the vulnerability to security_report@fpt.com."
},
{
"lang": "en",
"time": "2025-03-28T01:00:00.000Z",
"value": "The security team verifies the issue and provides a fixing solution."
},
{
"lang": "en",
"time": "2025-03-29T08:00:00.000Z",
"value": "The security team releases the fix, retests the issue, and closes the vulnerability."
},
{
"lang": "en",
"time": "2025-03-31T02:00:00.000Z",
"value": "Assign a CVE to the reporter."
}
],
"title": "Insecure direct object references (IDOR) in NightWolf Penetration Platform",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761",
"assignerShortName": "FSOFT",
"cveId": "CVE-2025-3013",
"datePublished": "2025-03-31T03:40:04.534Z",
"dateReserved": "2025-03-31T03:26:43.696Z",
"dateUpdated": "2025-03-31T15:55:30.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31165 (GCVE-0-2025-31165)
Vulnerability from cvelistv5 – Published: 2025-03-27 04:00 – Updated: 2025-03-28 03:58
VLAI
Title
Cross Site Scripting in NightWolf Penetration Platform
Summary
Cross-Site Scripting (XSS) vulnerability in the Logbug module of NightWolf Penetration Testing Platform 1.2.2 allows attackers to execute JavaScript through the markdown editor feature.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| FPT Software | NightWolf Penetration Platform |
Affected:
1.2.2
(custom)
Unaffected: 1.2.3 (custom) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31165",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T14:36:02.883849Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T14:36:34.280Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"logbug"
],
"product": "NightWolf Penetration Platform",
"vendor": "FPT Software",
"versions": [
{
"status": "affected",
"version": "1.2.2",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "1.2.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Do Quang Dat (datdq111@gmail.com)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003eCross-Site Scripting (XSS) vulnerability in the Logbug module of NightWolf Penetration Testing Platform 1.2.2 allows attackers to execute JavaScript through the markdown editor feature.\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Cross-Site Scripting (XSS) vulnerability in the Logbug module of NightWolf Penetration Testing Platform 1.2.2 allows attackers to execute JavaScript through the markdown editor feature."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T03:58:34.636Z",
"orgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761",
"shortName": "FSOFT"
},
"references": [
{
"url": "https://bug.report.night-wolf.io/changelogs"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Implement secure coding practices for the markdown editor to mitigate vulnerability."
}
],
"value": "Implement secure coding practices for the markdown editor to mitigate vulnerability."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2025-03-18T08:00:00.000Z",
"value": "The reported vulnerability has been submitted for the developer\u0027s review and resolution."
},
{
"lang": "en",
"time": "2025-03-18T10:00:00.000Z",
"value": "The reported vulnerability has been triaged, verified, and submitted for the developer\u0027s review and resolution."
},
{
"lang": "en",
"time": "2025-03-19T06:00:00.000Z",
"value": "The fixed version (1.2.3) has been released and deployed to the log bug server."
},
{
"lang": "en",
"time": "2025-03-27T04:00:00.000Z",
"value": "The CVE has been officially released and assigned to the reporter."
}
],
"title": "Cross Site Scripting in NightWolf Penetration Platform",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761",
"assignerShortName": "FSOFT",
"cveId": "CVE-2025-31165",
"datePublished": "2025-03-27T04:00:55.276Z",
"dateReserved": "2025-03-27T03:51:31.693Z",
"dateUpdated": "2025-03-28T03:58:34.636Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}