Total
30 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-31357 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
|
An unauthenticated attacker can obtain a user's plant list by knowing the username.
|
|||||
| CVE-2025-31933 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
|
An unauthenticated attacker can check the existence of usernames in the system by querying an API.
|
|||||
| CVE-2025-31941 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
|
An unauthenticated attacker can obtain a list of smart devices by knowing a valid username.
|
|||||
| CVE-2025-31949 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
|
An authenticated attacker can obtain any plant name by knowing the plant ID.
|
|||||
| CVE-2025-24297 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 9.8 CRITICAL |
|
Due to lack of server-side input validation, attackers can inject malicious JavaScript code into users personal spaces of the web portal.
|
|||||
| CVE-2025-24315 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
|
Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users).
|
|||||
| CVE-2025-24850 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
|
An attacker can export other users' plant information.
|
|||||
| CVE-2025-25276 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
|
An unauthenticated attacker can hijack other users' devices and potentially control them.
|
|||||
| CVE-2025-26857 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
|
Unauthenticated attackers can rename arbitrary devices of arbitrary users (i.e., EV chargers).
|
|||||
| CVE-2025-27561 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
|
Unauthenticated attackers can rename "rooms" of arbitrary users.
|
|||||
| CVE-2025-27565 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
|
An unauthenticated attacker can delete any user's "rooms" by knowing the user's and room IDs.
|
|||||
| CVE-2025-27575 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
|
An unauthenticated attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID.
|
|||||
| CVE-2025-27719 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
|
Unauthenticated attackers can query an API endpoint and get device details.
|
|||||
| CVE-2025-27927 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
|
An unauthenticated attackers can obtain a list of smart devices by knowing a valid username through an unprotected API.
|
|||||
| CVE-2025-27929 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
|
Unauthenticated attackers can retrieve full list of users associated with arbitrary accounts.
|
|||||
| CVE-2025-30257 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
|
Unauthenticated attackers can retrieve serial number of smart meters associated to a specific user account.
|
|||||
| CVE-2025-30510 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 9.8 CRITICAL |
|
An attacker can upload an arbitrary file instead of a plant image.
|
|||||
| CVE-2025-30512 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 6.5 MEDIUM |
|
Unauthenticated attackers can send configuration settings to device and possible perform physical actions remotely (e.g., on/off).
|
|||||
| CVE-2025-31147 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM |
|
Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users.
|
|||||
| CVE-2025-27938 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM |
|
Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "rooms").
|
|||||
| CVE-2025-27939 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 7.5 HIGH |
|
An attacker can change registered email addresses of other users and take over arbitrary accounts.
|
|||||
| CVE-2025-30254 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM |
|
An unauthenticated attacker can obtain a serial number of a smart meter(s) using its owner's username.
|
|||||
| CVE-2025-30511 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 8.8 HIGH |
|
An authenticated attacker can achieve stored XSS by exploiting improper sanitization of the plant name value while adding or editing a plant.
|
|||||
| CVE-2025-30514 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM |
|
Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "scenes").
|
|||||
| CVE-2025-31950 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM |
|
An unauthenticated attacker can obtain EV charger energy consumption information of other users.
|
|||||
| CVE-2025-31945 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM |
|
An unauthenticated attacker can obtain other users' charger information.
|
|||||
| CVE-2025-31654 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM |
|
An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., "rooms").
|
|||||
| CVE-2025-31360 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 6.5 MEDIUM |
|
Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users.
|
|||||
| CVE-2025-27568 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM |
|
An unauthenticated attacker can get users' emails by knowing usernames. A password reset email will be sent in response to this unsolicited request.
|
|||||
| CVE-2025-24487 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM |
|
An unauthenticated attacker can infer the existence of usernames in the system by querying an API.
|
|||||