Filtered by vendor Growatt
Total: 35 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-36753 | 1 Growatt | 2 Shine Lan-x, Shine Lan-x Firmware | 2026-01-14 | N/A | 9.8 CRITICAL | The SWD debug interface on the Growatt ShineLan-X communication dongle is available by default, allowing an attacker to attain debug access to the device and to extract secrets or domains from within the device. |
| CVE-2025-36747 | 1 Growatt | 2 Shine Lan-x, Shine Lan-x Firmware | 2026-01-14 | N/A | 9.8 CRITICAL | ShineLan-X contains a set of credentials for an FTP server, found within the firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files being deployed to devices with their own malicious versions, since the firmware signature verification is not enforced. |
| CVE-2025-36748 | 1 Growatt | 2 Shine Lan-x, Shine Lan-x Firmware | 2026-01-14 | N/A | 5.4 MEDIUM | ShineLan-X contains a stored cross-site scripting (XSS) vulnerability in the local configuration web server. A JavaScript code snippet can be inserted in the communication module’s settings center. This may allow attackers to force a legitimate user’s browser’s JavaScript engine to run malicious code. |
| CVE-2025-36750 | 1 Growatt | 2 Shine Lan-x, Shine Lan-x Firmware | 2026-01-14 | N/A | 5.4 MEDIUM | ShineLan-X contains a stored cross-site scripting (XSS) vulnerability in the Plant Name field. An HTML payload will be displayed on the plant management page via a direct post. This may allow attackers to force a legitimate user’s browser’s JavaScript engine to run malicious code. |
| CVE-2025-36752 | 1 Growatt | 2 Shine Lan-x, Shine Lan-x Firmware | 2026-01-14 | N/A | 9.8 CRITICAL | The Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials, which allows a significant level of access to the device, such as allowing any attacker to access the Setting Center. This means that this is effectively a backdoor for all devices utilizing a Growatt ShineLan-X communication dongle. |
| CVE-2025-31357 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM | An unauthenticated attacker can obtain a user's plant list by knowing the username. |
| CVE-2025-31933 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM | An unauthenticated attacker can check the existence of usernames in the system by querying an API. |
| CVE-2025-31941 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM | An unauthenticated attacker can obtain a list of smart devices by knowing a valid username. |
| CVE-2025-31949 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM | An authenticated attacker can obtain any plant name by knowing the plant ID. |
| CVE-2025-24297 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 9.8 CRITICAL | Due to lack of server-side input validation, attackers can inject malicious JavaScript code into users' personal spaces of the web portal. |
| CVE-2025-24315 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM | Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users). |
| CVE-2025-24850 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM | An attacker can export other users' plant information. |
| CVE-2025-25276 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM | An unauthenticated attacker can hijack other users' devices and potentially control them. |
| CVE-2025-26857 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM | Unauthenticated attackers can rename arbitrary devices of arbitrary users (i.e., EV chargers). |
| CVE-2025-27561 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM | Unauthenticated attackers can rename "rooms" of arbitrary users. |
| CVE-2025-27565 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM | An unauthenticated attacker can delete any user's "rooms" by knowing the user's and room IDs. |
| CVE-2025-27575 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM | An unauthenticated attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID. |
| CVE-2025-27719 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM | Unauthenticated attackers can query an API endpoint and get device details. |
| CVE-2025-27927 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM | An unauthenticated attacker can obtain a list of smart devices by knowing a valid username through an unprotected API. |
| CVE-2025-27929 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM | Unauthenticated attackers can retrieve the full list of users associated with arbitrary accounts. |
| CVE-2025-30257 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM | Unauthenticated attackers can retrieve the serial number of smart meters associated with a specific user account. |
| CVE-2025-30510 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 9.8 CRITICAL | An attacker can upload an arbitrary file instead of a plant image. |
| CVE-2025-30512 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 6.5 MEDIUM | Unauthenticated attackers can send configuration settings to a device and possibly perform physical actions remotely (e.g., on/off). |
| CVE-2025-31147 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | N/A | 5.3 MEDIUM | Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users. |
| CVE-2025-27938 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM | Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "rooms"). |
| CVE-2025-27939 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 7.5 HIGH | An attacker can change registered email addresses of other users and take over arbitrary accounts. |
| CVE-2025-30254 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM | An unauthenticated attacker can obtain a serial number of a smart meter(s) using its owner's username. |
| CVE-2025-30511 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 8.8 HIGH | An authenticated attacker can achieve stored XSS by exploiting improper sanitization of the plant name value while adding or editing a plant. |
| CVE-2025-30514 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM | Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "scenes"). |
| CVE-2025-31950 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM | An unauthenticated attacker can obtain EV charger energy consumption information of other users. |
| CVE-2025-31945 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM | An unauthenticated attacker can obtain other users' charger information. |
| CVE-2025-31654 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM | An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., "rooms"). |
| CVE-2025-31360 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 6.5 MEDIUM | Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users. |
| CVE-2025-27568 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM | An unauthenticated attacker can get users' emails by knowing usernames. A password reset email will be sent in response to this unsolicited request. |
| CVE-2025-24487 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | N/A | 5.3 MEDIUM | An unauthenticated attacker can infer the existence of usernames in the system by querying an API. |