Public Security Vulnerability Disclosures
[CVE-2025-52022] Information disclosure via verbose error messages in Aptsys gemsloyalty backend
Summary An information disclosure vulnerability was identified in the backend of Aptsys’ gemsloyalty platform, which powers POS and management systems for multiple F&B clients. The issue allow...
[CVE-2025-52026] Unauthenticated data exposure in Aptsys gemscms backend
Summary An unauthenticated information disclosure vulnerability was identified in Aptsys’ gemscms backend platform. A publicly reachable API used in production deployments returns staff/cashier ac...
[CVE-2025-52025] SQL Injection vulnerability in Aptsys gemscms backend
Summary A SQL Injection vulnerability was identified in Aptsys’ gemscms backend platform, a shared backend used by multiple F&B businesses for POS and restaurant management. A vulnerable backe...
[CVE-2025-52024] Unauthenticated access to exposed developer web service panels in Aptsys POS backend
Summary A security misconfiguration vulnerability was identified in Aptsys’ POS Platform Web Services module, part of the gemscms backend platform used by multiple F&B businesses. Developer-or...
[CVE-2025-52023] Information disclosure via verbose error messages in Aptsys gemscms backend
Summary An information disclosure vulnerability was identified in the backend of Aptsys’ gemscms platform, which powers POS and management systems for multiple F&B clients. The issue allows un...
[CVE REQUESTED] Debugging Stack Trace Disclosure on Ednovation Dashboard Subdomain
Summary A debugging error disclosure vulnerability exists on Ednovation’s https://dashboard.ednoland.com/ subdomain. By requesting a non-existent path, the application returns a full Laravel excep...
[CVE REQUESTED] Unauthenticated Internal API Testing Interface Exposing Hardcoded Production Credentials
Summary A publicly accessible internal API testing tool was discovered on Ednovation’s development subdomain. This tool contains hardcoded production credentials and allows unauthenticated users t...
[CVE REQUESTED] phpinfo() Exposure on Ednovation's Production Subdomain
Summary A publicly accessible PHP configuration page (phpinfo()) was discovered on Ednovation’s production subdomain eproject.ednoland.com. The exposure reveals sensitive server configuration deta...
[CVE REQUESTED] Directory Listing Exposure on Ednovation's Production Subdomain EProject
Summary A directory listing exposure was identified on Ednovation’s production subdomain eproject.ednoland.com. The vulnerability reveals sensitive server directories, configuration folders, and i...
[CVE REQUESTED] Weak Password Hashing Using MD5 in Ednovation's AIMath Web App
Summary A cryptographic weakness was discovered in the AIMath Web App, a math learning platform for children operated by Ednovation. User passwords are stored using the obsolete and insecure MD5 h...
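Added illustration (not Ednovation's code, and not drawn from the advisory): why bare MD5 fails as a password store and what the hardened replacement looks like. The "legacy" function models the weakness class only (unsalted, unkeyed, fast hash); the wordlist and passwords are constructed for the demo. The hardened path uses the standard library's hashlib.scrypt with a random per-user salt and a stored work factor, so identical passwords never share a digest and each guess costs real memory and time.

```python
import hashlib
import hmac
import os

# --- Weak scheme: unsalted MD5, as described in the advisory (model only, not the real code) ---
def legacy_md5_store(password: str) -> str:
    """Store a password as bare MD5: no salt, no work factor, one fast hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Constructed wordlist standing in for the precomputed tables / cracking dictionaries
# an attacker would run against a dumped MD5 column.
WORDLIST = ["123456", "password", "qwerty", "letmein", "math2024"]

def crack_md5(digest_hex: str, wordlist=WORDLIST):
    """Return the plaintext if the unsalted digest matches any candidate, else None.

    Because there is no salt, one pass over the list cracks every user with that
    password at once, and digests can be looked up in precomputed tables.
    """
    for candidate in wordlist:
        if hashlib.md5(candidate.encode("utf-8")).hexdigest() == digest_hex:
            return candidate
    return None

# --- Hardened scheme: salted, memory-hard scrypt (hashlib.scrypt, Python 3.6+ / OpenSSL 1.1+) ---
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed parameters; raise N as hardware allows
SCRYPT_MAXMEM = 64 * 1024 * 1024               # allow ~16 MiB needed for N=2^14, r=8

def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: scheme$N$r$p$salt_hex$dk_hex."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                        maxmem=SCRYPT_MAXMEM, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p),
                        maxmem=SCRYPT_MAXMEM, dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    weak = legacy_md5_store("password")
    print("MD5 record:", weak, "-> cracked as", crack_md5(weak))
    strong = hash_password("password")
    print("scrypt record:", strong)
    print("verify ok:", verify_password("password", strong),
          "wrong pw:", verify_password("Password", strong))
```

The stored record carries its own parameters so the cost can be raised later and old records re-hashed on next login; a migration from MD5 can wrap the existing digest (scrypt over the MD5 hex) until each user authenticates again.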
[CVE REQUESTED] Directory Listing Exposure on Ednovation's Development Subdomain
Summary A publicly accessible directory listing was found on Ednovation’s development subdomain, exposing the internal file structure of a web application, including PHP request handlers, code lib...
[CVE REQUESTED] Public Data Exposure via Broken Auth in AIMath Web App
Summary A critical security flaw was identified in the AIMath Web App, a math learning platform operated by Ednovation, which exposes student and parent personal data via unauthenticated GET APIs....
[CVE REQUESTED] ParentCommApp SQL Injection Backend API
Summary A SQL injection vulnerability was identified in a backend API supporting Ednovation’s ParentCommApp — a communication platform used by preschools and parents. The vulnerability allows atta...
[CVE REQUESTED] ParentCommApp Insecure Direct Object Reference (IDOR)
Summary A critical Insecure Direct Object Reference (IDOR) vulnerability was discovered in Ednovation’s ParentCommApp for iOS, allowing authenticated users to retrieve private data of other childr...
[CVE REQUESTED] Broken JWT Authentication – Hardcoded Shared Secret in ParentCommApp (iOS)
Summary A critical design flaw was discovered in the JWT authentication implementation used by ParentCommApp, an iOS app developed by Ednovation. The app includes a hardcoded shared secret key use...
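Added illustration (not ParentCommApp's code; the secret value and claims are constructed for the demo) of why an HS256 signing key embedded in a client app is a broken design: HS256 is symmetric, so whoever can verify a token can also mint one. The block implements minimal HS256 issue/verify with the standard library, shows a legitimate token and an attacker-forged token both passing the same verifier, and shows that tokens fail against a different key or after expiry.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for a secret recovered from a client binary. Not the real key.
HARDCODED_SECRET = b"example-shared-secret-do-not-use"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two segments."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_hs256(token: str, secret: bytes, now: float = None):
    """Return the claims if the token is well-formed, HS256, correctly signed and unexpired; else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":          # pin the algorithm; never trust alg from the token
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        return None
    return claims

def server_issue_token(user_id: str, now: float) -> str:
    """What the backend would hand a user after a real login."""
    return sign_hs256({"sub": user_id, "role": "parent", "exp": now + 3600}, HARDCODED_SECRET)

def attacker_forge_token(secret_from_binary: bytes, now: float) -> str:
    """What anyone holding the client-side constant can mint without ever logging in."""
    return sign_hs256({"sub": "staff-0001", "role": "staff", "exp": now + 365 * 86400},
                      secret_from_binary)

if __name__ == "__main__":
    now = time.time()
    legit = server_issue_token("parent-42", now)
    forged = attacker_forge_token(HARDCODED_SECRET, now)
    print("legit verifies as:", verify_hs256(legit, HARDCODED_SECRET))
    print("forged verifies as:", verify_hs256(forged, HARDCODED_SECRET))
```

The fix is structural, not a longer secret: the key must never leave the server, and if clients need to validate tokens locally they should use an asymmetric scheme (RS256/ES256) where the app holds only the public key.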
[CVE REQUESTED] Unauthenticated API Exposure in Ednovation ParentCommApp
Summary A critical security vulnerability was discovered in ParentCommApp — an iOS mobile application used by preschools and parents for communication within the Ednovation ecosystem. The vulnera...