12 matches found
CVE-2026-44776 Kavita: IDOR in /api/Download/*
Kavita is a cross-platform reading server. Prior to 0.9.0, the download, size-check, and chapter metadata endpoints do not enforce library-level authorization. A low-privileged user who knows or guesses a chapterId, volumeId, or seriesId belonging to a library they are not assigned to can downloa...
CVE-2025-12923 liweiyi ChestnutCMS download resourceDownload path traversal
A vulnerability was determined in liweiyi ChestnutCMS up to 1.5.8. This vulnerability affects the function resourceDownload of the file /dev-api/common/download. Manipulation of the argument path can lead to path traversal. The attack can be launched remotely. The exploit has been...
EUVD-2023-2610
Malicious code in bioql PyPI...
CVE-2025-49089
wangxutech MoneyPrinterTurbo 1.2.6 allows path traversal via /api/v1/download/ URIs such as /api/v1/download//etc/passwd...
CVE-2023-31718
FUXA <= 1.1.12 is vulnerable to Local File Inclusion via /api/download...
Logs Debug Injection In File Download
Description: In two APIs, /code/download/:sessionId/:fileId and /download/:userId/:fileid, the parameters sessionId, fileId, userId and fileid are not validated or filtered at all but are written directly to log.debug. Proof of Concept. Prepare: the log file on the server is stored at /app/api/debug-.log I...
CVE-2023-46730 Server-Side Request Forgery in groupoffice
Group-Office is an enterprise CRM and groupware tool. In affected versions there is a full Server-Side Request Forgery (SSRF) vulnerability in the /api/upload.php endpoint. The /api/upload.php endpoint does not filter URLs, which allows a malicious user to cause the server to make resource requests to...
CVE-2023-31718
CVE-2023-31718 affects the open-source web-based visualization tool FUXA up to version 1.1.12. The vulnerability is described as a Local File Inclusion via the endpoint /api/download. The connected documents confirm the affected product and the specific attack vector, but do not provide concret...
CVE-2023-4615
This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/download/updateFile endpoint. The issue results from the lack of prope...