1088 matches found

RedhatCVE · added 2025/05/22 10:28 p.m.

CVE-2022-2401

Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs...

CVSS 6.5 · AI score 6.3 · EPSS 0.00692 · Exploits 0 · References 1

RedhatCVE · added 2025/05/22 9:37 p.m.

CVE-2021-25036

The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue, which was discovered during an internal audit by the Jetpack Scan team, and may grant bad actors access to protected REST API endpoints they shouldn't have access to. This could ultimately enable users...

CVSS 8.8 · AI score 7.6 · EPSS 0.02975 · Exploits 1 · References 1

RedhatCVE · added 2025/05/22 9:21 p.m.

CVE-2021-41127

Rasa is an open source machine learning framework to automate text- and voice-based conversations. In affected versions a vulnerability exists in the functionality that loads a trained model tar.gz file which allows a malicious actor to craft a model.tar.gz file which can overwrite or replace bot...

CVSS 7.3 · AI score 6.6 · EPSS 0.00734 · Exploits 0

RedhatCVE · added 2025/05/22 7:25 p.m.

CVE-2021-25365

An improper exception control in softsimd prior to SMR APR-2021 Release 1 allows unprivileged applications to access the API in softsimd...

CVSS 7.8 · AI score 6.8 · EPSS 0.00111 · Exploits 0 · References 1

RedhatCVE · added 2025/05/22 4:38 p.m.

CVE-2020-3626

Any application can bind to it and exercise the APIs due to no protection for AIDL uimlpaservice in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in APQ8053, APQ8096AU, APQ8098, MSM8905, MSM8909W, MSM8917, MSM8920,...

CVSS 7.8 · AI score 7.2 · EPSS 0.00166 · Exploits 0

RedhatCVE · added 2025/05/22 4:32 p.m.

CVE-2020-24333

A vulnerability in Arista's CloudVision Portal (CVP) prior to 2020.2 allows users with "read-only" or greater access rights to the Configlet Management module to download files not intended for access, located on the CVP server, by accessing a specific API...

CVSS 6.5 · AI score 6.8 · EPSS 0.00835 · Exploits 1

RedhatCVE · added 2025/05/22 3:35 p.m.

CVE-2020-3956

VMware Cloud Director 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4 do not properly handle input, leading to a code injection vulnerability. An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to...

CVSS 8.8 · AI score 7.7 · EPSS 0.211 · Exploits 11

RedhatCVE · added 2025/05/22 8:37 a.m.

CVE-2019-15953

An issue was discovered in Total.js CMS 12.0.0. An authenticated user with limited privileges can get access to a resource that they do not own by calling the associated API. The product correctly manages privileges only for the front-end resource path, not for API requests. This leads to vertica...

CVSS 8.8 · AI score 6.8 · EPSS 0.01546 · Exploits 1 · References 1

RedhatCVE · added 2025/05/22 2:39 a.m.

CVE-2013-4859

INSTEON Hub 2242-222 lacks Web and API authentication...

CVSS 9.3 · AI score 6.9 · EPSS 0.06973 · Exploits 6 · References 1

Positive Technologies · added 2025/05/19 12:00 a.m.

PT-2025-21990 · Unknown · Easyvirt Dc Netscope

Name of the Vulnerable Software and Affected Versions: EasyVirt DC NetScope versions 8.7.0 and earlier
Description: The issue allows remote authenticated attackers to execute arbitrary code. This can be achieved via several parameters, including the lang parameter to...

CVSS 8.8 · AI score 7 · EPSS 0.00916 · Exploits 1 · References 3

RedhatCVE · added 2025/05/17 11:00 a.m.

CVE-2025-3446

Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to check the correct permissions, which allows authenticated users who only have permission to invite non-guest users to a team to add guest users to that team via the API to add a single user to a team...

CVSS 4.3 · AI score 6.6 · EPSS 0.00198 · Exploits 0 · References 1

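The Total.js entry (CVE-2019-15953) and the Mattermost entry above share one root cause: the authorization decision is made on the page route or in the UI, and the API route that reaches the same data either skips it or checks a coarser permission. The Go program below is an added illustration of that pattern and its fix; it is not code from Total.js, Mattermost or any other project on this page. The document store, the X-User header standing in for an authenticated session, and the route names are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed data for the example: document id -> owner. Not any project's schema.
var docs = map[string]string{
	"1": "alice",
	"2": "bob",
}

// currentUser reads the caller from a hypothetical X-User header that an
// authentication layer would set; real code would use a verified session.
func currentUser(r *http.Request) string { return r.Header.Get("X-User") }

// checkOwner is the single authorization decision for a document.
// Every route that exposes the document, page or API, must call it.
func checkOwner(user, id string) (int, string) {
	owner, ok := docs[id]
	switch {
	case !ok:
		return http.StatusNotFound, "no such document"
	case owner != user:
		return http.StatusForbidden, "not your document"
	}
	return http.StatusOK, "document " + id + " owned by " + owner
}

func lastSegment(p string) string { return p[strings.LastIndex(p, "/")+1:] }

// vulnerableMux reproduces the flaw described in the listing: the front-end
// path enforces ownership, the API path only checks that the id exists.
func vulnerableMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/doc/", func(w http.ResponseWriter, r *http.Request) {
		code, msg := checkOwner(currentUser(r), lastSegment(r.URL.Path))
		w.WriteHeader(code)
		fmt.Fprint(w, msg)
	})
	mux.HandleFunc("/api/doc/", func(w http.ResponseWriter, r *http.Request) {
		id := lastSegment(r.URL.Path)
		if _, ok := docs[id]; !ok {
			w.WriteHeader(http.StatusNotFound)
			return
		}
		fmt.Fprint(w, "document "+id+" owned by "+docs[id]) // no owner check
	})
	return mux
}

// hardenedMux routes both paths through the same decision function, so the
// API cannot be used to reach a resource the page would refuse.
func hardenedMux() http.Handler {
	serve := func(w http.ResponseWriter, r *http.Request) {
		code, msg := checkOwner(currentUser(r), lastSegment(r.URL.Path))
		w.WriteHeader(code)
		fmt.Fprint(w, msg)
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/doc/", serve)
	mux.HandleFunc("/api/doc/", serve)
	return mux
}

// probe sends a GET to path as user and returns the HTTP status code.
func probe(h http.Handler, user, path string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("X-User", user)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for name, h := range map[string]http.Handler{"vulnerable": vulnerableMux(), "hardened": hardenedMux()} {
		fmt.Printf("%-10s bob GET /doc/1 -> %d, GET /api/doc/1 -> %d\n",
			name, probe(h, "bob", "/doc/1"), probe(h, "bob", "/api/doc/1"))
	}
}
```

The test a reviewer should add for any such fix is the one `probe` performs: exercise the API route directly with a low-privilege identity, not only the UI path, because the UI is just one client of the API.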
Snyk · added 2025/05/15 12:30 p.m.

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization due to improper validation of team invite permissions. An attacker can bypass access restrictions by exploiting the API to add unauthorized guest users to a team. Note: This is only exploitable if the attacker is...

CVSS 5.3 · AI score 6.8 · EPSS 0.00198 · Exploits 0 · References 2

Positive Technologies · added 2025/05/15 12:00 a.m.

PT-2025-21325 · Mattermost · Mattermost

Name of the Vulnerable Software and Affected Versions: Mattermost versions 10.5.x through 10.5.2; Mattermost versions 9.11.x through 9.11.11
Description: The issue is related to improper verification of a user's permissions when accessing groups. This allows an attacker to view group information v...

CVSS 4.3 · AI score 5.9 · EPSS 0.00257 · Exploits 0 · References 8

Veracode · added 2025/05/14 3:13 a.m.

Privilege Escalation

github.com/kyverno/kyverno is vulnerable to Privilege Escalation. The vulnerability is due to missing error propagation in the GetNamespaceSelectorsFromNamespaceLister function, which causes policy rules with namespace selectors to be skipped during admission review processing and allows an attacker...

CVSS 8.5 · AI score 6.6 · EPSS 0.00618 · Exploits 1 · References 4 · Affected Software 1

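The Kyverno entry describes a fail-open bug: when the lookup of namespace labels fails and the error is dropped, the selector is evaluated against an empty label set, never matches, and the rule is silently skipped, so the request is admitted. The Go program below is an added illustration of that failure mode and of the fail-closed fix; it is not Kyverno's code, and the NamespaceLister interface, the fake lister, the equality-only selector and the single "no privileged pods in restricted namespaces" rule are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// NamespaceLister is a stand-in for a Kubernetes namespace lister.
// Assumption for this example, not Kyverno's interface.
type NamespaceLister interface {
	Labels(namespace string) (map[string]string, error)
}

// fakeLister holds constructed namespace labels and can simulate a failure.
type fakeLister struct {
	labels map[string]map[string]string
	fail   bool
}

func (f fakeLister) Labels(ns string) (map[string]string, error) {
	if f.fail {
		return nil, errors.New("namespace lister unavailable")
	}
	l, ok := f.labels[ns]
	if !ok {
		return nil, fmt.Errorf("namespace %q not found", ns)
	}
	return l, nil
}

// selectorMatches is a minimal equality-based label selector.
func selectorMatches(selector, labels map[string]string) bool {
	for k, v := range selector {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// ruleAppliesVulnerable drops the lister error. A failed lookup yields nil
// labels, the selector cannot match, and the rule is skipped: fail open.
func ruleAppliesVulnerable(l NamespaceLister, ns string, selector map[string]string) bool {
	labels, _ := l.Labels(ns)
	return selectorMatches(selector, labels)
}

// ruleAppliesFixed propagates the error so the caller can fail closed.
func ruleAppliesFixed(l NamespaceLister, ns string, selector map[string]string) (bool, error) {
	labels, err := l.Labels(ns)
	if err != nil {
		return false, fmt.Errorf("resolving labels for namespace %q: %w", ns, err)
	}
	return selectorMatches(selector, labels), nil
}

// admit evaluates one rule: deny privileged pods in namespaces labelled
// tier=restricted. With the fixed matcher a lookup error denies the request
// instead of skipping the rule.
func admit(l NamespaceLister, ns string, privileged bool) (allowed bool, reason string) {
	selector := map[string]string{"tier": "restricted"}
	applies, err := ruleAppliesFixed(l, ns, selector)
	if err != nil {
		return false, "admission error: " + err.Error()
	}
	if applies && privileged {
		return false, "privileged pods are not allowed in restricted namespaces"
	}
	return true, "ok"
}

func main() {
	healthy := fakeLister{labels: map[string]map[string]string{
		"prod": {"tier": "restricted"},
		"dev":  {"tier": "dev"},
	}}
	broken := fakeLister{fail: true}
	sel := map[string]string{"tier": "restricted"}
	fmt.Println("healthy lister, vulnerable matcher applies rule:", ruleAppliesVulnerable(healthy, "prod", sel))
	fmt.Println("broken lister, vulnerable matcher applies rule: ", ruleAppliesVulnerable(broken, "prod", sel))
	ok, why := admit(broken, "prod", true)
	fmt.Println("broken lister, fixed admit:", ok, why)
}
```

The design choice worth copying is that an admission decision has three outcomes, apply, do not apply, and cannot decide, and only the first two may be collapsed into a boolean; the third has to reach the caller as an error so that the webhook's failure policy, not a nil map, decides what happens.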
Cvelist · added 2025/05/13 3:45 p.m.

CVE-2025-4427 Authentication Bypass

An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API...

CVSS 5.3 · EPSS 0.99589 · Exploits 8 · References 1

NVD · added 2025/05/12 4:15 p.m.

CVE-2025-46737

SEL-5037 Grid Configurator contains an overly permissive Cross-Origin Resource Sharing (CORS) configuration for a data gateway service in the application. This gateway service includes an API which is not properly configured to reject requests from unexpected sources...

CVSS 7.4 · EPSS 0.00147 · Exploits 0 · References 1

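The SEL-5037 entry is a CORS misconfiguration: the gateway API answers cross-origin requests from origins it should not trust, so a page on any site an authenticated operator visits can read the API's responses through the browser. The Go program below is an added illustration of the permissive pattern next to an allow-list version; it is not SEL's code, and the allow-list contents, the /api/data route and the handler's JSON are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedOrigins is the explicit allow-list the gateway should enforce.
// Constructed for this example; not any vendor's configuration.
var allowedOrigins = map[string]bool{
	"https://grid.example.com": true,
}

// permissiveCORS reflects whatever Origin the browser sends and allows
// credentials, so any site a logged-in operator visits can call the API
// with the operator's cookies and read the response.
func permissiveCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if o := r.Header.Get("Origin"); o != "" {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		next.ServeHTTP(w, r)
	})
}

// strictCORS echoes an origin only if it is on the allow-list, refuses the
// request outright for any other origin, and handles preflight itself.
// Requests without an Origin header (same-origin, curl) pass through.
func strictCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		o := r.Header.Get("Origin")
		if o != "" && !allowedOrigins[o] {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		if o != "" {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
			w.Header().Add("Vary", "Origin") // caches must key on Origin
		}
		if r.Method == http.MethodOptions { // preflight
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// data stands in for the gateway API; the payload is constructed.
var data = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, `{"relays":["R1","R2"]}`)
})

// acao sends a GET from origin and returns the status code and the
// Access-Control-Allow-Origin header the browser would see.
func acao(h http.Handler, origin string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/api/data", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	for _, origin := range []string{"https://grid.example.com", "https://attacker.example"} {
		c1, a1 := acao(permissiveCORS(data), origin)
		c2, a2 := acao(strictCORS(data), origin)
		fmt.Printf("%-28s permissive: %d %q  strict: %d %q\n", origin, c1, a1, c2, a2)
	}
}
```

Rejecting an unknown origin with 403 rather than merely omitting the header is deliberate: omitting the header stops the browser from exposing the response, but the request has still executed on the server, which matters for state-changing endpoints.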
Positive Technologies · added 2025/05/12 12:00 a.m.

PT-2025-25202 · Mattermost · Mattermost

Name of the Vulnerable Software and Affected Versions: Mattermost versions 10.5.x through 10.5.4; Mattermost versions 9.11.x through 9.11.13
Description: The issue allows guest users to bypass permissions and view information about public teams they are not members of via a direct API call to...

CVSS 4.3 · AI score 5.9 · EPSS 0.00181 · Exploits 0 · References 15

Tenable Nessus · added 2025/05/12 12:00 a.m.

Wazuh Server 4.4.0 < 4.9.1 RCE

The version of Wazuh Server on the remote host is at least 4.4.0 and prior to 4.9.1. It is, therefore, affected by a remote code execution vulnerability:
- Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh...

CVSS 9.9 · AI score 9.6 · EPSS 0.92579 · Exploits 10 · References 2

Vulnrichment · added 2025/05/06 8:52 p.m.

CVE-2025-47419 Non-Secure Access

Cleartext Transmission of Sensitive Information vulnerability in Crestron Automate VX allows Sniffing Network Traffic. The device allows Web UI and API access over non-secure network ports, which exposes sensitive information such as user passwords. This issue affects Automate VX: from...

CVSS 10 · AI score 6.2 · EPSS 0.00238 · Exploits 0 · References 3

Positive Technologies · added 2025/05/06 12:00 a.m.

PT-2025-19990 · Crestron · Crestron Automate Vx

Name of the Vulnerable Software and Affected Versions: Crestron Automate VX versions 5.6.8161.21536 through 6.4.0.49
Description: The issue allows for the cleartext transmission of sensitive information, such as user passwords, due to the device allowing Web UI and API access over non-secure...

CVSS 10 · AI score 6.1 · EPSS 0.00238 · Exploits 0 · References 12