1990 matches found

RedhatCVE
added 2025/05/22 8:13 p.m. · 4 views

CVE-2021-39875

In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint...

CVSS 5.3 · AI score 6.1 · EPSS 0.00299
Exploits 0 · References 1
RedhatCVE
added 2025/05/22 7:23 p.m. · 5 views

CVE-2021-24731

The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.7.1.6 does not properly escape user data before using it in a SQL statement in the wp-json/pie/v1/login REST API endpoint, leading to an SQL injection...

CVSS 9.8 · AI score 7.1 · EPSS 0.61621
Exploits 2 · References 1
RedhatCVE
added 2025/05/22 7:10 p.m. · 5 views

CVE-2021-21471

In CLA-Assistant, versions before 2.8.5, due to improper access control an authenticated user could access API endpoints which are not intended to be used by the user. This could impact the integrity of the application...

CVSS 6.5 · AI score 6.7 · EPSS 0.00439
Exploits 0 · References 1
RedhatCVE
added 2025/05/22 6:23 p.m. · 5 views

CVE-2021-24170

The REST API endpoint getusers in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the uploadfiles capability. This included password hashes, hashed user activation keys, usernames, emails, and other less...

CVSS 7.5 · AI score 6.6 · EPSS 0.42147
Exploits 2 · References 1
RedhatCVE
added 2025/05/22 4:07 p.m. · 11 views

CVE-2020-2191

Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.20 and earlier does not check permissions on API endpoints that allow adding and removing agent labels...

CVSS 4.3 · AI score 6.8 · EPSS 0.00021
Exploits 0
RedhatCVE
added 2025/05/22 4:06 p.m. · 3 views

CVE-2020-18164

SQL Injection vulnerability exists in tp-shop 2.x-3.x via the /index.php/home/api/shop fBill parameter...

CVSS 9.8 · AI score 8.2 · EPSS 0.00264
Exploits 1
RedhatCVE
added 2025/05/22 3:14 p.m. · 7 views

CVE-2020-15348

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows use of live/CPEManager/AXCampaignManager/deletecpesbyids?cpeids= for eval injection of Python code...

CVSS 10 · AI score 7.3 · EPSS 0.01236
Exploits 1
RedhatCVE
added 2025/05/22 10:06 a.m. · 6 views

CVE-2019-13275

An issue was discovered in the VeronaLabs wp-statistics plugin before 12.6.7 for WordPress. The v1/hit endpoint of the API, when the non-default "use cache plugin" setting is enabled, is vulnerable to unauthenticated blind SQL Injection...

CVSS 9.8 · AI score 7.5 · EPSS 0.00907
Exploits 2 · References 1
RedhatCVE
added 2025/05/22 9:16 a.m. · 3 views

CVE-2019-19631

An issue was discovered in Big Switch Big Monitoring Fabric 6.2 through 6.2.4, 6.3 through 6.3.9, 7.0 through 7.0.3, and 7.1 through 7.1.3; Big Cloud Fabric 4.5 through 4.5.5, 4.7 through 4.7.7, 5.0 through 5.0.1, and 5.1 through 5.1.4; and Multi-Cloud Director through 1.1.0. A read-only user can...

CVSS 8.8 · AI score 6.5 · EPSS 0.00901
Exploits 1 · References 1
RedhatCVE
added 2025/05/22 8:53 a.m. · 5 views

CVE-2019-8138

A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can execute arbitrary JavaScript code by providing an arbitrary API endpoint that will not be checked by the sale pickup event...

CVSS 5.4 · AI score 5.5 · EPSS 0.00148
Exploits 0 · References 1
RedhatCVE
added 2025/05/22 5:02 a.m. · 9 views

CVE-2018-1999019

Chamilo LMS version 11.x contains an Unserialization vulnerability in the "hash" GET parameter for the API endpoint located at /webservices/api/v2.php that can result in unauthenticated remote code execution. This attack appears to be exploitable via a simple GET request to the API endpoint. This...

CVSS 9.8 · AI score 7.8 · EPSS 0.01684
Exploits 0 · References 1
Veracode
added 2025/05/20 9:07 a.m. · 8 views

Denial Of Service (DoS)

github.com/ollama/ollama is vulnerable to Denial of Service (DoS). The vulnerability is due to improper input validation and unchecked array index access in the /api/pull endpoint, which allows an attacker to send a crafted manifest that crashes the server...

CVSS 7.5 · AI score 6.5 · EPSS 0.00495
Exploits 1 · References 2 · Affected Software 1
Positive Technologies
added 2025/05/20 12:00 a.m. · 2 views

PT-2025-22131 · Vmware · Vmware Cloud Foundation

Name of the Vulnerable Software and Affected Versions: VMware Cloud Foundation, affected versions not specified. Description: The issue is an information disclosure vulnerability. A malicious actor with network access to port 443 on VMware Cloud Foundation may exploit this issue to gain access to...

CVSS 7.8 · AI score 6.1 · EPSS 0.00388
Exploits 0 · References 13
Positive Technologies
added 2025/05/18 12:00 a.m. · 2 views

PT-2025-21825 · Totolink · Totolink N300Rt

Name of the Vulnerable Software and Affected Versions: TOTOLINK N300RH version 6.1c.1390 B20191101. Description: A critical vulnerability has been found in the TOTOLINK N300RH router. This issue affects the setUnloadUserData function of the /cgi-bin/cstecgi.cgi file. The manipulation of the plugin...

CVSS 6.5 · AI score 6.7 · EPSS 0.01385
Exploits 0 · References 12
RedhatCVE
added 2025/05/16 8:56 a.m. · 20 views

CVE-2024-8988

The PeepSo Core: File Uploads plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.6.0 via the filedownload REST API endpoint due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to...

CVSS 5.3 · AI score 6.7 · EPSS 0.00125
Exploits 0 · References 1
Cvelist
added 2025/05/14 10:36 a.m. · 18 views

CVE-2025-4430 Unauthorized file manipulation in EZD RP

Unauthorized access to the "/api/Token/gettoken" endpoint in EZD RP allows file manipulation. This issue affects EZD RP in versions before 20.19, published on 22nd August 2024...

CVSS 8.6 · EPSS 0.00282
Exploits 0 · References 2
CNVD
added 2025/05/14 12:00 a.m. · 1 view

Tenda RX2 Pro setLanCfg API Endpoint Input Validation Error Vulnerability

Tenda RX2 Pro is a high performance WiFi 6 signal amplifier from Tenda China. The Tenda RX2 Pro suffers from an input validation error vulnerability that stems from a lack of input validation in the setLanCfg API endpoint, which can be exploited by an attacker to gain root shell access...

CVSS 8.8 · AI score 7.2 · EPSS 0.01464
Exploits 0 · References 1
Positive Technologies
added 2025/05/14 12:00 a.m. · 3 views

PT-2025-21142 · WordPress · Peepso Core

Name of the Vulnerable Software and Affected Versions: PeepSo Core: File Uploads plugin for WordPress, versions up to, and including, 6.4.6.0. Description: The issue allows unauthenticated attackers to download files uploaded by other users, potentially exposing sensitive information, due to missin...

CVSS 5.3 · AI score 6.2 · EPSS 0.00125
Exploits 0 · References 7
CVE
added 2025/05/13 12:00 a.m. · 37 views

CVE-2025-28057

Summary of CVE-2025-28057: The owl-admin project is affected for versions 3.2.2 through 4.10.2 by a SQL Injection in the /admin-api/system/admin_menus/save_order endpoint. This is documented with a high-severity CVSS 3.1 score (7.2) impacting confidentiality, integrity, and availability. The roo...

CVSS 7.2 · AI score 8.3 · EPSS 0.00251
Exploits 1 · References 2 · Affected Software 1
Positive Technologies
added 2025/05/12 12:00 a.m. · 1 view

PT-2025-25203 · Mattermost · Mattermost

Name of the Vulnerable Software and Affected Versions: Mattermost versions 10.7.x through 10.7.1; Mattermost versions 10.6.x through 10.6.3; Mattermost versions 10.5.x through 10.5.4; Mattermost versions 9.11.x through 9.11.13. Description: The issue is related to the improper validation of LDAP grou...

CVSS 4.1 · AI score 6.6 · EPSS 0.00207
Exploits 0 · References 18