PT-2025-3088 · Monicahq · Monicahq
Name of the Vulnerable Software and Affected Versions: MonicaHQ version 4.1.2 Description: The issue is related to an authenticated Client-Side Injection vulnerability in MonicaHQ. This vulnerability can be exploited via the Reason parameter at the "/people/h:id/debts/create" API endpoint...
CVE-2024-11423
CVE-2024-11423 is exposed in the WordPress plugin “Ultimate Gift Cards for WooCommerce Pro” (Gift Cards for WooCommerce Pro). The root cause is a missing capability check on several REST API endpoints (notably /wp-json/gifting/recharge-giftcard), enabling unauthenticated attackers to modify data ...
VulnCheck KEV: CVE-2024-50603
Aviatrix Controllers contain an OS command injection vulnerability that could allow an unauthenticated attacker to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloudtype for listflightpathdestinationinstances, or srccloudtype for flightpathconnectiontest...
CVE-2024-56828
File Upload vulnerability in ChestnutCMS through 1.5.0. Based on the code analysis, it was determined that the /api/member/avatar API endpoint receives a base64 string as input. This string is then passed to the memberService.uploadAvatarByBase64 method for processing. Within the service, the...
CVE-2024-56828
CVE-2024-56828 affects ChestnutCMS up to 1.5.0. The /api/member/avatar endpoint accepts a base64 data URL, decodes the payload via the service’s uploadAvatarByBase64, and derives a file suffix from the encoded content (substring from the 11th character to the first semicolon). The decoded data is...
PT-2025-3338 · Unknown · Chestnutcms
Name of the Vulnerable Software and Affected Versions: ChestnutCMS versions prior to 1.5.0 Description: The issue concerns a file upload vulnerability where the /api/member/avatar API endpoint receives a base64 string as input, which is then processed by the memberService.uploadAvatarByBase64...
CVE-2024-12195
CVE-2024-12195 affects the WordPress plugin “WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts.” The vulnerability is an SQL Injection in the REST endpoint /wp-json/pm/v2/projects/2/task-lists, exploitable through the project_id parameter in ve...
PT-2025-1774 · WordPress · Wp Project Manager
Name of the Vulnerable Software and Affected Versions: WP Project Manager plugin versions up to and including 2.6.16 Description: The WP Project Manager plugin for WordPress is vulnerable to SQL Injection via the project_id parameter of the "/wp-json/pm/v2/projects/2/task-lists" REST API endpoint...
ZenML < 0.56.2 Vulnerability - CVE-2024-2035
The version of ZenML installed on the remote host is prior to 0.56.2. It is, therefore, affected by an improper authorization vulnerability in the API /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing th...
PT-2025-4297 · Unknown +1 · Siyuan Note +1
Name of the Vulnerable Software and Affected Versions: SiYuan Note version 3.1.18 Description: SiYuan Note is self-hosted, open source personal knowledge management software. The software has an arbitrary file deletion vulnerability that exists in the POST /api/history/getDocHistoryContent...
CVE-2024-10044
CVE-2024-10044 describes a Server-Side Request Forgery (SSRF) in the lm-sys/fastchat Controller API Server, affecting the POST /worker_generate_stream endpoint. The vulnerability allows an attacker to misuse the controller API server’s credentials to perform unauthorized web actions or access res...
PT-2024-15992 · Unknown · Lm-Sys/Fastchat
Name of the Vulnerable Software and Affected Versions: lm-sys/fastchat versions as of commit e208d5677c6837d590b81cb03847c0b9de100765 Description: A Server-Side Request Forgery (SSRF) vulnerability exists in the "POST /worker_generate_stream" API endpoint of the Controller API Server. This issue...
CVE-2024-12901 FoxCMS API Endpoint Site.php improper authorization
A vulnerability classified as critical was found in FoxCMS up to 1.2. Affected by this vulnerability is an unknown functionality of the file /app/api/controller/Site.php of the component API Endpoint. The manipulation of the argument password leads to improper authorization. The attack can be...
CVE-2024-12901
FoxCMS up to version 1.2 is affected by a critical issue in the API Endpoint, specifically in /app/api/controller/Site.php, where manipulating the password argument leads to improper authorization. The vulnerability enables remote exploitation, and the exploit has been publicly disclosed. Multipl...
PT-2024-17789 · Foxcms · Foxcms
Name of the Vulnerable Software and Affected Versions: FoxCMS versions up to 1.2 Description: A critical issue was found in the API Endpoint component, specifically in the file /app/api/controller/Site.php. The manipulation of the password argument leads to improper authorization, allowing for...
CVE-2024-39703
In ThreatQuotient ThreatQ before 5.29.3, authenticated users are able to execute arbitrary commands by sending a crafted request to an API endpoint...
PT-2024-36564 · Kanboard +1 · Kanboard +1
Name of the Vulnerable Software and Affected Versions: Kanboard versions prior to 1.2.43 Description: Kanboard is project management software that focuses on the Kanban methodology. In affected versions, sessions remain usable even after their lifetime has been exceeded. Kanboard implements a cust...
PT-2024-28642 · Threatquotient · Threatq
Name of the Vulnerable Software and Affected Versions: ThreatQuotient ThreatQ versions prior to 5.29.3 Description: The issue allows authenticated users to execute arbitrary commands by sending a crafted request to an API endpoint. Recommendations: For versions prior to 5.29.3, update to version...
CVE-2024-11275 WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin <= 1.0.27 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Deletion
The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the /wp-json/timetics/v1/customers/ REST API endpoint in all versions up to, and including, 1.0.27. This makes...