105 matches found
CVE-2026-54164
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions prior to 4.1.30, 4.2.26 and 4.3.12, the serializer's AbstractItemNormalizer does not validate the resource type returned when resolving relation IRIs, allowing type confusion where a resource of an...
CVE-2026-49858
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions from 2.6.0 prior to 4.1.29, 4.2.26, and 4.3.12, a missing isCacheKeySafe gate in the JSON:API and HAL item normalizers causes a cross-user attribute leak. ApiPropertysecurity: ... is evaluated per request...
CVE-2026-54164 API Platform Core: Missing IRI type check enables resource type confusion
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions prior to 4.1.30, 4.2.26 and 4.3.12, the serializer's AbstractItemNormalizer does not validate the resource type returned when resolving relation IRIs, allowing type confusion where a resource of an...
CVE-2026-54164
Summary: API Platform Core versions prior to 4.1.30, 4.2.26 and 4.3.12 contain a type-confusion in the serializer’s AbstractItemNormalizer when resolving relation IRIs. An attacker able to submit write requests (POST/PUT/PATCH) to an API endpoint with writable relations can supply a relation IRI ...
PT-2026-49086
Name of the Vulnerable Software and Affected Versions API Platform Core versions prior to 4.1.30 API Platform Core versions prior to 4.2.26 API Platform Core versions prior to 4.3.12 Description A type confusion issue exists in the serializer's AbstractItemNormalizer when resolving relation IRIs...
PT-2026-46233
Name of the Vulnerable Software and Affected Versions API Platform Core versions 2.6.0 through 4.1.28 API Platform Core versions 4.2.0 through 4.2.25 API Platform Core versions 4.3.0 through 4.3.11 Description A missing isCacheKeySafe gate in the JSON:API and HAL item normalizers leads to a...
CVE-2026-9808
An authorization bypass vulnerability exists in the Mautic 7 API v2 endpoints utilizing API Platform. Under certain conditions, roles configured with owner-scope restrictions such as viewown or editown are not properly enforced. This allows low-privilege authenticated API users to bypass...
CVE-2025-23204
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in a clause. As this falls back to security, the impact is there only when...
EUVD-2019-0695
Malware in sbrugna...
EUVD-2024-27740
Malicious code in bioql PyPI...
EUVD-2024-47149
Malicious code in bioql PyPI...
EUVD-2025-9735
Malicious code in bioql PyPI...
EUVD-2024-32497
Malicious code in bioql PyPI...
EUVD-2023-0802
Malicious code in bioql PyPI...
EUVD-2025-9737
Malicious code in bioql PyPI...
EUVD-2025-7991
Malicious code in bioql PyPI...
EUVD-2024-46488
Malicious code in bioql PyPI...
The vulnerability of the Sensedia API Platform Tools for Jenkins servers, related to the storage of tokens in unencrypted form, allows attackers to gain unauthorized access to protected information.
The vulnerability of the Sensedia Api Platform tools for Jenkins servers relates to the storage of tokens in an unencrypted form within the file com.sensedia.configuration.SensediaApiConfiguration.xml. Exploiting this vulnerability could allow a malicious actor to gain unauthorized access to...
The vulnerability of the Sensedia API Platform Tools for Jenkins servers, related to the storage of tokens in unencrypted form, allows attackers to gain unauthorized access to protected information.
The vulnerability of the Sensedia Api Platform tools for Jenkins servers relates to the storage of tokens in an unencrypted form within the file com.sensedia.configuration.SensediaApiConfiguration.xml. Exploiting this vulnerability could allow a malicious actor to gain unauthorized access to...
CVE-2025-53673
Jenkins Sensedia Api Platform tools Plugin 1.0 stores the Sensedia API Manager integration token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system...