Lucene search

2004 matches found

Positive Technologies · added 2025/01/04 12:00 a.m. · 7 views

PT-2025-1774 · WordPress · Wp Project Manager

Name of the Vulnerable Software and Affected Versions: WP Project Manager plugin versions up to and including 2.6.16
Description: The WP Project Manager plugin for WordPress is vulnerable to SQL Injection via the project id parameter of the "/wp-json/pm/v2/projects/2/task-lists" REST API endpoint...

CVSS 6.5 · AI score 9.8 · EPSS 0.00419
Exploits 0 · References 10
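Added example, not code from the plugin or from the advisory: the pattern behind this entry, a numeric path segment (/projects/<id>/task-lists) pasted into a query, reproduced in Python with sqlite3 next to the validated and parameterised form. The table, rows and payloads are constructed for the demonstration; the plugin's real schema and query are not shown on this page.

```python
import re
import sqlite3


def make_db():
    # Constructed sample table standing in for the plugin's task lists; not its real schema.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE task_lists (id INTEGER PRIMARY KEY, project_id INTEGER, title TEXT)"
    )
    db.executemany(
        "INSERT INTO task_lists VALUES (?, ?, ?)",
        [(1, 1, "private backlog"), (2, 2, "sprint 1"), (3, 2, "sprint 2")],
    )
    return db


def task_lists_vulnerable(db, project_id):
    # Bug class: the <id> segment of /projects/<id>/task-lists is pasted into the SQL text,
    # so whatever the client sends is parsed as SQL.
    sql = f"SELECT title FROM task_lists WHERE project_id = {project_id}"
    return [row[0] for row in db.execute(sql)]


def task_lists_fixed(db, project_id):
    # Validate the shape first (decimal digits only), then bind the value as a parameter
    # so the database never parses attacker text as SQL.
    if not isinstance(project_id, str) or not re.fullmatch(r"[0-9]{1,18}", project_id):
        raise ValueError("project id must be a decimal integer")
    sql = "SELECT title FROM task_lists WHERE project_id = ?"
    return [row[0] for row in db.execute(sql, (int(project_id),))]


def demo():
    db = make_db()
    # Two attacker-controlled path segments (constructed payloads).
    tautology = "2 OR 1=1"                            # returns every project's lists
    union = "0 UNION SELECT name FROM sqlite_master"  # pulls schema names instead of titles
    leaked_all = task_lists_vulnerable(db, tautology)
    leaked_schema = task_lists_vulnerable(db, union)
    try:
        task_lists_fixed(db, tautology)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "leaked_all": leaked_all,
        "leaked_schema": leaked_schema,
        "blocked": blocked,
        "legit": task_lists_fixed(db, "2"),
    }


if __name__ == "__main__":
    print(demo())
```

The regex gate is what a route should do with an id taken from the URL; the bound parameter is what protects the query even if a value slips past validation elsewhere. In WordPress the equivalent is casting with absint() and building the statement with $wpdb->prepare(), which the sqlite3 placeholder stands in for here.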
Tenable Nessus · added 2025/01/03 12:00 a.m. · 9 views

ZenML < 0.56.2 Vulnerability - CVE-2024-2035

The version of ZenML installed on the remote host is prior to 0.56.2. It is, therefore, affected by an improper authorization vulnerability in the API /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing th...

CVSS 6.5 · AI score 6.5 · EPSS 0.00623
Exploits 1 · References 3
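Added example, not ZenML's code: what this entry describes is a route that confirms the caller is authenticated but never compares the caller with the id in the URL. The Python below shows that shape beside an object-level check (owner or admin) and a field-level check (ordinary users may not set privilege-bearing fields on their own row). The user records, the Actor type and the SELF_EDITABLE split are assumptions made for the example, not ZenML's data model or policy.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Actor:
    """The authenticated caller, as the route sees it after token validation."""
    id: str
    is_admin: bool = False


class Forbidden(PermissionError):
    pass


# Fields a user may change on their own record. Anything else (activation, admin flag)
# needs an admin. This split is an assumption for the example, not ZenML's policy.
SELF_EDITABLE = frozenset({"name", "email", "password_hash"})


def fresh_users():
    # Constructed sample records; not ZenML's data model.
    return {
        "u1": {"name": "alice", "email": "alice@example.invalid", "active": True},
        "u2": {"name": "bob", "email": "bob@example.invalid", "active": True},
    }


def update_user_vulnerable(users, actor, target_id, changes):
    # Bug class: the route verifies that *someone* is logged in and nothing else,
    # so the id in the URL is never compared with the caller.
    users[target_id].update(changes)
    return users[target_id]


def update_user_fixed(users, actor, target_id, changes):
    # Object-level check first: the caller must own the record or be an admin.
    # Doing this before the existence lookup means a non-owner cannot probe which ids exist.
    if actor.id != target_id and not actor.is_admin:
        raise Forbidden(f"{actor.id} may not modify {target_id}")
    # Field-level check: ordinary users may not touch privilege-bearing fields on their own row.
    if not actor.is_admin and not set(changes) <= SELF_EDITABLE:
        raise Forbidden(f"{actor.id} may not change {sorted(set(changes) - SELF_EDITABLE)}")
    if target_id not in users:
        raise KeyError(target_id)
    users[target_id].update(changes)
    return users[target_id]


def attempt(func, users, actor, target_id, changes):
    try:
        func(users, actor, target_id, changes)
        return "applied"
    except Forbidden:
        return "forbidden"


def demo():
    bob, admin = Actor("u2"), Actor("u9", is_admin=True)
    takeover = {"email": "attacker@example.invalid"}
    users = fresh_users()
    results = {"vulnerable_cross_user": attempt(update_user_vulnerable, users, bob, "u1", takeover)}
    users = fresh_users()
    results["fixed_cross_user"] = attempt(update_user_fixed, users, bob, "u1", takeover)
    results["fixed_self"] = attempt(update_user_fixed, users, bob, "u2", {"name": "robert"})
    results["fixed_self_escalation"] = attempt(
        update_user_fixed, users, bob, "u2", {"active": False, "is_admin": True}
    )
    results["fixed_admin"] = attempt(update_user_fixed, users, admin, "u1", {"active": False})
    results["alice_email"] = users["u1"]["email"]
    results["bob_name"] = users["u2"]["name"]
    return results


if __name__ == "__main__":
    print(demo())
```

The same object-level comparison is what a "missing capability check" on a REST route lacks, whether the framework calls it a capability, a permission or an ownership test.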
Positive Technologies · added 2025/01/03 12:00 a.m. · 3 views

PT-2025-4297 · Unknown +1 · Siyuan Note +1

Name of the Vulnerable Software and Affected Versions: SiYuan Note version 3.1.18
Description: SiYuan Note is self-hosted, open source personal knowledge management software. The software has an arbitrary file deletion vulnerability that exists in the POST /api/history/getDocHistoryContent...

CVSS 9.9 · AI score 6.7 · EPSS 0.75197
Exploits 5 · References 62
CVE · added 2024/12/30 11:47 a.m. · 90 views

CVE-2024-10044

CVE-2024-10044 describes a Server-Side Request Forgery (SSRF) in the lm-sys/fastchat Controller API Server, affecting the POST /worker_generate_stream endpoint. The vulnerability allows an attacker to misuse the controller API server’s credentials to perform unauthorized web actions or access res...

CVSS 9.3 · AI score 9.2 · EPSS 0.00503
Exploits 1 · References 1 · Affected software 1
Positive Technologies · added 2024/12/30 12:00 a.m. · 4 views

PT-2024-15992 · Unknown · Lm-Sys/Fastchat

Name of the Vulnerable Software and Affected Versions: lm-sys/fastchat versions as of commit e208d5677c6837d590b81cb03847c0b9de100765
Description: A Server-Side Request Forgery (SSRF) vulnerability exists in the "POST /worker_generate_stream" API endpoint of the Controller API Server. This issue...

CVSS 9.3 · AI score 9.2 · EPSS 0.00503
Exploits 1 · References 8
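Added example covering the two fastchat entries above (CVE-2024-10044 and PT-2024-15992); it is not fastchat's code. A controller that proxies a generate request to a worker must take the worker address from its own registry, never from the request body. The Python below shows the bug shape (forward to whatever the client sent) beside a lookup against registered workers with URL normalisation, so that case, default ports and userinfo tricks cannot bypass the comparison. The registry addresses and the JSON field name worker_address are assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed registry of workers this controller accepted at registration time.
# Addresses are hypothetical. The point is that the set is filled by registration,
# never by a later client request.
REGISTERED_WORKERS = frozenset({
    "http://10.0.0.5:21002",
    "http://worker-b.internal:21002/",
})

ENDPOINT = "/worker_generate_stream"


class UnsafeWorkerAddress(ValueError):
    pass


def canonical(addr):
    """Normalise scheme://host:port so a lookup cannot be bypassed by case, a default
    port, or userinfo such as http://10.0.0.5:21002@evil.example/ (host is evil.example)."""
    p = urlsplit(addr)
    if p.scheme not in ("http", "https"):
        raise UnsafeWorkerAddress(f"scheme not allowed in {addr!r}")
    if p.username is not None or p.password is not None or p.query or p.fragment:
        raise UnsafeWorkerAddress(f"unexpected URL components in {addr!r}")
    try:
        port = p.port  # raises ValueError for things like 10.0.0.5:21002.evil.example
    except ValueError as exc:
        raise UnsafeWorkerAddress(f"bad port in {addr!r}") from exc
    if not p.hostname:
        raise UnsafeWorkerAddress(f"missing host in {addr!r}")
    if port is None:
        port = 443 if p.scheme == "https" else 80
    return f"{p.scheme}://{p.hostname}:{port}"


def target_url_vulnerable(body):
    # Bug class: the address in the client's JSON becomes the controller's outbound target,
    # so the caller picks any host the controller can reach (metadata services, internal APIs).
    return body["worker_address"].rstrip("/") + ENDPOINT


def target_url_fixed(body, registry=REGISTERED_WORKERS):
    # Only forward to an address that matches a registered worker after normalisation.
    allowed = {canonical(a) for a in registry}
    requested = canonical(body["worker_address"])
    if requested not in allowed:
        raise UnsafeWorkerAddress(f"{body['worker_address']!r} is not a registered worker")
    return requested + ENDPOINT


def rejected(addr, registry=REGISTERED_WORKERS):
    """True if the fixed version refuses to forward to addr."""
    try:
        target_url_fixed({"worker_address": addr}, registry)
        return False
    except UnsafeWorkerAddress:
        return True


if __name__ == "__main__":
    print(target_url_fixed({"worker_address": "http://10.0.0.5:21002/"}))
    print(rejected("http://169.254.169.254/latest/meta-data"))
```

A "block private IP ranges" filter would be the wrong tool here: in this kind of deployment the legitimate workers sit on private addresses, and an attacker who can reach the controller wants exactly those. The allowlist keyed on the controller's own registration data is what removes the client's choice of destination.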
Vulnrichment · added 2024/12/23 2:00 a.m. · 7 views

CVE-2024-12901 FoxCMS API Endpoint Site.php improper authorization

A vulnerability classified as critical was found in FoxCMS up to 1.2. Affected by this vulnerability is an unknown functionality of the file /app/api/controller/Site.php of the component API Endpoint. The manipulation of the argument password leads to improper authorization. The attack can be...

CVSS 6.9 · AI score 7.1 · EPSS 0.006
Exploits 0 · References 4
Cvelist · added 2024/12/23 2:00 a.m. · 24 views

CVE-2024-12901 FoxCMS API Endpoint Site.php improper authorization

A vulnerability classified as critical was found in FoxCMS up to 1.2. Affected by this vulnerability is an unknown functionality of the file /app/api/controller/Site.php of the component API Endpoint. The manipulation of the argument password leads to improper authorization. The attack can be...

CVSS 6.9 · EPSS 0.006
Exploits 0 · References 4
CVE · added 2024/12/23 2:00 a.m. · 92 views

CVE-2024-12901

FoxCMS up to version 1.2 is affected by a critical issue in the API Endpoint, specifically in /app/api/controller/Site.php, where manipulating the password argument leads to improper authorization. The vulnerability enables remote exploitation, and the exploit has been publicly disclosed. Multipl...

CVSS 6.9 · AI score 5.5 · EPSS 0.006
Exploits 0 · References 4 · Affected software 1
Positive Technologies · added 2024/12/23 12:00 a.m. · 4 views

PT-2024-17789 · Foxcms · Foxcms

Name of the Vulnerable Software and Affected Versions: FoxCMS versions up to 1.2
Description: A critical issue was found in the API Endpoint component, specifically in the file /app/api/controller/Site.php. The manipulation of the password argument leads to improper authorization, allowing for...

CVSS 6.9 · AI score 5.2 · EPSS 0.006
Exploits 0 · References 9
NVD · added 2024/12/18 7:15 a.m. · 17 views

CVE-2024-39703

In ThreatQuotient ThreatQ before 5.29.3, authenticated users are able to execute arbitrary commands by sending a crafted request to an API endpoint...

CVSS 8.8 · EPSS 0.00692
Exploits 0 · References 3
Positive Technologies · added 2024/12/18 12:00 a.m. · 3 views

PT-2024-36564 · Kanboard +1 · Kanboard +1

Name of the Vulnerable Software and Affected Versions: Kanboard versions prior to 1.2.43
Description: Kanboard is project management software that focuses on the Kanban methodology. In affected versions, sessions are still usable even though their lifetime has been exceeded. Kanboard implements a cust...

CVSS 6.5 · AI score 7.4 · EPSS 0.00492
Exploits 1 · References 17
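Added example, not Kanboard's code (Kanboard is PHP; this is a Python stand-in for a custom, store-backed session handler). The failure described in the entry is a handler that returns a session row as long as the row still exists, leaving expiry to a garbage collector that may never run, so an old cookie keeps authenticating. The fixed read enforces the lifetime on every lookup and destroys the row when it has passed. The store layout and the FakeClock are constructed for the demonstration.

```python
import time


class FakeClock:
    """Constructed clock so expiry can be demonstrated without sleeping."""

    def __init__(self, now):
        self.now = float(now)

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    """Minimal stand-in for a database-backed custom session handler; not Kanboard's code."""

    def __init__(self, lifetime_seconds, clock=time.time):
        self.lifetime = lifetime_seconds
        self.clock = clock
        self.rows = {}  # session_id -> {"data": ..., "expires_at": ...}

    def write(self, session_id, data):
        self.rows[session_id] = {"data": data, "expires_at": self.clock() + self.lifetime}

    def read_vulnerable(self, session_id):
        # Bug class: the row is returned as long as it exists. Expiry is left to gc(),
        # so until that runs an expired cookie still authenticates.
        row = self.rows.get(session_id)
        return row["data"] if row else None

    def read_fixed(self, session_id):
        # Enforce the lifetime on every read and destroy the row once it has passed,
        # rather than merely hiding it until a collector gets around to it.
        row = self.rows.get(session_id)
        if row is None:
            return None
        if self.clock() >= row["expires_at"]:
            del self.rows[session_id]
            return None
        return row["data"]

    def gc(self):
        """Periodic cleanup; necessary for storage hygiene, insufficient as the only check."""
        now = self.clock()
        expired = [sid for sid, row in self.rows.items() if now >= row["expires_at"]]
        for sid in expired:
            del self.rows[sid]
        return len(expired)


def demo():
    clock = FakeClock(1_000_000)
    store = SessionStore(lifetime_seconds=3600, clock=clock)
    store.write("s1", {"user_id": 7})
    clock.advance(3601)  # one second past the lifetime
    return {
        "vulnerable_after_expiry": store.read_vulnerable("s1"),
        "fixed_after_expiry": store.read_fixed("s1"),
        "row_destroyed": "s1" not in store.rows,
    }


if __name__ == "__main__":
    print(demo())
```

The same check belongs in the server-side handler regardless of what the cookie's own expiry says, because the cookie is under the client's control and the stored row is not.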
Positive Technologies · added 2024/12/17 12:00 a.m. · 6 views

PT-2024-28642 · Threatquotient · Threatq

Name of the Vulnerable Software and Affected Versions: ThreatQuotient ThreatQ versions prior to 5.29.3
Description: The issue allows authenticated users to execute arbitrary commands by sending a crafted request to an API endpoint.
Recommendations: For versions prior to 5.29.3, update to version...

CVSS 8.8 · AI score 7.9 · EPSS 0.00692
Exploits 0 · References 12
Cvelist · added 2024/12/13 8:24 a.m. · 18 views

CVE-2024-11275 WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin <= 1.0.27 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Deletion

The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the /wp-json/timetics/v1/customers/ REST API endpoint in all versions up to, and including, 1.0.27. This makes...

CVSS 4.3 · EPSS 0.00321
Exploits 0 · References 3
OSV · added 2024/12/13 6:15 a.m. · 1 view

CVE-2024-11838

External Control of File Name or Path vulnerability in PlexTrac allows Local Code Inclusion through use of an undocumented API endpoint. This issue affects PlexTrac: from 1.61.3 before 2.8.1...

CVSS 9.8 · AI score 5.8 · EPSS 0.00422
Exploits 0 · References 1
NVD · added 2024/12/13 6:15 a.m. · 14 views

CVE-2024-11838

External Control of File Name or Path vulnerability in PlexTrac allows Local Code Inclusion through use of an undocumented API endpoint. This issue affects PlexTrac: from 1.61.3 before 2.8.1...

CVSS 9.8 · EPSS 0.00422
Exploits 0 · References 1
CVE · added 2024/12/13 5:51 a.m. · 88 views

CVE-2024-11838

The CVE is confirmed for PlexTrac: external control of a file name or path enabling Local Code Inclusion via an undocumented API endpoint. Affected versions are from 1.61.3 before 2.8.1, which is the fixed release. The underlying issue is an external control vulnerability allowing file path manipulation, leading to local code i...

CVSS 9.8 · AI score 6.8 · EPSS 0.00422
Exploits 0 · References 1 · Affected software 1
Positive Technologies · added 2024/12/13 12:00 a.m. · 2 views

PT-2024-36188 · Unknown · Aicomments

Name of the Vulnerable Software and Affected Versions: AIcomments versions 1.4.1 and earlier
Description: The issue is a Cross-Site Request Forgery (CSRF) vulnerability, which allows an attacker to perform unauthorized actions on a user's account. This can be achieved by tricking the user into...

CVSS 4.3 · AI score 7 · EPSS 0.00218
Exploits 0 · References 3
OSV · added 2024/12/12 3:46 p.m. · 35 views

GO-2024-3327 SiYuan has an arbitrary file read via /api/template/render in github.com/siyuan-note/siyuan/kernel

SiYuan has an arbitrary file read via /api/template/render in github.com/siyuan-note/siyuan/kernel...

CVSS 8.7 · AI score 6.4 · EPSS 0.00717
Exploits 0 · References 2
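Added example for the file-path entries above (the SiYuan arbitrary file read and deletion records and the PlexTrac external-control-of-path record); it is not code from any of those projects (SiYuan's kernel is Go; Python is used here for a runnable illustration). Each of those bugs comes down to joining a client-supplied path onto a base directory and using the result without checking that it still lies inside the base. The Python below shows that join-and-open shape beside a containment check that resolves the candidate (collapsing ".." and following symlinks) and compares it with the resolved base. The workspace, files and payloads are constructed in a temporary directory; the real endpoints' parameter names are not shown on this page.

```python
import os
import shutil
import tempfile
from pathlib import Path


class PathEscape(ValueError):
    pass


def resolve_within(base, requested):
    """Map a client-supplied path onto base, refusing anything that ends up outside it.

    resolve() collapses '..' segments and follows symlinks, so a link inside the
    workspace that points outside is caught as well as a plain traversal.
    An absolute `requested` replaces base in the join and is therefore rejected too.
    """
    root = Path(base).resolve()
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise PathEscape(f"{requested!r} escapes {root}")
    return candidate


def read_vulnerable(base, requested):
    # Bug class: join and open, no containment check. '..' and absolute paths walk out.
    return Path(os.path.join(base, requested)).read_text()


def read_fixed(base, requested):
    p = resolve_within(base, requested)
    if not p.is_file():
        raise FileNotFoundError(requested)
    return p.read_text()


def blocked(func, *args):
    try:
        func(*args)
        return False
    except PathEscape:
        return True


def demo():
    tmp = Path(tempfile.mkdtemp())
    try:
        outside = tmp / "outside.txt"          # stands in for a file the API must never reach
        outside.write_text("secret")
        workspace = tmp / "workspace"          # the directory the API is meant to serve
        (workspace / "notes").mkdir(parents=True)
        (workspace / "notes" / "a.md").write_text("hello")
        results = {
            "inside_read": read_fixed(workspace, "notes/a.md"),
            "vulnerable_read": read_vulnerable(workspace, "../outside.txt"),
            "fixed_blocked": blocked(read_fixed, workspace, "../outside.txt"),
            "absolute_blocked": blocked(read_fixed, workspace, str(outside)),
        }
        link = workspace / "link.txt"
        try:
            link.symlink_to(outside)
        except OSError:
            results["symlink_blocked"] = None  # platform does not allow creating the link
        else:
            results["symlink_blocked"] = blocked(read_fixed, workspace, "link.txt")
        return results
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The same resolve_within() guards a delete or a template render just as it guards a read: the check is on the path, before any operation is chosen. Comparing against the resolved base matters because a base that is itself a symlink (common under /tmp on some systems) would otherwise never match.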
NVD · added 2024/12/12 12:15 p.m. · 14 views

CVE-2024-9387

An issue was discovered in GitLab CE/EE affecting all versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could potentially perform an open redirect against a given releases API endpoint...

CVSS 6.4 · EPSS 0.00373
Exploits 1 · References 2
Vulnrichment · added 2024/12/12 12:02 p.m. · 10 views

CVE-2024-9387 URL Redirection to Untrusted Site ('Open Redirect') in GitLab

An issue was discovered in GitLab CE/EE affecting all versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could potentially perform an open redirect against a given releases API endpoint...

CVSS 6.4 · AI score 6.5 · EPSS 0.00373
Exploits 1 · References 2
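Added example covering the two CVE-2024-9387 entries above; it is not GitLab's code (GitLab is Ruby; Python is used for a runnable illustration). The page does not say which parameter the releases endpoint redirects on, so the example is generic: a redirect target taken from a request is only honoured if it stays on the application's own host. The function rejects scheme-relative URLs (//evil.example), backslash variants browsers treat as slashes, userinfo tricks (https://own.host@evil.example/), non-HTTP schemes and control characters, and falls back to a fixed location otherwise. own_host and the sample targets are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit


def safe_redirect_target(target, own_host, fallback="/"):
    """Return target if it stays on own_host, otherwise fallback.

    Relative paths come back as a path; absolute same-host URLs are rebuilt over https.
    """
    # Control characters and whitespace: some clients strip them, which turns
    # "java\tscript:" into a working scheme. Refuse rather than normalise.
    if not target or any(ord(ch) <= 0x20 for ch in target):
        return fallback
    parts = urlsplit(target)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return fallback  # javascript:, data:, etc.
    if parts.netloc:
        # Absolute or scheme-relative (//evil.example). hostname is lowercased and has
        # any user:pass@ stripped, so "https://own.host@evil.example/" lands on evil.example.
        if parts.username is not None or parts.password is not None:
            return fallback
        if parts.hostname != own_host.lower():
            return fallback
        return urlunsplit(("https", own_host, parts.path or "/", parts.query, parts.fragment))
    if parts.scheme:
        return fallback  # "http:evil.example" style: scheme without authority
    path = parts.path
    # Must be a single leading slash; "//x" is scheme-relative and "/\x" becomes "//x" in browsers.
    if not path.startswith("/") or path[1:2] in ("/", "\\"):
        return fallback
    return urlunsplit(("", "", path, parts.query, parts.fragment))


if __name__ == "__main__":
    for t in ["/releases?tag=v1", "//evil.example/", "https://gitlab.example/-/releases",
              "https://gitlab.example@evil.example/", "javascript:alert(1)"]:
        print(repr(t), "->", safe_redirect_target(t, "gitlab.example"))
```

Returning a fallback instead of raising keeps the endpoint usable for legitimate callers whose client sent nothing, while never echoing an unverified target into a Location header.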