CVE-2025-56264

The /api/comment endpoint in zhangyd-c OneBlog 2.3.9 contains a denial-of-service vulnerability...

CVE-2025-43802

Stored cross-site scripting XSS vulnerability in a custom object’s /o/c/ API endpoint in Liferay Portal 7.4.3.51 through 7.4.3.109, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 update 51 through update 92, and 7.3 update 33 through update 35. allows remote attackers to inject arbitrary web...

CVE-2025-10371

A security flaw has been discovered in eCharge Hardy Barth Salia PLCC up to 2.3.81. This issue affects some unknown processing of the file /api.php. The manipulation of the argument setrfidlist results in unrestricted upload. The attack may be performed from remote. The exploit has been released ...

CVE-2025-10371

CVE-2025-10371 affects eCharge Hardy Barth Salia PLCC (versions up to 2.3.81, and 2.2.0 cited in PTSecurity) with a vulnerability in the API endpoint /api.php. The issue allows manipulation of the setrfidlist parameter to achieve unrestricted file uploads, and can be exploited remotely. Public Po...

CVE-2025-54123

Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, the middleware functionality in Hoverfly is vulnerable to command injection vulnerability at /api/v2/hoverfly/middleware endpoint due to insufficient validation and sanitization in user input. The vulnerability exists i...

CVE-2025-55976

Intelbras IWR 3000N 1.9.8 exposes the Wi-Fi password in plaintext via the /api/wireless endpoint. Any unauthenticated user on the local network can directly obtain the Wi-Fi network password by querying this endpoint...

Mattermost Server 9.11.x < 9.11.18 / 10.5.x < 10.5.9 / 10.10.0 Incorrect Authorization (MMSA-2025-00485)

The version of Mattermost Server installed on the remote host is affected by a vulnerability as referenced in the MMSA-2025-00485 advisory. - Mattermost versions 10.5.x = 10.5.8, 9.11.x = 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins t...

CVE-2025-6088

CVE-2025-6088 affects danny-avila/librechat. In version 0.7.8, improper authorization on the conversation sharing endpoint /api/share/conversationID allows a logged-in user to read other users’ conversations when the conversation ID is known. UUIDv4 IDs are server-side but can leak via logs, hist...

CVE-2025-54123

Hoverfly (versions

CVE-2025-56413

OS Command injection vulnerability in function OperateSSH in 1panel 2.0.8 allowing attackers to execute arbitrary commands via the operation parameter to the /api/v2/hosts/ssh/operate endpoint...

CVE-2025-8311

dotCMS versions 24.03.22 and after, identified a Boolean-based blind SQLi vulnerability in the /api/v1/contenttype endpoint. This endpoint uses the sites query parameter, which accepts a comma-separated list of site identifiers or keys. The vulnerability was triggered via the sites parameter, whi...

CVE-2025-20270

A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager EPNM and Cisco Prime Infrastructure could allow an authenticated, remote attacker to obtain sensitive information from an affected system. This vulnerability is due to improper validation of reques...

Cisco Evolved Programmable Network Manager and Cisco Prime Infrastructure Information Disclosure Vulnerability

A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager EPNM and Cisco Prime Infrastructure could allow an authenticated, remote attacker to obtain sensitive information from an affected system. This vulnerability is due to improper validation of reques...

simple-admin-core SQL Injection vulnerability

An issue was discovered in simple-admin-core v1.2.0 thru v1.6.7. The /sys-api/role/update interface in the simple-admin-core system has a limited SQL injection vulnerability, which may lead to partial data leakage or disruption of normal system operations...

CVE-2025-53363

dpanel is an open source server management panel written in Go. In versions 1.2.0 through 1.7.2, dpanel allows authenticated users to read arbitrary files from the server via the /api/app/compose/get-from-uri API endpoint. The vulnerability exists in the GetFromUri function in...

CVE-2025-53363

dpanel is an open source server management panel written in Go. In versions 1.2.0 through 1.7.2, dpanel allows authenticated users to read arbitrary files from the server via the /api/app/compose/get-from-uri API endpoint. The vulnerability exists in the GetFromUri function in...

SUSE CVE-2025-44001

Mattermost Confluence Plugin version 1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the Get Channel Subscriptions details endpoint...

SUSE CVE-2025-53857

Mattermost Confluence Plugin version 1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the GET autocomplete/GetChannelSubscriptions endpoint...

Tenda AC6 安全漏洞

Tenda AC6 is a dual-band wireless router from Tenda that supports IPv4 and IPv6 protocols and utilizes the 802.11ac/n wireless standard to provide a wireless transmission rate of 1167Mbps. The Tenda AC6 suffers from an information disclosure vulnerability that originates from the...

Command Injection

Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Command Injection via the CustomMCP class. An attacker can gain unauthorized remote access and execute arbitrary operating system commands by sending crafted requests over the network. This i...