798 matches found
Umbraco Engage 安全漏洞
Umbraco Engage is an extension to the digital experience platform developed by the Danish company Umbraco. Versions of Umbraco Engage prior to 16.2.1 and 17.1.1 contained security vulnerabilities. These vulnerabilities stemmed from the lack of authentication or authorization checks for certain AP...
CVE-2026-3131
Improper access control in multiple DVLS REST API endpoints in Devolutions Server 2025.3.14.0 and earlier allows an authenticated user with view-only permission to access sensitive connection data...
PT-2026-36799
Name of the Vulnerable Software and Affected Versions Ollama versions prior to 0.17.1 Description A heap out-of-bounds read issue exists in the GGUF model loader. This occurs during quantization within the WriteTo function in fs/ggml/gguf.go and server/quantization.go when the server processes a...
CVE-2026-3131
CVE-2026-3131 : Devolutions Server prior to 2025.3.14.0 suffers improper access control in multiple DVLS REST API endpoints, allowing an authenticated user with view-only permission to access sensitive connection data. Connected sources indicate remediation by upgrading to 2025.3.15.0 or later; o...
GO-2026-4515 Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints in github.com/akuity/kargo
Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints in github.com/akuity/kargo...
CVE-2026-26977
Frappe Learning Management System LMS is a learning system that helps users structure their content. In versions 2.44.0 and below, unauthorized users are able to access the details of unpublished courses via API endpoints. A fix for this issue is planned for the 2.45.0 release...
PT-2026-20980
Frappe Learning Management System LMS is a learning system that helps users structure their content. In versions 2.44.0 and below, unauthorized users are able to access the details of unpublished courses via API endpoints. A fix for this issue is planned for the 2.45.0 release...
CVE-2026-1258
The Mail Mint plugin for WordPress is vulnerable to blind SQL Injection via the 'forms', 'automation', 'email/templates', and 'contacts/import/tutorlms/map' API endpoints in all versions up to, and including, 1.19.2 . This is due to insufficient escaping on the user supplied 'order-by',...
CVE-2026-1258
CVE-2026-1258 affects the WordPress plugin Mail Mint (
CVE-2026-1258 Mail Mint <= 1.19.2 - Authenticated (Administrator+) SQL Injection via Multiple API Endpoints
The Mail Mint plugin for WordPress is vulnerable to blind SQL Injection via the 'forms', 'automation', 'email/templates', and 'contacts/import/tutorlms/map' API endpoints in all versions up to, and including, 1.19.2 . This is due to insufficient escaping on the user supplied 'order-by',...
PT-2026-8099
The Mail Mint plugin for WordPress is vulnerable to blind SQL Injection via the 'forms', 'automation', 'email/templates', and 'contacts/import/tutorlms/map' API endpoints in all versions up to, and including, 1.19.2 . This is due to insufficient escaping on the user supplied 'order-by',...
Improper Origin Validation in MLflow Assistant /ajax-api Endpoints Enables Browser-Mediated Local Command Execution
Description Analyzed project version: MLflow 3.9.0 /version, commit 6e61043b0ff5d845bea479d7e7ea24dcd4b2c629. In MLflow 3.9.0, a new feature called MLflow Assistant was introduced, intended only for local development and designed to integrate with Claude Code accepting requests only from loopback...
CVE-2025-11004
The Simplicity Device Manager Tool has a Reflected XSS Cross-site-scripting vulnerability in several API endpoints. The attacker needs to be on the same network to execute this attack. These APIs can affect confidentiality, integrity, and availability of the system that has Simplicity Device...
CVE-2025-11004 Reflected XSS vulnerability in Simplicity Device Manager tool
The Simplicity Device Manager Tool has a Reflected XSS Cross-site-scripting vulnerability in several API endpoints. The attacker needs to be on the same network to execute this attack. These APIs can affect confidentiality, integrity, and availability of the system that has Simplicity Device...
CVE-2025-11004
The vulnerability CVE-2025-11004 is a reflected XSS in several API endpoints of the Simplicity Device Manager Tool. An attacker on the same network can exploit the issue, potentially affecting confidentiality, integrity, and availability of the system hosting the tool. The CVSS v4.0 vector indica...
CVE-2026-24321 Information Disclosure vulnerability in SAP Commerce Cloud
SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allowing them to submit requests to these open endpoints to retrieve sensitive information that is not intended to be publicly accessible via the front-end. This vulnerability has a low impact on confidentiality and does...
PT-2026-7267
The Simplicity Device Manager Tool has a Reflected XSS Cross-site-scripting vulnerability in several API endpoints. The attacker needs to be on the same network to execute this attack. These APIs can affect confidentiality, integrity, and availability of the system that has Simplicity Device...
CVE-2025-13192
The CVE-2025-13192 entry describes a generic SQL Injection in the WordPress plugin “Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers” for versions up to 2.2.0. Root cause: insufficient escaping and inadequate query preparation on user-supplied par...
CVE-2025-13192 Popup builder with Gamification <= 2.2.0 - Unauthenticated SQL Injection via Multiple REST API Endpoints
The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to generic SQL Injection via the multiple REST API endpoints in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied...
SQL Injection
Overview Affected versions of this package are vulnerable to SQL Injection via the sort parameter in API endpoints, which is processed by the getOrderBy function. An attacker can execute arbitrary SQL queries and extract sensitive database information by supplying crafted input to the API while...