
798 matches found

CVE | added 2025/12/17 11:10 p.m. | 13 views

CVE-2025-68435

Zerobyte (backup automation tool) has an authentication bypass vulnerability affecting versions prior to 0.18.5 and 0.19.0, where authentication middleware is not properly applied to API endpoints, allowing access without valid session credentials. This exposure is risky for deployments exposed o...

CVSS 9.1 | AI score 6.7 | EPSS 0.00363
Exploits 0 | References 3 | Affected Software 1
SUSE CVE | added 2025/12/17 2:19 a.m. | 7 views

SUSE CVE-2017-18902

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints...

CVSS 5.3 | AI score 7 | EPSS 0.0092
Exploits 0 | References 2
EUVD | added 2025/12/10 11:45 p.m. | 5 views

EUVD-2025-202641

TableProgressTracking is a MediaWiki extension to track progress against specific criterion. Versions 1.2.0 and below do not enforce CSRF token validation in the REST API. As a result, an attacker could craft a malicious webpage that, when visited by an authenticated user on a wiki with the...

CVSS 3.5 | AI score 6.2 | EPSS 0.00096
Exploits 0 | References 2
RedhatCVE | added 2025/12/10 2:22 p.m. | 4 views

CVE-2025-12807

A security issue was discovered in DataMosaix Private Cloud, allowing users with low privilege to perform sensitive database operations through exposed API endpoints...

CVSS 8.7 | AI score 6.7 | EPSS 0.004
Exploits 0 | References 1
RedhatCVE | added 2025/12/06 5:01 a.m. | 4 views

CVE-2025-13006

The SurveyFunnel – Survey Plugin for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via several unprotected /wp-json/surveyfunnel/v2/ REST API endpoints. This makes it possible for unauthenticated attackers to extract...

CVSS 5.3 | AI score 5.9 | EPSS 0.00247
Exploits 0 | References 1
CVE | added 2025/12/05 4:29 a.m. | 12 views

CVE-2025-13006

The CVE-2025-13006 entry concerns the WordPress plugin SurveyFunnel – Survey Plugin for WordPress (vulnerable through all versions up to and including 1.1.5). The vulnerability is an Information Disclosure via unprotected REST API endpoints under /wp-json/surveyfunnel/v2/, allowing unauthenticate...

CVSS 5.3 | AI score 5.5 | EPSS 0.00247
Exploits 0 | References 3
NVD | added 2025/12/02 8:15 a.m. | 5 views

CVE-2025-11726

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.9.4. This is due to insufficient capability checks in the REST API endpoints under the 'fl-controls/v1' namespace that control site-wide Global Presets...

CVSS 4.3 | EPSS 0.00297
Exploits 0 | References 4
NVD | added 2025/11/25 7:15 p.m. | 5 views

CVE-2025-64067

Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data (e.g., user profiles, project records) fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. This...

CVSS 5.3 | EPSS 0.00198
Exploits 0 | References 2
Cvelist | added 2025/11/25 12:00 a.m. | 8 views

CVE-2025-64063

Primakon Pi Portal 1.0.18 API endpoints fail to enforce sufficient authorization checks when processing requests. Specifically, a standard user can exploit this flaw by sending direct HTTP requests to administrative endpoints, bypassing the UI restrictions. This allows the attacker to manipulate...

EPSS 0.00326
Exploits 0 | References 2
OSV | added 2025/11/20 9:26 p.m. | 1 view

GHSA-69J4-GRXJ-J64P vLLM vulnerable to DoS via large Chat Completion or Tokenization requests with specially crafted `chat_template_kwargs`

Summary: The /v1/chat/completions and /tokenize endpoints accept a `chat_template_kwargs` request parameter that is used in the code before it is properly validated against the chat template. With the right `chat_template_kwargs` parameters, it is possible to block processing of the API server for long...

CVSS 6.5 | AI score 6.1 | EPSS 0.00319
Exploits 0 | References 7
EUVD | added 2025/11/19 6:31 a.m. | 4 views

EUVD-2025-198127

The New User Approve plugin for WordPress is vulnerable to unauthorized data disclosure in all versions up to, and including, 3.0.9 due to insufficient API key validation using loose equality comparison. This makes it possible for unauthenticated attackers to retrieve personally identifiable...

CVSS 5.3 | AI score 5.3 | EPSS 0.00257
Exploits 0 | References 5
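The root cause named in the EUVD-2025-198127 entry above, an API key validated with a loose comparison, is a PHP-specific trap worth seeing in code. The block below is an added example written for this page, not code from the New User Approve plugin: it puts a `==` key check beside a strict, constant-time one and wires the strict one into a REST permission callback. The option name `example_plugin_api_key`, the `X-Example-Api-Key` header, the route and the function names are hypothetical; `get_option()`, `register_rest_route()`, `WP_REST_Request::get_header()`, `WP_Error` and `hash_equals()` are real WordPress/PHP APIs.

```php
<?php
/**
 * Added example, not code from any plugin on this page. Contrasts an API-key
 * check built on PHP's loose comparison (==) with a strict, constant-time one.
 * Option name, header name, route and function names are hypothetical.
 */

// VULNERABLE: '==' applies PHP type juggling. Two numeric strings are compared
// as numbers, so a stored key of the form "0e<digits>" (numeric value 0) is
// "equal" to any other "0e..." string. Input decoded from JSON can be worse:
// the boolean true == any non-empty string. PHP 8's stricter string/number
// comparison does not change either case.
function example_api_key_check_loose( string $stored, $supplied ): bool {
    return $supplied == $stored;
}

// HARDENED: refuse anything that is not a non-empty string, then compare with
// hash_equals(), which is strict (no juggling) and constant-time, so response
// timing does not reveal how many leading bytes matched.
function example_api_key_check_strict( string $stored, $supplied ): bool {
    if ( '' === $stored || ! is_string( $supplied ) ) {
        return false;
    }
    return hash_equals( $stored, $supplied );
}

// Permission callback for a route that must only answer to the configured key.
function example_api_key_permission( WP_REST_Request $request ) {
    $stored   = (string) get_option( 'example_plugin_api_key', '' );
    $supplied = $request->get_header( 'x-example-api-key' ); // null when absent
    if ( ! example_api_key_check_strict( $stored, $supplied ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid API key.', array( 'status' => 401 ) );
    }
    return true;
}

if ( function_exists( 'add_action' ) ) {
    // Inside WordPress: expose a hypothetical "pending users" list behind the key.
    add_action( 'rest_api_init', function () {
        register_rest_route( 'example-plugin/v1', '/pending-users', array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => function () {
                return rest_ensure_response( get_option( 'example_plugin_pending_user_ids', array() ) );
            },
            'permission_callback' => 'example_api_key_permission',
        ) );
    } );
} else {
    // Outside WordPress (plain `php file.php`): exercise the two checks with a
    // constructed key whose "0e..." shape triggers numeric-string juggling.
    $stored = '0e830400451993494058024219903391';
    foreach ( array( '0e1', true, $stored ) as $supplied ) {
        printf(
            "supplied=%s loose=%d strict=%d\n",
            var_export( $supplied, true ),
            example_api_key_check_loose( $stored, $supplied ),
            example_api_key_check_strict( $stored, $supplied )
        );
    }
}
```

Run outside WordPress, the loop shows the loose check accepting both `'0e1'` and `true` for the constructed key while the strict check accepts only the exact key. The `is_string()` guard matters as much as `hash_equals()`: `hash_equals()` raises a TypeError on non-string arguments, and a JSON body can deliver booleans, numbers or arrays to the comparison.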
Positive Technologies | added 2025/11/19 12:00 a.m. | 5 views

PT-2025-47442

The SureForms plugin for WordPress is vulnerable to Cross-Site Request Forgery Bypass in all versions up to, and including, 1.13.1. This is due to the plugin distributing generic WordPress REST API nonces (`wp_rest`) to unauthenticated users via the `wp_ajax_nopriv_rest-nonce` action. While the plugi...

CVSS 5.3 | AI score 6.2 | EPSS 0.00181
Exploits 0 | References 5
Cvelist | added 2025/11/18 3:11 p.m. | 8 views

CVE-2025-58121 Insufficient permission validation on multiple REST API endpoints

Insufficient permission validation on multiple REST API endpoints in Checkmk 2.2.0, 2.3.0, and 2.4.0 before version 2.4.0p16 allows low-privileged users to perform unauthorized actions or obtain sensitive information...

CVSS 5.3 | EPSS 0.00174
Exploits 0 | References 1
NVD | added 2025/11/12 3:15 p.m. | 3 views

CVE-2025-63667

Incorrect access control in SIMICAM v1.16.41-20250725, KEVIEW v1.14.92-20241120, ASECAM v1.14.10-20240725 allows attackers to access sensitive API endpoints without authentication...

CVSS 7.5 | EPSS 0.00431
Exploits 0 | References 3
CVE | added 2025/11/12 12:00 a.m. | 19 views

CVE-2025-63667

CVE-2025-63667 affects SIMICAM v1.16.41-20250725, KEVIEW v1.14.92-20241120, and ASECAM v1.14.10-20240725, where an access control flaw allows unauthenticated access to sensitive API endpoints. The Red Hat and EU/CRC/CIRCL entries corroborate the same description. The provided sources do not inclu...

CVSS 7.5 | AI score 6.4 | EPSS 0.00431
Exploits 0 | References 3 | Affected Software 1
EUVD | added 2025/11/11 6:30 a.m. | 4 views

EUVD-2025-60977

The Shelf Planner plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several REST API endpoints in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to modify several of the plugin's settings li...

CVSS 5.3 | AI score 4.9 | EPSS 0.00239
Exploits 0 | References 3
Positive Technologies | added 2025/11/11 12:00 a.m. | 2 views

PT-2025-46265

Name of the Vulnerable Software and Affected Versions: Shelf Planner plugin for WordPress versions prior to 2.7.1. Description: The Shelf Planner plugin for WordPress is susceptible to unauthorized data modification. This is due to a lack of proper capability checks on several REST API endpoints. An...

CVSS 5.3 | AI score 6.2 | EPSS 0.00239
Exploits 0 | References 4
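Several entries in this listing share one root cause: a WordPress REST route registered without a real capability check (CVE-2025-13006 / SurveyFunnel, CVE-2025-11726 / Beaver Builder, EUVD-2025-60977 and PT-2025-46265 / Shelf Planner). The block below is an added example written for this page, not code from any of those plugins: it registers a settings route the vulnerable way, re-registers it with a proper permission callback and argument validation, and adds a read route to show that data export endpoints need the same check. The namespace `example-plugin/v1`, the option names and the callback names are hypothetical; `register_rest_route()`, `permission_callback`, `current_user_can()`, `WP_Error`, `rest_authorization_required_code()` and `rest_ensure_response()` are real WordPress APIs.

```php
<?php
/**
 * Added example, not code from any plugin on this page. Shows the "missing
 * capability check" pattern on WordPress REST routes and its fix. Namespace,
 * option names and callback names are hypothetical.
 */

add_action( 'rest_api_init', function () {

    // VULNERABLE: '__return_true' makes the route world-writable. Anyone who can
    // reach /wp-json/example-plugin/v1/settings can change the option with no
    // login at all. A nonce would not help: the REST cookie nonce only shows a
    // request came from the site's own front end, and a plugin that hands
    // nonces to logged-out visitors has shown nothing.
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE, // POST, PUT, PATCH
        'callback'            => 'example_plugin_update_settings',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: re-register the same route ($override = true replaces the
    // registration above) with a permission callback tied to the capability the
    // operation needs, plus declared 'args' so malformed input is rejected
    // before the callback runs.
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_plugin_update_settings',
        'permission_callback' => 'example_plugin_can_manage_settings',
        'args'                => array(
            'display_mode' => array(
                'type'              => 'string',
                'required'          => true,
                'enum'              => array( 'grid', 'list' ),
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ), true );

    // Read endpoints need the check too: returning stored form or survey
    // responses to any caller is the information-disclosure variant of the
    // same bug.
    register_rest_route( 'example-plugin/v1', '/responses', array(
        'methods'             => WP_REST_Server::READABLE, // GET
        'callback'            => 'example_plugin_list_responses',
        'permission_callback' => 'example_plugin_can_manage_settings',
    ) );
} );

/**
 * Permission callback. Returning a WP_Error instead of false lets the client
 * see a specific reason; the status is 401 for logged-out callers and 403 for
 * logged-in callers who lack the capability.
 */
function example_plugin_can_manage_settings( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to manage these settings.', 'example-plugin' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_plugin_update_settings( WP_REST_Request $request ) {
    // Reached only after the permission callback passed and 'args' validated.
    $mode = $request->get_param( 'display_mode' );
    update_option( 'example_plugin_display_mode', $mode );
    return rest_ensure_response( array( 'display_mode' => $mode ) );
}

function example_plugin_list_responses( WP_REST_Request $request ) {
    // Hypothetical storage: responses kept in an option for this demo.
    return rest_ensure_response( get_option( 'example_plugin_responses', array() ) );
}
```

The rule the example encodes, deny by default and grant per operation, is the same one the non-WordPress entries above violate: Zerobyte's middleware not applied to every endpoint, Checkmk's and Primakon's endpoints that check a session but not the caller's permission on the object, and the camera firmware that exposes endpoints with no authentication at all. A quick audit for WordPress plugins is to grep for `'permission_callback' => '__return_true'` and confirm each hit really is a public endpoint.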
NVD | added 2025/11/05 5:15 p.m. | 4 views

CVE-2025-20377

A vulnerability in the API subsystem of Cisco Unified Intelligence Center could allow an authenticated, remote attacker to obtain sensitive information from an affected system. This vulnerability is due to improper validation of requests to certain API endpoints. An attacker could exploit this...

CVSS 4.3 | EPSS 0.00223
Exploits 0 | References 1
CNNVD | added 2025/10/30 12:00 a.m. | 2 views

MOLE TalkTalk Android App Security Vulnerability

MOLE TalkTalk Android App is a chat application from China-based MOLE. A security vulnerability exists in MOLE TalkTalk Android App version 3.3.6. The vulnerability stems from improper access control of multiple API endpoints, and an attacker may be able to obtain sensitive user information and...

CVSS 7.5 | AI score 6.2 | EPSS 0.00246
Exploits 0 | References 2
Cvelist | added 2025/10/29 6:45 a.m. | 8 views

CVE-2023-7320 WooCommerce <= 7.8.2 - Sensitive Information Exposure

The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.8.2, due to improper CORS handling on the Store API's REST endpoints allowing direct external access from any origin. This can allow unauthenticated attackers to extract...

CVSS 5.3 | EPSS 0.00277
Exploits 0 | References 3