800 matches found

NVD
added 2025/07/11 1:15 p.m. · 8 views

CVE-2025-53862

A flaw was found in Ansible. Three API endpoints are accessible and return verbose, unauthenticated responses. This flaw allows a malicious user to access data that may contain important information...

CVSS 3.5 · EPSS 0.00177
Exploits 0 · References 2
CVE
added 2025/07/11 12:34 p.m. · 35 views

CVE-2025-53862

CVE-2025-53862 affects Red Hat Ansible. The vulnerability arises from three API endpoints that expose verbose, unauthenticated responses, enabling access to potentially sensitive information. Severity is low (CVSS 3.1: 3.5, ADJACENT access, low privileges, no user interaction). Public references ...

CVSS 3.5 · AI score 6.4 · EPSS 0.00177
Exploits 0 · References 2 · Affected Software 1
Positive Technologies
added 2025/07/11 12:00 a.m. · 2 views

PT-2025-29229 · Red Hat · Ansible

Name of the Vulnerable Software and Affected Versions: Ansible, affected versions not specified. Description: A flaw exists in Ansible that allows a malicious user to access data through three API endpoints that return verbose, unauthenticated responses. This may contain important information...

CVSS 3.5 · AI score 6 · EPSS 0.00177
Exploits 0 · References 7
SUSE CVE
added 2025/07/04 2:43 p.m. · 2 views

SUSE CVE-2025-3260

A security vulnerability in the /apis/dashboard.grafana.app/ endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions: v0alpha1, v1alpha1, v2alpha1. Impact: - Viewers can view all dashboards/folders regardless of permissions -...

CVSS 8.1 · AI score 6.7 · EPSS 0.00484
Exploits 0 · References 2
Positive Technologies
added 2025/07/02 12:00 a.m. · 2 views

PT-2025-27638 · Homebox · Homebox

Name of the Vulnerable Software and Affected Versions: HomeBox versions prior to 0.20.1. Description: The issue is related to a missing authorization check in the API endpoints responsible for updating and deleting inventory item attachments. This flaw allows authenticated users to perform...

CVSS 5.3 · AI score 6.1 · EPSS 0.00258
Exploits 0 · References 6
Positive Technologies
added 2025/06/24 12:00 a.m. · 3 views

PT-2025-26753 · Unknown · Phpgurukul Online Dj Booking Management System

Name of the Vulnerable Software and Affected Versions: PHPGurukul Online DJ Booking Management System version 2.0. Description: The issue concerns Cross-Site Scripting (XSS) in specific API endpoints, namely "/admin/view-booking-detail.php" and "/admin/invoice-generating.php". Recommendations: For...

CVSS 6.1 · AI score 5.5 · EPSS 0.0022
Exploits 1 · References 5
Positive Technologies
added 2025/06/10 12:00 a.m. · 2 views

PT-2025-24680 · Keyoti · Keyoti Searchunit

Name of the Vulnerable Software and Affected Versions: Keyoti SearchUnit versions prior to 9.0.0. Description: The issue is related to Server-Side Request Forgery (SSRF) in the /Keyoti SearchEngine Web Common/SearchService.svc/GetResults and /Keyoti SearchEngine Web...

CVSS 7.5 · AI score 6.3 · EPSS 0.00344
Exploits 0 · References 5
OSV
added 2025/05/29 10:36 p.m. · 4 views

GHSA-F238-RGGP-82M3 Navidrome Transcoding Permission Bypass Vulnerability Report

Summary: A permission verification flaw in Navidrome allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. Details: Navidrome supports transcoding...

CVSS 8.7 · AI score 7.5 · EPSS 0.00398
Exploits 1 · References 5
Github Security Blog
added 2025/05/29 10:36 p.m. · 19 views

Navidrome Transcoding Permission Bypass Vulnerability Report

Summary: A permission verification flaw in Navidrome allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. Details: Navidrome supports transcoding...

CVSS 8.7 · AI score 7.5 · EPSS 0.00398
Exploits 1 · References 5 · Affected Software 1
Positive Technologies
added 2025/05/29 12:00 a.m. · 3 views

PT-2025-23229 · Navidrome · Navidrome

Name of the Vulnerable Software and Affected Versions: Navidrome versions prior to 0.56.0. Description: A permission verification flaw in Navidrome allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including...

CVSS 8.7 · AI score 6 · EPSS 0.00398
Exploits 1 · References 10
RedhatCVE
added 2025/05/23 10:41 a.m. · 15 views

CVE-2024-7048

In version v0.3.8 of open-webui, an improper privilege management vulnerability exists in the API endpoints GET /api/v1/documents/ and POST /rag/api/v1/doc. This vulnerability allows a lower-privileged user to access and overwrite files managed by a higher-privileged admin. By exploiting this...

CVSS 6.3 · AI score 6.8 · EPSS 0.00362
Exploits 1 · References 1
RedhatCVE
added 2025/05/23 10:39 a.m. · 15 views

CVE-2024-47654

This vulnerability exists in Shilpi Client Dashboard due to a lack of rate limiting and Captcha protection for OTP requests in a certain API endpoint. An unauthenticated remote attacker could exploit this vulnerability by sending multiple OTP requests through vulnerable API endpoints, which could lead...

CVSS 7.5 · AI score 7.1 · EPSS 0.00472
Exploits 0
RedhatCVE
added 2025/05/23 10:39 a.m. · 12 views

CVE-2024-47657

This vulnerability exists in the Shilpi Net Back Office due to improper access controls on certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating the parameter dfclientid in API request URLs, which could lead to unauthorized access to sensitive...

CVSS 7.1 · AI score 6.4 · EPSS 0.00382
Exploits 0
RedhatCVE
added 2025/05/23 10:34 a.m. · 10 views

CVE-2024-47086

This vulnerability exists in Apex Softcell LD DP Back Office due to an improper implementation of the OTP validation mechanism in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by providing an arbitrary OTP value for authentication and subsequently changing its API...

CVSS 8.7 · AI score 7.2 · EPSS 0.00467
Exploits 0
RedhatCVE
added 2025/05/23 9:53 a.m. · 5 views

CVE-2024-45786

This vulnerability exists in Reedos aiM-Star version 2.0.1 due to improper access controls on certain of its API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating a parameter in an API request URL, which could lead to unauthorized access to sensitive...

CVSS 8.7 · AI score 6.6 · EPSS 0.00391
Exploits 0
RedhatCVE
added 2025/05/23 8:25 a.m. · 17 views

CVE-2024-49755

Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local API endpoints even...

CVSS 3.1 · AI score 6.8 · EPSS 0.0032
Exploits 0 · References 1
RedhatCVE
added 2025/05/23 8:08 a.m. · 5 views

CVE-2024-45787

This vulnerability exists in Reedos aiM-Star version 2.0.1 due to the transmission of sensitive information in plain text in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating a parameter in an API request URL and intercepting the response of the AP...

CVSS 8.7 · AI score 6.4 · EPSS 0.00436
Exploits 0 · References 1
RedhatCVE
added 2025/05/23 8:06 a.m. · 14 views

CVE-2024-45788

This vulnerability exists in Reedos aiM-Star version 2.0.1 due to missing rate limiting on OTP requests in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP requests through vulnerable API endpoints, which could lead to the OTP...

CVSS 8.7 · AI score 7.4 · EPSS 0.00498
Exploits 0 · References 1
RedhatCVE
added 2025/05/23 7:56 a.m. · 8 views

CVE-2024-12028

The Friends plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to send arbitrary friend requests on behalf of another website,...

CVSS 5.3 · AI score 6.8 · EPSS 0.00416
Exploits 0 · References 1
RedhatCVE
added 2025/05/23 7:30 a.m. · 6 views

CVE-2024-48952

An issue was discovered in Logpoint before 7.5.0. SOAR uses a static JWT secret key to generate tokens that allow access to SOAR API endpoints without authentication. This static key vulnerability enables attackers to create custom JWT secret keys for unauthorized access to these endpoints...

CVSS 6.4 · AI score 6.9 · EPSS 0.00271
Exploits 0 · References 1