Lucene search

157 matches found

RedhatCVE
added 2025/05/22 3:34 a.m. · 6 views

CVE-2018-21257

An issue was discovered in Mattermost Server before 5.1. It allows attackers to bypass intended access restrictions for setting a channel header via the Channel header slash command API...

CVSS 5.3 · AI score 7 · EPSS 0.00195
Exploits 0 · References 1
Positive Technologies
added 2025/05/12 12:00 a.m. · 2 views

PT-2025-20709 · Schweitzer Engineering Laboratories · Sel-5037 Sel Grid Configurator

Name of the Vulnerable Software and Affected Versions: Schweitzer Engineering Laboratories SEL-5037 Grid Configurator versions prior to 6.4.0.58 Description: The issue is related to an overly permissive Cross Origin Resource Sharing (CORS) configuration for a data gateway service in the application...

CVSS 7.4 · AI score 6.3 · EPSS 0.00084
Exploits 0 · References 6
NVD
added 2025/05/07 6:15 p.m. · 5 views

CVE-2025-20187

A vulnerability in the application data endpoints of Cisco Catalyst SD-WAN Manager, formerly Cisco SD-WAN vManage, could allow an authenticated, remote attacker to write arbitrary files to an affected system. This vulnerability is due to improper validation of requests to APIs. An attacker could...

CVSS 6.5 · EPSS 0.01019
Exploits 0 · References 1
Cvelist
added 2025/05/07 5:18 p.m. · 13 views

CVE-2025-20187 Cisco SD-WAN Manager Software Arbitrary File Creation Vulnerability

A vulnerability in the application data endpoints of Cisco Catalyst SD-WAN Manager, formerly Cisco SD-WAN vManage, could allow an authenticated, remote attacker to write arbitrary files to an affected system. This vulnerability is due to improper validation of requests to APIs. An attacker could...

CVSS 6.5 · EPSS 0.01019
Exploits 0 · References 1
Positive Technologies
added 2025/05/07 12:00 a.m. · 3 views

PT-2025-20045 · Unknown · Cocktailbarservice

Name of the Vulnerable Software and Affected Versions: CocktailBarService versions prior to SMR May-2025 Release 1 Description: The issue is related to the improper handling of insufficient permissions in CocktailBarService, allowing local attackers to use the privileged API. This enables local...

CVSS 4 · AI score 5.9 · EPSS 0.00078
Exploits 0 · References 6
Positive Technologies
added 2025/04/23 12:00 a.m. · 3 views

PT-2025-17613 · Unknown · Meon Kyc Solutions

Name of the Vulnerable Software and Affected Versions: Meon KYC solutions affected versions not specified Description: The issue arises from improper handling of access and refresh tokens in certain API endpoints of the authentication process. A remote attacker could exploit this by intercepting...

CVSS 8.2 · AI score 6.4 · EPSS 0.00757
Exploits 0 · References 9
RedHat Linux
added 2025/04/16 5:26 p.m. · 4 views

openjdk: Better TLS connection support (Oracle CPU 2025-04)

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: JSSE. Supported versions that are affected are Oracle Java SE: 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for JDK: 17.0.14, 21.0.6, 24; Oracle...

CVSS 7.4 · AI score 6.7 · EPSS 0.00226
Exploits 0 · References 5
OSV
added 2025/04/15 9:15 p.m. · 16 views

CVE-2025-30691

Vulnerability in Oracle Java SE component: Compiler. Supported versions that are affected are Oracle Java SE: 21.0.6, 24; Oracle GraalVM for JDK: 21.0.6 and 24. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java...

CVSS 4.8 · AI score 4.4
Exploits 0 · References 3
Vulnrichment
added 2025/04/15 8:31 p.m. · 4 views

CVE-2025-24487 Growatt Cloud portal Authorization Bypass Through User-Controlled Key

An unauthenticated attacker can infer the existence of usernames in the system by querying an API...

CVSS 6.9 · AI score 5.7 · EPSS 0.00413
Exploits 0 · References 1
OSV
added 2025/04/08 2:50 p.m. · 6 views

GHSA-HH7J-6X3Q-F52H Shopware 6 allows attackers to check for registered accounts through the store-api

Impact: Through the store-api it is possible as an attacker to check if a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get the response "errors":"status":"404","code":"CHECKOUTCUSTOMERNOTFOUND","title":"Not...

CVSS 6.9 · AI score 6.2 · EPSS 0.00808
Exploits 1 · References 6
Packet Storm
added 2025/04/08 12:00 a.m. · 269 views

InfluxDB OSS 2.7.11 Privilege Escalation

InfluxDB OSS versions 2.7.11 and below suffer from a privilege escalation vulnerability. Exploit Title: InfluxDB OSS Operator Privilege Escalation via BusinessLogic Flaw Date: 22/03/2024 Exploit Author: Andrea Pasin Xenom0rph97 Researcher Homepage: https://xenom0rph97.github.io/xeno/ GitHub Explo...

CVSS 9.1 · AI score 9.1 · EPSS 0.31909
Exploits 3
The Hacker News
added 2025/04/03 4:45 a.m. · 17 views

Legacy Stripe API Exploited to Validate Stolen Payment Cards in Web Skimmer Campaign

Threat hunters are warning of a sophisticated web skimmer campaign that leverages a legacy application programming interface (API) from payment processor Stripe to validate stolen payment information prior to exfiltration. "This tactic ensures that only valid card data is sent to the attackers,...

AI score 7.4
Exploits 0
Vulnrichment
added 2025/03/24 12:00 a.m. · 5 views

CVE-2025-30112

On 70mai Dash Cam 1S devices, by connecting directly to the dashcam's network and accessing the API on port 80 and RTSP on port 554, an attacker can bypass the device authorization mechanism from the official mobile app that requires a user to physically press on the power button during a...

AI score 7.1 · EPSS 0.00016
Exploits 0 · References 2
NVD
added 2025/03/21 9:15 a.m. · 6 views

CVE-2025-30179

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries...

CVSS 6.5 · EPSS 0.00092
Exploits 0 · References 1
NVD
added 2025/03/20 10:15 a.m. · 21 views

CVE-2025-0190

In version 3.25.0 of aimhubio/aim, a denial of service vulnerability exists. By tracking a large number of Text objects and then querying them simultaneously through the web API, the Aim web server becomes unresponsive to other requests for an extended period while processing and returning these...

CVSS 7.5 · EPSS 0.00442
Exploits 1 · References 1
Vulnrichment
added 2025/03/20 10:11 a.m. · 10 views

CVE-2024-8487 CORS Vulnerability in modelscope/agentscope

A Cross-Origin Resource Sharing (CORS) vulnerability exists in modelscope/agentscope version v0.0.4. The CORS configuration on the agentscope server does not properly restrict access to only trusted origins, allowing any external domain to make requests to the API. This can lead to unauthorized dat...

CVSS 7.4 · AI score 7.3 · EPSS 0.00258
Exploits 1 · References 1
CVE
added 2025/03/20 10:11 a.m. · 73 views

CVE-2024-8487

AgentScope (modelscope/agentscope) v0.0.4 has a CORS misconfiguration that does not restrict access to trusted origins, enabling requests from any external domain. This can lead to unauthorized data access and information disclosure. Some sources note PoC availability and state there is no fixed ...

CVSS 9.8 · AI score 7.2 · EPSS 0.00258
Exploits 1 · References 1 · Affected Software 1
Vulnrichment
added 2025/03/20 10:10 a.m. · 3 views

CVE-2024-12882 SSRF in comfyanonymous/comfyui

comfyanonymous/comfyui version v0.2.4 suffers from a non-blind Server-Side Request Forgery (SSRF) vulnerability. This vulnerability can be exploited by combining the REST APIs POST /internal/models/download and GET /view, allowing attackers to abuse the victim server's credentials to access...

CVSS 7.5 · AI score 7.5 · EPSS 0.00333
Exploits 1 · References 1
Vulnrichment
added 2025/03/13 11:21 a.m. · 5 views

CVE-2025-29997 Improper Access Control Vulnerability in CAP back office application

This vulnerability exists in the CAP back office application due to improper authorization checks on certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating the API request URL to gain unauthorized access to other user accounts...

CVSS 8.2 · AI score 6.6 · EPSS 0.0051
Exploits 0 · References 1
Cvelist
added 2025/02/20 7:15 p.m. · 16 views

CVE-2025-0352 Rapid Response Monitoring My Security Account App Authorization Bypass Through User-Controlled Key

Rapid Response Monitoring My Security Account App utilizes an API that could be exploited by an attacker to modify request data, potentially causing the API to return information about other users...

CVSS 8.7 · EPSS 0.001
Exploits 0 · References 2