
256 matches found

RedhatCVE (added 2026/01/14 2:15 p.m., 2 views)

CVE-2025-14507

The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.0 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive booking data including user names,...

CVSS 5.3, AI score 6.1, EPSS 0.00378
Exploits: 0, References: 1
EUVD (added 2026/01/10 1:06 a.m., 2 views)

EUVD-2026-1885

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low-privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete list of all users’ fu...

CVSS 3.5, AI score 6.4, EPSS 0.00255
Exploits: 0, References: 4
Cvelist (added 2026/01/07 9:39 a.m., 24 views)

CVE-2025-68637 Apache Uniffle: Insecure SSL Configuration in Uniffle HTTP Client

The Uniffle HTTP client is configured to trust all SSL certificates and disables hostname verification by default. This insecure configuration exposes all REST API communication between the Uniffle CLI/client and the Uniffle Coordinator service to potential Man-in-the-Middle (MITM) attacks. This...

EPSS 0.0022
Exploits: 0, References: 1
RedhatCVE (added 2026/01/03 7:53 p.m., 13 views)

CVE-2026-21446

Bagisto is an open source Laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (/install/api/) are directly accessible and exploitable without any authentication. An attacker can...

CVSS 9.8, AI score 6.9, EPSS 0.00583
Exploits: 1, References: 1
Positive Technologies (added 2025/12/19 12:00 a.m., 4 views)

PT-2025-52444

Multiple API endpoints allowed access to other users' sensitive files by knowing the file's UUID, even though those files were not intended to be accessible by UUID alone...

CVSS 7, AI score 6.8, EPSS 0.00226
Exploits: 0, References: 2
CVE (added 2025/12/17 12:00 a.m., 9 views)

CVE-2025-67789

The vulnerability CVE-2025-67789 affects DriveLock: versions 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. The issue allows authenticated users to retrieve the computer count of other DriveLock tenants via the DriveLock API, indicating an information-disclosure weakness likely d...

CVSS 5.3, AI score 6.6, EPSS 0.00187
Exploits: 0, References: 1, Affected Software: 1
NVD (added 2025/12/16 1:15 a.m., 2 views)

CVE-2025-67715

Weblate is a web-based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via the API. Version 5.15 fixes the issue...

CVSS 4.3, EPSS 0.00235
Exploits: 0, References: 2
Cvelist (added 2025/12/12 6:53 a.m., 26 views)

CVE-2025-67737 AzuraCast Vulnerable to Pre-Auth File Deletion & Admin RCE

AzuraCast is a self-hosted, all-in-one web radio management suite. Version 0.23.1 mistakenly includes an API endpoint that is intended for internal use by the SFTP software sftpgo, exposing it to the public-facing HTTP API for AzuraCast installations. A user with specific internal knowledge of a...

CVSS 3.1, EPSS 0.00205
Exploits: 1, References: 2
Positive Technologies (added 2025/12/12 12:00 a.m., 5 views)

PT-2025-51902

Name of the Vulnerable Software and Affected Versions: macOS versions prior to Tahoe 26.2; Safari versions prior to 26.2. Description: A flaw exists due to improved URL validation. Specifically, on a Mac with Lockdown Mode enabled, web content opened via a file URL may be able to use Web APIs that...

CVSS 9.8, AI score 6.2, EPSS 0.00507
Exploits: 0, References: 5
Positive Technologies (added 2025/12/12 12:00 a.m., 4 views)

PT-2025-50896

Name of the Vulnerable Software and Affected Versions: AzuraCast version 0.23.1. Description: AzuraCast is a self-hosted, all-in-one web radio management suite. Version 0.23.1 mistakenly includes an API endpoint intended for internal use by the SFTP software sftpgo, exposing it to the public-facing...

CVSS 3.7, AI score 5.4, EPSS 0.00205
Exploits: 1, References: 9
Vulnrichment (added 2025/12/11 3:33 a.m., 1 view)

CVE-2025-13978 Generation of Error Message Containing Sensitive Information in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.5 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to discover, through API requests, the names of private projects they do not have access to...

CVSS 4.3, AI score 6.3, EPSS 0.00259
Exploits: 0, References: 3
Vulnrichment (added 2025/11/19 6:45 a.m., 6 views)

CVE-2025-12535 SureForms <= 1.13.1 - Cross-Site Request Forgery Protection Bypass via Improper Nonce Distribution

The SureForms plugin for WordPress is vulnerable to Cross-Site Request Forgery Bypass in all versions up to, and including, 1.13.1. This is due to the plugin distributing generic WordPress REST API nonces (wp_rest) to unauthenticated users via the 'wp_ajax_nopriv_rest-nonce' action. While the plugin...

CVSS 5.3, AI score 5.8, EPSS 0.00181
Exploits: 0, References: 4
NVD (added 2025/11/14 4:15 a.m., 0 views)

CVE-2025-13160

IQ-Support, developed by IQ Service International, has an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to access specific APIs to obtain sensitive information from the internal network...

CVSS 6.9, EPSS 0.00271
Exploits: 0, References: 2
SUSE CVE (added 2025/11/09 12:23 a.m., 2 views)

SUSE CVE-2025-62714

Karmada Dashboard is a general-purpose, web-based control panel for Karmada, which is a multi-cluster management project. Prior to version 0.2.0, there is an authentication bypass vulnerability in the Karmada Dashboard API. The backend API endpoints (e.g., /api/v1/secret, /api/v1/service) did not...

CVSS 8.7, AI score 6.8, EPSS 0.00607
Exploits: 0, References: 2
OSV (added 2025/10/30 3:02 p.m., 4 views)

GO-2025-4061 Mattermost Server exposes sensitive information about team URLs via an API in github.com/mattermost/mattermost-server

Mattermost Server exposes sensitive information about team URLs via an API in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive...

CVSS 5.3, AI score 6.6, EPSS 0.0092
Exploits: 0, References: 3
Cvelist (added 2025/10/29 10:52 p.m., 6 views)

CVE-2025-54548 On affected platforms, restricted users could view sensitive portions of the config database via a debug API (e.g., user password hashes)

On affected platforms, restricted users could view sensitive portions of the config database via a debug API (e.g., user password hashes)...

CVSS 4.3, EPSS 0.00187
Exploits: 0, References: 1
CVE (added 2025/10/24 9:16 p.m., 18 views)

CVE-2025-34293

GN4 Publishing System before 2.6 is affected by an insecure direct object reference (IDOR) via the API. Authenticated requests to object endpoints allow an authenticated user to query arbitrary user IDs and retrieve sensitive data, including stored passwords and the account’s security question/an...

CVSS 8.6, AI score 6.4, EPSS 0.0038
Exploits: 0, References: 4
Positive Technologies (added 2025/10/24 12:00 a.m., 5 views)

PT-2025-43674

Name of the Vulnerable Software and Affected Versions: GN4 Publishing System versions prior to 2.6. Description: GN4 Publishing System contains an insecure direct object reference (IDOR) vulnerability via the API. Authenticated requests to the API’s object endpoints allow an authenticated user to...

CVSS 8.6, AI score 6.5, EPSS 0.0038
Exploits: 0, References: 10
NVD (added 2025/10/16 6:15 p.m., 3 views)

CVE-2025-61907

Icinga 2 is an open source monitoring system. In Icinga 2 versions 2.4 through 2.15.0, filter expressions provided to the various /v1/objects endpoints could access variables or objects that would otherwise be inaccessible for the user. This allows authenticated API users to learn information tha...

CVSS 7.1, EPSS 0.00365
Exploits: 0, References: 2
Vulnrichment (added 2025/10/07 12:21 p.m., 2 views)

CVE-2025-40676 Multiple vulnerabilities in BBMRI-ERIC's Negotiator

Insecure Direct Object Reference (IDOR) in Negotiator v3.15.2 from Biobanking and Biomolecular Resources - European Research Infrastructure (BBMRI-ERIC). This vulnerability allows an attacker to access or modify unauthorised resources by manipulating requests that use the 'userID' parameter in...

CVSS 5.3, AI score 6.4, EPSS 0.0024
Exploits: 0, References: 1