LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header

Summary The webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR key is hardcoded in the repository, an attacker can forge arbitrary auth payloads and bypass authentication on protected...

EUVD-2025-198127

The New User Approve plugin for WordPress is vulnerable to unauthorized data disclosure in all versions up to, and including, 3.0.9 due to insufficient API key validation using loose equality comparison. This makes it possible for unauthenticated attackers to retrieve personally identifiable...

CVE-2025-12770

The New User Approve plugin for WordPress is vulnerable to unauthorized data disclosure in all versions up to, and including, 3.0.9 due to insufficient API key validation using loose equality comparison. This makes it possible for unauthenticated attackers to retrieve personally identifiable...

EUVD-2025-19627

Malicious code in bioql PyPI...

EUVD-2022-43243

Malicious code in bioql PyPI...

Malicious code in simple-api-key-validation (npm)

The package simple-api-key-validation was found to contain malicious code...

MAL-2025-33264 Malicious code in simple-api-key-validation (npm)

The package simple-api-key-validation was found to contain malicious code...

CVE-2025-6920

A flaw was found in the authentication enforcement mechanism of a model inference API in ai-inference-server. All /v1/ endpoints are expected to enforce API key validation. However, the POST /invocations endpoint failed to do so, resulting in an authentication bypass. This vulnerability allows...

CVE-2025-6920 Ai-inference-server: authentication bypass via unprotected inference endpoint in api

A flaw was found in the authentication enforcement mechanism of a model inference API in ai-inference-server. All /v1/ endpoints are expected to enforce API key validation. However, the POST /invocations endpoint failed to do so, resulting in an authentication bypass. This vulnerability allows...

CVE-2025-6920 Ai-inference-server: authentication bypass via unprotected inference endpoint in api

A flaw was found in the authentication enforcement mechanism of a model inference API in ai-inference-server. All /v1/ endpoints are expected to enforce API key validation. However, the POST /invocations endpoint failed to do so, resulting in an authentication bypass. This vulnerability allows...

CVE-2025-6920

CVE-2025-6920 affects ai-inference-server: the POST /invocations endpoint bypasses API key validation, permitting unauthorized access to inference features and potentially backend resources. Affected: model inference API under /v1/*; root cause: authentication enforcement failure on /invocations....

Flowise Pre-auth Arbitrary File Upload

Summary An unauthorized attacker can leverage the whitelisted route /api/v1/attachments to upload arbitrary files when the storageType is set to local default. Details When a new request arrives, the system first checks if the URL starts with /api/v1/. If it does, the system then verifies whether...

WordPress plugin InstaWP Connect security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security...

Cross site scripting

The Clerk WordPress plugin before 4.0.0 is affected by time-based attacks in the validation function for all API requests due to the usage of comparison operators to verify API keys against the ones stored in the site options...