487 matches found
VulnCheck KEV: CVE-2025-4427
Ivanti Endpoint Manager Mobile EPMM contains an authentication bypass vulnerability in the API component that allows an attacker to access protected resources without proper credentials via crafted API requests. This vulnerability results from an insecure implementation of the Spring...
PT-2025-20319 · Maven · Org.Graylog2:Graylog2-Server
Impact Two minor vulnerabilities were identified in the Graylog2 enterprise server, which can be combined to carry out a stored cross-site scripting attack. An attacker with the permission FILES CREATE can exploit these vulnerabilities to upload arbitrary Javascript code to the Graylog2 server,...
CVE-2025-3518
It technically possible for a user to upload a file to a conversation despite the file upload functionality being disabled. The file upload functionality can be enabled or disabled for specific use cases through configuration. In case the functionality is disabled for at least one use case, the...
CVE-2025-3518
It technically possible for a user to upload a file to a conversation despite the file upload functionality being disabled. The file upload functionality can be enabled or disabled for specific use cases through configuration. In case the functionality is disabled for at least one use case, the...
CVE-2025-3518 File upload functionality possible even when disabled
It technically possible for a user to upload a file to a conversation despite the file upload functionality being disabled. The file upload functionality can be enabled or disabled for specific use cases through configuration. In case the functionality is disabled for at least one use case, the...
CVE-2025-3518 File upload functionality possible even when disabled
It technically possible for a user to upload a file to a conversation despite the file upload functionality being disabled. The file upload functionality can be enabled or disabled for specific use cases through configuration. In case the functionality is disabled for at least one use case, the...
CVE-2025-3518
CVE-2025-3518 affects Unblu Spark (and related Unblu platform components) where a user can upload a file to a conversation via direct API requests even if the file upload feature is disabled for certain use cases. The configured per-use-case enable/disable setting is bypassed by direct API upload...
PT-2025-17490 · Unblu · Unblu Spark +1
Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: A user can upload a file to a conversation even if the file upload functionality is disabled. The system allows file uploads through direct API requests, despite the functionality being...
CVE-2025-2586
OpenShift Lightspeed Service is affected by unauthenticated API request flooding that can exhaust resources and cause service degradation or unavailability. The vulnerability arises from repeated queries to non-existent endpoints (for example, /api/v1/nonexistent), inflating metrics storage/proce...
Mattermost Server 9.11.x < 9.11.9 / 10.3.x < 10.3.4 / 10.4.x < 10.4.3 / 10.5 (MMSA-2025-00444)
The version of Mattermost Server installed on the remote host is prior to 9.11.9, 10.3.4, 10.4.3, or 10.5. It is, therefore, affected by a vulnerability as referenced in the MMSA-2025-00444 advisory. - Mattermost versions 10.4.x = 10.4.2, 10.3.x = 10.3.3, 9.11.x = 9.11.8, 10.5.x = 10.5.0 fail to...
CVE-2024-10481
A CSRF vulnerability exists in comfyanonymous/comfyui versions up to v0.2.2. This vulnerability allows attackers to host malicious websites that, when visited by authenticated ComfyUI users, can perform arbitrary API requests on behalf of the user. This can be exploited to perform actions such as...
Mattermost Fails to Enforce MFA on Plugin Endpoints
Mattermost versions 10.4.x = 10.4.2, 10.3.x = 10.3.3, 9.11.x = 9.11.8, 10.5.x = 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes...
CVE-2025-25068
CVE-2025-25068 (Mattermost) affects Mattermost Server versions 9.11.x <= 9.11.8, 10.3.x <= 10.3.3, 10.4.x <= 10.4.2, and 10.5.x
CVE-2025-25068 Bypassing MFA Enforcement on Plugin Endpoints
Mattermost versions 10.4.x = 10.4.2, 10.3.x = 10.3.3, 9.11.x = 9.11.8, 10.5.x = 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes...
CVE-2024-8487
A Cross-Origin Resource Sharing CORS vulnerability exists in modelscope/agentscope version v0.0.4. The CORS configuration on the agentscope server does not properly restrict access to only trusted origins, allowing any external domain to make requests to the API. This can lead to unauthorized dat...
CVE-2024-10481
A CSRF vulnerability exists in comfyanonymous/comfyui versions up to v0.2.2. This vulnerability allows attackers to host malicious websites that, when visited by authenticated ComfyUI users, can perform arbitrary API requests on behalf of the user. This can be exploited to perform actions such as...
CVE-2024-10481
A CSRF vulnerability exists in comfyanonymous/comfyui versions up to v0.2.2. This vulnerability allows attackers to host malicious websites that, when visited by authenticated ComfyUI users, can perform arbitrary API requests on behalf of the user. This can be exploited to perform actions such as...
CVE-2024-10481
CVE-2024-10481 is a CSRF vulnerability in comfyanonymous/comfyui
CVE-2024-10481 Cross-Site Request Forgery (CSRF) in comfyanonymous/comfyui
A CSRF vulnerability exists in comfyanonymous/comfyui versions up to v0.2.2. This vulnerability allows attackers to host malicious websites that, when visited by authenticated ComfyUI users, can perform arbitrary API requests on behalf of the user. This can be exploited to perform actions such as...
CVE-2024-7819 CORS Misconfiguration in danswer-ai/danswer
A CORS misconfiguration in danswer-ai/danswer v1.4.1 allows attackers to steal sensitive information such as chat contents, API keys, and other data. This vulnerability occurs due to improper validation of the origin header, enabling malicious web pages to make unauthorized requests to the...