43 matches found

Positive Technologies
added 2026/01/19 12:00 a.m. · 3 views

PT-2026-3495

Name of the Vulnerable Software and Affected Versions: MyTube versions prior to 1.7.66. Description: MyTube is a self-hosted downloader and player for several video websites. A flaw allows unauthenticated users to bypass the authentication check in the roleBasedAuthMiddleware. By not providing an...

CVSS 9.8 · AI score 5.5 · EPSS 0.00402
Exploits 0 · References 12
NVD
added 2025/12/30 11:15 p.m. · 3 views

CVE-2024-58337

Akuvox Smart Intercom S539 contains an improper access control vulnerability that allows users with 'User' privileges to modify API access settings and configurations. Attackers can exploit this vulnerability to escalate privileges and gain unauthorized access to administrative functionalities...

CVSS 8.7 · EPSS 0.00045
Exploits 1 · References 4
RedhatCVE
added 2025/11/05 4:14 a.m. · 3 views

CVE-2025-11007

The CE21 Suite plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the wpajaxnoprivce21singlesignonsaveapisettings AJAX action in versions 2.2.1 to 2.3.1. This makes it possible for unauthenticated attackers to update the plugin's API...

CVSS 9.8 · AI score 5.8 · EPSS 0.00235
Exploits 0 · References 1
NVD
added 2025/11/04 4:15 a.m. · 2 views

CVE-2025-11007

The CE21 Suite plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the wpajaxnoprivce21singlesignonsaveapisettings AJAX action in versions 2.2.1 to 2.3.1. This makes it possible for unauthenticated attackers to update the plugin's API...

CVSS 9.8 · EPSS 0.00235
Exploits 0 · References 2
Vulnrichment
added 2025/11/04 3:26 a.m. · 2 views

CVE-2025-11007 CE21 Suite 2.2.1 - 2.3.1 - Missing Authorization to Unauthenticated Privilege Escalation via Plugin Settings Update

The CE21 Suite plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the wpajaxnoprivce21singlesignonsaveapisettings AJAX action in versions 2.2.1 to 2.3.1. This makes it possible for unauthenticated attackers to update the plugin's API...

CVSS 9.8 · AI score 5.4 · EPSS 0.00235
Exploits 0 · References 2
EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2025-27667

Malicious code in bioql PyPI...

CVSS 4.3 · AI score 6.4 · EPSS 0.00023
Exploits 0 · References 4
Positive Technologies
added 2025/09/11 12:00 a.m. · 3 views

PT-2025-37148

The The integration of the AMO.CRM plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the settings page function. This makes it possible for unauthenticated attackers to modify...

CVSS 4.3 · AI score 5.3 · EPSS 0.00023
Exploits 0 · References 4
NVD
added 2025/08/10 2:15 p.m. · 7 views

CVE-2025-8812

A vulnerability, which was classified as problematic, was found in atjiu pybbs up to 6.0.0. This affects an unknown part of the file /api/settings of the component Admin Panel. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been...

CVSS 5.4 · EPSS 0.00192
Exploits 1 · References 6
Vulnrichment
added 2025/04/30 6:00 a.m. · 7 views

CVE-2025-3471 SureForms < 1.4.4 - Contributor+ Settings Update

The SureForms WordPress plugin before 1.4.4 does not have proper authorisation check when updating its settings via the REST API, which could allow Contributor and above roles to perform such action...

AI score 6.8 · EPSS 0.00108
Exploits 1 · References 1
Github Security Blog
added 2025/02/26 8:08 p.m. · 47 views

Mautic allows Improper Authorization in Reporting API

Summary: This advisory addresses an authorization vulnerability in Mautic's HTTP Basic Authentication implementation. This flaw could allow unauthorized access to sensitive report data. Improper Authorization: An authorization flaw exists in Mautic's API Authorization implementation. Any...

CVSS 7.7 · AI score 7.4 · EPSS 0.00181
Exploits 0 · References 6 · Affected Software 1
Positive Technologies
added 2024/11/08 12:00 a.m. · 3 views

PT-2024-16167 · WordPress · Ce21 Suite

Name of the Vulnerable Software and Affected Versions: CE21 Suite plugin for WordPress versions up to, and including, 2.2.0. Description: The issue is related to unauthorized modification of data due to a missing capability check on the ce21 single sign on save api settings function. This allows...

CVSS 7.5 · AI score 7.3 · EPSS 0.00323
Exploits 0 · References 9
Tenable Nessus
added 2023/12/07 12:00 a.m. · 10 views

VMware vCenter API Settings

Binary data vmwarevspherevcentersettings.nbin...

AI score 7.3
Exploits 0
VulnCheck KEV
added 2023/11/13 12:00 a.m. · 2 views

VulnCheck KEV: CVE-2020-27986

SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the api/settings/values URI. NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it...

CVSS 7.5 · AI score 7.2 · EPSS 0.92573
Exploits 0 · References 1
OSV
added 2023/09/07 8:15 p.m. · 2 views

CVE-2023-20194

A vulnerability in the ERS API of Cisco ISE could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device. To exploit this vulnerability, an attacker must have valid Administrator-level privileges on the affected device. This...

CVSS 4.9 · AI score 5.9 · EPSS 0.00077
Exploits 0 · References 1
CVE
added 2023/09/07 7:31 p.m. · 2516 views

CVE-2023-20194

Cisco ISE ERS API vulnerability (CVE-2023-20194) allows an authenticated Administrator to read arbitrary OS files due to improper privilege management in the ERS API. Exploitation requires valid admin privileges and a crafted ERS API request; impact is information disclosure and potential privile...

CVSS 4.9 · AI score 5 · EPSS 0.00077
Exploits 0 · References 1 · Affected Software 1
CVE
added 2023/09/04 8:16 a.m. · 2501 views

CVE-2023-4613

LG LED Assistant is affected by CVE-2023-4613, a path traversal vulnerability in the /api/settings/upload endpoint. The flaw stems from inadequate validation of a user-supplied path used in file operations, enabling remote attackers to execute arbitrary code in the current user context. Public de...

CVSS 9.8 · AI score 9.7 · EPSS 0.03595
Exploits 0 · References 2 · Affected Software 1
Zero Day Initiative
added 2023/08/25 12:00 a.m. · 18 views

LG LED Assistant upload Directory Traversal Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/settings/upload endpoint. The issue results from the lack of proper validation...

CVSS 9.8 · AI score 7.3
Exploits 0 · References 1
NVD
added 2022/03/30 11:15 p.m. · 10 views

CVE-2021-46006

In Totolink A3100R V5.9c.4577, "test.asp" contains an API-like function, which is not authenticated. Using this function, an attacker can configure multiple settings without authentication...

CVSS 6.5 · EPSS 0.00236
Exploits 1 · References 3
NVD
added 2020/10/28 11:15 p.m. · 34 views

CVE-2020-27986

SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the api/settings/values URI. NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it...

CVSS 7.5 · AI score 7.5 · EPSS 0.92573
Exploits 0 · References 1
Positive Technologies
added 2020/10/28 12:00 a.m. · 9 views

PT-2020-16890 · Sonarsource · Sonarqube

Name of the Vulnerable Software and Affected Versions: SonarQube version 8.4.2.36762. Description: The issue allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the "api/settings/values" URI. The vendor's position is that it is the administrator's responsibility to...

CVSS 7.5 · AI score 6.6 · EPSS 0.92573
Exploits 0 · References 6