131 matches found

Vulnrichment
added 2025/05/06 9:33 p.m., 8 views

CVE-2025-47420 User Permissions on Network API

266 vulnerability in Crestron Automate VX allows Privilege Escalation. This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49...

CVSS 8.7 | AI score 6.6 | EPSS 0.00223
Exploits: 0 | References: 3

Cvelist
added 2025/05/01 6:42 p.m., 21 views

CVE-2025-35996 KUNBUS Revolution Pi Improper Neutralization of Server-Side Includes (SSI) Within a Web Page

KUNBUS PiCtory version 2.11.1 and earlier are vulnerable when an authenticated remote attacker crafts a special filename that can be stored by API endpoints. That filename is later transmitted to the client in order to show a list of configuration files. Due to a missing escape or sanitization, t...

CVSS 9 | EPSS 0.00254
Exploits: 0 | References: 2

CVE
added 2025/05/01 6:42 p.m., 62 views

CVE-2025-35996

CVE-2025-35996 concerns KUNBUS Revolution Pi PiCtory: versions 2.11.1 and earlier are vulnerable to a cross-site scripting (XSS) flaw caused by unescaped filenames stored by API endpoints. An authenticated remote attacker can craft a filename that is later rendered in the client’s HTML (via expor...

CVSS 9 | AI score 8.9 | EPSS 0.00254
Exploits: 0 | References: 2

NVD
added 2025/04/23 11:15 a.m., 13 views

CVE-2025-42605

This vulnerability exists in Meon Bidding Solutions due to improper authorization controls on certain API endpoints for the initiation, modification, or cancellation operations. An authenticated remote attacker could exploit this vulnerability by manipulating parameter in the API request body to...

CVSS 9.3 | EPSS 0.00592
Exploits: 0 | References: 1

Vulnrichment
added 2025/03/20 10:9 a.m., 3 views

CVE-2024-7819 CORS Misconfiguration in danswer-ai/danswer

A CORS misconfiguration in danswer-ai/danswer v1.4.1 allows attackers to steal sensitive information such as chat contents, API keys, and other data. This vulnerability occurs due to improper validation of the origin header, enabling malicious web pages to make unauthorized requests to the...

CVSS 7.4 | AI score 7.3 | EPSS 0.00114
Exploits: 0 | References: 1

Wallarm Lab
added 2025/03/19 9:23 a.m., 17 views

Data Leaks and AI Agents: Why Your APIs Could Be Exposing Sensitive Information

Most organizations are using AI in some way today, whether they know it or not. Some are merely beginning to experiment with it, using tools like chatbots. Others, however, have integrated agentic AI directly into their business procedures and APIs. While both types of organizations are undoubted...

AI score 7.5
Exploits: 0

CVE
added 2025/03/13 11:21 a.m., 80 views

CVE-2025-29997

CVE-2025-29997 affects the CAP back office application. The root cause is improper authorization checks on certain API endpoints, allowing an authenticated remote attacker to manipulate API request URLs and gain unauthorized access to other user accounts. The vulnerability is rated HIGH (CVSS 4.0...

CVSS 8.2 | AI score 6.6 | EPSS 0.0051
Exploits: 0 | References: 1

Vulnrichment
added 2025/03/13 11:16 a.m., 4 views

CVE-2025-29995 Account Takeover Vulnerability in CAP back office application

This vulnerability exists in the CAP back office application due to a weak password-reset mechanism implemented at API endpoints. An authenticated remote attacker with a valid login ID could exploit this vulnerability through vulnerable API endpoint which could lead to account takeover of targete...

CVSS 8.3 | AI score 6.4 | EPSS 0.0061
Exploits: 0 | References: 1

Wallarm Lab
added 2025/02/28 2:13 p.m., 9 views

API Armor: How Bybit’s Real-Time Blacklisting Is Thwarting a $1.5B Crypto Heist

APIs present a security risk—that much is a given. Attacks on APIs have caused some of the most significant security incidents of the past decades. But the question now is: How can we flip the script and leverage their power to enhance security? Bybit might just have the answer. Bybit—one of the...

AI score 7.1
Exploits: 0

RedHat Linux
added 2025/02/20 5:16 p.m., 18 views

Important: Red Hat Security Advisory: postgresql:16 security update

An update for the postgresql:16 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

CVSS 8.1 | AI score 7.4 | EPSS 0.82364
Exploits: 10 | References: 2

AlmaLinux
added 2025/02/20 12:0 a.m., 12 views

Important: postgresql:16 security update

PostgreSQL is an advanced object-relational database management system DBMS. Security Fixes: postgresql: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation CVE-2025-1094 For more details about the security issues, including the impact, a CVSS score,...

CVSS 8.1 | AI score 7.1 | EPSS 0.82364
Exploits: 10 | References: 4

CVE
added 2025/02/14 11:32 a.m., 700 views

CVE-2025-26523

CVE-2025-26523 affects the RupeeWeb trading platform. The vulnerability arises from insufficient authorization controls on certain API endpoints that perform add and delete operations, enabling an authenticated remote attacker to modify information belonging to other user accounts. Documented imp...

CVSS 7.4 | AI score 6.5 | EPSS 0.00511
Exploits: 0 | References: 1

Vulnrichment
added 2025/02/12 9:44 a.m., 8 views

CVE-2024-32838 Apache Fineract: SQL injection vulnerabilities in offices API endpoint

SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Apache Fineract versions 1.9 and before have a vulnerability that allows an authenticated attacker to inject malicious data into some of the REST API endpoints' query parameter. Users are recommended to upgrade to...

CVSS 9.4 | AI score 7.7 | EPSS 0.0015
Exploits: 0 | References: 1

Tenable Nessus
added 2025/02/07 12:0 a.m., 6 views

Cisco Identity Services Engine Multiple Vulnerabilities (cisco-sa-ise-multi-vuln-DBQdWRy)

According to its self-reported version, Cisco Identity Services Engine Vulnerabilities is affected by multiple vulnerabilities. - A vulnerability in the web-based management interface of Cisco ISE could allow an unauthenticated, remote attacker to conduct an XSS attack against a user of the...

CVSS 7.2 | AI score 6.1 | EPSS 0.01308
Exploits: 0 | References: 15

The Hacker News
added 2025/01/31 5:49 a.m., 20 views

Broadcom Patches VMware Aria Flaws – Exploits May Lead to Credential Theft

Broadcom has released security updates to patch five security flaws impacting VMware Aria Operations and Aria Operations for Logs, warning customers that attackers could exploit them to gain elevated access or obtain sensitive information. The list of identified flaws, which impact versions 8.x o...

CVSS 8.6 | AI score 6.7 | EPSS 0.00651
Exploits: 0

Cvelist
added 2025/01/08 12:0 a.m., 29 views

CVE-2024-50603

An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloudtype for...

CVSS 10 | EPSS 0.94362
Exploits: 5 | References: 3

Cvelist
added 2024/12/31 6:0 a.m., 24 views

CVE-2024-11972 Hunk Companion < 1.9.0 - Unauthenticated Plugin Installation

The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary Hunk Companion WordPress plugin before 1.9.0 from the WordPress.org repo, including vulnerable Hunk Companion WordPress plugin...

EPSS 0.9188
Exploits: 5 | References: 1

NVD
added 2024/12/24 5:15 p.m., 14 views

CVE-2024-12744

A SQL injection in the Amazon Redshift JDBC Driver in v2.1.0.31 allows a user to gain escalated privileges via the getSchemas, getTables, or getColumns Metadata APIs. Users should upgrade to the driver version 2.1.0.32 or revert to driver version 2.1.0.30...

CVSS 8.6 | EPSS 0.0076
Exploits: 0 | References: 3

CVE
added 2024/12/16 6:49 a.m., 63 views

CVE-2024-12645

CVE-2024-12645 affects Chunghwa Telecom topm-client. One API is vulnerable to Relative Path Traversal and the suite also lacks CSRF protection, enabling phishing-based unauthenticated access to read arbitrary files on the user’s system. Per CNNVD, affected topm-client versions are 0.3.14 through ...

CVSS 6.5 | AI score 6.6 | EPSS 0.00152
Exploits: 0 | References: 2

EUVD
added 2024/10/28 12:55 p.m., 1 views

EUVD-2024-44956

In JetBrains YouTrack before 2024.3.47707 reflected XSS was possible in Widget API...

CVSS 6.1 | AI score 5.7 | EPSS 0.07868
Exploits: 0 | References: 1