CVE-2026-25729

DeepAudit is a multi-agent system for code vulnerability discovery. In 3.0.4 and earlier, there is an improper access control vulnerability in the /api/v1/users/ endpoint allows any authenticated user to enumerate all users in the system and retrieve sensitive information including email addresse...

Authorization Bypass Through User-Controlled Key

Overview spreeapi is a Spree Api module Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the billaddressid and shipaddressid parameters in the checkout process. An attacker can gain unauthorized access to other users' personally identifiable...

Amazon Linux 2 : python-urllib3, --advisory ALAS2-2026-3156 (ALAS-2026-3156)

The version of python-urllib3 installed on the remote host is prior to 1.25.9-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3156 advisory. urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number...

Important: python-urllib3

Issue Overview: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage an...

MiracleLinux 8 : python-urllib3-1.24.2-9.el8_10 (AXSA:2026-099:02)

The remote MiracleLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2026-099:02 advisory. urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion CVE-2025-66418 urllib3: urllib3 Streaming API improperly handles highly...

CVE-2026-24766

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an authenticated user with org-level-creator permissions can exploit prototype pollution in the /api/v2/meta/connection/test endpoint, causing all database write operations to fail application-wide until server...

PT-2026-5218

Name of the Vulnerable Software and Affected Versions NocoDB versions prior to 0.301.0 Description An authenticated user with org-level-creator permissions can exploit prototype pollution in the /api/v2/meta/connection/test endpoint. This causes all database write operations to fail...

MiracleLinux 4 : rh-mariadb102-galera-25.3.29-1.AXS4, rh-mariadb102-mariadb-10.2.33-1.AXS4 (AXSA:2020-657:01)

The remote MiracleLinux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2020-657:01 advisory. mysql: Server: Replication unspecified vulnerability CPU Apr 2019 CVE-2019-2614 mysql: Server: Security: Privileges unspecified vulnerability CPU Apr...

Synology DiskStation Manager Cross-Site Request Forgery (CVE-2024-45538)

Cross-Site Request Forgery CSRF vulnerability in WebAPI Framework in Synology DiskStation Manager DSM before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller DSMUC before 3.1.4-23079 allows remote attackers to execute arbitrary code via unspecified vectors. This plugin only works wit...

openc3-api Vulnerable to Unauthenticated Remote Code Execution

Summary OpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using Stringconverttovalue. For array-like inputs, converttovalu...

Linux Distros Unpatched Vulnerability : CVE-2025-59057

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. and react-router versions 7.0.0 through 7.8.2, a XSS vulnerability exist...

CVE-2021-33217

An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. The Web Application allows Arbitrary Read/Write actions by authenticated users. The API allows an HTTP POST of arbitrary content into any file on the filesystem as root...

CVE-2021-22023

The vRealize Operations Manager API 8.x prior to 8.5 has insecure object reference vulnerability. A malicious actor with administrative access to vRealize Operations Manager API may be able to modify other users information leading to an account takeover...

CVE-2022-26332

Cipi 3.1.15 allows Add Server stored XSS via the /api/servers name field...

CVE-2017-18919

An issue was discovered in Mattermost Server before 3.7.0 and 3.6.3. Attackers can use the API for unauthenticated team creation...

CVE-2024-39020

idccms v1.35 was discovered to contain a Cross-Site Request Forgery CSRF vulnerability via /admin/vpsApiDatadeal.php?mudi=rev=close...

CVE-2023-49617

The MachineSense application programmable interface API is improperly protected and can be accessed without authentication. A remote attacker could retrieve and modify sensitive information without any authentication...

CVE-2023-40585

ironic-image is a container image to run OpenStack Ironic as part of Metal³. Prior to version capm3-v1.4.3, if Ironic is not deployed with TLS and it does not have API and Conductor split into separate services, access to the API is not protected by any authentication. Ironic API is also listenin...

CVE-2022-37919

A vulnerability exists in the API of Aruba EdgeConnect Enterprise. An unauthenticated attacker can exploit this condition via the web-based management interface to create a denial-of-service condition which prevents the appliance from properly responding to API requests in Aruba EdgeConnect...

CVE-2019-7554

An issue was discovered in PHP Scripts Mall API Based Travel Booking 3.4.7. There is Reflected XSS via the flight-results.php d2 parameter...