Lucene search

1618 matches found
NVD · added 2025/04/15 3:16 p.m. · 10 views

CVE-2025-27980

cashbook v4.0.3 has an arbitrary file read vulnerability in /api/entry/flow/invoice/show?invoice=...

CVSS 6.5 · EPSS 0.00268
Exploits 1 · References 1
Cvelist · added 2025/04/15 12:0 a.m. · 19 views

CVE-2025-27892

Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. NOTE: this issue exists because of a CVE-2024-22406 and CVE-2024-42357 regression...

EPSS 0.11406
Exploits 1 · References 2
CVE · added 2025/04/15 12:0 a.m. · 61 views

CVE-2025-27980

The set of connected records confirm CVE-2025-27980 affects CashBook v4.0.3, where an arbitrary file read is possible through the API endpoint /api/entry/flow/invoice/show?invoice=. The vulnerability exposes confidential data (CVE metrics indicate Confidentiality Impact: High, Integrity: Low, Ava...

CVSS 6.5 · AI score 7.2 · EPSS 0.00268
Exploits 1 · References 1 · Affected Software 1
Positive Technologies · added 2025/04/14 12:0 a.m. · 2 views

PT-2025-16345

Name of the Vulnerable Software and Affected Versions: Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC version V3 1.0.15. Description: A command injection issue was discovered in the Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC. The issue occurs via the foldername in the...

CVSS 6.5 · AI score 5.8 · EPSS 0.08036
Exploits 1 · References 10
Positive Technologies · added 2025/04/11 12:0 a.m. · 3 views

PT-2025-16129 · Unknown · Powersystem Center

Name of the Vulnerable Software and Affected Versions: PowerSYSTEM Center, affected versions not specified. Description: The issue is related to a mishandling of exceptional conditions, where crafted data passed to the API can trigger an exception, resulting in a denial-of-service condition...

CVSS 6.9 · AI score 6 · EPSS 0.00154
Exploits 0 · References 5
Saint · added 2025/04/11 12:0 a.m. · 238 views

Langflow /api/v1/validate/code command injection

Added: 04/11/2025. CVE: CVE-2025-3248. Background: Langflow is a low-code tool for building AI agents and workflows. Problem: A command injection vulnerability in the /api/v1/validate/code API endpoint could allow a remote unauthenticated attacker to execute arbitrary commands by sending a specially...

CVSS 9.8 · AI score 8.5 · EPSS 0.99959
Exploits 33
Cvelist · added 2025/04/10 3:33 p.m. · 13 views

CVE-2025-24866 Unauthorized Access to User Activity Logs API by delegated granular administration roles

Mattermost versions 9.11.x = 9.11.8 fail to enforce proper access controls on the /api/v4/audits endpoint, allowing users with delegated granular administration roles who lack access to Compliance Monitoring to retrieve User Activity Logs...

CVSS 2.7 · EPSS 0.00237
Exploits 0 · References 1
OSV · added 2025/04/10 7:13 a.m. · 4 views

BIT-KIBANA-2024-52974

An issue has been identified where a specially crafted request sent to an Observability API could cause the Kibana server to crash. A successful attack requires a malicious user to have read permissions for Observability assigned to them...

CVSS 6.5 · AI score 6.4 · EPSS 0.00316
Exploits 0 · References 2
RedhatCVE · added 2025/04/09 11:11 a.m. · 18 views

CVE-2025-21421

Memory corruption while processing escape code in API...

CVSS 7.8 · AI score 7.4 · EPSS 0.00089
Exploits 0 · References 1
Cvelist · added 2025/04/08 3:37 p.m. · 21 views

CVE-2025-32017 Umbraco has a Management API Vulnerability to Path Traversal With Authenticated Users

Umbraco is a free and open source .NET content management system. Authenticated users of the Umbraco backoffice are able to craft management API requests that exploit a path traversal vulnerability to upload files into an incorrect location. The issue affects Umbraco 14+ and is patched in 14.3.4 an...

CVSS 8.8 · EPSS 0.00511
Exploits 0 · References 3
Vulnrichment · added 2025/04/08 3:37 p.m. · 13 views

CVE-2025-32017 Umbraco has a Management API Vulnerability to Path Traversal With Authenticated Users

Umbraco is a free and open source .NET content management system. Authenticated users of the Umbraco backoffice are able to craft management API requests that exploit a path traversal vulnerability to upload files into an incorrect location. The issue affects Umbraco 14+ and is patched in 14.3.4 an...

CVSS 8.8 · AI score 7.1 · EPSS 0.00511
Exploits 0 · References 3
NVD · added 2025/04/08 2:15 p.m. · 19 views

CVE-2025-30150

Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Through the store-api it is possible as an attacker to check if a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get the response, which indicates...

CVSS 6.9 · EPSS 0.00317
Exploits 1 · References 1
CVE · added 2025/04/08 1:46 p.m. · 70 views

CVE-2025-30150

CVE-2025-30150 affects Shopware 6 platforms. The vulnerability allows an attacker using the store-api to determine whether an email address is registered by querying /store-api/account/recovery-password; responses differentiate between found vs not found accounts, enabling information exposure. ...

CVSS 6.9 · AI score 6.9 · EPSS 0.00317
Exploits 1 · References 1 · Affected Software 1
Vulnrichment · added 2025/04/08 5:33 a.m. · 7 views

CVE-2024-47261

51l3nc3, a member of the AXIS OS Bug Bounty Program, has found that the VAPIX API uploadoverlayimage.cgi did not have sufficient input validation to allow an attacker to upload files to block access to create image overlays in the web interface of the Axis device...

CVSS 4.3 · AI score 7.1 · EPSS 0.00296
Exploits 0 · References 1
CNNVD · added 2025/04/08 12:0 a.m. · 2 views

Shopware security vulnerability

Shopware is a suite of open source e-commerce software from the German company Shopware. A security vulnerability exists in Shopware, which stems from a store-api that detects the existence of an e-mail account, which could lead to information disclosure...

CVSS 6.9 · AI score 6 · EPSS 0.00317
Exploits 1 · References 3
Debian CVE · added 2025/04/08 12:0 a.m. · 51 views

CVE-2025-32414

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API Python bindings because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters...

CVSS 7.5 · AI score 6.6 · EPSS 0.00311
Exploits 1
CVE · added 2025/04/08 12:0 a.m. · 210 views

CVE-2025-32414

CVE-2025-32414 concerns libxml2 prior to 2.13.8 and 2.14.x prior to 2.14.2, where the Python bindings can trigger an out-of-bounds memory access due to an incorrect return value in the Python API. Affected code paths include xmlPythonFileRead and xmlPythonFileReadRaw, caused by a mismatch between...

CVSS 7.5 · AI score 7.1 · EPSS 0.00311
Exploits 1 · References 2 · Affected Software 1
NVD · added 2025/04/07 11:15 a.m. · 4 views

CVE-2025-21421

Memory corruption while processing escape code in API...

CVSS 7.8 · EPSS 0.00089
Exploits 0 · References 1
Positive Technologies · added 2025/04/07 12:0 a.m. · 4 views

PT-2025-15200 · Qualcomm · Snapdragon +35

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: The issue involves memory corruption that occurs while processing an escape code in an API. Recommendations: At the moment, there is no information about a newer version that contains a fix...

CVSS 7.8 · AI score 6.6 · EPSS 0.00089
Exploits 0 · References 6
BDU FSTEC · added 2025/04/07 12:0 a.m. · 6 views

The vulnerability of the webapi component in the operating systems Synology BeeStation Manager (BSM), Synology DiskStation Manager (DSM), and Synology BeeStation OS allows a malicious individual to gain unauthorized access to protected information.

The vulnerability of the webapi component in Synology BeeStation Manager (BSM), Synology DiskStation Manager (DSM), and Synology BeeStation OS is related to a lack of mechanisms for encoding or shielding output data. Exploiting this vulnerability can allow an attacker operating remotely to gain...

CVSS 5.3 · AI score 6.5 · EPSS 0.21186
Exploits 0 · References 4 · Affected Software 3