524 matches found
CVE-2026-3014
CVE-2026-3014 concerns Milestone XProtect. A vulnerability in the Management Server API could allow users with edit permissions on the Management Server to execute arbitrary code in the context of the Management Server Service. Milestone has released a new version of XProtect with cumulative patc...
CVE-2026-55516 Snipe-IT: Cross-company asset maintenance re-parenting via API update
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, PATCH or PUT /api/v1/maintenances/maintenanceid checks access to the current maintenance record and asset but then fills attacker-controlled fields including assetid without re-authorizing the newly supplied asset, allowing an...
EUVD-2026-42596
A vulnerability has been identified in CPCI85 Central Processing/Communication All versions V26.20, SICORE Base system All versions V26.20.0. The affected application contains insufficient validation of authentication credentials when processing administrative account modifications through the we...
CVE-2026-56460
HCL DevOps Deploy / HCL Launch could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system...
CVE-2026-56460 HCL DevOps Deploy / HCL Launch is susceptible to an Insertion of Sensitive Information Into Sent Data vulnerability
HCL DevOps Deploy / HCL Launch could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system...
CVE-2026-56460
HCL DevOps Deploy / HCL Launch could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system...
EUVD-2026-42555
HCL DevOps Deploy / HCL Launch could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system...
CVE-2026-22555
Gitea versions before 1.26.0 allow API users to fork a repository into an organization without first passing the CanCreateOrgRepo check, which can expose organization secrets...
CVE-2026-59097 Taiga < 6.10.2 - Unauthorized Due-Date Creation via API Viewsets
Taiga before 6.10.2 contains a missing authorization vulnerability that allows unauthenticated remote attackers to create default due-date records in any project by exploiting unprotected POST endpoints on the user-story, task, and issue due-date API viewsets. Attackers can supply an arbitrary...
CVE-2026-47262
CVE-2026-47262 affects containerd where a maliciously crafted image can trigger a Denial of Service by exhausting memory during container creation, causing an Out-Of-Memory (OOM) kill of the containerd process and making the runtime API unavailable (impacting clients like Docker Engine and Kubern...
CVE-2026-58024 API identification of users on private wikis
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiUserrights.Php. This issue affects MediaWiki: from before 1.46.0, 1.45.4, 1.44.6, 1.43.9...
EUVD-2026-40892
The Visualizer – Tables & Charts Manager with Built-in AI Generator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...
CVE-2026-56350
n8n before 2.8.0 contains an authentication bypass vulnerability allowing authenticated SSO users to disable SSO enforcement through the API. Attackers can create local password credentials to authenticate directly, bypassing organizational SSO policies and identity-provider-enforced multi-factor...
GO-2026-5347 OliveTin: ValidateArgumentType API Endpoint's Missing Authentication Allows Action and Argument Enumeration in github.com/OliveTin/OliveTin
OliveTin: ValidateArgumentType API Endpoint's Missing Authentication Allows Action and Argument Enumeration in github.com/OliveTin/OliveTin...
PT-2026-52207
Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 9.3 through 18.11.5 GitLab CE/EE versions 19.0 through 19.0.2 GitLab CE/EE versions 19.1 through 19.1.0 Description Insufficient filtering in a CI/CD API endpoint could allow sensitive information to be written to...
EUVD-2026-38792
An unauthorized user can modify configuration through API calls that affects the OpenText Access Manager. This issue affects Access Manager before 5.1.3...
CVE-2026-48493 Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment
Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/theirownid and grant themselves any permission except admin and superuser — for example assets.view, assets.create, reports.view, import, etc. The issue is...
PT-2026-51507
Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2 Description Multiple OS command injection issues exist in the Custom MCP Server feature. These occur due to incomplete command-flag validation and a regex bypass in local file access restrictions. An attacker wi...
PT-2026-56266
Name of the Vulnerable Software and Affected Versions Anki versions prior to 25.09.4 Description Webview-based pages communicate with the Rust backend via an internal localhost API. User scripts included through iframes in the editor can bypass protections to access this API. A malicious imported...
ember
🔥 Ember AI systems burn brightly but hide their secrets. Em...