508 matches found

EUVD
added 2026/03/24 9:31 p.m., 3 views

EUVD-2026-14955

A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data...

CVSS 8.7, AI score 6.1, EPSS 0.0024
Exploits 0, References 2
ATTACKERKB
added 2026/03/24 6:52 p.m., 10 views

CVE-2026-33314

pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @localcheck decorator allows unauthenticated external attackers to bypass local-only restrictions. This grants access to the Click'N'Load API endpoints,...

CVSS 6.5, AI score 5.9, EPSS 0.00183
Exploits 1, References 2, Affected Software 1
CNNVD
added 2026/03/24 12:00 a.m., 11 views

dagu path traversal vulnerability

Dagu is an open-source workflow engine developed by Dagu Workflow Engine. Versions of Dagu from 2.0.0 to 2.3.1 had a path traversal vulnerability. This vulnerability stemmed from the fact that API endpoints such as GET, DELETE, RENAME, and EXECUTE did not call the ValidateDAGName function. A...

CVSS 8.1, AI score 6.4, EPSS 0.00469
Exploits 1, References 2
OSV
added 2026/03/23 6:16 p.m., 3 views

GO-2026-4805 Vikunja has TOTP Reuse During Validity Window in code.vikunja.io/api

Vikunja has TOTP Reuse During Validity Window in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please suggest...

CVSS 5.7, AI score 5.8, EPSS 0.00258
Exploits 1, References 1
OSV
added 2026/03/20 5:25 p.m., 1 view

GHSA-MR3J-P26X-72X4 Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments

An authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to. Details: The GET /api/v1/tasks/taskID/comments/commentID endpoint performs an authorizati...

CVSS 5.3, AI score 5.8, EPSS 0.00254
Exploits 0, References 5
NVD
added 2026/03/20 3:16 p.m., 5 views

CVE-2026-33312

Vikunja is an open-source self-hosted task management platform. Starting in version 0.20.2 and prior to version 2.2.0, the DELETE /api/v1/projects/:project/background endpoint checks CanRead permission instead of CanUpdate, allowing any user with read-only access to a project to permanently delet...

CVSS 5.4, EPSS 0.00211
Exploits 1, References 2
CNNVD
added 2026/03/19 12:00 a.m., 5 views

Discourse security vulnerability

Discourse is an open-source community discussion platform developed by Discourse. This platform includes features such as communities, email communication, and chat rooms. Versions of Discourse prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain security vulnerabilities. These...

CVSS 8.7, AI score 5.8, EPSS 0.00254
Exploits 0, References 1
ATTACKERKB
added 2026/03/18 5:18 a.m., 2 views

CVE-2026-32596

Glances is an open-source cross-platform system monitoring tool. Prior to 4.5.2, the Glances web server runs without authentication by default when started with glances -w, exposing a REST API with sensitive system information, including process command lines containing credentials such as passwords, API keys,...

CVSS 8.7, AI score 5.8, EPSS 0.0155
Exploits 1, References 4, Affected Software 1
OSV
added 2026/03/13 3:05 p.m., 3 views

GHSA-9WMW-9WPH-2VWP Dagu: SSE Authentication Bypass in Basic Auth Mode

Summary: When Dagu is configured with HTTP Basic authentication (DAGUAUTHMODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow...

CVSS 7.5, AI score 6, EPSS 0.00778
Exploits 1, References 6
OSSF Malicious Packages
added 2026/03/13 10:47 a.m., 6 views

Malicious code in ighack (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 889207a729f6b97c385d6c0afe217776d10331cdf7e5dd511f80e0d01e899842 Instagram hacking tool that besides abusing the Instagram API, also automatically uses user's credentials to follow hardcoded accounts. --- Category: MALICIOUS...

AI score 5.8
Exploits 0, References 1
Vulnrichment
added 2026/03/12 6:10 p.m., 2 views

CVE-2026-32100 swag/platform-security: `/api/_info/config` route exposes information about licenses and active security fixes

Shopware is an open commerce platform. The `/api/_info/config` route exposes information about active security fixes. This vulnerability is fixed in 2.0.16, 3.0.12, and 4.0.7...

CVSS 5.3, AI score 5.8, EPSS 0.00201
Exploits 0, References 1
CVE
added 2026/03/07 5:46 a.m., 18 views

CVE-2026-30829

Checkmate is an open-source self-hosted tool for monitoring server hardware and incidents. Before version 3.4.0, the GET /api/v1/status-page/:url endpoint exposes full status page details without authentication or published-page checks, allowing access to unpublished pages and internal data to an...

CVSS 5.3, AI score 5.7, EPSS 0.00386
Exploits 1, References 1, Affected Software 1
Fedora
added 2026/03/07 12:33 a.m., 7 views

[SECURITY] Fedora 44 Update: nextcloud-32.0.6-1.fc44

NextCloud gives you universal access to your files through a web interface or WebDAV. It also provides a platform to easily view & sync your contacts, calendars and bookmarks across all your devices and enables basic editing right on the web. NextCloud is extendable via a simple but powerful API...

CVSS 8.2, AI score 5.8, EPSS 0.02591
Exploits 1
ATTACKERKB
added 2026/03/06 4:16 p.m., 3 views

CVE-2025-15602

Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user account, including the...

CVSS 8.8, AI score 5.8, EPSS 0.0046
Exploits 1, References 4
CVE
added 2026/03/05 8:38 p.m., 14 views

CVE-2026-28442

ZimaOS 1.5.2-beta3 (a CasaOS fork) exposes an improper input validation and broken access control in filesystem operations. By altering the path parameter in the delete API, restricted system files/directories can be removed, bypassing UI protections. Backend lacks validation to ensure the path i...

CVSS 8.5, AI score 5.9, EPSS 0.00304
Exploits 1, References 1, Affected Software 1
EUVD
added 2026/03/05 7:50 p.m., 3 views

EUVD-2026-9854

Gogs: Access tokens get exposed through URL params in API requests...

CVSS 6.9, AI score 5.9, EPSS 0.00254
Exploits 0, References 4
ATTACKERKB
added 2026/03/05 7:20 p.m., 3 views

CVE-2026-21621

Incorrect Authorization vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.API.OAuthController' module allows Privilege Escalation. An API key created with read-only permissions domain: "api", resource: "read" can be escalated to full write access under specific conditions. When exchanging a...

CVSS 7, AI score 6, EPSS 0.00323
Exploits 0, References 3, Affected Software 1
Positive Technologies
added 2026/03/05 12:00 a.m., 7 views

PT-2026-23517

Name of the Vulnerable Software and Affected Versions: ZimaOS version 1.5.2-beta3. Description: ZimaOS, a fork of CasaOS, exhibits a security issue where restrictions on deleting internal system files and folders can be bypassed through manipulation of the API. Specifically, altering the path...

CVSS 8.5, AI score 5.8, EPSS 0.00304
Exploits 1, References 6
Positive Technologies
added 2026/03/05 12:00 a.m., 4 views

PT-2026-23478

Name of the Vulnerable Software and Affected Versions: Tata Consultancy Services Cognix Recon Client version 3.0. Description: A lack of proper authentication and authorization in the web API of Tata Consultancy Services Cognix Recon Client v3.0 enables remote attackers to access application...

CVSS 7.5, AI score 5.8, EPSS 0.00411
Exploits 0, References 7
OSV
added 2026/03/04 4:16 p.m., 4 views

CVE-2025-59784

2N Access Commander version 3.4.1 and prior is vulnerable to log pollution. Certain parameters sent over API may be included in the logs without prior validation or sanitisation. This vulnerability can only be exploited after authenticating with administrator privileges...

CVSS 7.2, AI score 5.7, EPSS 0.00286
Exploits 0, References 1