PT-2025-50859

The Upcoming for Calendly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's Calendl...

CVE-2025-67718

Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized...

The Privacy Gap in API Security: Why Protecting APIs Shouldn’t Put Your Data at Risk

The more critical APIs become, the more sensitive data they carry identities, payment details, health records, customer preferences, tokens, keys, and more. And this is where organizations face a painful, often invisible problem: To protect APIs, many organizations end up exposing the very data...

CVE-2025-1161 Improper Authorization in Nomysoft Informatics' Nomysem

Incorrect Use of Privileged APIs vulnerability in NomySoft Information Technology Training and Consulting Inc. Nomysem allows Privilege Escalation. This issue affects Nomysem: through May 2025...

PT-2025-39500

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 17.5 through 18.4.5 GitLab CE/EE versions 18.5 through 18.5.3 GitLab CE/EE versions 18.6 through 18.6.1 Description An authenticated user could potentially discover the names of private projects they do not have access to...

EUVD-2025-201942

Multiple Incorrect Access Control vulnerabilities in adata Software GmbH Mitarbeiterportal 2.15.2.0 allow remote authenticated, low-privileged users to carry out administrative functions and manipulate data of other users via unauthorized API calls...

PT-2025-49842

A vulnerability has been identified in SIMATIC CN 4100 All versions V4.0.1. The affected application do not properly validate input parameters in its REST API, resulting in improper handling of unexpected arguments. This could allow an authenticated attacker to execute arbitrary code with limited...

GO-2025-4185 Mattermost Server exposes team invite IDs through API endpoints in github.com/mattermost/mattermost-server

Mattermost Server exposes team invite IDs through API endpoints in github.com/mattermost/mattermost-server...

CVE-2025-66581

Frappe Learning Management System LMS is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multiple features. Because the affected endpoints...

CVE-2025-12994

Medtronic CareLink Network allows an unauthenticated remote attacker to initiate a request for security questions to an API endpoint that could be used to determine a valid user account. This issue affects CareLink Network: before December 4, 2025...

CVE-2025-12997

Insecure Direct Object Reference vulnerability in Medtronic CareLink Network which allows an authenticated attacker with access to specific device and user information to submit web requests to an API endpoint that would expose sensitive user information. This issue affects CareLink Network: befo...

CVE-2025-12997

The CVE-2025-12997 issue affects Medtronic CareLink Network. Description indicates an Insecure Direct Object Reference vulnerability where an authenticated attacker with access to specific device and user information can submit web requests to an API endpoint and expose sensitive user information...

CVE-2025-12994

Medtronic CareLink Network allows an unauthenticated remote attacker to initiate a request for security questions to an API endpoint that could be used to determine a valid user account. This issue affects CareLink Network: before December 4, 2025...

CVE-2025-12994

Medtronic CareLink Network is affected by CVE-2025-12994. The issue allows an unauthenticated remote attacker to initiate requests to an API endpoint that could be used to determine a valid user account. Affected component: CareLink Network (versions prior to 4 Dec 2025). According to the sources...

CVE-2025-66027

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.6, an information disclosure vulnerability exposes participant details, including names and email addresses through the /api/trpc/polls.get,polls.participants.list endpoint, even when Pro privacy features are enabled...

CVE-2025-63681

open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling attackers a normal user to stop arbitrary LLM response tasks...

SolisCloud Monitoring Platform

RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to access sensitive information by manipulating API requests. 2. RECOMMENDED PRACTICES CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as: Minimize...

CVE-2025-55948

This vulnerability fundamentally arises from yzcheng90 X-SpringBoot 6.0's implementation of role-based access control RBAC through dual dependency on frontend menu systems and backend permission tables, without enforcing atomic synchronization between these components. The critical flaw manifests...

PT-2025-49125

Name of the Vulnerable Software and Affected Versions Medtronic CareLink Network versions prior to December 4, 2025 Description The Medtronic CareLink Network allows an unauthenticated remote attacker to perform a brute force attack on an API endpoint. Successful exploitation could allow an...

FreePBX SQL注入漏洞

FreePBX formerly known as Asterisk Management Portal is a set of tools from the FreePBX project for configuring Asterisk IP telephony system through a GUI web-based graphical interface. FreePBX suffers from a SQL injection vulnerability that stems from a lack of validation of externally entered S...