Lucene search

90 matches found

CVE
added 2026/03/17 7:29 a.m.

CVE-2026-4312

Affected product: DrangSoft GCB/FCB Audit Software. Vulnerability: Missing Authentication, enabling unauthenticated remote attackers to directly access APIs and create a new administrative account. Impact/risks: High impact on confidentiality, integrity, and availability as per CVSS metrics (CRIT...

CVSS: 9.8, AI score: 5.9, EPSS: 0.00293
Exploits: 0, References: 2, Affected Software: 1
Vulnrichment
added 2026/03/12 5:29 p.m.

CVE-2026-28254 Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge

A Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to access sensitive information through unprotected APIs...

CVSS: 6.9, AI score: 5.8, EPSS: 0.00044
Exploits: 0, References: 1
CNNVD
added 2026/03/06 12:00 a.m.

OliveTin Security Vulnerability

OliveTin is an open-source web application developed by OliveTin. Versions of OliveTin prior to 300.11.1 contained security vulnerabilities. These vulnerabilities were due to authorization flaws, which could allow verified users with the view: false permission to enumerate bindings and metadata...

CVSS: 6.5, AI score: 7.3, EPSS: 0.00021
Exploits: 1, References: 4
CNNVD
added 2026/02/26 12:00 a.m.

Free CRM Authorization Issue Vulnerability

Free CRM is customer relationship management software developed by the individual developer go2ismail. Free CRM has an authorization vulnerability; it arises from improper authorization of operations on parameters in files, APIs, or security settings...

CVSS: 8.8, AI score: 6.6, EPSS: 0.0002
Exploits: 1, References: 4
CNNVD
added 2026/02/20 12:00 a.m.

Multiple HP Products Security Vulnerability

The HP Samsung MultiXpress SL-X7600LXR, among others, is a color laser digital printer produced by the American company HP. Several HP products have security vulnerabilities; these vulnerabilities stem from insufficient authorization in certain APIs, which may lead to information leaks. The...

CVSS: 5.3, AI score: 5.8, EPSS: 0.00022
Exploits: 0, References: 1
Cvelist
added 2026/01/23 12:00 a.m.

CVE-2025-52024

A vulnerability exists in the Aptsys POS Platform Web Services module through 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services,...

EPSS: 0.00054
Exploits: 0, References: 2
CVE
added 2026/01/23 12:00 a.m.

CVE-2025-52022

CVE-2025-52022 affects the PHP backend of gemsloyalty.aptsys.com.sg (through 2025-05-28). The root issue is Information Exposure Through an Error Message: unauthenticated remote attackers can trigger detailed error messages via public API endpoints that disclose internal file paths, code snippets...

CVSS: 5.3, AI score: 5.7, EPSS: 0.00047
Exploits: 0, References: 2, Affected Software: 1
RedhatCVE
added 2026/01/14 12:18 a.m.

CVE-2025-66698

An issue in Semantic machines v5.4.8 allows attackers to bypass authentication via sending a crafted HTTP request to various API endpoints...

CVSS: 8.6, AI score: 7.1, EPSS: 0.002
Exploits: 1, References: 1
AstraLinux
added 2026/01/13 2:01 p.m.

Astra Linux – Vulnerability in Firefox

Use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 146.0.1...

CVSS: 9.8, AI score: 5.4, EPSS: 0.00064
Exploits: 0, References: 3
RedhatCVE
added 2026/01/10 5:41 a.m.

CVE-2025-67811

Area9 Rhapsode 1.47.3 allows SQL Injection via multiple API endpoints accessible to authenticated users. Insufficient input validation allows remote attackers to inject arbitrary SQL commands, resulting in unauthorized database access and potential compromise of sensitive data. Fixed in v.1.47.4...

CVSS: 6.5, AI score: 7.7, EPSS: 0.00012
Exploits: 0, References: 1
Qualys Blog
added 2025/12/19 9:01 p.m.

Your Guide to PCI DSS 4.0.1 Web Application and API Controls with a Simplified Path to Compliance

Executive Summary: PCI DSS 4.0.1 compliance mandates stricter security controls for web applications and APIs. Key updates include maintaining an inventory of custom software (PCI DSS 6.3.2) and managing payment page scripts to prevent skimming attacks (PCI DSS 6.4.3). Organizations must also adopt risk-based...

AI score: 6.9
Exploits: 0
Akamai Blog
added 2025/12/11 11:00 a.m.

The Year in Review 2025: AI, APIs, and a Whole Lot of Audacity

...

AI score: 7
Exploits: 0
OSV
added 2025/12/03 7:15 p.m.

CVE-2025-63402

An issue in HCL Technologies Limited HCLTech GRAGON before v.7.6.0 allows a remote attacker to execute arbitrary code via APIs that do not enforce limits on the number or size of requests...

CVSS: 5.5, AI score: 6.2
Exploits: 0, References: 3
Positive Technologies
added 2025/12/03 12:00 a.m.

PT-2025-48977

An issue in HCL Technologies Limited HCLTech GRAGON before v.7.6.0 allows a remote attacker to execute arbitrary code via APIs that do not enforce limits on the number or size of requests...

CVSS: 5.5, AI score: 8, EPSS: 0.00244
Exploits: 0, References: 4
CVE
added 2025/11/27 11:40 a.m.

CVE-2025-59454

In Apache CloudStack, a gap in access control checks allowed an authenticated user to access information beyond their intended scope via several APIs. Affected endpoints include createNetworkACL, listNetworkACLs, listResourceDetails, listVirtualMachinesUsageHistory, and listVolumesUsageHistory. T...

CVSS: 4.3, AI score: 6.2, EPSS: 0.00128
Exploits: 0, References: 2, Affected Software: 1
Talos Blog
added 2025/11/20 7:00 p.m.

It’s not personal, it’s just business

Welcome to this week's edition of the Threat Source newsletter. This week, we explore how advances in agentic AI are rapidly transforming the cyber crime business. Agentic AI programming gives AI agents autonomy, allowing them to interact with external systems to collect information, make decisio...

AI score: 7.1
Exploits: 0
EUVD
added 2025/11/14 3:00 a.m.

EUVD-2025-180549

IQ-Support, developed by IQ Service International, has an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to access specific APIs to obtain sensitive information from the internal network...

CVSS: 6.9, AI score: 6.2, EPSS: 0.00055
Exploits: 0, References: 3
Cvelist
added 2025/11/14 3:00 a.m.

CVE-2025-13160 IQ Service International|IQ-Support - Exposure of Sensitive Information

IQ-Support, developed by IQ Service International, has an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to access specific APIs to obtain sensitive information from the internal network...

CVSS: 6.9, EPSS: 0.00055
Exploits: 0, References: 2
Vulnrichment
added 2025/11/05 4:31 p.m.

CVE-2025-20377 Cisco Unified Intelligence Center API Information Disclosure Vulnerability

A vulnerability in the API subsystem of Cisco Unified Intelligence Center could allow an authenticated, remote attacker to obtain sensitive information from an affected system. This vulnerability is due to improper validation of requests to certain API endpoints. An attacker could exploit this...

CVSS: 4.3, AI score: 6, EPSS: 0.00051
Exploits: 0, References: 1
CNNVD
added 2025/10/30 12:00 a.m.

Dell Secure Connect Gateway Security Vulnerability

Dell Secure Connect Gateway is an enterprise-grade secure connectivity gateway appliance from Dell that is used to monitor hardware status, automate the creation of support requests, and securely communicate to safeguard device connectivity to Dell backend services. A relative path traversal...

CVSS: 4.3, AI score: 6.7, EPSS: 0.00064
Exploits: 0, References: 1