CVE-2026-32596

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with glances -w, exposing REST API with sensitive system information including process command-lines containing credentials passwords, API keys,...

GHSA-9WMW-9WPH-2VWP Dagu: SSE Authentication Bypass in Basic Auth Mode

SSE Authentication Bypass in Basic Auth Mode Summary When Dagu is configured with HTTP Basic authentication DAGUAUTHMODE=basic, all Server-Sent Events SSE endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow...

Malicious code in ighack (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 889207a729f6b97c385d6c0afe217776d10331cdf7e5dd511f80e0d01e899842 Instagram hacking tool that besides abusing the Instagram API, also automatically uses user's credentials to follow hardcoded accounts. --- Category: MALICIOUS...

CVE-2026-32100 swag/platform-security: `/api/_info/config` route exposes information about licenses and active security fixes

Shopware is an open commerce platform. /api/info/config route exposes information about active security fixes. This vulnerability is fixed in 2.0.16, 3.0.12, and 4.0.7...

CVE-2026-30829

Checkmate is an open‑source self‑hosted tool for monitoring server hardware and incidents. Before version 3.4.0, the GET /api/v1/status-page/:url endpoint exposes full status page details without authentication or published-page checks, allowing access to unpublished pages and internal data to an...

[SECURITY] Fedora 44 Update: nextcloud-32.0.6-1.fc44

NextCloud gives you universal access to your files through a web interface or WebDAV. It also provides a platform to easily view & sync your contacts, calendars and bookmarks across all your devices and enables basic editing rig ht on the web. NextCloud is extendable via a simple but powerful API...

CVE-2025-15602

Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user account, including the...

CVE-2026-28442

ZimaOS 1.5.2-beta3 (a CasaOS fork) exposes an improper input validation and broken access control in filesystem operations. By altering the path parameter in the delete API, restricted system files/directories can be removed, bypassing UI protections. Backend lacks validation to ensure the path i...

EUVD-2026-9854

Gogs: Access tokens get exposed through URL params in API requests...

CVE-2026-21621

Incorrect Authorization vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.API.OAuthController' module allows Privilege Escalation. An API key created with read-only permissions domain: "api", resource: "read" can be escalated to full write access under specific conditions. When exchanging a...

PT-2026-23478

Name of the Vulnerable Software and Affected Versions Tata Consultancy Services Cognix Recon Client version 3.0 Description A lack of proper authentication and authorization in the web API of Tata Consultancy Services Cognix Recon Client v3.0 enables remote attackers to access application...

PT-2026-23517

Name of the Vulnerable Software and Affected Versions ZimaOS version 1.5.2-beta3 Description ZimaOS, a fork of CasaOS, exhibits a security issue where restrictions on deleting internal system files and folders can be bypassed through manipulation of the API. Specifically, altering the path...

CVE-2025-59784

2N Access Commander version 3.4.1 and prior is vulnerable to log pollution. Certain parameters sent over API may be included in the logs without prior validation or sanitisation. This vulnerability can only be exploited after authenticating with administrator privileges...

CVE-2025-15597

A vulnerability has been found in Dataease SQLBot up to 1.4.0. This affects an unknown function of the file backend/apps/system/api/assistant.py of the component API Endpoint. Such manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been...

CVE-2025-67840

CVE-2025-67840 corresponds to multiple authenticated OS command injection vulnerabilities in Cohesity TranZman 4.0 Build 14614 (TZM_1757588060_SEP2025_FULL.depot). The web API endpoints (including Scheduler and Actions) concatenate user-controlled parameters into system commands, allowing an auth...

CVE-2026-28288 Dify has a user enumeration issue

Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue...

CVE-2026-20797

A stack based buffer overflow exists in an API route of XWEB Pro version 1.12.1 and prior, enabling unauthenticated attackers to cause stack corruption and a termination of the program...

CVE-2025-3525

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.0 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have, under certain circumstances, allowed an authenticated user with certain access to cause Denial of Service by creating specially crafted CI...

CVE-2026-20133

A vulnerability in Cisco Catalyst SD-WAN Software could allow an unauthenticated, remote attacker to view sensitive information on an affected system. This vulnerability is due to insufficient file system restrictions. An authenticated attacker with netadmin privileges could exploit this...

CVE-2026-0704

In affected version of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows...