EUVD-2025-201164

open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling attackers a normal user to stop arbitrary LLM response tasks...

EUVD-2025-201138

Summary Authenticated SQL Injection Vulnerability in Endpoint Module Rest API...

EUVD-2025-201130

RomM ROM Manager allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, users can read private collections / smart collections belonging to other users by directly accessing their IDs via API. No ownership...

Architecture Patterns That Enable Cycode alternatives at Scale

Guide to scale ready code security with event driven scans unified data and API first design for large teams seeking strong growth aligned control...

[SECURITY] Fedora 41 Update: nextcloud-32.0.2-1.fc41

NextCloud gives you universal access to your files through a web interface or WebDAV. It also provides a platform to easily view & sync your contacts, calendars and bookmarks across all your devices and enables basic editing rig ht on the web. NextCloud is extendable via a simple but powerful API...

[SECURITY] Fedora 42 Update: nextcloud-32.0.2-1.fc42

NextCloud gives you universal access to your files through a web interface or WebDAV. It also provides a platform to easily view & sync your contacts, calendars and bookmarks across all your devices and enables basic editing rig ht on the web. NextCloud is extendable via a simple but powerful API...

[SECURITY] Fedora 43 Update: nextcloud-32.0.2-1.fc43

NextCloud gives you universal access to your files through a web interface or WebDAV. It also provides a platform to easily view & sync your contacts, calendars and bookmarks across all your devices and enables basic editing rig ht on the web. NextCloud is extendable via a simple but powerful API...

INFERMAL: Inferential Analysis of Maliciously Registered Domains

Cybercriminals have long depended on domain names for phishing, spam, malware distribution, and botnet operation. To facilitate the malicious activities, they continually register new domain names for exploitation. Previous work revealed an abnormally high concentration of malicious registrations...

CVE-2025-35028 HexStrike AI MCP Server Command Injection

By providing a command-line argument starting with a semi-colon ; to an API endpoint created by the EnhancedCommandExecutor class of the HexStrike AI MCP server, the resultant composed command is executed directly in the context of the MCP server’s normal privilege; typically, this is root. There...

CVE-2025-59454

In Apache CloudStack, a gap in access control checks affected the APIs - createNetworkACL - listNetworkACLs - listResourceDetails - listVirtualMachinesUsageHistory - listVolumesUsageHistory While these APIs were accessible only to authorized users, insufficient permission validation meant that...

OneUptime Unauthorized User Creation via API

Summary A low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface. PoC A low-permission user sends a crafted API request to the user-creation endpoint and the system creates the account successfully. Impact This allows attacke...

CVE-2025-65966 OneUptime Unauthorized User Creation via API

OneUptime is a solution for monitoring and managing online services. In version 9.0.5598, a low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface. This issue has been patched in version 9.1.0...

CVE-2025-65966 OneUptime Unauthorized User Creation via API

OneUptime is a solution for monitoring and managing online services. In version 9.0.5598, a low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface. This issue has been patched in version 9.1.0...

WordPress Search Exclude plugin <= 2.5.7 – Missing Authorization to Authenticated (Contributor+) Search Settings Modification via REST API vulnerability

Missing Authorization to Authenticated Contributor+ Search Settings Modification via REST API vulnerability discovered by Lucas Montes Nirox in WordPress Plugin Search Exclude versions = 2.5.7...

Primakon Pi Portal 安全漏洞

Primakon Pi Portal is a project, contract management platform from Primakon Croatia. A security vulnerability exists in Primakon Pi Portal version 1.0.18, which stems from insufficient access control in the /api/v2/users endpoint and could lead to unauthorized data disclosure...

Primakon Pi Portal 安全漏洞

Primakon Pi Portal is a project, contract management platform from Primakon Croatia. A security vulnerability exists in Primakon Pi Portal version 1.0.18, which stems from a lack of authorization checking in the /api/v2/user/register endpoint, which could lead to unauthorized user registration...

CVE-2025-64061

Primakon Pi Portal 1.0.18 /api/v2/users endpoint is vulnerable to unauthorized data exposure due to deficient access control mechanisms. Any authenticated user, regardless of their privilege level including standard or low-privileged users, can make a GET request to this endpoint and retrieve a...

Malicious code in @lessondesk/api-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8c812dd964064f404443160aac0a9fddb5dccef95ecfb131a074fcf7176bd49f The package @lessondesk/api-client was found to contain malicious code. Source: ghsa-malware...

EUVD-2025-198178

OpenSTAManager has Authenticated SQL Injection in API via 'display' parameter...

CVE-2025-13315

Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator's username and encrypted password...