1447 matches found

OSV
added 2025/07/16 5:02 p.m. · 3 views

CVE-2025-53904 The Scratch Channel Has Potential Reflected Cross-Site Scripting (XSS) Vulnerability

The Scratch Channel is a news website that is under development as of time of this writing. The file /api/admin.js contains code that could make the website vulnerable to cross-site scripting. No known patches exist as of time of publication...

CVSS 5.3 · AI score 6.6 · EPSS 0.00327
Exploits 0 · References 4
ATTACKERKB
added 2025/07/16 4:16 p.m. · 4 views

CVE-2025-20284

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system as root. This vulnerability is due to insufficient validation of user-supplied input. An attacker with valid credentials coul...

CVSS 7.2 · AI score 6.4 · EPSS 0.12681
Exploits 0 · References 2 · Affected Software 1
CNNVD
added 2025/07/13 12:00 a.m. · 4 views

SugarCRM Code Injection Vulnerability

SugarCRM is an open source Customer Relationship Management CRM system from SugarCRM, Inc. in the United States. The system supports differentiated marketing for different customer needs, managing and distributing sales leads, and enabling information sharing and tracking of sales representatives...

CVSS 7.2 · AI score 7 · EPSS 0.13248
Exploits 3 · References 4
OSV
added 2025/07/11 5:15 p.m. · 3 views

CVE-2025-7450

A vulnerability was found in letseeqiji gorobbs up to 1.0.8. It has been classified as critical. This affects the function ResetUserAvatar of the file controller/api/v1/user.go of the component API. The manipulation of the argument filename leads to path traversal. It is possible to initiate the...

CVSS 5.3 · AI score 5.4 · EPSS 0.00365
Exploits 0 · References 4
OSV
added 2025/07/10 3:15 p.m. · 4 views

CVE-2024-38327

IBM Analytics Content Hub 2.0, 2.1, 2.2, and 2.3 is vulnerable to information exposure and further attacks due to an exposed JavaScript source map which could assist an attacker to read and debug JavaScript used in the application's API...

CVSS 9.8 · AI score 5.8 · EPSS 0.00278
Exploits 0 · References 1
Positive Technologies
added 2025/07/10 12:00 a.m. · 2 views

PT-2025-32571 · WordPress · Mattermost Confluence Plugin

Name of the Vulnerable Software and Affected Versions: Mattermost Confluence Plugin versions prior to 1.5.0
Description: The Mattermost Confluence Plugin does not verify user authorization to the Mattermost instance, enabling attackers to create channel subscriptions without proper authorization...

CVSS 7.2 · AI score 7.2 · EPSS 0.00189
Exploits 0 · References 9
BDU FSTEC
added 2025/07/09 12:00 a.m. · 3 views

The vulnerability of the API component of the Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) allows a perpetrator to load arbitrary files.

The vulnerability of the Cisco Identity Services Engine ISE and Cisco ISE Passive Identity Connector ISE-PIC API components is related to deficiencies in access control. Exploiting this vulnerability could allow a malicious actor to upload arbitrary files remotely...

CVSS 6.8 · AI score 5.5 · EPSS 0.00432
Exploits 0 · References 2
SUSE CVE
added 2025/07/04 2:43 p.m. · 1 view

SUSE CVE-2025-3611

Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team...

CVSS 4.3 · AI score 6.8 · EPSS 0.00191
Exploits 0 · References 2
CNNVD
added 2025/07/01 12:00 a.m. · 2 views

One Identity OneLogin AD Connector Security Vulnerability

One Identity OneLogin AD Connector is a connector software from One Identity USA. A security vulnerability exists in One Identity OneLogin AD Connector versions prior to 6.1.5 that originates in the /api/adc/v4/configuration endpoint resulting in information disclosure...

CVSS 5.7 · AI score 6.3 · EPSS 0.00134
Exploits 0 · References 4
Snyk
added 2025/06/30 7:35 p.m. · 4 views

Improper Authorization

Overview: org.graylog2:graylog2-server is a log management platform. Affected versions of this package are vulnerable to Improper Authorization via an incorrect permission check in the token creation process. An attacker can gain elevated privileges by crafting requests to the REST API and creatin...

CVSS 8.8 · AI score 6.9 · EPSS 0.005
Exploits 0 · References 2
OSV
added 2025/06/26 6:15 a.m. · 0 views

UBUNTU-CVE-2025-1754

An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed unauthenticated attackers to upload arbitrary files to public projects by sending crafted API requests, potentially leading to resource...

CVSS 5.3 · AI score 5.9 · EPSS 0.00231
Exploits 0 · References 2
CNVD
added 2025/06/26 12:00 a.m. · 2 views

Cisco ISE and ISE-PIC Injection Vulnerabilities

Cisco ISE and Cisco ISE-PIC are both products of Cisco in the United States. Cisco ISE is the identity services engine introduced by Cisco, mainly used for network access control and security management. Cisco ISE-PIC is the passive identity connector of the Cisco Identity Services Engine, which is mainl...

CVSS 10 · AI score 8.2 · EPSS 0.96732
Exploits 10 · References 1
OSV
added 2025/06/15 6:01 p.m. · 2 views

CVE-2025-5990 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Crafty Controller

An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller allows a remote, authenticated attacker to perform stored XSS via malicious form input...

CVSS 7.6 · AI score 5.7 · EPSS 0.00213
Exploits 1 · References 3
BDU FSTEC
added 2025/06/13 12:00 a.m. · 4 views

The vulnerability of the Cisco Unified Intelligence Center reporting software and the Unified Contact Center Enterprise contact center management software lies in the implementation of security functions at the client side, which allows attackers to elevate their privileges to the root level.

The vulnerability of the Cisco Unified Intelligence Center reporting software and the Unified Contact Center Enterprise contact center management software relates to the implementation of security features at the client side. Exploiting this vulnerability allows a malicious actor to elevate their...

CVSS 7.5 · AI score 5.5 · EPSS 0.00344
Exploits 0 · References 2 · Affected Software 1
CNNVD
added 2025/06/10 12:00 a.m. · 1 view

Fortinet FortiPortal Security Vulnerability

Fortinet FortiPortal is an advanced, feature-rich hosted security analysis and management support tool for Fortinet's FortiGate, FortiWiFi and FortiAP product lines, available as a virtual machine for MSPs. A security vulnerability in Fortinet FortiPortal versions 7.4.0, 7.2.0 through 7.2.5, and...

CVSS 4.3 · AI score 6.2 · EPSS 0.00263
Exploits 0 · References 2
BDU FSTEC
added 2025/06/05 12:00 a.m. · 6 views

The vulnerability of the Device Configuration component in the APIX application programming interface of the AXIS OS operating system allows a perpetrator to increase their privileges.

The vulnerability of the Device Configuration component in the APIX application programming interface of the AXIS OS operating system is related to insecure management of privileges. Exploiting this vulnerability can allow attackers to enhance their privileges...

CVSS 8.8 · AI score 5.5 · EPSS 0.00219
Exploits 0 · References 2 · Affected Software 1
OSV
added 2025/06/03 4:15 p.m. · 5 views

CVE-2025-25020

IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 could allow an authenticated user to cause a denial of service due to improperly validating API data input...

CVSS 6.5 · AI score 5.8
Exploits 0 · References 1
SUSE CVE
added 2025/05/30 1:26 a.m. · 3 views

SUSE CVE-2025-47933

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve...

CVSS 8.2 · AI score 6.3 · EPSS 0.00411
Exploits 0 · References 4
OSV
added 2025/05/28 5:15 p.m. · 1 view

ALPINE-CVE-2025-32801

Kea configuration and API directives can be used to load a malicious hook library. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths. This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through...

CVSS 7.8 · AI score 7 · EPSS 0.00235
Exploits 0 · References 1
CNNVD
added 2025/05/28 12:00 a.m. · 2 views

ISC Kea Code Injection Vulnerability

ISC Kea is a modern open source DHCPv4 and DHCPv6 server from the ISC organization. A security vulnerability exists in ISC Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8, which stems from configuration and API directives that can load malicious hook libraries,...

CVSS 7.8 · AI score 6.5 · EPSS 0.00235
Exploits 0 · References 3