
11 matches found

CVE
added 2026/02/26 9:51 p.m., 7 views

CVE-2026-27449

Umbraco Engage (before versions 16.2.1 and 17.1.1) exposes certain API endpoints that do not enforce authentication or authorization. An unauthenticated user can query these endpoints directly (for example via an id parameter like ?id=) to enumerate and retrieve sensitive Engage data associated w...

CVSS 7.5 | AI score 5.7 | EPSS 0.00071
Exploits 0 | References 1
EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2022-6251

Malicious code in bioql PyPI...

CVSS 9.1 | AI score 9.1 | EPSS 0.00412
Exploits 1 | References 4
EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2023-29945

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 7.6 | EPSS 0.003
Exploits 0 | References 1
Hacker One
added 2024/10/17 12:25 p.m., 27 views

Mars: Insecure API Response Leads to Disclosure of Hashed Passwords

A security vulnerability was identified in the API of ████████. The endpoint ████████ was found to return sensitive user information, including hashed passwords, in its response. This exposure presented a significant security risk, as it potentially allowed unauthorized access to user credentials...

AI score 6.9
Exploits 0
Prion
added 2023/07/19 2:15 a.m., 11 views

Server side request forgery (ssrf)

IBM Sterling Connect:Express for UNIX 1.5 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 252135...

CVSS 5.5 | AI score 5.3 | EPSS 0.00064
Exploits 0 | References 2
Prion
added 2023/03/28 8:15 p.m., 9 views

Code injection

An issue was discovered in MCUBO ICT through 10.12.4 aka 6.0.2. An Observable Response Discrepancy can occur under the login web page. In particular, the web application provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor. Th...

CVSS 5 | AI score 7.3 | EPSS 0.003
Exploits 0 | References 2 | Affected Software 1
Vulnrichment
added 2023/03/28 12:0 a.m., 5 views

CVE-2023-26071

An issue was discovered in MCUBO ICT through 10.12.4 aka 6.0.2. An Observable Response Discrepancy can occur under the login web page. In particular, the web application provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor. Th...

AI score 6.6 | EPSS 0.003
Exploits 0 | References 1
OSV
added 2022/07/12 10:15 p.m., 16 views

GHSA-5PGM-3J3G-2RC7 Valinor error messages leading to potential data exfiltration before v0.12.0

php registerConstructorMoney::class, 'fromString' -mapper; try vardump$mapper-mapFoo::class, 'a' = 'HAHA', 'b' = '100 EUR', 'c' = 'USD 100' ; catch MappingError $e $messages = new NodeTraverserfunction Node $node foreach $node-messages as $message vardump '$message', $message-path, $message-body ...

CVSS 7.5 | AI score 8.6 | EPSS 0.00412
Exploits 1 | References 4
Prion
added 2022/07/11 8:15 p.m., 11 views

Design/Logic Flaw

Valinor is a PHP library that helps to map any input into a strongly-typed value object structure. Prior to version 0.12.0, Valinor can use Throwable::getMessage() when it should not have permission to do so. This is a problem with cases such as an SQL exception showing an SQL snippet, a database...

CVSS 6.4 | AI score 9.2 | EPSS 0.00412
Exploits 1 | References 2 | Affected Software 1
OSV
added 2022/07/11 7:55 p.m., 13 views

CVE-2022-31140 Valinor error messages leading to potential data exfiltration

Valinor is a PHP library that helps to map any input into a strongly-typed value object structure. Prior to version 0.12.0, Valinor can use Throwable::getMessage() when it should not have permission to do so. This is a problem with cases such as an SQL exception showing an SQL snippet, a database...

CVSS 7.5 | AI score 9.2 | EPSS 0.00412
Exploits 1 | References 4
ThreatPost
added 2020/12/23 5:11 p.m., 288 views

Third-Party APIs: How to Prevent Enumeration Attacks

When organizations use APIs – the next frontier in cybercrime – to engage with third parties, it’s crucial they understand the associated security exposure they’re introducing. To do so, they must think like a hacker to evaluate whether or not they are introducing a problem or a solution for thei...

AI score 0.7
Exploits 0 | References 3